Merge "Test for patchlevels and too much entropy" am: b5ee70f125 (fac02e63) · Commits · e / os / android_hardware_interfaces

security/keymint/aidl/vts/functional/KeyMintAidlTestBase.cpp

+1 −0

Original line number	Original line	Diff line number	Diff line
	@@ -170,6 +170,7 @@ void KeyMintAidlTestBase::InitializeKeyMint(std::shared_ptr<IKeyMintDevice> keyM

	os_version_ = getOsVersion();		os_version_ = getOsVersion();
	os_patch_level_ = getOsPatchlevel();		os_patch_level_ = getOsPatchlevel();
			vendor_patch_level_ = getVendorPatchlevel();
	}		}

	void KeyMintAidlTestBase::SetUp() {		void KeyMintAidlTestBase::SetUp() {

security/keymint/aidl/vts/functional/KeyMintAidlTestBase.h

+2 −0

Original line number	Original line	Diff line number	Diff line
	@@ -71,6 +71,7 @@ class KeyMintAidlTestBase : public ::testing::TestWithParam<string> {
	IKeyMintDevice& keyMint() { return *keymint_; }		IKeyMintDevice& keyMint() { return *keymint_; }
	uint32_t os_version() { return os_version_; }		uint32_t os_version() { return os_version_; }
	uint32_t os_patch_level() { return os_patch_level_; }		uint32_t os_patch_level() { return os_patch_level_; }
			uint32_t vendor_patch_level() { return vendor_patch_level_; }

	ErrorCode GetReturnErrorCode(const Status& result);		ErrorCode GetReturnErrorCode(const Status& result);

	@@ -266,6 +267,7 @@ class KeyMintAidlTestBase : public ::testing::TestWithParam<string> {
	std::shared_ptr<IKeyMintDevice> keymint_;		std::shared_ptr<IKeyMintDevice> keymint_;
	uint32_t os_version_;		uint32_t os_version_;
	uint32_t os_patch_level_;		uint32_t os_patch_level_;
			uint32_t vendor_patch_level_;

	SecurityLevel securityLevel_;		SecurityLevel securityLevel_;
	string name_;		string name_;

security/keymint/aidl/vts/functional/KeyMintTest.cpp

+25 −0

Original line number	Original line	Diff line number	Diff line
	@@ -67,6 +67,8 @@ namespace aidl::android::hardware::security::keymint::test {

	namespace {		namespace {

			bool check_patchLevels = false;

	template <TagType tag_type, Tag tag, typename ValueT>		template <TagType tag_type, Tag tag, typename ValueT>
	bool contains(const vector<KeyParameter>& set, TypedTag<tag_type, tag> ttag,		bool contains(const vector<KeyParameter>& set, TypedTag<tag_type, tag> ttag,
	ValueT expected_value) {		ValueT expected_value) {
	@@ -330,6 +332,15 @@ class NewKeyGenerationTest : public KeyMintAidlTestBase {
	EXPECT_TRUE(os_pl);		EXPECT_TRUE(os_pl);
	EXPECT_EQ(*os_pl, os_patch_level());		EXPECT_EQ(*os_pl, os_patch_level());

			if (check_patchLevels) {
			// Should include vendor and boot patchlevels.
			auto vendor_pl = auths.GetTagValue(TAG_VENDOR_PATCHLEVEL);
			EXPECT_TRUE(vendor_pl);
			EXPECT_EQ(*vendor_pl, vendor_patch_level());
			auto boot_pl = auths.GetTagValue(TAG_BOOT_PATCHLEVEL);
			EXPECT_TRUE(boot_pl);
			}

	return auths;		return auths;
	}		}
	};		};
	@@ -5312,6 +5323,16 @@ TEST_P(AddEntropyTest, AddLargeEntropy) {
	EXPECT_TRUE(keyMint().addRngEntropy(AidlBuf(string(2 * 1024, 'a'))).isOk());		EXPECT_TRUE(keyMint().addRngEntropy(AidlBuf(string(2 * 1024, 'a'))).isOk());
	}		}

			/*
			* AddEntropyTest.AddTooLargeEntropy
			*
			* Verifies that the addRngEntropy method rejects more than 2KiB of data.
			*/
			TEST_P(AddEntropyTest, AddTooLargeEntropy) {
			ErrorCode rc = GetReturnErrorCode(keyMint().addRngEntropy(AidlBuf(string(2 * 1024 + 1, 'a'))));
			EXPECT_EQ(ErrorCode::INVALID_INPUT_LENGTH, rc);
			}

	INSTANTIATE_KEYMINT_AIDL_TEST(AddEntropyTest);		INSTANTIATE_KEYMINT_AIDL_TEST(AddEntropyTest);

	typedef KeyMintAidlTestBase KeyDeletionTest;		typedef KeyMintAidlTestBase KeyDeletionTest;
	@@ -5765,6 +5786,10 @@ int main(int argc, char** argv) {
	} else {		} else {
	std::cout << "NOT dumping attestations" << std::endl;		std::cout << "NOT dumping attestations" << std::endl;
	}		}
			// TODO(drysdale): Remove this flag when available KeyMint devices comply with spec
			if (std::string(argv[i]) == "--check_patchLevels") {
			aidl::android::hardware::security::keymint::test::check_patchLevels = true;
			}
	}		}
	}		}
	return RUN_ALL_TESTS();		return RUN_ALL_TESTS();

security/keymint/support/include/keymint_support/keymint_utils.h

+1 −0

Original line number	Original line	Diff line number	Diff line
	@@ -38,5 +38,6 @@ vector<uint8_t> authToken2vector(const HardwareAuthToken& token);

	uint32_t getOsVersion();		uint32_t getOsVersion();
	uint32_t getOsPatchlevel();		uint32_t getOsPatchlevel();
			uint32_t getVendorPatchlevel();

	} // namespace aidl::android::hardware::security::keymint		} // namespace aidl::android::hardware::security::keymint

security/keymint/support/keymint_utils.cpp

+13 −8

Original line number	Original line	Diff line number	Diff line
	@@ -31,10 +31,11 @@ constexpr size_t kSubminorVersionMatch = 5;
	constexpr size_t kPlatformVersionMatchCount = kSubminorVersionMatch + 1;		constexpr size_t kPlatformVersionMatchCount = kSubminorVersionMatch + 1;

	constexpr char kPlatformPatchlevelProp[] = "ro.build.version.security_patch";		constexpr char kPlatformPatchlevelProp[] = "ro.build.version.security_patch";
	constexpr char kPlatformPatchlevelRegex[] = "^([0-9]{4})-([0-9]{2})-[0-9]{2}$";		constexpr char kVendorPatchlevelProp[] = "ro.vendor.build.security_patch";
			constexpr char kPatchlevelRegex[] = "^([0-9]{4})-([0-9]{2})-[0-9]{2}$";
	constexpr size_t kYearMatch = 1;		constexpr size_t kYearMatch = 1;
	constexpr size_t kMonthMatch = 2;		constexpr size_t kMonthMatch = 2;
	constexpr size_t kPlatformPatchlevelMatchCount = kMonthMatch + 1;		constexpr size_t kPatchlevelMatchCount = kMonthMatch + 1;

	uint32_t match_to_uint32(const char* expression, const regmatch_t& match) {		uint32_t match_to_uint32(const char* expression, const regmatch_t& match) {
	if (match.rm_so == -1) return 0;		if (match.rm_so == -1) return 0;
	@@ -80,15 +81,14 @@ uint32_t getOsVersion() {
	return getOsVersion(version.c_str());		return getOsVersion(version.c_str());
	}		}

	uint32_t getOsPatchlevel(const char* patchlevel_str) {		uint32_t getPatchlevel(const char* patchlevel_str) {
	regex_t regex;		regex_t regex;
	if (regcomp(&regex, kPlatformPatchlevelRegex, REG_EXTENDED) != 0) {		if (regcomp(&regex, kPatchlevelRegex, REG_EXTENDED) != 0) {
	return 0;		return 0;
	}		}

	regmatch_t matches[kPlatformPatchlevelMatchCount];		regmatch_t matches[kPatchlevelMatchCount];
	int not_match =		int not_match = regexec(&regex, patchlevel_str, kPatchlevelMatchCount, matches, 0 /* flags */);
	regexec(&regex, patchlevel_str, kPlatformPatchlevelMatchCount, matches, 0 /* flags */);
	regfree(&regex);		regfree(&regex);
	if (not_match) {		if (not_match) {
	return 0;		return 0;
	@@ -105,7 +105,12 @@ uint32_t getOsPatchlevel(const char* patchlevel_str) {

	uint32_t getOsPatchlevel() {		uint32_t getOsPatchlevel() {
	std::string patchlevel = wait_and_get_property(kPlatformPatchlevelProp);		std::string patchlevel = wait_and_get_property(kPlatformPatchlevelProp);
	return getOsPatchlevel(patchlevel.c_str());		return getPatchlevel(patchlevel.c_str());
			}

			uint32_t getVendorPatchlevel() {
			std::string patchlevel = wait_and_get_property(kVendorPatchlevelProp);
			return getPatchlevel(patchlevel.c_str());
	}		}

	} // namespace aidl::android::hardware::security::keymint		} // namespace aidl::android::hardware::security::keymint