Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit eb94a4f9 authored by Tri Vo's avatar Tri Vo Committed by Gerrit Code Review
Browse files

Merge "Test for bootloader state"

parents 09e267b8 bf75a407
Loading
Loading
Loading
Loading
+1 −0
Original line number Diff line number Diff line
@@ -63,6 +63,7 @@ cc_test {
    srcs: [
        "AttestKeyTest.cpp",
        "AuthTest.cpp",
        "BootloaderStateTest.cpp",
        "DeviceUniqueAttestationTest.cpp",
        "KeyBlobUpgradeTest.cpp",
        "KeyMintTest.cpp",
+86 −0
Original line number Diff line number Diff line
/*
 * Copyright (C) 2023 The Android Open Source Project
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

#define LOG_TAG "keymint_1_bootloader_test"

#include <memory>
#include <optional>
#include <string>
#include <vector>

#include <android/binder_manager.h>
#include <remote_prov/remote_prov_utils.h>

#include "KeyMintAidlTestBase.h"

namespace aidl::android::hardware::security::keymint::test {

using ::android::getAidlHalInstanceNames;
using ::std::string;
using ::std::vector;

// Since this test needs to talk to KeyMint HAL, it can only run as root. Thus,
// bootloader can not be locked.
class BootloaderStateTest : public testing::TestWithParam<std::string> {
  public:
    virtual void SetUp() override {
        ::ndk::SpAIBinder binder(AServiceManager_waitForService(GetParam().c_str()));
        keyMint_ = IKeyMintDevice::fromBinder(binder);
        ASSERT_TRUE(keyMint_) << "Failed to get KM device";
    }

    std::shared_ptr<IKeyMintDevice> keyMint_;
};

// Check that attested bootloader state is set to unlocked.
TEST_P(BootloaderStateTest, IsUnlocked) {
    // Generate a key with attestation.
    AuthorizationSet keyDesc = AuthorizationSetBuilder()
                                       .Authorization(TAG_NO_AUTH_REQUIRED)
                                       .EcdsaSigningKey(EcCurve::P_256)
                                       .AttestationChallenge("foo")
                                       .AttestationApplicationId("bar")
                                       .Digest(Digest::NONE)
                                       .SetDefaultValidity();
    KeyCreationResult creationResult;
    auto kmStatus = keyMint_->generateKey(keyDesc.vector_data(), std::nullopt, &creationResult);
    ASSERT_TRUE(kmStatus.isOk());

    vector<Certificate> key_cert_chain = std::move(creationResult.certificateChain);

    // Parse attested AVB values.
    const auto& attestation_cert = key_cert_chain[0].encodedCertificate;
    X509_Ptr cert(parse_cert_blob(attestation_cert));
    ASSERT_TRUE(cert.get());

    ASN1_OCTET_STRING* attest_rec = get_attestation_record(cert.get());
    ASSERT_TRUE(attest_rec);

    vector<uint8_t> key;
    VerifiedBoot attestedVbState;
    bool attestedBootloaderState;
    vector<uint8_t> attestedVbmetaDigest;
    auto error = parse_root_of_trust(attest_rec->data, attest_rec->length, &key, &attestedVbState,
                                     &attestedBootloaderState, &attestedVbmetaDigest);
    ASSERT_EQ(error, ErrorCode::OK);
    ASSERT_FALSE(attestedBootloaderState) << "This test runs as root. Bootloader must be unlocked.";
}

INSTANTIATE_TEST_SUITE_P(PerInstance, BootloaderStateTest,
                         testing::ValuesIn(getAidlHalInstanceNames(IKeyMintDevice::descriptor)),
                         ::android::PrintInstanceNameToString);

}  // namespace aidl::android::hardware::security::keymint::test