Loading current.txt +1 −0 Original line number Diff line number Diff line Loading @@ -4,6 +4,7 @@ # Test HALs 717c17cd380bb48710dff601d1a03351d4ebc28028353d5d60489248f506523c android.hardware.tests.lazy@1.0::ILazy 67222a2ed4071b6c232e671ce0f4be4f85c1c6fb017ec2355396adaae1fe26be android.hardware.tests.lazy@1.1::ILazy # HALs released in Android O Loading graphics/composer/2.1/vts/OWNERS +1 −1 Original line number Diff line number Diff line # Graphics team adyabr@google.com lpy@google.com vhau@google.com # VTS team yim@google.com Loading keymaster/4.0/support/attestation_record.cpp +74 −37 Original line number Diff line number Diff line Loading @@ -71,6 +71,7 @@ typedef struct km_auth_list { ASN1_INTEGER_SET* padding; ASN1_INTEGER* ec_curve; ASN1_INTEGER* rsa_public_exponent; ASN1_NULL* rollback_resistance; ASN1_INTEGER* active_date_time; ASN1_INTEGER* origination_expire_date_time; ASN1_INTEGER* usage_expire_date_time; Loading 
@@ -78,18 +79,25 @@ typedef struct km_auth_list { ASN1_INTEGER* user_auth_type; ASN1_INTEGER* auth_timeout; ASN1_NULL* allow_while_on_body; ASN1_NULL* trusted_user_presence_required; ASN1_NULL* trusted_confirmation_required; ASN1_NULL* unlocked_device_required; ASN1_NULL* all_applications; ASN1_OCTET_STRING* application_id; ASN1_INTEGER* creation_date_time; ASN1_INTEGER* origin; ASN1_NULL* rollback_resistance; KM_ROOT_OF_TRUST* root_of_trust; ASN1_INTEGER* os_version; ASN1_INTEGER* os_patchlevel; ASN1_OCTET_STRING* attestation_application_id; ASN1_NULL* trusted_user_presence_required; ASN1_NULL* trusted_confirmation_required; ASN1_NULL* unlocked_device_required; ASN1_OCTET_STRING* attestation_id_brand; ASN1_OCTET_STRING* attestation_id_device; ASN1_OCTET_STRING* attestation_id_product; ASN1_OCTET_STRING* attestation_id_serial; ASN1_OCTET_STRING* attestation_id_imei; ASN1_OCTET_STRING* attestation_id_meid; ASN1_OCTET_STRING* attestation_id_manufacturer; ASN1_OCTET_STRING* attestation_id_model; ASN1_INTEGER* vendor_patchlevel; ASN1_INTEGER* boot_patchlevel; } KM_AUTH_LIST; Loading @@ -103,7 +111,9 @@ ASN1_SEQUENCE(KM_AUTH_LIST) = { ASN1_EXP_OPT(KM_AUTH_LIST, ec_curve, ASN1_INTEGER, TAG_EC_CURVE.maskedTag()), ASN1_EXP_OPT(KM_AUTH_LIST, rsa_public_exponent, ASN1_INTEGER, TAG_RSA_PUBLIC_EXPONENT.maskedTag()), ASN1_EXP_OPT(KM_AUTH_LIST, rollback_resistance, ASN1_NULL, TAG_ROLLBACK_RESISTANCE.maskedTag()), ASN1_EXP_OPT(KM_AUTH_LIST, rollback_resistance, ASN1_NULL, TAG_ROLLBACK_RESISTANCE.maskedTag()), ASN1_EXP_OPT(KM_AUTH_LIST, active_date_time, ASN1_INTEGER, TAG_ACTIVE_DATETIME.maskedTag()), ASN1_EXP_OPT(KM_AUTH_LIST, origination_expire_date_time, ASN1_INTEGER, TAG_ORIGINATION_EXPIRE_DATETIME.maskedTag()), Loading 
@@ -112,22 +122,41 @@ ASN1_SEQUENCE(KM_AUTH_LIST) = { ASN1_EXP_OPT(KM_AUTH_LIST, no_auth_required, ASN1_NULL, TAG_NO_AUTH_REQUIRED.maskedTag()), ASN1_EXP_OPT(KM_AUTH_LIST, user_auth_type, ASN1_INTEGER, TAG_USER_AUTH_TYPE.maskedTag()), ASN1_EXP_OPT(KM_AUTH_LIST, auth_timeout, ASN1_INTEGER, TAG_AUTH_TIMEOUT.maskedTag()), ASN1_EXP_OPT(KM_AUTH_LIST, allow_while_on_body, ASN1_NULL, TAG_ALLOW_WHILE_ON_BODY.maskedTag()), ASN1_EXP_OPT(KM_AUTH_LIST, allow_while_on_body, ASN1_NULL, TAG_ALLOW_WHILE_ON_BODY.maskedTag()), ASN1_EXP_OPT(KM_AUTH_LIST, trusted_user_presence_required, ASN1_NULL, TAG_TRUSTED_USER_PRESENCE_REQUIRED.maskedTag()), ASN1_EXP_OPT(KM_AUTH_LIST, trusted_confirmation_required, ASN1_NULL, TAG_TRUSTED_CONFIRMATION_REQUIRED.maskedTag()), ASN1_EXP_OPT(KM_AUTH_LIST, unlocked_device_required, ASN1_NULL, TAG_UNLOCKED_DEVICE_REQUIRED.maskedTag()), ASN1_EXP_OPT(KM_AUTH_LIST, creation_date_time, ASN1_INTEGER, TAG_CREATION_DATETIME.maskedTag()), ASN1_EXP_OPT(KM_AUTH_LIST, creation_date_time, ASN1_INTEGER, TAG_CREATION_DATETIME.maskedTag()), ASN1_EXP_OPT(KM_AUTH_LIST, origin, ASN1_INTEGER, TAG_ORIGIN.maskedTag()), ASN1_EXP_OPT(KM_AUTH_LIST, root_of_trust, KM_ROOT_OF_TRUST, TAG_ROOT_OF_TRUST.maskedTag()), ASN1_EXP_OPT(KM_AUTH_LIST, os_version, ASN1_INTEGER, TAG_OS_VERSION.maskedTag()), ASN1_EXP_OPT(KM_AUTH_LIST, os_patchlevel, ASN1_INTEGER, TAG_OS_PATCHLEVEL.maskedTag()), ASN1_EXP_OPT(KM_AUTH_LIST, vendor_patchlevel, ASN1_INTEGER, TAG_VENDOR_PATCHLEVEL.maskedTag()), ASN1_EXP_OPT(KM_AUTH_LIST, boot_patchlevel, ASN1_INTEGER, TAG_BOOT_PATCHLEVEL.maskedTag()), ASN1_EXP_OPT(KM_AUTH_LIST, attestation_application_id, ASN1_OCTET_STRING, TAG_ATTESTATION_APPLICATION_ID.maskedTag()), ASN1_EXP_OPT(KM_AUTH_LIST, attestation_id_brand, ASN1_OCTET_STRING, TAG_ATTESTATION_ID_BRAND.maskedTag()), ASN1_EXP_OPT(KM_AUTH_LIST, attestation_id_device, ASN1_OCTET_STRING, TAG_ATTESTATION_ID_DEVICE.maskedTag()), ASN1_EXP_OPT(KM_AUTH_LIST, attestation_id_product, ASN1_OCTET_STRING, 
TAG_ATTESTATION_ID_PRODUCT.maskedTag()), ASN1_EXP_OPT(KM_AUTH_LIST, attestation_id_serial, ASN1_OCTET_STRING, TAG_ATTESTATION_ID_SERIAL.maskedTag()), ASN1_EXP_OPT(KM_AUTH_LIST, attestation_id_imei, ASN1_OCTET_STRING, TAG_ATTESTATION_ID_IMEI.maskedTag()), ASN1_EXP_OPT(KM_AUTH_LIST, attestation_id_meid, ASN1_OCTET_STRING, TAG_ATTESTATION_ID_MEID.maskedTag()), ASN1_EXP_OPT(KM_AUTH_LIST, attestation_id_manufacturer, ASN1_OCTET_STRING, TAG_ATTESTATION_ID_MANUFACTURER.maskedTag()), ASN1_EXP_OPT(KM_AUTH_LIST, attestation_id_model, ASN1_OCTET_STRING, TAG_ATTESTATION_ID_MODEL.maskedTag()), ASN1_EXP_OPT(KM_AUTH_LIST, vendor_patchlevel, ASN1_INTEGER, TAG_VENDOR_PATCHLEVEL.maskedTag()), ASN1_EXP_OPT(KM_AUTH_LIST, boot_patchlevel, ASN1_INTEGER, TAG_BOOT_PATCHLEVEL.maskedTag()), } ASN1_SEQUENCE_END(KM_AUTH_LIST); IMPLEMENT_ASN1_FUNCTIONS(KM_AUTH_LIST); Loading Loading 
@@ -259,6 +288,14 @@ static ErrorCode extract_auth_list(const KM_AUTH_LIST* record, AuthorizationSet* copyAuthTag(record->usage_expire_date_time, TAG_USAGE_EXPIRE_DATETIME, auth_list); copyAuthTag(record->user_auth_type, TAG_USER_AUTH_TYPE, auth_list); copyAuthTag(record->attestation_application_id, TAG_ATTESTATION_APPLICATION_ID, auth_list); copyAuthTag(record->attestation_id_brand, TAG_ATTESTATION_ID_BRAND, auth_list); copyAuthTag(record->attestation_id_device, TAG_ATTESTATION_ID_DEVICE, auth_list); copyAuthTag(record->attestation_id_product, TAG_ATTESTATION_ID_PRODUCT, auth_list); copyAuthTag(record->attestation_id_serial, TAG_ATTESTATION_ID_SERIAL, auth_list); copyAuthTag(record->attestation_id_imei, TAG_ATTESTATION_ID_IMEI, auth_list); copyAuthTag(record->attestation_id_meid, TAG_ATTESTATION_ID_MEID, auth_list); copyAuthTag(record->attestation_id_manufacturer, TAG_ATTESTATION_ID_MANUFACTURER, auth_list); copyAuthTag(record->attestation_id_model, TAG_ATTESTATION_ID_MODEL, auth_list); copyAuthTag(record->vendor_patchlevel, TAG_VENDOR_PATCHLEVEL, auth_list); copyAuthTag(record->boot_patchlevel, TAG_BOOT_PATCHLEVEL, auth_list); copyAuthTag(record->trusted_user_presence_required, TAG_TRUSTED_USER_PRESENCE_REQUIRED, Loading keymaster/4.0/vts/functional/keymaster_hidl_hal_test.cpp +101 −0 Original line number Diff line number Diff line Loading 
@@ -96,6 +96,18 @@ bool contains(hidl_vec<KeyParameter>& set, TypedTag<tag_type, tag>) { return count > 0; } // If the given property is available, add it to the tag set under the given tag ID. template <Tag tag> void add_tag_from_prop(AuthorizationSetBuilder* tags, TypedTag<TagType::BYTES, tag> ttag, const char* prop) { char value[PROPERTY_VALUE_MAX]; int len = property_get(prop, value, /* default = */ ""); if (len > 0) { tags->Authorization(ttag, reinterpret_cast<const uint8_t*>(value), static_cast<size_t>(len)); } } constexpr char hex_value[256] = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, // 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, // 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, // Loading Loading 
@@ -4408,6 +4420,95 @@ TEST_P(AttestationTest, EcAttestation) { SecLevel(), cert_chain[0])); } /* * AttestationTest.EcAttestationID * * Verifies that attesting to EC keys with correct attestation ID fields works and generates the * expected output. */ TEST_P(AttestationTest, EcAttestationID) { ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder() .Authorization(TAG_NO_AUTH_REQUIRED) .EcdsaSigningKey(EcCurve::P_256) .Digest(Digest::SHA_2_256) .Authorization(TAG_INCLUDE_UNIQUE_ID))); // Collection of valid attestation ID tags. auto attestation_id_tags = AuthorizationSetBuilder(); add_tag_from_prop(&attestation_id_tags, TAG_ATTESTATION_ID_BRAND, "ro.product.brand"); add_tag_from_prop(&attestation_id_tags, TAG_ATTESTATION_ID_DEVICE, "ro.product.device"); add_tag_from_prop(&attestation_id_tags, TAG_ATTESTATION_ID_PRODUCT, "ro.product.name"); add_tag_from_prop(&attestation_id_tags, TAG_ATTESTATION_ID_SERIAL, "ro.serial"); add_tag_from_prop(&attestation_id_tags, TAG_ATTESTATION_ID_MANUFACTURER, "ro.product.manufacturer"); add_tag_from_prop(&attestation_id_tags, TAG_ATTESTATION_ID_MODEL, "ro.product.model"); for (const KeyParameter& tag : attestation_id_tags) { AuthorizationSetBuilder builder = AuthorizationSetBuilder() .Authorization(TAG_ATTESTATION_CHALLENGE, HidlBuf("challenge")) .Authorization(TAG_ATTESTATION_APPLICATION_ID, HidlBuf("foo")); // Include one of the (valid) attestation ID tags. 
builder.push_back(tag); hidl_vec<hidl_vec<uint8_t>> cert_chain; auto result = AttestKey(builder, &cert_chain); if (result == ErrorCode::CANNOT_ATTEST_IDS) { continue; } ASSERT_EQ(ErrorCode::OK, result); EXPECT_GE(cert_chain.size(), 2U); std::vector<KeyParameter> expected_hw_enforced = key_characteristics_.hardwareEnforced; expected_hw_enforced.push_back(tag); EXPECT_TRUE(verify_attestation_record( "challenge", "foo", key_characteristics_.softwareEnforced, hidl_vec<KeyParameter>(expected_hw_enforced), SecLevel(), cert_chain[0])); } } /* * AttestationTest.EcAttestationMismatchID * * Verifies that attesting to EC keys with incorrect attestation ID fields fails. */ TEST_P(AttestationTest, EcAttestationMismatchID) { ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder() .Authorization(TAG_NO_AUTH_REQUIRED) .EcdsaSigningKey(EcCurve::P_256) .Digest(Digest::SHA_2_256) .Authorization(TAG_INCLUDE_UNIQUE_ID))); // Collection of invalid attestation ID tags. std::string invalid = "completely-invalid"; auto invalid_tags = AuthorizationSetBuilder() .Authorization(V4_0::TAG_ATTESTATION_ID_BRAND, invalid.data(), invalid.size()) .Authorization(V4_0::TAG_ATTESTATION_ID_DEVICE, invalid.data(), invalid.size()) .Authorization(V4_0::TAG_ATTESTATION_ID_PRODUCT, invalid.data(), invalid.size()) .Authorization(V4_0::TAG_ATTESTATION_ID_SERIAL, invalid.data(), invalid.size()) .Authorization(V4_0::TAG_ATTESTATION_ID_IMEI, invalid.data(), invalid.size()) .Authorization(V4_0::TAG_ATTESTATION_ID_MEID, invalid.data(), invalid.size()) .Authorization(V4_0::TAG_ATTESTATION_ID_MANUFACTURER, invalid.data(), invalid.size()) .Authorization(V4_0::TAG_ATTESTATION_ID_MODEL, invalid.data(), invalid.size()); for (const KeyParameter& invalid_tag : invalid_tags) { AuthorizationSetBuilder builder = AuthorizationSetBuilder() .Authorization(TAG_ATTESTATION_CHALLENGE, HidlBuf("challenge")) .Authorization(TAG_ATTESTATION_APPLICATION_ID, HidlBuf("foo")); // Include one of the invalid attestation ID tags. 
builder.push_back(invalid_tag); hidl_vec<hidl_vec<uint8_t>> cert_chain; auto result = AttestKey(builder, &cert_chain); EXPECT_TRUE(result == ErrorCode::CANNOT_ATTEST_IDS || result == ErrorCode::INVALID_TAG) << "result: " << static_cast<int32_t>(result); } } /* * AttestationTest.EcAttestationRequiresAttestationAppId * Loading keymaster/4.1/support/attestation_record.cpp +40 −8 Original line number Diff line number Diff line Loading @@ -79,6 +79,8 @@ typedef struct km_auth_list { ASN1_INTEGER_SET* padding; ASN1_INTEGER* ec_curve; ASN1_INTEGER* rsa_public_exponent; ASN1_NULL* rollback_resistance; ASN1_NULL* early_boot_only; ASN1_INTEGER* active_date_time; ASN1_INTEGER* origination_expire_date_time; ASN1_INTEGER* usage_expire_date_time; Loading @@ -86,21 +88,27 @@ typedef struct km_auth_list { ASN1_INTEGER* user_auth_type; ASN1_INTEGER* auth_timeout; ASN1_NULL* allow_while_on_body; ASN1_NULL* trusted_user_presence_required; ASN1_NULL* trusted_confirmation_required; ASN1_NULL* unlocked_device_required; ASN1_NULL* all_applications; ASN1_OCTET_STRING* application_id; ASN1_INTEGER* creation_date_time; ASN1_INTEGER* origin; ASN1_NULL* rollback_resistance; KM_ROOT_OF_TRUST* root_of_trust; ASN1_INTEGER* os_version; ASN1_INTEGER* os_patchlevel; ASN1_OCTET_STRING* attestation_application_id; ASN1_NULL* trusted_user_presence_required; ASN1_NULL* trusted_confirmation_required; ASN1_NULL* unlocked_device_required; ASN1_OCTET_STRING* attestation_id_brand; ASN1_OCTET_STRING* attestation_id_device; ASN1_OCTET_STRING* attestation_id_product; ASN1_OCTET_STRING* attestation_id_serial; ASN1_OCTET_STRING* attestation_id_imei; ASN1_OCTET_STRING* attestation_id_meid; ASN1_OCTET_STRING* attestation_id_manufacturer; ASN1_OCTET_STRING* attestation_id_model; ASN1_INTEGER* vendor_patchlevel; ASN1_INTEGER* boot_patchlevel; ASN1_NULL* early_boot_only; ASN1_NULL* device_unique_attestation; ASN1_NULL* identity_credential_key; } KM_AUTH_LIST; Loading 
@@ -116,6 +124,7 @@ ASN1_SEQUENCE(KM_AUTH_LIST) = { TAG_RSA_PUBLIC_EXPONENT.maskedTag()), ASN1_EXP_OPT(KM_AUTH_LIST, rollback_resistance, ASN1_NULL, TAG_ROLLBACK_RESISTANCE.maskedTag()), ASN1_EXP_OPT(KM_AUTH_LIST, early_boot_only, ASN1_NULL, TAG_EARLY_BOOT_ONLY.maskedTag()), ASN1_EXP_OPT(KM_AUTH_LIST, active_date_time, ASN1_INTEGER, TAG_ACTIVE_DATETIME.maskedTag()), ASN1_EXP_OPT(KM_AUTH_LIST, origination_expire_date_time, ASN1_INTEGER, TAG_ORIGINATION_EXPIRE_DATETIME.maskedTag()), Loading 
@@ -138,12 +147,27 @@ ASN1_SEQUENCE(KM_AUTH_LIST) = { ASN1_EXP_OPT(KM_AUTH_LIST, root_of_trust, KM_ROOT_OF_TRUST, TAG_ROOT_OF_TRUST.maskedTag()), ASN1_EXP_OPT(KM_AUTH_LIST, os_version, ASN1_INTEGER, TAG_OS_VERSION.maskedTag()), ASN1_EXP_OPT(KM_AUTH_LIST, os_patchlevel, ASN1_INTEGER, TAG_OS_PATCHLEVEL.maskedTag()), ASN1_EXP_OPT(KM_AUTH_LIST, attestation_application_id, ASN1_OCTET_STRING, TAG_ATTESTATION_APPLICATION_ID.maskedTag()), ASN1_EXP_OPT(KM_AUTH_LIST, attestation_id_brand, ASN1_OCTET_STRING, TAG_ATTESTATION_ID_BRAND.maskedTag()), ASN1_EXP_OPT(KM_AUTH_LIST, attestation_id_device, ASN1_OCTET_STRING, TAG_ATTESTATION_ID_DEVICE.maskedTag()), ASN1_EXP_OPT(KM_AUTH_LIST, attestation_id_product, ASN1_OCTET_STRING, TAG_ATTESTATION_ID_PRODUCT.maskedTag()), ASN1_EXP_OPT(KM_AUTH_LIST, attestation_id_serial, ASN1_OCTET_STRING, TAG_ATTESTATION_ID_SERIAL.maskedTag()), ASN1_EXP_OPT(KM_AUTH_LIST, attestation_id_imei, ASN1_OCTET_STRING, TAG_ATTESTATION_ID_IMEI.maskedTag()), ASN1_EXP_OPT(KM_AUTH_LIST, attestation_id_meid, ASN1_OCTET_STRING, TAG_ATTESTATION_ID_MEID.maskedTag()), ASN1_EXP_OPT(KM_AUTH_LIST, attestation_id_manufacturer, ASN1_OCTET_STRING, TAG_ATTESTATION_ID_MANUFACTURER.maskedTag()), ASN1_EXP_OPT(KM_AUTH_LIST, attestation_id_model, ASN1_OCTET_STRING, TAG_ATTESTATION_ID_MODEL.maskedTag()), ASN1_EXP_OPT(KM_AUTH_LIST, vendor_patchlevel, ASN1_INTEGER, TAG_VENDOR_PATCHLEVEL.maskedTag()), ASN1_EXP_OPT(KM_AUTH_LIST, boot_patchlevel, ASN1_INTEGER, TAG_BOOT_PATCHLEVEL.maskedTag()), ASN1_EXP_OPT(KM_AUTH_LIST, attestation_application_id, ASN1_OCTET_STRING, TAG_ATTESTATION_APPLICATION_ID.maskedTag()), ASN1_EXP_OPT(KM_AUTH_LIST, early_boot_only, ASN1_NULL, TAG_EARLY_BOOT_ONLY.maskedTag()), ASN1_EXP_OPT(KM_AUTH_LIST, device_unique_attestation, ASN1_NULL, TAG_DEVICE_UNIQUE_ATTESTATION.maskedTag()), ASN1_EXP_OPT(KM_AUTH_LIST, identity_credential_key, ASN1_NULL, Loading Loading 
@@ -279,6 +303,14 @@ static ErrorCode extract_auth_list(const KM_AUTH_LIST* record, AuthorizationSet* copyAuthTag(record->usage_expire_date_time, TAG_USAGE_EXPIRE_DATETIME, auth_list); copyAuthTag(record->user_auth_type, TAG_USER_AUTH_TYPE, auth_list); copyAuthTag(record->attestation_application_id, TAG_ATTESTATION_APPLICATION_ID, auth_list); copyAuthTag(record->attestation_id_brand, TAG_ATTESTATION_ID_BRAND, auth_list); copyAuthTag(record->attestation_id_device, TAG_ATTESTATION_ID_DEVICE, auth_list); copyAuthTag(record->attestation_id_product, TAG_ATTESTATION_ID_PRODUCT, auth_list); copyAuthTag(record->attestation_id_serial, TAG_ATTESTATION_ID_SERIAL, auth_list); copyAuthTag(record->attestation_id_imei, TAG_ATTESTATION_ID_IMEI, auth_list); copyAuthTag(record->attestation_id_meid, TAG_ATTESTATION_ID_MEID, auth_list); copyAuthTag(record->attestation_id_manufacturer, TAG_ATTESTATION_ID_MANUFACTURER, auth_list); copyAuthTag(record->attestation_id_model, TAG_ATTESTATION_ID_MODEL, auth_list); copyAuthTag(record->vendor_patchlevel, TAG_VENDOR_PATCHLEVEL, auth_list); copyAuthTag(record->boot_patchlevel, TAG_BOOT_PATCHLEVEL, auth_list); copyAuthTag(record->trusted_user_presence_required, TAG_TRUSTED_USER_PRESENCE_REQUIRED, Loading Loading
current.txt +1 −0 @@ -4,6 +4,7 @@ # Test HALs 717c17cd380bb48710dff601d1a03351d4ebc28028353d5d60489248f506523c android.hardware.tests.lazy@1.0::ILazy 67222a2ed4071b6c232e671ce0f4be4f85c1c6fb017ec2355396adaae1fe26be android.hardware.tests.lazy@1.1::ILazy # HALs released in Android O
graphics/composer/2.1/vts/OWNERS +1 −1 # Graphics team adyabr@google.com lpy@google.com vhau@google.com # VTS team yim@google.com
keymaster/4.0/support/attestation_record.cpp +74 −37 Original line number Diff line number Diff line Loading @@ -71,6 +71,7 @@ typedef struct km_auth_list { ASN1_INTEGER_SET* padding; ASN1_INTEGER* ec_curve; ASN1_INTEGER* rsa_public_exponent; ASN1_NULL* rollback_resistance; ASN1_INTEGER* active_date_time; ASN1_INTEGER* origination_expire_date_time; ASN1_INTEGER* usage_expire_date_time; Loading @@ -78,18 +79,25 @@ typedef struct km_auth_list { ASN1_INTEGER* user_auth_type; ASN1_INTEGER* auth_timeout; ASN1_NULL* allow_while_on_body; ASN1_NULL* trusted_user_presence_required; ASN1_NULL* trusted_confirmation_required; ASN1_NULL* unlocked_device_required; ASN1_NULL* all_applications; ASN1_OCTET_STRING* application_id; ASN1_INTEGER* creation_date_time; ASN1_INTEGER* origin; ASN1_NULL* rollback_resistance; KM_ROOT_OF_TRUST* root_of_trust; ASN1_INTEGER* os_version; ASN1_INTEGER* os_patchlevel; ASN1_OCTET_STRING* attestation_application_id; ASN1_NULL* trusted_user_presence_required; ASN1_NULL* trusted_confirmation_required; ASN1_NULL* unlocked_device_required; ASN1_OCTET_STRING* attestation_id_brand; ASN1_OCTET_STRING* attestation_id_device; ASN1_OCTET_STRING* attestation_id_product; ASN1_OCTET_STRING* attestation_id_serial; ASN1_OCTET_STRING* attestation_id_imei; ASN1_OCTET_STRING* attestation_id_meid; ASN1_OCTET_STRING* attestation_id_manufacturer; ASN1_OCTET_STRING* attestation_id_model; ASN1_INTEGER* vendor_patchlevel; ASN1_INTEGER* boot_patchlevel; } KM_AUTH_LIST; Loading 
@@ -103,7 +111,9 @@ ASN1_SEQUENCE(KM_AUTH_LIST) = { ASN1_EXP_OPT(KM_AUTH_LIST, ec_curve, ASN1_INTEGER, TAG_EC_CURVE.maskedTag()), ASN1_EXP_OPT(KM_AUTH_LIST, rsa_public_exponent, ASN1_INTEGER, TAG_RSA_PUBLIC_EXPONENT.maskedTag()), ASN1_EXP_OPT(KM_AUTH_LIST, rollback_resistance, ASN1_NULL, TAG_ROLLBACK_RESISTANCE.maskedTag()), ASN1_EXP_OPT(KM_AUTH_LIST, rollback_resistance, ASN1_NULL, TAG_ROLLBACK_RESISTANCE.maskedTag()), ASN1_EXP_OPT(KM_AUTH_LIST, active_date_time, ASN1_INTEGER, TAG_ACTIVE_DATETIME.maskedTag()), ASN1_EXP_OPT(KM_AUTH_LIST, origination_expire_date_time, ASN1_INTEGER, TAG_ORIGINATION_EXPIRE_DATETIME.maskedTag()), Loading 
@@ -112,22 +122,41 @@ ASN1_SEQUENCE(KM_AUTH_LIST) = { ASN1_EXP_OPT(KM_AUTH_LIST, no_auth_required, ASN1_NULL, TAG_NO_AUTH_REQUIRED.maskedTag()), ASN1_EXP_OPT(KM_AUTH_LIST, user_auth_type, ASN1_INTEGER, TAG_USER_AUTH_TYPE.maskedTag()), ASN1_EXP_OPT(KM_AUTH_LIST, auth_timeout, ASN1_INTEGER, TAG_AUTH_TIMEOUT.maskedTag()), ASN1_EXP_OPT(KM_AUTH_LIST, allow_while_on_body, ASN1_NULL, TAG_ALLOW_WHILE_ON_BODY.maskedTag()), ASN1_EXP_OPT(KM_AUTH_LIST, allow_while_on_body, ASN1_NULL, TAG_ALLOW_WHILE_ON_BODY.maskedTag()), ASN1_EXP_OPT(KM_AUTH_LIST, trusted_user_presence_required, ASN1_NULL, TAG_TRUSTED_USER_PRESENCE_REQUIRED.maskedTag()), ASN1_EXP_OPT(KM_AUTH_LIST, trusted_confirmation_required, ASN1_NULL, TAG_TRUSTED_CONFIRMATION_REQUIRED.maskedTag()), ASN1_EXP_OPT(KM_AUTH_LIST, unlocked_device_required, ASN1_NULL, TAG_UNLOCKED_DEVICE_REQUIRED.maskedTag()), ASN1_EXP_OPT(KM_AUTH_LIST, creation_date_time, ASN1_INTEGER, TAG_CREATION_DATETIME.maskedTag()), ASN1_EXP_OPT(KM_AUTH_LIST, creation_date_time, ASN1_INTEGER, TAG_CREATION_DATETIME.maskedTag()), ASN1_EXP_OPT(KM_AUTH_LIST, origin, ASN1_INTEGER, TAG_ORIGIN.maskedTag()), ASN1_EXP_OPT(KM_AUTH_LIST, root_of_trust, KM_ROOT_OF_TRUST, TAG_ROOT_OF_TRUST.maskedTag()), ASN1_EXP_OPT(KM_AUTH_LIST, os_version, ASN1_INTEGER, TAG_OS_VERSION.maskedTag()), ASN1_EXP_OPT(KM_AUTH_LIST, os_patchlevel, ASN1_INTEGER, TAG_OS_PATCHLEVEL.maskedTag()), ASN1_EXP_OPT(KM_AUTH_LIST, vendor_patchlevel, ASN1_INTEGER, TAG_VENDOR_PATCHLEVEL.maskedTag()), ASN1_EXP_OPT(KM_AUTH_LIST, boot_patchlevel, ASN1_INTEGER, TAG_BOOT_PATCHLEVEL.maskedTag()), ASN1_EXP_OPT(KM_AUTH_LIST, attestation_application_id, ASN1_OCTET_STRING, TAG_ATTESTATION_APPLICATION_ID.maskedTag()), ASN1_EXP_OPT(KM_AUTH_LIST, attestation_id_brand, ASN1_OCTET_STRING, TAG_ATTESTATION_ID_BRAND.maskedTag()), ASN1_EXP_OPT(KM_AUTH_LIST, attestation_id_device, ASN1_OCTET_STRING, TAG_ATTESTATION_ID_DEVICE.maskedTag()), ASN1_EXP_OPT(KM_AUTH_LIST, attestation_id_product, ASN1_OCTET_STRING, 
TAG_ATTESTATION_ID_PRODUCT.maskedTag()), ASN1_EXP_OPT(KM_AUTH_LIST, attestation_id_serial, ASN1_OCTET_STRING, TAG_ATTESTATION_ID_SERIAL.maskedTag()), ASN1_EXP_OPT(KM_AUTH_LIST, attestation_id_imei, ASN1_OCTET_STRING, TAG_ATTESTATION_ID_IMEI.maskedTag()), ASN1_EXP_OPT(KM_AUTH_LIST, attestation_id_meid, ASN1_OCTET_STRING, TAG_ATTESTATION_ID_MEID.maskedTag()), ASN1_EXP_OPT(KM_AUTH_LIST, attestation_id_manufacturer, ASN1_OCTET_STRING, TAG_ATTESTATION_ID_MANUFACTURER.maskedTag()), ASN1_EXP_OPT(KM_AUTH_LIST, attestation_id_model, ASN1_OCTET_STRING, TAG_ATTESTATION_ID_MODEL.maskedTag()), ASN1_EXP_OPT(KM_AUTH_LIST, vendor_patchlevel, ASN1_INTEGER, TAG_VENDOR_PATCHLEVEL.maskedTag()), ASN1_EXP_OPT(KM_AUTH_LIST, boot_patchlevel, ASN1_INTEGER, TAG_BOOT_PATCHLEVEL.maskedTag()), } ASN1_SEQUENCE_END(KM_AUTH_LIST); IMPLEMENT_ASN1_FUNCTIONS(KM_AUTH_LIST); Loading Loading 
@@ -259,6 +288,14 @@ static ErrorCode extract_auth_list(const KM_AUTH_LIST* record, AuthorizationSet* copyAuthTag(record->usage_expire_date_time, TAG_USAGE_EXPIRE_DATETIME, auth_list); copyAuthTag(record->user_auth_type, TAG_USER_AUTH_TYPE, auth_list); copyAuthTag(record->attestation_application_id, TAG_ATTESTATION_APPLICATION_ID, auth_list); copyAuthTag(record->attestation_id_brand, TAG_ATTESTATION_ID_BRAND, auth_list); copyAuthTag(record->attestation_id_device, TAG_ATTESTATION_ID_DEVICE, auth_list); copyAuthTag(record->attestation_id_product, TAG_ATTESTATION_ID_PRODUCT, auth_list); copyAuthTag(record->attestation_id_serial, TAG_ATTESTATION_ID_SERIAL, auth_list); copyAuthTag(record->attestation_id_imei, TAG_ATTESTATION_ID_IMEI, auth_list); copyAuthTag(record->attestation_id_meid, TAG_ATTESTATION_ID_MEID, auth_list); copyAuthTag(record->attestation_id_manufacturer, TAG_ATTESTATION_ID_MANUFACTURER, auth_list); copyAuthTag(record->attestation_id_model, TAG_ATTESTATION_ID_MODEL, auth_list); copyAuthTag(record->vendor_patchlevel, TAG_VENDOR_PATCHLEVEL, auth_list); copyAuthTag(record->boot_patchlevel, TAG_BOOT_PATCHLEVEL, auth_list); copyAuthTag(record->trusted_user_presence_required, TAG_TRUSTED_USER_PRESENCE_REQUIRED, Loading
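Review bot: The KM_AUTH_LIST struct and its ASN1_SEQUENCE template depend on entry order, and nothing in the visible hunks says so. The change moves rollback_resistance, the trusted_*/unlocked_device_required entries and the patchlevel entries, and places the new attestation_id_* entries between attestation_application_id and vendor_patchlevel, which looks like a move to tag order. OpenSSL's template decoder walks the ASN1_EXP_OPT entries in sequence, so an entry out of order is expected to make parsing fail on an otherwise valid attestation record, or leave a field unread that a verifier built on extract_auth_list should compare. I would add a comment above the template such as `// Entries must stay in tag order, matching the attestation schema; the decoder matches OPTIONAL fields in sequence.`, and the same in keymaster/4.1/support/attestation_record.cpp, which gets the same reordering. The +/- markers are lost on this page, so which of the repeated lines is the new one is inferred from the hunk headers.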
keymaster/4.0/vts/functional/keymaster_hidl_hal_test.cpp +101 −0 Original line number Diff line number Diff line Loading @@ -96,6 +96,18 @@ bool contains(hidl_vec<KeyParameter>& set, TypedTag<tag_type, tag>) { return count > 0; } // If the given property is available, add it to the tag set under the given tag ID. template <Tag tag> void add_tag_from_prop(AuthorizationSetBuilder* tags, TypedTag<TagType::BYTES, tag> ttag, const char* prop) { char value[PROPERTY_VALUE_MAX]; int len = property_get(prop, value, /* default = */ ""); if (len > 0) { tags->Authorization(ttag, reinterpret_cast<const uint8_t*>(value), static_cast<size_t>(len)); } } constexpr char hex_value[256] = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, // 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, // 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, // Loading Loading 
@@ -4408,6 +4420,95 @@ TEST_P(AttestationTest, EcAttestation) { SecLevel(), cert_chain[0])); } /* * AttestationTest.EcAttestationID * * Verifies that attesting to EC keys with correct attestation ID fields works and generates the * expected output. */ TEST_P(AttestationTest, EcAttestationID) { ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder() .Authorization(TAG_NO_AUTH_REQUIRED) .EcdsaSigningKey(EcCurve::P_256) .Digest(Digest::SHA_2_256) .Authorization(TAG_INCLUDE_UNIQUE_ID))); // Collection of valid attestation ID tags. auto attestation_id_tags = AuthorizationSetBuilder(); add_tag_from_prop(&attestation_id_tags, TAG_ATTESTATION_ID_BRAND, "ro.product.brand"); add_tag_from_prop(&attestation_id_tags, TAG_ATTESTATION_ID_DEVICE, "ro.product.device"); add_tag_from_prop(&attestation_id_tags, TAG_ATTESTATION_ID_PRODUCT, "ro.product.name"); add_tag_from_prop(&attestation_id_tags, TAG_ATTESTATION_ID_SERIAL, "ro.serial"); add_tag_from_prop(&attestation_id_tags, TAG_ATTESTATION_ID_MANUFACTURER, "ro.product.manufacturer"); add_tag_from_prop(&attestation_id_tags, TAG_ATTESTATION_ID_MODEL, "ro.product.model"); for (const KeyParameter& tag : attestation_id_tags) { AuthorizationSetBuilder builder = AuthorizationSetBuilder() .Authorization(TAG_ATTESTATION_CHALLENGE, HidlBuf("challenge")) .Authorization(TAG_ATTESTATION_APPLICATION_ID, HidlBuf("foo")); // Include one of the (valid) attestation ID tags. 
builder.push_back(tag); hidl_vec<hidl_vec<uint8_t>> cert_chain; auto result = AttestKey(builder, &cert_chain); if (result == ErrorCode::CANNOT_ATTEST_IDS) { continue; } ASSERT_EQ(ErrorCode::OK, result); EXPECT_GE(cert_chain.size(), 2U); std::vector<KeyParameter> expected_hw_enforced = key_characteristics_.hardwareEnforced; expected_hw_enforced.push_back(tag); EXPECT_TRUE(verify_attestation_record( "challenge", "foo", key_characteristics_.softwareEnforced, hidl_vec<KeyParameter>(expected_hw_enforced), SecLevel(), cert_chain[0])); } } /* * AttestationTest.EcAttestationMismatchID * * Verifies that attesting to EC keys with incorrect attestation ID fields fails. */ TEST_P(AttestationTest, EcAttestationMismatchID) { ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder() .Authorization(TAG_NO_AUTH_REQUIRED) .EcdsaSigningKey(EcCurve::P_256) .Digest(Digest::SHA_2_256) .Authorization(TAG_INCLUDE_UNIQUE_ID))); // Collection of invalid attestation ID tags. std::string invalid = "completely-invalid"; auto invalid_tags = AuthorizationSetBuilder() .Authorization(V4_0::TAG_ATTESTATION_ID_BRAND, invalid.data(), invalid.size()) .Authorization(V4_0::TAG_ATTESTATION_ID_DEVICE, invalid.data(), invalid.size()) .Authorization(V4_0::TAG_ATTESTATION_ID_PRODUCT, invalid.data(), invalid.size()) .Authorization(V4_0::TAG_ATTESTATION_ID_SERIAL, invalid.data(), invalid.size()) .Authorization(V4_0::TAG_ATTESTATION_ID_IMEI, invalid.data(), invalid.size()) .Authorization(V4_0::TAG_ATTESTATION_ID_MEID, invalid.data(), invalid.size()) .Authorization(V4_0::TAG_ATTESTATION_ID_MANUFACTURER, invalid.data(), invalid.size()) .Authorization(V4_0::TAG_ATTESTATION_ID_MODEL, invalid.data(), invalid.size()); for (const KeyParameter& invalid_tag : invalid_tags) { AuthorizationSetBuilder builder = AuthorizationSetBuilder() .Authorization(TAG_ATTESTATION_CHALLENGE, HidlBuf("challenge")) .Authorization(TAG_ATTESTATION_APPLICATION_ID, HidlBuf("foo")); // Include one of the invalid attestation ID tags. 
builder.push_back(invalid_tag); hidl_vec<hidl_vec<uint8_t>> cert_chain; auto result = AttestKey(builder, &cert_chain); EXPECT_TRUE(result == ErrorCode::CANNOT_ATTEST_IDS || result == ErrorCode::INVALID_TAG) << "result: " << static_cast<int32_t>(result); } } /* * AttestationTest.EcAttestationRequiresAttestationAppId * Loading
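Review bot: EcAttestationID can pass without verifying a single attestation ID. The loop does `continue` on ErrorCode::CANNOT_ATTEST_IDS and add_tag_from_prop adds nothing when a property is empty, so a device that refuses every ID, or has none of the six properties set, looks the same as one that attests them correctly. ID attestation appears to be optional here, so I would keep the skip but make it visible, for example by counting the tags that reach verify_attestation_record and calling `GTEST_SKIP()` or logging when the count is zero. The valid set also leaves out TAG_ATTESTATION_ID_IMEI and TAG_ATTESTATION_ID_MEID, which the mismatch test does exercise; a comment saying why (presumably there is no property to read them from) would help. In EcAttestationMismatchID, if AttestKey leaves cert_chain untouched on failure, `EXPECT_EQ(0U, cert_chain.size());` after the error-code check would confirm that a rejected request returns no certificate.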
keymaster/4.1/support/attestation_record.cpp +40 −8 Original line number Diff line number Diff line Loading @@ -79,6 +79,8 @@ typedef struct km_auth_list { ASN1_INTEGER_SET* padding; ASN1_INTEGER* ec_curve; ASN1_INTEGER* rsa_public_exponent; ASN1_NULL* rollback_resistance; ASN1_NULL* early_boot_only; ASN1_INTEGER* active_date_time; ASN1_INTEGER* origination_expire_date_time; ASN1_INTEGER* usage_expire_date_time; Loading @@ -86,21 +88,27 @@ typedef struct km_auth_list { ASN1_INTEGER* user_auth_type; ASN1_INTEGER* auth_timeout; ASN1_NULL* allow_while_on_body; ASN1_NULL* trusted_user_presence_required; ASN1_NULL* trusted_confirmation_required; ASN1_NULL* unlocked_device_required; ASN1_NULL* all_applications; ASN1_OCTET_STRING* application_id; ASN1_INTEGER* creation_date_time; ASN1_INTEGER* origin; ASN1_NULL* rollback_resistance; KM_ROOT_OF_TRUST* root_of_trust; ASN1_INTEGER* os_version; ASN1_INTEGER* os_patchlevel; ASN1_OCTET_STRING* attestation_application_id; ASN1_NULL* trusted_user_presence_required; ASN1_NULL* trusted_confirmation_required; ASN1_NULL* unlocked_device_required; ASN1_OCTET_STRING* attestation_id_brand; ASN1_OCTET_STRING* attestation_id_device; ASN1_OCTET_STRING* attestation_id_product; ASN1_OCTET_STRING* attestation_id_serial; ASN1_OCTET_STRING* attestation_id_imei; ASN1_OCTET_STRING* attestation_id_meid; ASN1_OCTET_STRING* attestation_id_manufacturer; ASN1_OCTET_STRING* attestation_id_model; ASN1_INTEGER* vendor_patchlevel; ASN1_INTEGER* boot_patchlevel; ASN1_NULL* early_boot_only; ASN1_NULL* device_unique_attestation; ASN1_NULL* identity_credential_key; } KM_AUTH_LIST; Loading 
@@ -116,6 +124,7 @@ ASN1_SEQUENCE(KM_AUTH_LIST) = { TAG_RSA_PUBLIC_EXPONENT.maskedTag()), ASN1_EXP_OPT(KM_AUTH_LIST, rollback_resistance, ASN1_NULL, TAG_ROLLBACK_RESISTANCE.maskedTag()), ASN1_EXP_OPT(KM_AUTH_LIST, early_boot_only, ASN1_NULL, TAG_EARLY_BOOT_ONLY.maskedTag()), ASN1_EXP_OPT(KM_AUTH_LIST, active_date_time, ASN1_INTEGER, TAG_ACTIVE_DATETIME.maskedTag()), ASN1_EXP_OPT(KM_AUTH_LIST, origination_expire_date_time, ASN1_INTEGER, TAG_ORIGINATION_EXPIRE_DATETIME.maskedTag()), Loading 
@@ -138,12 +147,27 @@ ASN1_SEQUENCE(KM_AUTH_LIST) = { ASN1_EXP_OPT(KM_AUTH_LIST, root_of_trust, KM_ROOT_OF_TRUST, TAG_ROOT_OF_TRUST.maskedTag()), ASN1_EXP_OPT(KM_AUTH_LIST, os_version, ASN1_INTEGER, TAG_OS_VERSION.maskedTag()), ASN1_EXP_OPT(KM_AUTH_LIST, os_patchlevel, ASN1_INTEGER, TAG_OS_PATCHLEVEL.maskedTag()), ASN1_EXP_OPT(KM_AUTH_LIST, attestation_application_id, ASN1_OCTET_STRING, TAG_ATTESTATION_APPLICATION_ID.maskedTag()), ASN1_EXP_OPT(KM_AUTH_LIST, attestation_id_brand, ASN1_OCTET_STRING, TAG_ATTESTATION_ID_BRAND.maskedTag()), ASN1_EXP_OPT(KM_AUTH_LIST, attestation_id_device, ASN1_OCTET_STRING, TAG_ATTESTATION_ID_DEVICE.maskedTag()), ASN1_EXP_OPT(KM_AUTH_LIST, attestation_id_product, ASN1_OCTET_STRING, TAG_ATTESTATION_ID_PRODUCT.maskedTag()), ASN1_EXP_OPT(KM_AUTH_LIST, attestation_id_serial, ASN1_OCTET_STRING, TAG_ATTESTATION_ID_SERIAL.maskedTag()), ASN1_EXP_OPT(KM_AUTH_LIST, attestation_id_imei, ASN1_OCTET_STRING, TAG_ATTESTATION_ID_IMEI.maskedTag()), ASN1_EXP_OPT(KM_AUTH_LIST, attestation_id_meid, ASN1_OCTET_STRING, TAG_ATTESTATION_ID_MEID.maskedTag()), ASN1_EXP_OPT(KM_AUTH_LIST, attestation_id_manufacturer, ASN1_OCTET_STRING, TAG_ATTESTATION_ID_MANUFACTURER.maskedTag()), ASN1_EXP_OPT(KM_AUTH_LIST, attestation_id_model, ASN1_OCTET_STRING, TAG_ATTESTATION_ID_MODEL.maskedTag()), ASN1_EXP_OPT(KM_AUTH_LIST, vendor_patchlevel, ASN1_INTEGER, TAG_VENDOR_PATCHLEVEL.maskedTag()), ASN1_EXP_OPT(KM_AUTH_LIST, boot_patchlevel, ASN1_INTEGER, TAG_BOOT_PATCHLEVEL.maskedTag()), ASN1_EXP_OPT(KM_AUTH_LIST, attestation_application_id, ASN1_OCTET_STRING, TAG_ATTESTATION_APPLICATION_ID.maskedTag()), ASN1_EXP_OPT(KM_AUTH_LIST, early_boot_only, ASN1_NULL, TAG_EARLY_BOOT_ONLY.maskedTag()), ASN1_EXP_OPT(KM_AUTH_LIST, device_unique_attestation, ASN1_NULL, TAG_DEVICE_UNIQUE_ATTESTATION.maskedTag()), ASN1_EXP_OPT(KM_AUTH_LIST, identity_credential_key, ASN1_NULL, Loading Loading 
@@ -279,6 +303,14 @@ static ErrorCode extract_auth_list(const KM_AUTH_LIST* record, AuthorizationSet* copyAuthTag(record->usage_expire_date_time, TAG_USAGE_EXPIRE_DATETIME, auth_list); copyAuthTag(record->user_auth_type, TAG_USER_AUTH_TYPE, auth_list); copyAuthTag(record->attestation_application_id, TAG_ATTESTATION_APPLICATION_ID, auth_list); copyAuthTag(record->attestation_id_brand, TAG_ATTESTATION_ID_BRAND, auth_list); copyAuthTag(record->attestation_id_device, TAG_ATTESTATION_ID_DEVICE, auth_list); copyAuthTag(record->attestation_id_product, TAG_ATTESTATION_ID_PRODUCT, auth_list); copyAuthTag(record->attestation_id_serial, TAG_ATTESTATION_ID_SERIAL, auth_list); copyAuthTag(record->attestation_id_imei, TAG_ATTESTATION_ID_IMEI, auth_list); copyAuthTag(record->attestation_id_meid, TAG_ATTESTATION_ID_MEID, auth_list); copyAuthTag(record->attestation_id_manufacturer, TAG_ATTESTATION_ID_MANUFACTURER, auth_list); copyAuthTag(record->attestation_id_model, TAG_ATTESTATION_ID_MODEL, auth_list); copyAuthTag(record->vendor_patchlevel, TAG_VENDOR_PATCHLEVEL, auth_list); copyAuthTag(record->boot_patchlevel, TAG_BOOT_PATCHLEVEL, auth_list); copyAuthTag(record->trusted_user_presence_required, TAG_TRUSTED_USER_PRESENCE_REQUIRED, Loading