
Commit 57d44a97 authored by Catherine Vlasov's avatar Catherine Vlasov Committed by Gerrit Code Review

Merge "Add strict equality check for VB key digest length on VSR-16+." into main

parents d5b5dfce f6b7ba75
+19 −6
@@ -1908,16 +1908,29 @@ void verify_root_of_trust(const vector<uint8_t>& verified_boot_key, bool device_
        }
    }

    if (get_vsr_api_level() > __ANDROID_API_V__) {
        // The Verified Boot key field should be exactly 32 bytes since it
        // contains the SHA-256 hash of the key on locked devices or 32 bytes
        // of zeroes on unlocked devices. This wasn't checked for earlier
        // versions of the KeyMint HAL, so only only be strict for VSR-16+.
        EXPECT_EQ(verified_boot_key.size(), 32);
    } else if (get_vsr_api_level() == __ANDROID_API_V__) {
        // The Verified Boot key field should be:
        //   - Exactly 32 bytes on locked devices since it should contain
        //     the SHA-256 hash of the key, or
        //   - Up to 32 bytes of zeroes on unlocked devices (behaviour on
        //     unlocked devices isn't specified in the HAL interface
        //     specification).
        // Thus, we can't check for strict equality in case unlocked devices
        // report values with less than 32 bytes. This wasn't checked for
        // earlier versions of the KeyMint HAL, so only check on VSR-15.
        EXPECT_LE(verified_boot_key.size(), 32);
    }

    // Verified Boot key should be all zeroes if the boot state is "orange".
    std::string empty_boot_key(32, '\0');
    std::string verified_boot_key_str((const char*)verified_boot_key.data(),
                                      verified_boot_key.size());
    if (get_vsr_api_level() >= __ANDROID_API_V__) {
        // The attestation should contain the SHA-256 hash of the verified boot
        // key.  However, this was not checked for earlier versions of the KeyMint
        // HAL so only be strict for VSR-V and above.
        EXPECT_LE(verified_boot_key.size(), 32);
    }
    EXPECT_NE(property_get("ro.boot.verifiedbootstate", property_value, ""), 0);
    if (!strcmp(property_value, "green")) {
        EXPECT_EQ(verified_boot_state, VerifiedBoot::VERIFIED);
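Review bot: The VSR-15 branch keeps `EXPECT_LE(verified_boot_key.size(), 32)` even though its own comment states that a locked device must carry exactly 32 bytes (the SHA-256 of the key), so on VSR-15 a locked device that reports a truncated or empty digest still passes; the relaxed bound is only justified for the unspecified unlocked case. Because `ro.boot.verifiedbootstate` is read a few lines later, the strict check could be applied there for the locked case (assuming "green" implies a locked bootloader in this test, which is worth confirming), e.g. `if (get_vsr_api_level() == __ANDROID_API_V__) EXPECT_EQ(verified_boot_key.size(), 32);` inside the `if (!strcmp(property_value, "green"))` branch, which would also avoid a third `get_vsr_api_level()` call if the level is hoisted into a local first. While touching the comment, `only only be strict for VSR-16+` should read `only be strict for VSR-16+`, both here and in the identical comment in the SecureElementProvisioningTest hunk. verify_root_of_trust continues past the end of the hunk, so the rest of the "green" branch is not visible here.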
+16 −4
@@ -114,10 +114,22 @@ class SecureElementProvisioningTest : public testing::Test {
        const auto& vbKey = rot->asArray()->get(pos++);
        ASSERT_TRUE(vbKey);
        ASSERT_TRUE(vbKey->asBstr());
        if (get_vsr_api_level() >= __ANDROID_API_V__) {
            // The attestation should contain the SHA-256 hash of the verified boot
            // key.  However, this not was checked for earlier versions of the KeyMint
            // HAL so only be strict for VSR-V and above.
        if (get_vsr_api_level() > __ANDROID_API_V__) {
            // The Verified Boot key field should be exactly 32 bytes since it
            // contains the SHA-256 hash of the key on locked devices or 32 bytes
            // of zeroes on unlocked devices. This wasn't checked for earlier
            // versions of the KeyMint HAL, so only only be strict for VSR-16+.
            ASSERT_EQ(vbKey->asBstr()->value().size(), 32);
        } else if (get_vsr_api_level() == __ANDROID_API_V__) {
            // The Verified Boot key field should be:
            //   - Exactly 32 bytes on locked devices since it should contain
            //     the SHA-256 hash of the key, or
            //   - Up to 32 bytes of zeroes on unlocked devices (behaviour on
            //     unlocked devices isn't specified in the HAL interface
            //     specification).
            // Thus, we can't check for strict equality in case unlocked devices
            // report values with less than 32 bytes. This wasn't checked for
            // earlier versions of the KeyMint HAL, so only check on VSR-15.
            ASSERT_LE(vbKey->asBstr()->value().size(), 32);
        }