Loading contexthub/OWNERS +0 −1 Original line number Diff line number Diff line # Bug component: 156070 arthuri@google.com bduddie@google.com security/keymint/aidl/default/ta/lib.rs +1 −1 Original line number Diff line number Diff line Loading @@ -86,7 +86,7 @@ pub fn build_ta() -> kmr_ta::KeyMintTa { )); let dev = Implementation { keys, sign_info: Box::new(sign_info), sign_info: Some(Box::new(sign_info)), // HAL populates attestation IDs from properties. attest_ids: None, sdd_mgr: None, Loading security/keymint/aidl/vts/functional/AttestKeyTest.cpp +76 −85 Original line number Diff line number Diff line Loading @@ -20,6 +20,7 @@ #include <cutils/log.h> #include <cutils/properties.h> #include <keymint_support/authorization_set.h> #include <keymint_support/key_param_output.h> #include <keymint_support/openssl_utils.h> Loading Loading @@ -93,7 +94,7 @@ string get_imei(int slot) { class AttestKeyTest : public KeyMintAidlTestBase { public: void SetUp() override { skipAttestKeyTest(); skipAttestKeyTestIfNeeded(); KeyMintAidlTestBase::SetUp(); } }; Loading Loading @@ -273,7 +274,7 @@ TEST_P(AttestKeyTest, RsaAttestKeyMultiPurposeFail) { /* * AttestKeyTest.RsaAttestedAttestKeys * * This test creates an RSA attestation key signed by factory keys, and varifies it can be * This test creates an RSA attestation key signed by factory keys, and verifies it can be * used to sign other RSA and EC keys. */ TEST_P(AttestKeyTest, RsaAttestedAttestKeys) { Loading Loading @@ -305,9 +306,8 @@ TEST_P(AttestKeyTest, RsaAttestedAttestKeys) { .SetDefaultValidity(), {} /* attestation signing key */, &attest_key.keyBlob, &attest_key_characteristics, &attest_key_cert_chain); // Strongbox may not support factory provisioned attestation key. if (SecLevel() == SecurityLevel::STRONGBOX) { if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) return; if (isRkpOnly() && result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) { GTEST_SKIP() << "RKP-only devices do not have a factory key"; } ASSERT_EQ(ErrorCode::OK, result); KeyBlobDeleter attest_deleter(keymint_, attest_key.keyBlob); Loading Loading @@ -400,30 +400,32 @@ TEST_P(AttestKeyTest, RsaAttestKeyChaining) { attest_key_opt = attest_key; } auto result = GenerateAttestKey(AuthorizationSetBuilder() AuthorizationSetBuilder auth_set_builder = AuthorizationSetBuilder() .RsaKey(2048, 65537) .AttestKey() .AttestationChallenge("foo") .AttestationApplicationId("bar") .Authorization(TAG_NO_AUTH_REQUIRED) .Authorization(TAG_CERTIFICATE_SERIAL, serial_blob) .Authorization(TAG_CERTIFICATE_SUBJECT, subject_der) .SetDefaultValidity(), attest_key_opt, &key_blob_list[i], &attested_key_characteristics, &cert_chain_list[i]); // Strongbox may not support factory provisioned attestation key. if (SecLevel() == SecurityLevel::STRONGBOX) { if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) return; .SetDefaultValidity(); // In RKP-only systems, the first key cannot be attested due to lack of batch key if (!isRkpOnly() || i > 0) { auth_set_builder.AttestationChallenge("foo"); } auto result = GenerateAttestKey(auth_set_builder, attest_key_opt, &key_blob_list[i], &attested_key_characteristics, &cert_chain_list[i]); ASSERT_EQ(ErrorCode::OK, result); deleters.push_back(KeyBlobDeleter(keymint_, key_blob_list[i])); if (!isRkpOnly() || i > 0) { AuthorizationSet hw_enforced = HwEnforcedAuthorizations(attested_key_characteristics); AuthorizationSet sw_enforced = SwEnforcedAuthorizations(attested_key_characteristics); ASSERT_GT(cert_chain_list[i].size(), 0); ASSERT_TRUE(verify_attestation_record(AidlVersion(), "foo", "bar", sw_enforced, hw_enforced, SecLevel(), ASSERT_TRUE(verify_attestation_record(AidlVersion(), "foo", "bar", sw_enforced, hw_enforced, SecLevel(), cert_chain_list[i][0].encodedCertificate)); } if (i > 0) { /* Loading @@ -439,7 +441,7 @@ TEST_P(AttestKeyTest, RsaAttestKeyChaining) { } EXPECT_TRUE(ChainSignaturesAreValid(cert_chain_list[i])); EXPECT_GT(cert_chain_list[i].size(), i + 1); EXPECT_GT(cert_chain_list[i].size(), i + (isRkpOnly() ? 0 : 1)); verify_subject_and_serial(cert_chain_list[i][0], serial_int, subject, false); } } Loading Loading @@ -475,36 +477,34 @@ TEST_P(AttestKeyTest, EcAttestKeyChaining) { attest_key_opt = attest_key; } auto result = GenerateAttestKey(AuthorizationSetBuilder() AuthorizationSetBuilder auth_set_builder = AuthorizationSetBuilder() .EcdsaKey(EcCurve::P_256) .AttestKey() .AttestationChallenge("foo") .AttestationApplicationId("bar") .Authorization(TAG_CERTIFICATE_SERIAL, serial_blob) .Authorization(TAG_CERTIFICATE_SUBJECT, subject_der) .Authorization(TAG_NO_AUTH_REQUIRED) .SetDefaultValidity(), attest_key_opt, &key_blob_list[i], &attested_key_characteristics, &cert_chain_list[i]); // Strongbox may not support factory provisioned attestation key. if (SecLevel() == SecurityLevel::STRONGBOX) { if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) return; .SetDefaultValidity(); // In RKP-only systems, the first key cannot be attested due to lack of batch key if (!isRkpOnly() || i > 0) { auth_set_builder.AttestationChallenge("foo"); } auto result = GenerateAttestKey(auth_set_builder, attest_key_opt, &key_blob_list[i], &attested_key_characteristics, &cert_chain_list[i]); ASSERT_EQ(ErrorCode::OK, result); deleters.push_back(KeyBlobDeleter(keymint_, key_blob_list[i])); if (!isRkpOnly() || i > 0) { AuthorizationSet hw_enforced = HwEnforcedAuthorizations(attested_key_characteristics); AuthorizationSet sw_enforced = SwEnforcedAuthorizations(attested_key_characteristics); ASSERT_GT(cert_chain_list[i].size(), 0); ASSERT_TRUE(verify_attestation_record(AidlVersion(), "foo", "bar", sw_enforced, hw_enforced, SecLevel(), ASSERT_TRUE(verify_attestation_record(AidlVersion(), "foo", "bar", sw_enforced, hw_enforced, SecLevel(), cert_chain_list[i][0].encodedCertificate)); } if (i > 0) { /* * The first key is attestated with factory chain, but all the rest of the keys are * not supposed to be returned in attestation certificate chains. */ EXPECT_FALSE(ChainSignaturesAreValid(cert_chain_list[i])); // Appending the attest_key chain to the attested_key_chain should yield a valid chain. Loading @@ -514,7 +514,7 @@ TEST_P(AttestKeyTest, EcAttestKeyChaining) { } EXPECT_TRUE(ChainSignaturesAreValid(cert_chain_list[i])); EXPECT_GT(cert_chain_list[i].size(), i + 1); EXPECT_GT(cert_chain_list[i].size(), i + (isRkpOnly() ? 0 : 1)); verify_subject_and_serial(cert_chain_list[i][0], serial_int, subject, false); } } Loading Loading @@ -576,45 +576,36 @@ TEST_P(AttestKeyTest, AlternateAttestKeyChaining) { attest_key.keyBlob = key_blob_list[i - 1]; attest_key_opt = attest_key; } ErrorCode result; if ((i & 0x1) == 1) { result = GenerateAttestKey(AuthorizationSetBuilder() .EcdsaKey(EcCurve::P_256) .AttestKey() .AttestationChallenge("foo") .AttestationApplicationId("bar") .Authorization(TAG_CERTIFICATE_SERIAL, serial_blob) .Authorization(TAG_CERTIFICATE_SUBJECT, subject_der) .Authorization(TAG_NO_AUTH_REQUIRED) .SetDefaultValidity(), attest_key_opt, &key_blob_list[i], &attested_key_characteristics, &cert_chain_list[i]); } else { result = GenerateAttestKey(AuthorizationSetBuilder() .RsaKey(2048, 65537) AuthorizationSetBuilder auth_set_builder = AuthorizationSetBuilder() .AttestKey() .AttestationChallenge("foo") .AttestationApplicationId("bar") .Authorization(TAG_CERTIFICATE_SERIAL, serial_blob) .Authorization(TAG_CERTIFICATE_SUBJECT, subject_der) .Authorization(TAG_NO_AUTH_REQUIRED) .SetDefaultValidity(), attest_key_opt, &key_blob_list[i], &attested_key_characteristics, &cert_chain_list[i]); .SetDefaultValidity(); // In RKP-only systems, the first key cannot be attested due to lack of batch key if (!isRkpOnly() || i > 0) { auth_set_builder.AttestationChallenge("foo"); } // Strongbox may not support factory provisioned attestation key. if (SecLevel() == SecurityLevel::STRONGBOX) { if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) return; if ((i & 0x1) == 1) { auth_set_builder.EcdsaKey(EcCurve::P_256); } else { auth_set_builder.RsaKey(2048, 65537); } ErrorCode result = GenerateAttestKey(auth_set_builder, attest_key_opt, &key_blob_list[i], &attested_key_characteristics, &cert_chain_list[i]); ASSERT_EQ(ErrorCode::OK, result); deleters.push_back(KeyBlobDeleter(keymint_, key_blob_list[i])); if (!isRkpOnly() || i > 0) { AuthorizationSet hw_enforced = HwEnforcedAuthorizations(attested_key_characteristics); AuthorizationSet sw_enforced = SwEnforcedAuthorizations(attested_key_characteristics); ASSERT_GT(cert_chain_list[i].size(), 0); ASSERT_TRUE(verify_attestation_record(AidlVersion(), "foo", "bar", sw_enforced, hw_enforced, SecLevel(), ASSERT_TRUE(verify_attestation_record(AidlVersion(), "foo", "bar", sw_enforced, hw_enforced, SecLevel(), cert_chain_list[i][0].encodedCertificate)); } if (i > 0) { /* Loading @@ -630,7 +621,7 @@ TEST_P(AttestKeyTest, AlternateAttestKeyChaining) { } EXPECT_TRUE(ChainSignaturesAreValid(cert_chain_list[i])); EXPECT_GT(cert_chain_list[i].size(), i + 1); EXPECT_GT(cert_chain_list[i].size(), i + (isRkpOnly() ? 0 : 1)); verify_subject_and_serial(cert_chain_list[i][0], serial_int, subject, false); } } Loading security/keymint/aidl/vts/functional/AuthTest.cpp +1 −12 Original line number Diff line number Diff line Loading @@ -455,18 +455,7 @@ TEST_P(AuthTest, TimeoutAuthenticationMultiSid) { .Authorization(TAG_AUTH_TIMEOUT, timeout_secs); vector<uint8_t> keyblob; vector<KeyCharacteristics> key_characteristics; vector<Certificate> cert_chain; auto result = GenerateKey(builder, std::nullopt, &keyblob, &key_characteristics, &cert_chain); if (SecLevel() == SecurityLevel::STRONGBOX) { if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) { result = GenerateKeyWithSelfSignedAttestKey(AuthorizationSetBuilder() .EcdsaKey(EcCurve::P_256) .AttestKey() .SetDefaultValidity(), builder, &keyblob, &key_characteristics, &cert_chain); } } auto result = GenerateKey(builder, &keyblob, &key_characteristics); ASSERT_EQ(ErrorCode::OK, result); // Verify first user to get a HAT that should work. Loading security/keymint/aidl/vts/functional/BootloaderStateTest.cpp +0 −12 Original line number Diff line number Diff line Loading @@ -54,18 +54,6 @@ class BootloaderStateTest : public KeyMintAidlTestBase { .Digest(Digest::NONE) .SetDefaultValidity(); auto result = GenerateKey(keyDesc, &key_blob, &key_characteristics); // If factory provisioned attestation key is not supported by Strongbox, // then create a key with self-signed attestation and use it as the // attestation key instead. if (SecLevel() == SecurityLevel::STRONGBOX && result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) { result = GenerateKeyWithSelfSignedAttestKey( AuthorizationSetBuilder() .EcdsaKey(EcCurve::P_256) .AttestKey() .SetDefaultValidity(), /* attest key params */ keyDesc, &key_blob, &key_characteristics); } ASSERT_EQ(ErrorCode::OK, result); // Parse attested AVB values. Loading Loading
contexthub/OWNERS +0 −1 Original line number Diff line number Diff line # Bug component: 156070 arthuri@google.com bduddie@google.com
security/keymint/aidl/default/ta/lib.rs +1 −1 Original line number Diff line number Diff line Loading @@ -86,7 +86,7 @@ pub fn build_ta() -> kmr_ta::KeyMintTa { )); let dev = Implementation { keys, sign_info: Box::new(sign_info), sign_info: Some(Box::new(sign_info)), // HAL populates attestation IDs from properties. attest_ids: None, sdd_mgr: None, Loading
security/keymint/aidl/vts/functional/AttestKeyTest.cpp +76 −85 Original line number Diff line number Diff line Loading @@ -20,6 +20,7 @@ #include <cutils/log.h> #include <cutils/properties.h> #include <keymint_support/authorization_set.h> #include <keymint_support/key_param_output.h> #include <keymint_support/openssl_utils.h> Loading Loading @@ -93,7 +94,7 @@ string get_imei(int slot) { class AttestKeyTest : public KeyMintAidlTestBase { public: void SetUp() override { skipAttestKeyTest(); skipAttestKeyTestIfNeeded(); KeyMintAidlTestBase::SetUp(); } }; Loading Loading @@ -273,7 +274,7 @@ TEST_P(AttestKeyTest, RsaAttestKeyMultiPurposeFail) { /* * AttestKeyTest.RsaAttestedAttestKeys * * This test creates an RSA attestation key signed by factory keys, and varifies it can be * This test creates an RSA attestation key signed by factory keys, and verifies it can be * used to sign other RSA and EC keys. */ TEST_P(AttestKeyTest, RsaAttestedAttestKeys) { Loading Loading @@ -305,9 +306,8 @@ TEST_P(AttestKeyTest, RsaAttestedAttestKeys) { .SetDefaultValidity(), {} /* attestation signing key */, &attest_key.keyBlob, &attest_key_characteristics, &attest_key_cert_chain); // Strongbox may not support factory provisioned attestation key. if (SecLevel() == SecurityLevel::STRONGBOX) { if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) return; if (isRkpOnly() && result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) { GTEST_SKIP() << "RKP-only devices do not have a factory key"; } ASSERT_EQ(ErrorCode::OK, result); KeyBlobDeleter attest_deleter(keymint_, attest_key.keyBlob); Loading Loading @@ -400,30 +400,32 @@ TEST_P(AttestKeyTest, RsaAttestKeyChaining) { attest_key_opt = attest_key; } auto result = GenerateAttestKey(AuthorizationSetBuilder() AuthorizationSetBuilder auth_set_builder = AuthorizationSetBuilder() .RsaKey(2048, 65537) .AttestKey() .AttestationChallenge("foo") .AttestationApplicationId("bar") .Authorization(TAG_NO_AUTH_REQUIRED) .Authorization(TAG_CERTIFICATE_SERIAL, serial_blob) .Authorization(TAG_CERTIFICATE_SUBJECT, subject_der) .SetDefaultValidity(), attest_key_opt, &key_blob_list[i], &attested_key_characteristics, &cert_chain_list[i]); // Strongbox may not support factory provisioned attestation key. if (SecLevel() == SecurityLevel::STRONGBOX) { if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) return; .SetDefaultValidity(); // In RKP-only systems, the first key cannot be attested due to lack of batch key if (!isRkpOnly() || i > 0) { auth_set_builder.AttestationChallenge("foo"); } auto result = GenerateAttestKey(auth_set_builder, attest_key_opt, &key_blob_list[i], &attested_key_characteristics, &cert_chain_list[i]); ASSERT_EQ(ErrorCode::OK, result); deleters.push_back(KeyBlobDeleter(keymint_, key_blob_list[i])); if (!isRkpOnly() || i > 0) { AuthorizationSet hw_enforced = HwEnforcedAuthorizations(attested_key_characteristics); AuthorizationSet sw_enforced = SwEnforcedAuthorizations(attested_key_characteristics); ASSERT_GT(cert_chain_list[i].size(), 0); ASSERT_TRUE(verify_attestation_record(AidlVersion(), "foo", "bar", sw_enforced, hw_enforced, SecLevel(), ASSERT_TRUE(verify_attestation_record(AidlVersion(), "foo", "bar", sw_enforced, hw_enforced, SecLevel(), cert_chain_list[i][0].encodedCertificate)); } if (i > 0) { /* Loading @@ -439,7 +441,7 @@ TEST_P(AttestKeyTest, RsaAttestKeyChaining) { } EXPECT_TRUE(ChainSignaturesAreValid(cert_chain_list[i])); EXPECT_GT(cert_chain_list[i].size(), i + 1); EXPECT_GT(cert_chain_list[i].size(), i + (isRkpOnly() ? 0 : 1)); verify_subject_and_serial(cert_chain_list[i][0], serial_int, subject, false); } } Loading Loading @@ -475,36 +477,34 @@ TEST_P(AttestKeyTest, EcAttestKeyChaining) { attest_key_opt = attest_key; } auto result = GenerateAttestKey(AuthorizationSetBuilder() AuthorizationSetBuilder auth_set_builder = AuthorizationSetBuilder() .EcdsaKey(EcCurve::P_256) .AttestKey() .AttestationChallenge("foo") .AttestationApplicationId("bar") .Authorization(TAG_CERTIFICATE_SERIAL, serial_blob) .Authorization(TAG_CERTIFICATE_SUBJECT, subject_der) .Authorization(TAG_NO_AUTH_REQUIRED) .SetDefaultValidity(), attest_key_opt, &key_blob_list[i], &attested_key_characteristics, &cert_chain_list[i]); // Strongbox may not support factory provisioned attestation key. if (SecLevel() == SecurityLevel::STRONGBOX) { if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) return; .SetDefaultValidity(); // In RKP-only systems, the first key cannot be attested due to lack of batch key if (!isRkpOnly() || i > 0) { auth_set_builder.AttestationChallenge("foo"); } auto result = GenerateAttestKey(auth_set_builder, attest_key_opt, &key_blob_list[i], &attested_key_characteristics, &cert_chain_list[i]); ASSERT_EQ(ErrorCode::OK, result); deleters.push_back(KeyBlobDeleter(keymint_, key_blob_list[i])); if (!isRkpOnly() || i > 0) { AuthorizationSet hw_enforced = HwEnforcedAuthorizations(attested_key_characteristics); AuthorizationSet sw_enforced = SwEnforcedAuthorizations(attested_key_characteristics); ASSERT_GT(cert_chain_list[i].size(), 0); ASSERT_TRUE(verify_attestation_record(AidlVersion(), "foo", "bar", sw_enforced, hw_enforced, SecLevel(), ASSERT_TRUE(verify_attestation_record(AidlVersion(), "foo", "bar", sw_enforced, hw_enforced, SecLevel(), cert_chain_list[i][0].encodedCertificate)); } if (i > 0) { /* * The first key is attestated with factory chain, but all the rest of the keys are * not supposed to be returned in attestation certificate chains. */ EXPECT_FALSE(ChainSignaturesAreValid(cert_chain_list[i])); // Appending the attest_key chain to the attested_key_chain should yield a valid chain. Loading @@ -514,7 +514,7 @@ TEST_P(AttestKeyTest, EcAttestKeyChaining) { } EXPECT_TRUE(ChainSignaturesAreValid(cert_chain_list[i])); EXPECT_GT(cert_chain_list[i].size(), i + 1); EXPECT_GT(cert_chain_list[i].size(), i + (isRkpOnly() ? 0 : 1)); verify_subject_and_serial(cert_chain_list[i][0], serial_int, subject, false); } } Loading Loading @@ -576,45 +576,36 @@ TEST_P(AttestKeyTest, AlternateAttestKeyChaining) { attest_key.keyBlob = key_blob_list[i - 1]; attest_key_opt = attest_key; } ErrorCode result; if ((i & 0x1) == 1) { result = GenerateAttestKey(AuthorizationSetBuilder() .EcdsaKey(EcCurve::P_256) .AttestKey() .AttestationChallenge("foo") .AttestationApplicationId("bar") .Authorization(TAG_CERTIFICATE_SERIAL, serial_blob) .Authorization(TAG_CERTIFICATE_SUBJECT, subject_der) .Authorization(TAG_NO_AUTH_REQUIRED) .SetDefaultValidity(), attest_key_opt, &key_blob_list[i], &attested_key_characteristics, &cert_chain_list[i]); } else { result = GenerateAttestKey(AuthorizationSetBuilder() .RsaKey(2048, 65537) AuthorizationSetBuilder auth_set_builder = AuthorizationSetBuilder() .AttestKey() .AttestationChallenge("foo") .AttestationApplicationId("bar") .Authorization(TAG_CERTIFICATE_SERIAL, serial_blob) .Authorization(TAG_CERTIFICATE_SUBJECT, subject_der) .Authorization(TAG_NO_AUTH_REQUIRED) .SetDefaultValidity(), attest_key_opt, &key_blob_list[i], &attested_key_characteristics, &cert_chain_list[i]); .SetDefaultValidity(); // In RKP-only systems, the first key cannot be attested due to lack of batch key if (!isRkpOnly() || i > 0) { auth_set_builder.AttestationChallenge("foo"); } // Strongbox may not support factory provisioned attestation key. if (SecLevel() == SecurityLevel::STRONGBOX) { if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) return; if ((i & 0x1) == 1) { auth_set_builder.EcdsaKey(EcCurve::P_256); } else { auth_set_builder.RsaKey(2048, 65537); } ErrorCode result = GenerateAttestKey(auth_set_builder, attest_key_opt, &key_blob_list[i], &attested_key_characteristics, &cert_chain_list[i]); ASSERT_EQ(ErrorCode::OK, result); deleters.push_back(KeyBlobDeleter(keymint_, key_blob_list[i])); if (!isRkpOnly() || i > 0) { AuthorizationSet hw_enforced = HwEnforcedAuthorizations(attested_key_characteristics); AuthorizationSet sw_enforced = SwEnforcedAuthorizations(attested_key_characteristics); ASSERT_GT(cert_chain_list[i].size(), 0); ASSERT_TRUE(verify_attestation_record(AidlVersion(), "foo", "bar", sw_enforced, hw_enforced, SecLevel(), ASSERT_TRUE(verify_attestation_record(AidlVersion(), "foo", "bar", sw_enforced, hw_enforced, SecLevel(), cert_chain_list[i][0].encodedCertificate)); } if (i > 0) { /* Loading @@ -630,7 +621,7 @@ TEST_P(AttestKeyTest, AlternateAttestKeyChaining) { } EXPECT_TRUE(ChainSignaturesAreValid(cert_chain_list[i])); EXPECT_GT(cert_chain_list[i].size(), i + 1); EXPECT_GT(cert_chain_list[i].size(), i + (isRkpOnly() ? 0 : 1)); verify_subject_and_serial(cert_chain_list[i][0], serial_int, subject, false); } } Loading
security/keymint/aidl/vts/functional/AuthTest.cpp +1 −12 Original line number Diff line number Diff line Loading @@ -455,18 +455,7 @@ TEST_P(AuthTest, TimeoutAuthenticationMultiSid) { .Authorization(TAG_AUTH_TIMEOUT, timeout_secs); vector<uint8_t> keyblob; vector<KeyCharacteristics> key_characteristics; vector<Certificate> cert_chain; auto result = GenerateKey(builder, std::nullopt, &keyblob, &key_characteristics, &cert_chain); if (SecLevel() == SecurityLevel::STRONGBOX) { if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) { result = GenerateKeyWithSelfSignedAttestKey(AuthorizationSetBuilder() .EcdsaKey(EcCurve::P_256) .AttestKey() .SetDefaultValidity(), builder, &keyblob, &key_characteristics, &cert_chain); } } auto result = GenerateKey(builder, &keyblob, &key_characteristics); ASSERT_EQ(ErrorCode::OK, result); // Verify first user to get a HAT that should work. Loading
security/keymint/aidl/vts/functional/BootloaderStateTest.cpp +0 −12 Original line number Diff line number Diff line Loading @@ -54,18 +54,6 @@ class BootloaderStateTest : public KeyMintAidlTestBase { .Digest(Digest::NONE) .SetDefaultValidity(); auto result = GenerateKey(keyDesc, &key_blob, &key_characteristics); // If factory provisioned attestation key is not supported by Strongbox, // then create a key with self-signed attestation and use it as the // attestation key instead. if (SecLevel() == SecurityLevel::STRONGBOX && result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) { result = GenerateKeyWithSelfSignedAttestKey( AuthorizationSetBuilder() .EcdsaKey(EcCurve::P_256) .AttestKey() .SetDefaultValidity(), /* attest key params */ keyDesc, &key_blob, &key_characteristics); } ASSERT_EQ(ErrorCode::OK, result); // Parse attested AVB values. Loading
