Loading security/keymint/aidl/vts/functional/Android.bp +3 −0 Original line number Diff line number Diff line Loading @@ -43,8 +43,11 @@ cc_defaults { "android.hardware.gatekeeper-V1-ndk", "android.hardware.security.rkp-V3-ndk", "android.hardware.security.secureclock-V1-ndk", "libavb_user", "libavb", "libcppbor_external", "libcppcose_rkp", "libfs_mgr", "libjsoncpp", "libkeymint", "libkeymint_remote_prov_support", Loading security/keymint/aidl/vts/functional/BootloaderStateTest.cpp +113 −41 Original line number Diff line number Diff line Loading @@ -21,7 +21,11 @@ #include <string> #include <vector> #include <android-base/properties.h> #include <android/binder_manager.h> #include <fstab/fstab.h> #include <libavb/libavb.h> #include <libavb_user/avb_ops_user.h> #include <remote_prov/remote_prov_utils.h> #include "KeyMintAidlTestBase.h" Loading @@ -34,10 +38,11 @@ using ::std::vector; // Since this test needs to talk to KeyMint HAL, it can only run as root. Thus, // bootloader can not be locked. class BootloaderStateTest : public KeyMintAidlTestBase {}; class BootloaderStateTest : public KeyMintAidlTestBase { public: virtual void SetUp() override { KeyMintAidlTestBase::SetUp(); // Check that attested bootloader state is set to unlocked. TEST_P(BootloaderStateTest, IsUnlocked) { // Generate a key with attestation. vector<uint8_t> key_blob; vector<KeyCharacteristics> key_characteristics; Loading Loading 
@@ -70,14 +75,81 @@ TEST_P(BootloaderStateTest, IsUnlocked) { ASN1_OCTET_STRING* attest_rec = get_attestation_record(cert.get()); ASSERT_TRUE(attest_rec); vector<uint8_t> key; VerifiedBoot attestedVbState; bool attestedBootloaderState; vector<uint8_t> attestedVbmetaDigest; auto error = parse_root_of_trust(attest_rec->data, attest_rec->length, &key, &attestedVbState, &attestedBootloaderState, &attestedVbmetaDigest); auto error = parse_root_of_trust(attest_rec->data, attest_rec->length, &attestedVbKey_, &attestedVbState_, &attestedBootloaderState_, &attestedVbmetaDigest_); ASSERT_EQ(error, ErrorCode::OK); ASSERT_FALSE(attestedBootloaderState) << "This test runs as root. Bootloader must be unlocked."; } vector<uint8_t> attestedVbKey_; VerifiedBoot attestedVbState_; bool attestedBootloaderState_; vector<uint8_t> attestedVbmetaDigest_; }; // Check that attested bootloader state is set to unlocked. TEST_P(BootloaderStateTest, BootloaderIsUnlocked) { ASSERT_FALSE(attestedBootloaderState_) << "This test runs as root. Bootloader must be unlocked."; } // Check that verified boot state is set to "unverified", i.e. "orange". TEST_P(BootloaderStateTest, VbStateIsUnverified) { // Unlocked bootloader implies that verified boot state must be "unverified". ASSERT_EQ(attestedVbState_, VerifiedBoot::UNVERIFIED) << "Verified boot state must be \"UNVERIFIED\" aka \"orange\"."; // AVB spec stipulates that bootloader must set "androidboot.verifiedbootstate" parameter // on the kernel command-line. This parameter is exposed to userspace as // "ro.boot.verifiedbootstate" property. auto vbStateProp = ::android::base::GetProperty("ro.boot.verifiedbootstate", ""); ASSERT_EQ(vbStateProp, "orange") << "Verified boot state must be \"UNVERIFIED\" aka \"orange\"."; } // Following error codes from avb_slot_data() mean that slot data was loaded // (even if verification failed). 
static inline bool avb_slot_data_loaded(AvbSlotVerifyResult result) { switch (result) { case AVB_SLOT_VERIFY_RESULT_OK: case AVB_SLOT_VERIFY_RESULT_ERROR_VERIFICATION: case AVB_SLOT_VERIFY_RESULT_ERROR_ROLLBACK_INDEX: case AVB_SLOT_VERIFY_RESULT_ERROR_PUBLIC_KEY_REJECTED: return true; default: return false; } } // Check that attested vbmeta digest is correct. TEST_P(BootloaderStateTest, VbmetaDigest) { AvbSlotVerifyData* avbSlotData; auto suffix = fs_mgr_get_slot_suffix(); const char* partitions[] = {nullptr}; auto avbOps = avb_ops_user_new(); // For VTS, devices run with vendor_boot-debug.img, which is not release key // signed. Use AVB_SLOT_VERIFY_FLAGS_ALLOW_VERIFICATION_ERROR to bypass avb // verification errors. This is OK since we only care about the digest for // this test case. auto result = avb_slot_verify(avbOps, partitions, suffix.c_str(), AVB_SLOT_VERIFY_FLAGS_ALLOW_VERIFICATION_ERROR, AVB_HASHTREE_ERROR_MODE_EIO, &avbSlotData); ASSERT_TRUE(avb_slot_data_loaded(result)) << "Failed to load avb slot data"; // Unfortunately, bootloader is not required to report the algorithm used // to calculate the digest. There are only two supported options though, // SHA256 and SHA512. Attested VBMeta digest must match one of these. vector<uint8_t> digest256(AVB_SHA256_DIGEST_SIZE); vector<uint8_t> digest512(AVB_SHA512_DIGEST_SIZE); avb_slot_verify_data_calculate_vbmeta_digest(avbSlotData, AVB_DIGEST_TYPE_SHA256, digest256.data()); avb_slot_verify_data_calculate_vbmeta_digest(avbSlotData, AVB_DIGEST_TYPE_SHA512, digest512.data()); ASSERT_TRUE((attestedVbmetaDigest_ == digest256) || (attestedVbmetaDigest_ == digest512)) << "Attested digest does not match computed digest."; } INSTANTIATE_KEYMINT_AIDL_TEST(BootloaderStateTest); Loading Loading
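Review bot: In the `VbmetaDigest` test (second hunk of BootloaderStateTest.cpp) the `AvbOps` returned by `avb_ops_user_new()` and the `AvbSlotVerifyData` filled in by `avb_slot_verify()` are never released, and the `avb_ops_user_new()` result is passed to `avb_slot_verify()` without a null check; `avbSlotData` is also left uninitialized before the call. Because every `ASSERT_*` returns early, a trailing free would still leak on failure, so scope guards built on `std::unique_ptr` with the library's own `avb_ops_user_free` / `avb_slot_verify_data_free` deleters are the cleaner fix, which needs `#include <memory>` added to the include block in the first hunk. I believe `avb_slot_verify()` clears `*out_data` on the non-loaded paths, so the guard on a null pointer is a no-op; worth confirming against the libavb version this test links.
```cpp
    auto avbOps = avb_ops_user_new();
    ASSERT_NE(avbOps, nullptr) << "Failed to create AVB user ops";
    std::unique_ptr<AvbOps, decltype(&avb_ops_user_free)> avbOpsGuard(avbOps, &avb_ops_user_free);
    AvbSlotVerifyData* avbSlotData = nullptr;
    // … unchanged: avb_slot_verify() call with AVB_SLOT_VERIFY_FLAGS_ALLOW_VERIFICATION_ERROR …
    // Release slot data on every exit path, including early ASSERT returns.
    std::unique_ptr<AvbSlotVerifyData, decltype(&avb_slot_verify_data_free)> slotDataGuard(
            avbSlotData, &avb_slot_verify_data_free);
    ASSERT_TRUE(avb_slot_data_loaded(result)) << "Failed to load avb slot data";
    // … unchanged: SHA256/SHA512 digest computation and comparison …
```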
security/keymint/aidl/vts/functional/Android.bp +3 −0 Original line number Diff line number Diff line Loading @@ -43,8 +43,11 @@ cc_defaults { "android.hardware.gatekeeper-V1-ndk", "android.hardware.security.rkp-V3-ndk", "android.hardware.security.secureclock-V1-ndk", "libavb_user", "libavb", "libcppbor_external", "libcppcose_rkp", "libfs_mgr", "libjsoncpp", "libkeymint", "libkeymint_remote_prov_support", Loading
security/keymint/aidl/vts/functional/BootloaderStateTest.cpp +113 −41 Original line number Diff line number Diff line Loading @@ -21,7 +21,11 @@ #include <string> #include <vector> #include <android-base/properties.h> #include <android/binder_manager.h> #include <fstab/fstab.h> #include <libavb/libavb.h> #include <libavb_user/avb_ops_user.h> #include <remote_prov/remote_prov_utils.h> #include "KeyMintAidlTestBase.h" Loading @@ -34,10 +38,11 @@ using ::std::vector; // Since this test needs to talk to KeyMint HAL, it can only run as root. Thus, // bootloader can not be locked. class BootloaderStateTest : public KeyMintAidlTestBase {}; class BootloaderStateTest : public KeyMintAidlTestBase { public: virtual void SetUp() override { KeyMintAidlTestBase::SetUp(); // Check that attested bootloader state is set to unlocked. TEST_P(BootloaderStateTest, IsUnlocked) { // Generate a key with attestation. vector<uint8_t> key_blob; vector<KeyCharacteristics> key_characteristics; Loading Loading 
@@ -70,14 +75,81 @@ TEST_P(BootloaderStateTest, IsUnlocked) { ASN1_OCTET_STRING* attest_rec = get_attestation_record(cert.get()); ASSERT_TRUE(attest_rec); vector<uint8_t> key; VerifiedBoot attestedVbState; bool attestedBootloaderState; vector<uint8_t> attestedVbmetaDigest; auto error = parse_root_of_trust(attest_rec->data, attest_rec->length, &key, &attestedVbState, &attestedBootloaderState, &attestedVbmetaDigest); auto error = parse_root_of_trust(attest_rec->data, attest_rec->length, &attestedVbKey_, &attestedVbState_, &attestedBootloaderState_, &attestedVbmetaDigest_); ASSERT_EQ(error, ErrorCode::OK); ASSERT_FALSE(attestedBootloaderState) << "This test runs as root. Bootloader must be unlocked."; } vector<uint8_t> attestedVbKey_; VerifiedBoot attestedVbState_; bool attestedBootloaderState_; vector<uint8_t> attestedVbmetaDigest_; }; // Check that attested bootloader state is set to unlocked. TEST_P(BootloaderStateTest, BootloaderIsUnlocked) { ASSERT_FALSE(attestedBootloaderState_) << "This test runs as root. Bootloader must be unlocked."; } // Check that verified boot state is set to "unverified", i.e. "orange". TEST_P(BootloaderStateTest, VbStateIsUnverified) { // Unlocked bootloader implies that verified boot state must be "unverified". ASSERT_EQ(attestedVbState_, VerifiedBoot::UNVERIFIED) << "Verified boot state must be \"UNVERIFIED\" aka \"orange\"."; // AVB spec stipulates that bootloader must set "androidboot.verifiedbootstate" parameter // on the kernel command-line. This parameter is exposed to userspace as // "ro.boot.verifiedbootstate" property. auto vbStateProp = ::android::base::GetProperty("ro.boot.verifiedbootstate", ""); ASSERT_EQ(vbStateProp, "orange") << "Verified boot state must be \"UNVERIFIED\" aka \"orange\"."; } // Following error codes from avb_slot_data() mean that slot data was loaded // (even if verification failed). 
static inline bool avb_slot_data_loaded(AvbSlotVerifyResult result) { switch (result) { case AVB_SLOT_VERIFY_RESULT_OK: case AVB_SLOT_VERIFY_RESULT_ERROR_VERIFICATION: case AVB_SLOT_VERIFY_RESULT_ERROR_ROLLBACK_INDEX: case AVB_SLOT_VERIFY_RESULT_ERROR_PUBLIC_KEY_REJECTED: return true; default: return false; } } // Check that attested vbmeta digest is correct. TEST_P(BootloaderStateTest, VbmetaDigest) { AvbSlotVerifyData* avbSlotData; auto suffix = fs_mgr_get_slot_suffix(); const char* partitions[] = {nullptr}; auto avbOps = avb_ops_user_new(); // For VTS, devices run with vendor_boot-debug.img, which is not release key // signed. Use AVB_SLOT_VERIFY_FLAGS_ALLOW_VERIFICATION_ERROR to bypass avb // verification errors. This is OK since we only care about the digest for // this test case. auto result = avb_slot_verify(avbOps, partitions, suffix.c_str(), AVB_SLOT_VERIFY_FLAGS_ALLOW_VERIFICATION_ERROR, AVB_HASHTREE_ERROR_MODE_EIO, &avbSlotData); ASSERT_TRUE(avb_slot_data_loaded(result)) << "Failed to load avb slot data"; // Unfortunately, bootloader is not required to report the algorithm used // to calculate the digest. There are only two supported options though, // SHA256 and SHA512. Attested VBMeta digest must match one of these. vector<uint8_t> digest256(AVB_SHA256_DIGEST_SIZE); vector<uint8_t> digest512(AVB_SHA512_DIGEST_SIZE); avb_slot_verify_data_calculate_vbmeta_digest(avbSlotData, AVB_DIGEST_TYPE_SHA256, digest256.data()); avb_slot_verify_data_calculate_vbmeta_digest(avbSlotData, AVB_DIGEST_TYPE_SHA512, digest512.data()); ASSERT_TRUE((attestedVbmetaDigest_ == digest256) || (attestedVbmetaDigest_ == digest512)) << "Attested digest does not match computed digest."; } INSTANTIATE_KEYMINT_AIDL_TEST(BootloaderStateTest); Loading