
Commit 0453c361 authored by Treehugger Robot's avatar Treehugger Robot Committed by Automerger Merge Worker

Merge "Improve unique attestation docs & tests" am: 0872e42b am: f5eb250c am: 8e928b5b

Original change: https://android-review.googlesource.com/c/platform/hardware/interfaces/+/1719304

Change-Id: I2eb5f3c8797cd0b25f44ac016a7e9cdecd38dd90
parents fc599c09 8e928b5b
+15 −5
@@ -831,14 +831,24 @@ enum Tag {
    /**
     * DEVICE_UNIQUE_ATTESTATION is an argument to IKeyMintDevice::attested key generation/import
     * operations.  It indicates that attestation using a device-unique key is requested, rather
     * than a batch key.  When a device-unique key is used, only the attestation certificate is
     * returned; no additional chained certificates are provided.  It's up to the caller to
     * recognize the device-unique signing key.  Only SecurityLevel::STRONGBOX IKeyMintDevices may
     * support device-unique attestations.  SecurityLevel::TRUSTED_ENVIRONMENT IKeyMintDevices must
     * return ErrorCode::INVALID_ARGUMENT if they receive DEVICE_UNIQUE_ATTESTATION.
     * than a batch key.  When a device-unique key is used, the returned chain should contain two
     * certificates:
     *    * The attestation certificate, containing the attestation extension, as described in
            KeyCreationResult.aidl.
     *    * A self-signed root certificate, signed by the device-unique key.
     * No additional chained certificates are provided. Only SecurityLevel::STRONGBOX
     * IKeyMintDevices may support device-unique attestations.  SecurityLevel::TRUSTED_ENVIRONMENT
     * IKeyMintDevices must return ErrorCode::INVALID_ARGUMENT if they receive
     * DEVICE_UNIQUE_ATTESTATION.
     * SecurityLevel::STRONGBOX IKeyMintDevices need not support DEVICE_UNIQUE_ATTESTATION, and
     * return ErrorCode::CANNOT_ATTEST_IDS if they do not support it.
     *
     * The caller needs to obtain the device-unique keys out-of-band and compare them against the
     * key used to sign the self-signed root certificate.
     * To ease this process, the IKeyMintDevice implementation should include, both in the subject
     * and issuer fields of the self-signed root, the unique identifier of the device. Using the
     * unique identifier will make it straightforward for the caller to link a device to its key.
     *
     * IKeyMintDevice implementations that support device-unique attestation MUST add the
     * DEVICE_UNIQUE_ATTESTATION tag to device-unique attestations.
     */
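Review bot: The new wording at the top of the hunk says the returned chain "should contain two certificates", while the sibling VTS change in this commit asserts exactly two (`ASSERT_EQ(cert_chain_.size(), 2)`), so the normative strength of the spec text does not match what the test enforces; suggest `* than a batch key.  When a device-unique key is used, the returned chain MUST contain exactly two` followed by `* certificates:`. The bullet continuation line `KeyCreationResult.aidl.` has lost its leading ` * `, which breaks the comment's column layout. The paragraph recommending the device identifier in the root's subject and issuer would benefit from stating that the identifier is only a lookup aid, since the root is signed by the very key being identified and carries no trust of its own; e.g. `* The identifier is a lookup aid only; the caller MUST still verify the root's signature against the key obtained out-of-band.` This hunk lies inside the `enum Tag` body, which starts and ends outside the hunk.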
+4 −1
@@ -42,8 +42,11 @@ class DeviceUniqueAttestationTest : public KeyMintAidlTestBase {

        EXPECT_TRUE(crypto_params.Contains(TAG_KEY_SIZE, key_size)) << "Key size missing";

        // The device-unique attestation chain should contain exactly two certificates:
        // * The leaf with the attestation extension.
        // * A self-signed root, signed using the device-unique key.
        ASSERT_EQ(cert_chain_.size(), 2);
        EXPECT_TRUE(ChainSignaturesAreValid(cert_chain_));
        ASSERT_GT(cert_chain_.size(), 0);

        AuthorizationSet sw_enforced = SwEnforcedAuthorizations(key_characteristics);
        EXPECT_TRUE(verify_attestation_record("challenge", "foo", sw_enforced, hw_enforced,
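Review bot: The new `ASSERT_EQ(cert_chain_.size(), 2)` pins the chain length, but nothing in the hunk checks that the second certificate is actually self-signed, which is the property the new comment and the updated Tag.aidl text describe. Whether `ChainSignaturesAreValid` also verifies the root's self-signature cannot be seen from here; if it does not, an assertion that the root's issuer equals its subject would close the gap, otherwise a two-certificate chain with an arbitrary root would pass. Comparing `size()` against the `int` literal `2` may also trip `-Wsign-compare` inside gtest's `CmpHelperEQ`; `ASSERT_EQ(cert_chain_.size(), 2U)` avoids that. The enclosing test method starts before the hunk and continues after it.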