Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit a2e8c0d6 authored by Prashant Patil's avatar Prashant Patil
Browse files

Keystore: Attestation fix in AOSP builds 

Alternet device properties used for attestation on AOSP and GSI builds.
Attestation ids were different in AOSP/GSI builds than provisioned ids
in keymint. Hence additional properties used to make these ids identical
to provisioned ids.

Bug: 110779648
Bug: 259376922
Test: atest VtsAidlKeyMintTargetTest:PerInstance/NewKeyGenerationTest#EcdsaAttestationIdTags/0_android_hardware_security_keymint_IKeyMintDevice_default
Test: atest VtsAidlKeyMintTargetTest:PerInstance/NewKeyGenerationTest#EcdsaAttestationIdTags/1_android_hardware_security_keymint_IKeyMintDevice_strongbox
Test: atest CtsKeystoreTestCases:android.keystore.cts.KeyAttestationTest CtsKeystoreTestCases:DeviceOwnerKeyManagementTest

Change-Id: Idd87314b8e5a95de3daac0ea4ff4dffd4c4c6f63
parent 2239399d

core/api/test-current.txt

+3 −0
Original line number Diff line number Diff line
@@ -1696,7 +1696,10 @@ package android.os { 
  public class Build {

    method public static boolean is64BitAbi(String);

    method public static boolean isDebuggable();

    field @Nullable public static final String BRAND_FOR_ATTESTATION;

    field public static final boolean IS_EMULATOR;

    field @Nullable public static final String MODEL_FOR_ATTESTATION;

    field @Nullable public static final String PRODUCT_FOR_ATTESTATION;

  }



  public static class Build.VERSION {

core/java/android/os/Build.java

+33 −0
Original line number Diff line number Diff line
@@ -61,6 +61,17 @@ public class Build { 
    /** The name of the overall product. */

    public static final String PRODUCT = getString("ro.product.name");



    /**

     * The product name for attestation. In non-default builds (like the AOSP build) the value of

     * the 'PRODUCT' system property may be different to the one provisioned to KeyMint,

     * and Keymint attestation would still attest to the product name, it's running on.

     * @hide

     */

    @Nullable

    @TestApi

    public static final String PRODUCT_FOR_ATTESTATION =

            getString("ro.product.name_for_attestation");



    /** The name of the industrial design. */

    public static final String DEVICE = getString("ro.product.device");
@@ -89,9 +100,31 @@ public class Build { 
    /** The consumer-visible brand with which the product/hardware will be associated, if any. */

    public static final String BRAND = getString("ro.product.brand");



    /**

     * The product brand for attestation. In non-default builds (like the AOSP build) the value of

     * the 'BRAND' system property may be different to the one provisioned to KeyMint,

     * and Keymint attestation would still attest to the product brand, it's running on.

     * @hide

     */

    @Nullable

    @TestApi

    public static final String BRAND_FOR_ATTESTATION =

                getString("ro.product.brand_for_attestation");



    /** The end-user-visible name for the end product. */

    public static final String MODEL = getString("ro.product.model");



    /**

     * The product model for attestation. In non-default builds (like the AOSP build) the value of

     * the 'MODEL' system property may be different to the one provisioned to KeyMint,

     * and Keymint attestation would still attest to the product model, it's running on.

     * @hide

     */

    @Nullable

    @TestApi

    public static final String MODEL_FOR_ATTESTATION =

                getString("ro.product.model_for_attestation");



    /** The manufacturer of the device's primary system-on-chip. */

    @NonNull

    public static final String SOC_MANUFACTURER = SocProperties.soc_manufacturer().orElse(UNKNOWN);

keystore/java/android/security/keystore2/AndroidKeyStoreKeyPairGeneratorSpi.java

+10 −3
Original line number Diff line number Diff line
@@ -801,25 +801,32 @@ public abstract class AndroidKeyStoreKeyPairGeneratorSpi extends KeyPairGenerato 
            ));



            if (mSpec.isDevicePropertiesAttestationIncluded()) {

                final String platformReportedBrand = TextUtils.isEmpty(Build.BRAND_FOR_ATTESTATION)

                        ? Build.BRAND : Build.BRAND_FOR_ATTESTATION;

                params.add(KeyStore2ParameterUtils.makeBytes(

                        KeymasterDefs.KM_TAG_ATTESTATION_ID_BRAND,

                        Build.BRAND.getBytes(StandardCharsets.UTF_8)

                        platformReportedBrand.getBytes(StandardCharsets.UTF_8)

                ));

                params.add(KeyStore2ParameterUtils.makeBytes(

                        KeymasterDefs.KM_TAG_ATTESTATION_ID_DEVICE,

                        Build.DEVICE.getBytes(StandardCharsets.UTF_8)

                ));

                final String platformReportedProduct =

                        TextUtils.isEmpty(Build.PRODUCT_FOR_ATTESTATION) ? Build.PRODUCT :

                                Build.PRODUCT_FOR_ATTESTATION;

                params.add(KeyStore2ParameterUtils.makeBytes(

                        KeymasterDefs.KM_TAG_ATTESTATION_ID_PRODUCT,

                        Build.PRODUCT.getBytes(StandardCharsets.UTF_8)

                        platformReportedProduct.getBytes(StandardCharsets.UTF_8)

                ));

                params.add(KeyStore2ParameterUtils.makeBytes(

                        KeymasterDefs.KM_TAG_ATTESTATION_ID_MANUFACTURER,

                        Build.MANUFACTURER.getBytes(StandardCharsets.UTF_8)

                ));

                final String platformReportedModel = TextUtils.isEmpty(Build.MODEL_FOR_ATTESTATION)

                        ? Build.MODEL : Build.MODEL_FOR_ATTESTATION;

                params.add(KeyStore2ParameterUtils.makeBytes(

                        KeymasterDefs.KM_TAG_ATTESTATION_ID_MODEL,

                        Build.MODEL.getBytes(StandardCharsets.UTF_8)

                        platformReportedModel.getBytes(StandardCharsets.UTF_8)

                ));

            }