Merge "Enable self-testing by default in rkp factory tool" am: 63e3a2b0df

Original change: https://android-review.googlesource.com/c/platform/system/security/+/2609433 Change-Id: Ib5b4c5eb23e29e3f3f3558a871fa7c64b5d4dcf1 Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-05-31 21:27:57 +00:00 · 2023-05-31 21:27:57 +00:00 · dcdbd79d3f
commit dcdbd79d3f
parent 3ec25a1e75 63e3a2b0df
4 changed files with 37 additions and 59 deletions
--- a/provisioner/rkp_factory_extraction_lib.cpp
+++ b/provisioner/rkp_factory_extraction_lib.cpp
@ -195,7 +195,11 @@ void selfTestGetCsrV1(std::string_view componentName, IRemotelyProvisionedCompon
                                             protectedData, *eekChain, eekId,
                                             hwInfo.supportedEekCurve, irpc, challenge);

-    std::cout << "Self test successful." << std::endl;
+    if (!result) {
+        std::cerr << "Self test failed for IRemotelyProvisionedComponent '" << componentName
+                  << "'. Error message: '" << result.message() << "'." << std::endl;
+        exit(-1);
+    }
 }

 CborResult<Array> composeCertificateRequestV3(const std::vector<uint8_t>& csr) {
@ -220,7 +224,7 @@ CborResult<Array> composeCertificateRequestV3(const std::vector<uint8_t>& csr) {
 }

 CborResult<cppbor::Array> getCsrV3(std::string_view componentName,
-                                   IRemotelyProvisionedComponent* irpc) {
+                                   IRemotelyProvisionedComponent* irpc, bool selfTest) {
    std::vector<uint8_t> csr;
    std::vector<MacedPublicKey> emptyKeys;
    const std::vector<uint8_t> challenge = generateChallenge();
@ -232,32 +236,20 @@ CborResult<cppbor::Array> getCsrV3(std::string_view componentName,
        exit(-1);
    }

+    if (selfTest) {
+        auto result = verifyFactoryCsr(/*keysToSign=*/cppbor::Array(), csr, irpc, challenge);
+        if (!result) {
+            std::cerr << "Self test failed for IRemotelyProvisionedComponent '" << componentName
+                      << "'. Error message: '" << result.message() << "'." << std::endl;
+            exit(-1);
+        }
+    }
+
    return composeCertificateRequestV3(csr);
 }

-void selfTestGetCsrV3(std::string_view componentName, IRemotelyProvisionedComponent* irpc) {
-    std::vector<uint8_t> csr;
-    std::vector<MacedPublicKey> emptyKeys;
-    const std::vector<uint8_t> challenge = generateChallenge();
-
-    auto status = irpc->generateCertificateRequestV2(emptyKeys, challenge, &csr);
-    if (!status.isOk()) {
-        std::cerr << "Bundle extraction failed for '" << componentName
-                  << "'. Error code: " << status.getServiceSpecificError() << "." << std::endl;
-        exit(-1);
-    }
-
-    auto result = verifyFactoryCsr(/*keysToSign=*/cppbor::Array(), csr, irpc, challenge);
-    if (!result) {
-        std::cerr << "Self test failed for '" << componentName
-                  << "'. Error message: " << result.message() << "." << std::endl;
-        exit(-1);
-    }
-
-    std::cout << "Self test successful." << std::endl;
-}
-
-CborResult<Array> getCsr(std::string_view componentName, IRemotelyProvisionedComponent* irpc) {
+CborResult<Array> getCsr(std::string_view componentName, IRemotelyProvisionedComponent* irpc,
+                         bool selfTest) {
    RpcHardwareInfo hwInfo;
    auto status = irpc->getHardwareInfo(&hwInfo);
    if (!status.isOk()) {
@ -267,24 +259,11 @@ CborResult<Array> getCsr(std::string_view componentName, IRemotelyProvisionedCom
    }

    if (hwInfo.versionNumber < kVersionWithoutSuperencryption) {
+        if (selfTest) {
+            selfTestGetCsrV1(componentName, irpc);
+        }
        return getCsrV1(componentName, irpc);
    } else {
-        return getCsrV3(componentName, irpc);
-    }
-}
-
-void selfTestGetCsr(std::string_view componentName, IRemotelyProvisionedComponent* irpc) {
-    RpcHardwareInfo hwInfo;
-    auto status = irpc->getHardwareInfo(&hwInfo);
-    if (!status.isOk()) {
-        std::cerr << "Failed to get hardware info for '" << componentName
-                  << "'. Error code: " << status.getServiceSpecificError() << "." << std::endl;
-        exit(-1);
-    }
-
-    if (hwInfo.versionNumber < kVersionWithoutSuperencryption) {
-        selfTestGetCsrV1(componentName, irpc);
-    } else {
-        selfTestGetCsrV3(componentName, irpc);
+        return getCsrV3(componentName, irpc, selfTest);
    }
 }
--- a/provisioner/rkp_factory_extraction_lib.h
+++ b/provisioner/rkp_factory_extraction_lib.h
@ -46,7 +46,8 @@ std::vector<uint8_t> generateChallenge();
 // what went wrong.
 CborResult<cppbor::Array>
 getCsr(std::string_view componentName,
-       aidl::android::hardware::security::keymint::IRemotelyProvisionedComponent* irpc);
+       aidl::android::hardware::security::keymint::IRemotelyProvisionedComponent* irpc,
+       bool selfTest);

 // Generates a test certificate chain and validates it, exiting the process on error.
 void selfTestGetCsr(
--- a/provisioner/rkp_factory_extraction_lib_test.cpp
+++ b/provisioner/rkp_factory_extraction_lib_test.cpp
@ -180,7 +180,8 @@ TEST(LibRkpFactoryExtractionTests, GetCsrWithV2Hal) {
                        SetArgPointee<6>(kFakeMac),             //
                        Return(ByMove(ScopedAStatus::ok()))));  //

-    auto [csr, csrErrMsg] = getCsr("mock component name", mockRpc.get());
+    auto [csr, csrErrMsg] = getCsr("mock component name", mockRpc.get(),
+                                   /*selfTest=*/false);
    ASSERT_THAT(csr, NotNull()) << csrErrMsg;
    ASSERT_THAT(csr->asArray(), Pointee(Property(&Array::size, Eq(4))));

@ -249,7 +250,8 @@ TEST(LibRkpFactoryExtractionTests, GetCsrWithV3Hal) {
        .WillOnce(DoAll(SaveArg<1>(&challenge), SetArgPointee<2>(kCsr),
                        Return(ByMove(ScopedAStatus::ok()))));

-    auto [csr, csrErrMsg] = getCsr("mock component name", mockRpc.get());
+    auto [csr, csrErrMsg] = getCsr("mock component name", mockRpc.get(),
+                                   /*selfTest=*/false);
    ASSERT_THAT(csr, NotNull()) << csrErrMsg;
    ASSERT_THAT(csr, Pointee(Property(&Array::size, Eq(5))));

--- a/provisioner/rkp_factory_extraction_tool.cpp
+++ b/provisioner/rkp_factory_extraction_tool.cpp
@ -35,10 +35,10 @@ using namespace cppbor;
 using namespace cppcose;

 DEFINE_string(output_format, "build+csr", "How to format the output. Defaults to 'build+csr'.");
-DEFINE_bool(self_test, false,
-            "If true, the tool does not output CSR data, but instead performs a self-test, "
-            "validating a test payload for correctness. This may be used to verify a device on the "
-            "factory line before attempting to upload the output to the device info service.");
+DEFINE_bool(self_test, true,
+            "If true, this tool performs a self-test, validating the payload for correctness. "
+            "This checks that the device on the factory line is producing valid output "
+            "before attempting to upload the output to the device info service.");

 namespace {

@ -81,17 +81,13 @@ void getCsrForInstance(const char* name, void* /*context*/) {
        exit(-1);
    }

-    if (FLAGS_self_test) {
-        selfTestGetCsr(name, rkp_service.get());
-    } else {
-        auto [request, errMsg] = getCsr(name, rkp_service.get());
-        if (!request) {
-            std::cerr << "Unable to build CSR for '" << fullName << ": " << errMsg << std::endl;
-            exit(-1);
-        }
-
-        writeOutput(std::string(name), *request);
+    auto [request, errMsg] = getCsr(name, rkp_service.get(), FLAGS_self_test);
+    if (!request) {
+        std::cerr << "Unable to build CSR for '" << fullName << ": " << errMsg << std::endl;
+        exit(-1);
    }
+
+    writeOutput(std::string(name), *request);
 }

 }  // namespace