Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 3d571385 authored by Max Bires's avatar Max Bires
Browse files

Adding sanity check for VBMeta device state 

This test should will flag builds running as eng or userdebug that
report back the device is locked during development. This will also
catch the case where the device is a user build but reporting that it
isn't locked. This should help to avoid instances in the future where
userdebug builds report a locked device in the VBMeta information.

This patch also does a little bit of cleanup of the surrounding VBMeta
checking code.

Test: atest VtsHalKeymasterV4_0TargetTest
Change-Id: I3b387ade5eeee6a68b9ff307e503417d264ecbfe
parent 56cda83f

keymaster/4.0/vts/functional/keymaster_hidl_hal_test.cpp

+12 −6
Original line number Original line Diff line number Diff line
@@ -423,27 +423,33 @@ bool verify_attestation_record(const string& challenge, const string& app_id, 
    EXPECT_EQ(ErrorCode::OK, error);

    EXPECT_EQ(ErrorCode::OK, error);





    if (avb_verification_enabled()) {

    if (avb_verification_enabled()) {

        property_get("ro.boot.vbmeta.digest", property_value, "nogood");

        EXPECT_NE(property_get("ro.boot.vbmeta.digest", property_value, ""), 0);

        EXPECT_NE(strcmp(property_value, "nogood"), 0);

        string prop_string(property_value);

        string prop_string(property_value);

        EXPECT_EQ(prop_string.size(), 64);

        EXPECT_EQ(prop_string.size(), 64);

        EXPECT_EQ(prop_string, bin2hex(verified_boot_hash));

        EXPECT_EQ(prop_string, bin2hex(verified_boot_hash));





        property_get("ro.boot.vbmeta.device_state", property_value, "nogood");

        EXPECT_NE(property_get("ro.boot.vbmeta.device_state", property_value, ""), 0);

        EXPECT_NE(strcmp(property_value, "nogood"), 0);

        if (!strcmp(property_value, "unlocked")) {

        if (!strcmp(property_value, "unlocked")) {

            EXPECT_FALSE(device_locked);

            EXPECT_FALSE(device_locked);

        } else {

        } else {

            EXPECT_TRUE(device_locked);

            EXPECT_TRUE(device_locked);

        }

        }



        // Check that the expected result from VBMeta matches the build type. Only a user build

        // should have AVB reporting the device is locked.

        EXPECT_NE(property_get("ro.build.type", property_value, ""), 0);

        if (!strcmp(property_value, "user")) {

            EXPECT_TRUE(device_locked);

        } else {

            EXPECT_FALSE(device_locked);

        }

    }

    }





    // Verified boot key should be all 0's if the boot state is not verified or self signed

    // Verified boot key should be all 0's if the boot state is not verified or self signed

    std::string empty_boot_key(32, '\0');

    std::string empty_boot_key(32, '\0');

    std::string verified_boot_key_str((const char*)verified_boot_key.data(),

    std::string verified_boot_key_str((const char*)verified_boot_key.data(),

                                      verified_boot_key.size());

                                      verified_boot_key.size());

    property_get("ro.boot.verifiedbootstate", property_value, "nogood");

    EXPECT_NE(property_get("ro.boot.verifiedbootstate", property_value, ""), 0);

    EXPECT_NE(property_value, "nogood");

    if (!strcmp(property_value, "green")) {

    if (!strcmp(property_value, "green")) {

        EXPECT_EQ(verified_boot_state, KM_VERIFIED_BOOT_VERIFIED);

        EXPECT_EQ(verified_boot_state, KM_VERIFIED_BOOT_VERIFIED);

        EXPECT_NE(0, memcmp(verified_boot_key.data(), empty_boot_key.data(),

        EXPECT_NE(0, memcmp(verified_boot_key.data(), empty_boot_key.data(),