Merge "Implement alternate SE RoT provisioning"

     * The returned data is an encoded COSE_Mac0 structure, denoted MacedRootOfTrust in the

     * following CDDL schema.  Note that K_mac is the shared HMAC key used for auth tokens, etc.:

     *

     *     MacedRootOfTrust = [               ; COSE_Mac0 (untagged)

     *     MacedRootOfTrust = #6.17 [         ; COSE_Mac0 (tagged)

     *         protected: bstr .cbor {

     *             1 : 5,                     ; Algorithm : HMAC-256

     *         },

     *         payload : bstr .cbor RootOfTrust,

     *     ]

     *

     *     RootOfTrust = [

     *     RootOfTrust = #6.40001 [           ; Tag 40001 indicates RoT v1.

     *         verifiedBootKey : bstr .size 32,

     *         deviceLocked : bool,

     *         verifiedBootState : &VerifiedBootState,

#include <remote_prov/remote_prov_utils.h>

#include <keymaster/cppcose/cppcose.h>

#include <keymint_support/attestation_record.h>

#include <keymint_support/key_param_output.h>

#include <keymint_support/keymint_utils.h>

#include <keymint_support/openssl_utils.h>

    verify_subject(cert.get(), subject, self_signed);

}

void verify_root_of_trust(const vector<uint8_t>& verified_boot_key, bool device_locked,

                          VerifiedBoot verified_boot_state,

                          const vector<uint8_t>& verified_boot_hash) {

    char property_value[PROPERTY_VALUE_MAX] = {};

    if (avb_verification_enabled()) {

        EXPECT_NE(property_get("ro.boot.vbmeta.digest", property_value, ""), 0);

        string prop_string(property_value);

        EXPECT_EQ(prop_string.size(), 64);

        EXPECT_EQ(prop_string, bin2hex(verified_boot_hash));

        EXPECT_NE(property_get("ro.boot.vbmeta.device_state", property_value, ""), 0);

        if (!strcmp(property_value, "unlocked")) {

            EXPECT_FALSE(device_locked);

        } else {

            EXPECT_TRUE(device_locked);

        }

        // Check that the device is locked if not debuggable, e.g., user build

        // images in CTS. For VTS, debuggable images are used to allow adb root

        // and the device is unlocked.

        if (!property_get_bool("ro.debuggable", false)) {

            EXPECT_TRUE(device_locked);

        } else {

            EXPECT_FALSE(device_locked);

        }

    }

    // Verified boot key should be all 0's if the boot state is not verified or self signed

    std::string empty_boot_key(32, '\0');

    std::string verified_boot_key_str((const char*)verified_boot_key.data(),

                                      verified_boot_key.size());

    EXPECT_NE(property_get("ro.boot.verifiedbootstate", property_value, ""), 0);

    if (!strcmp(property_value, "green")) {

        EXPECT_EQ(verified_boot_state, VerifiedBoot::VERIFIED);

        EXPECT_NE(0, memcmp(verified_boot_key.data(), empty_boot_key.data(),

                            verified_boot_key.size()));

    } else if (!strcmp(property_value, "yellow")) {

        EXPECT_EQ(verified_boot_state, VerifiedBoot::SELF_SIGNED);

        EXPECT_NE(0, memcmp(verified_boot_key.data(), empty_boot_key.data(),

                            verified_boot_key.size()));

    } else if (!strcmp(property_value, "orange")) {

        EXPECT_EQ(verified_boot_state, VerifiedBoot::UNVERIFIED);

        EXPECT_EQ(0, memcmp(verified_boot_key.data(), empty_boot_key.data(),

                            verified_boot_key.size()));

    } else if (!strcmp(property_value, "red")) {

        EXPECT_EQ(verified_boot_state, VerifiedBoot::FAILED);

    } else {

        EXPECT_EQ(verified_boot_state, VerifiedBoot::UNVERIFIED);

        EXPECT_EQ(0, memcmp(verified_boot_key.data(), empty_boot_key.data(),

                            verified_boot_key.size()));

    }

}

bool verify_attestation_record(int32_t aidl_version,                   //

                               const string& challenge,                //

                               const string& app_id,                   //

    EXPECT_EQ(security_level, att_keymint_security_level);

    EXPECT_EQ(security_level, att_attestation_security_level);

    char property_value[PROPERTY_VALUE_MAX] = {};

    // TODO(b/136282179): When running under VTS-on-GSI the TEE-backed

    // keymint implementation will report YYYYMM dates instead of YYYYMMDD

    // for the BOOT_PATCH_LEVEL.

    error = parse_root_of_trust(attest_rec->data, attest_rec->length, &verified_boot_key,

                                &verified_boot_state, &device_locked, &verified_boot_hash);

    EXPECT_EQ(ErrorCode::OK, error);

    if (avb_verification_enabled()) {

        EXPECT_NE(property_get("ro.boot.vbmeta.digest", property_value, ""), 0);

        string prop_string(property_value);

        EXPECT_EQ(prop_string.size(), 64);

        EXPECT_EQ(prop_string, bin2hex(verified_boot_hash));

        EXPECT_NE(property_get("ro.boot.vbmeta.device_state", property_value, ""), 0);

        if (!strcmp(property_value, "unlocked")) {

            EXPECT_FALSE(device_locked);

        } else {

            EXPECT_TRUE(device_locked);

        }

        // Check that the device is locked if not debuggable, e.g., user build

        // images in CTS. For VTS, debuggable images are used to allow adb root

        // and the device is unlocked.

        if (!property_get_bool("ro.debuggable", false)) {

            EXPECT_TRUE(device_locked);

        } else {

            EXPECT_FALSE(device_locked);

        }

    }

    // Verified boot key should be all 0's if the boot state is not verified or self signed

    std::string empty_boot_key(32, '\0');

    std::string verified_boot_key_str((const char*)verified_boot_key.data(),

                                      verified_boot_key.size());

    EXPECT_NE(property_get("ro.boot.verifiedbootstate", property_value, ""), 0);

    if (!strcmp(property_value, "green")) {

        EXPECT_EQ(verified_boot_state, VerifiedBoot::VERIFIED);

        EXPECT_NE(0, memcmp(verified_boot_key.data(), empty_boot_key.data(),

                            verified_boot_key.size()));

    } else if (!strcmp(property_value, "yellow")) {

        EXPECT_EQ(verified_boot_state, VerifiedBoot::SELF_SIGNED);

        EXPECT_NE(0, memcmp(verified_boot_key.data(), empty_boot_key.data(),

                            verified_boot_key.size()));

    } else if (!strcmp(property_value, "orange")) {

        EXPECT_EQ(verified_boot_state, VerifiedBoot::UNVERIFIED);

        EXPECT_EQ(0, memcmp(verified_boot_key.data(), empty_boot_key.data(),

                            verified_boot_key.size()));

    } else if (!strcmp(property_value, "red")) {

        EXPECT_EQ(verified_boot_state, VerifiedBoot::FAILED);

    } else {

        EXPECT_EQ(verified_boot_state, VerifiedBoot::UNVERIFIED);

        EXPECT_EQ(0, memcmp(verified_boot_key.data(), empty_boot_key.data(),

                            verified_boot_key.size()));

    }

    verify_root_of_trust(verified_boot_key, device_locked, verified_boot_state, verified_boot_hash);

    att_sw_enforced.Sort();

    expected_sw_enforced.Sort();

#include <aidl/android/hardware/security/keymint/IKeyMintDevice.h>

#include <aidl/android/hardware/security/keymint/MacedPublicKey.h>

#include <keymint_support/attestation_record.h>

#include <keymint_support/authorization_set.h>

#include <keymint_support/openssl_utils.h>

void verify_subject_and_serial(const Certificate& certificate,  //

                               const uint64_t expected_serial,  //

                               const string& subject, bool self_signed);

void verify_root_of_trust(const vector<uint8_t>& verified_boot_key,  //

                          bool device_locked,                        //

                          VerifiedBoot verified_boot_state,          //

                          const vector<uint8_t>& verified_boot_hash);

bool verify_attestation_record(int aidl_version,                       //

                               const string& challenge,                //

                               const string& app_id,                   //

using std::shared_ptr;

using std::vector;

constexpr int kRoTVersion1 = 40001;

class SecureElementProvisioningTest : public testing::Test {

  protected:

    static void SetUpTestSuite() {

        }

    }

    void validateMacedRootOfTrust(const vector<uint8_t>& rootOfTrust) {

        SCOPED_TRACE(testing::Message() << "RoT: " << bin2hex(rootOfTrust));

        const auto [macItem, macEndPos, macErrMsg] = cppbor::parse(rootOfTrust);

        ASSERT_TRUE(macItem) << "Root of trust parsing failed: " << macErrMsg;

        ASSERT_EQ(macItem->semanticTagCount(), 1);

        ASSERT_EQ(macItem->semanticTag(0), cppcose::kCoseMac0SemanticTag);

        ASSERT_TRUE(macItem->asArray());

        ASSERT_EQ(macItem->asArray()->size(), cppcose::kCoseMac0EntryCount);

        const auto& protectedItem = macItem->asArray()->get(cppcose::kCoseMac0ProtectedParams);

        ASSERT_TRUE(protectedItem);

        ASSERT_TRUE(protectedItem->asBstr());

        const auto [protMap, protEndPos, protErrMsg] = cppbor::parse(protectedItem->asBstr());

        ASSERT_TRUE(protMap);

        ASSERT_TRUE(protMap->asMap());

        ASSERT_EQ(protMap->asMap()->size(), 1);

        const auto& algorithm = protMap->asMap()->get(cppcose::ALGORITHM);

        ASSERT_TRUE(algorithm);

        ASSERT_TRUE(algorithm->asInt());

        ASSERT_EQ(algorithm->asInt()->value(), cppcose::HMAC_256);

        const auto& unprotItem = macItem->asArray()->get(cppcose::kCoseMac0UnprotectedParams);

        ASSERT_TRUE(unprotItem);

        ASSERT_TRUE(unprotItem->asMap());

        ASSERT_EQ(unprotItem->asMap()->size(), 0);

        const auto& payload = macItem->asArray()->get(cppcose::kCoseMac0Payload);

        ASSERT_TRUE(payload);

        ASSERT_TRUE(payload->asBstr());

        validateRootOfTrust(payload->asBstr()->value());

        const auto& tag = macItem->asArray()->get(cppcose::kCoseMac0Tag);

        ASSERT_TRUE(tag);

        ASSERT_TRUE(tag->asBstr());

        ASSERT_EQ(tag->asBstr()->value().size(), 32);

        // Cannot validate tag correctness.  Only the secure side has the necessary key.

    }

    void validateRootOfTrust(const vector<uint8_t>& payload) {

        SCOPED_TRACE(testing::Message() << "RoT payload: " << bin2hex(payload));

        const auto [rot, rotPos, rotErrMsg] = cppbor::parse(payload);

        ASSERT_TRUE(rot);

        ASSERT_EQ(rot->semanticTagCount(), 1);

        ASSERT_EQ(rot->semanticTag(), kRoTVersion1);

        ASSERT_TRUE(rot->asArray());

        ASSERT_EQ(rot->asArray()->size(), 5);

        size_t pos = 0;

        const auto& vbKey = rot->asArray()->get(pos++);

        ASSERT_TRUE(vbKey);

        ASSERT_TRUE(vbKey->asBstr());

        const auto& deviceLocked = rot->asArray()->get(pos++);

        ASSERT_TRUE(deviceLocked);

        ASSERT_TRUE(deviceLocked->asBool());

        const auto& verifiedBootState = rot->asArray()->get(pos++);

        ASSERT_TRUE(verifiedBootState);

        ASSERT_TRUE(verifiedBootState->asInt());

        const auto& verifiedBootHash = rot->asArray()->get(pos++);

        ASSERT_TRUE(verifiedBootHash);

        ASSERT_TRUE(verifiedBootHash->asBstr());

        const auto& bootPatchLevel = rot->asArray()->get(pos++);

        ASSERT_TRUE(bootPatchLevel);

        ASSERT_TRUE(bootPatchLevel->asInt());

        verify_root_of_trust(vbKey->asBstr()->value(), deviceLocked->asBool()->value(),

                             static_cast<VerifiedBoot>(verifiedBootState->asInt()->value()),

                             verifiedBootHash->asBstr()->value());

    }

    int32_t AidlVersion(shared_ptr<IKeyMintDevice> keymint) {

        int32_t version = 0;

        auto status = keymint->getInterfaceVersion(&version);

    vector<uint8_t> rootOfTrust1;

    Status result = tee->getRootOfTrust(challenge1, &rootOfTrust1);

    // TODO: Remove the next line to require TEEs to succeed.

    if (!result.isOk()) return;

    ASSERT_TRUE(result.isOk());

    // TODO:  Parse and validate rootOfTrust1 here

    ASSERT_TRUE(result.isOk()) << "getRootOfTrust returned " << result.getServiceSpecificError();

    validateMacedRootOfTrust(rootOfTrust1);

    vector<uint8_t> rootOfTrust2;

    result = tee->getRootOfTrust(challenge2, &rootOfTrust2);

    ASSERT_TRUE(result.isOk());

    // TODO:  Parse and validate rootOfTrust2 here

    validateMacedRootOfTrust(rootOfTrust2);

    ASSERT_NE(rootOfTrust1, rootOfTrust2);

    vector<uint8_t> rootOfTrust3;

    result = tee->getRootOfTrust(challenge1, &rootOfTrust3);

    ASSERT_TRUE(result.isOk());

    ASSERT_EQ(rootOfTrust1, rootOfTrust3);

    // TODO:  Parse and validate rootOfTrust3 here

}

TEST_F(SecureElementProvisioningTest, TeeDoesNotImplementStrongBoxMethods) {

    result = tee->getRootOfTrust(challenge, &rootOfTrust);

    ASSERT_TRUE(result.isOk());

    // TODO: Verify COSE_Mac0 structure and content here.

    validateMacedRootOfTrust(rootOfTrust);

    result = sb->sendRootOfTrust(rootOfTrust);

    ASSERT_TRUE(result.isOk());

    result = tee->getRootOfTrust(challenge, &rootOfTrust);

    ASSERT_TRUE(result.isOk());

    validateMacedRootOfTrust(rootOfTrust);

    vector<uint8_t> corruptedRootOfTrust = rootOfTrust;

    corruptedRootOfTrust[corruptedRootOfTrust.size() / 2]++;

    result = sb->sendRootOfTrust(corruptedRootOfTrust);