Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit fac02e63 authored by David Drysdale's avatar David Drysdale Committed by Automerger Merge Worker
Browse files

Merge "Test for patchlevels and too much entropy" am: b5ee70f1 

Original change: https://android-review.googlesource.com/c/platform/hardware/interfaces/+/1673208

Change-Id: I94118fa43ccaf13d87908c37eefc38a1171d8569
parents 232fe779 b5ee70f1

security/keymint/aidl/vts/functional/KeyMintAidlTestBase.cpp

+1 −0
Original line number Diff line number Diff line
@@ -170,6 +170,7 @@ void KeyMintAidlTestBase::InitializeKeyMint(std::shared_ptr<IKeyMintDevice> keyM 


    os_version_ = getOsVersion();

    os_patch_level_ = getOsPatchlevel();

    vendor_patch_level_ = getVendorPatchlevel();

}



void KeyMintAidlTestBase::SetUp() {

security/keymint/aidl/vts/functional/KeyMintAidlTestBase.h

+2 −0
Original line number Diff line number Diff line
@@ -71,6 +71,7 @@ class KeyMintAidlTestBase : public ::testing::TestWithParam<string> { 
    IKeyMintDevice& keyMint() { return *keymint_; }

    uint32_t os_version() { return os_version_; }

    uint32_t os_patch_level() { return os_patch_level_; }

    uint32_t vendor_patch_level() { return vendor_patch_level_; }



    ErrorCode GetReturnErrorCode(const Status& result);
@@ -266,6 +267,7 @@ class KeyMintAidlTestBase : public ::testing::TestWithParam<string> { 
    std::shared_ptr<IKeyMintDevice> keymint_;

    uint32_t os_version_;

    uint32_t os_patch_level_;

    uint32_t vendor_patch_level_;



    SecurityLevel securityLevel_;

    string name_;

security/keymint/aidl/vts/functional/KeyMintTest.cpp

+25 −0
Original line number Diff line number Diff line
@@ -67,6 +67,8 @@ namespace aidl::android::hardware::security::keymint::test { 


namespace {



bool check_patchLevels = false;



template <TagType tag_type, Tag tag, typename ValueT>

bool contains(const vector<KeyParameter>& set, TypedTag<tag_type, tag> ttag,

              ValueT expected_value) {
@@ -330,6 +332,15 @@ class NewKeyGenerationTest : public KeyMintAidlTestBase { 
        EXPECT_TRUE(os_pl);

        EXPECT_EQ(*os_pl, os_patch_level());



        if (check_patchLevels) {

            // Should include vendor and boot patchlevels.

            auto vendor_pl = auths.GetTagValue(TAG_VENDOR_PATCHLEVEL);

            EXPECT_TRUE(vendor_pl);

            EXPECT_EQ(*vendor_pl, vendor_patch_level());

            auto boot_pl = auths.GetTagValue(TAG_BOOT_PATCHLEVEL);

            EXPECT_TRUE(boot_pl);

        }



        return auths;

    }

};
@@ -5312,6 +5323,16 @@ TEST_P(AddEntropyTest, AddLargeEntropy) { 
    EXPECT_TRUE(keyMint().addRngEntropy(AidlBuf(string(2 * 1024, 'a'))).isOk());

}



/*

 * AddEntropyTest.AddTooLargeEntropy

 *

 * Verifies that the addRngEntropy method rejects more than 2KiB  of data.

 */

TEST_P(AddEntropyTest, AddTooLargeEntropy) {

    ErrorCode rc = GetReturnErrorCode(keyMint().addRngEntropy(AidlBuf(string(2 * 1024 + 1, 'a'))));

    EXPECT_EQ(ErrorCode::INVALID_INPUT_LENGTH, rc);

}



INSTANTIATE_KEYMINT_AIDL_TEST(AddEntropyTest);



typedef KeyMintAidlTestBase KeyDeletionTest;
@@ -5765,6 +5786,10 @@ int main(int argc, char** argv) { 
            } else {

                std::cout << "NOT dumping attestations" << std::endl;

            }

            // TODO(drysdale): Remove this flag when available KeyMint devices comply with spec

            if (std::string(argv[i]) == "--check_patchLevels") {

                aidl::android::hardware::security::keymint::test::check_patchLevels = true;

            }

        }

    }

    return RUN_ALL_TESTS();

security/keymint/support/include/keymint_support/keymint_utils.h

+1 −0
Original line number Diff line number Diff line
@@ -38,5 +38,6 @@ vector<uint8_t> authToken2vector(const HardwareAuthToken& token); 


uint32_t getOsVersion();

uint32_t getOsPatchlevel();

uint32_t getVendorPatchlevel();



}  // namespace aidl::android::hardware::security::keymint

security/keymint/support/keymint_utils.cpp

+13 −8
Original line number Diff line number Diff line
@@ -31,10 +31,11 @@ constexpr size_t kSubminorVersionMatch = 5; 
constexpr size_t kPlatformVersionMatchCount = kSubminorVersionMatch + 1;



constexpr char kPlatformPatchlevelProp[] = "ro.build.version.security_patch";

constexpr char kPlatformPatchlevelRegex[] = "^([0-9]{4})-([0-9]{2})-[0-9]{2}$";

constexpr char kVendorPatchlevelProp[] = "ro.vendor.build.security_patch";

constexpr char kPatchlevelRegex[] = "^([0-9]{4})-([0-9]{2})-[0-9]{2}$";

constexpr size_t kYearMatch = 1;

constexpr size_t kMonthMatch = 2;

constexpr size_t kPlatformPatchlevelMatchCount = kMonthMatch + 1;

constexpr size_t kPatchlevelMatchCount = kMonthMatch + 1;



uint32_t match_to_uint32(const char* expression, const regmatch_t& match) {

    if (match.rm_so == -1) return 0;
@@ -80,15 +81,14 @@ uint32_t getOsVersion() { 
    return getOsVersion(version.c_str());

}



uint32_t getOsPatchlevel(const char* patchlevel_str) {

uint32_t getPatchlevel(const char* patchlevel_str) {

    regex_t regex;

    if (regcomp(&regex, kPlatformPatchlevelRegex, REG_EXTENDED) != 0) {

    if (regcomp(&regex, kPatchlevelRegex, REG_EXTENDED) != 0) {

        return 0;

    }



    regmatch_t matches[kPlatformPatchlevelMatchCount];

    int not_match =

            regexec(&regex, patchlevel_str, kPlatformPatchlevelMatchCount, matches, 0 /* flags */);

    regmatch_t matches[kPatchlevelMatchCount];

    int not_match = regexec(&regex, patchlevel_str, kPatchlevelMatchCount, matches, 0 /* flags */);

    regfree(&regex);

    if (not_match) {

        return 0;
@@ -105,7 +105,12 @@ uint32_t getOsPatchlevel(const char* patchlevel_str) { 


uint32_t getOsPatchlevel() {

    std::string patchlevel = wait_and_get_property(kPlatformPatchlevelProp);

    return getOsPatchlevel(patchlevel.c_str());

    return getPatchlevel(patchlevel.c_str());

}



uint32_t getVendorPatchlevel() {

    std::string patchlevel = wait_and_get_property(kVendorPatchlevelProp);

    return getPatchlevel(patchlevel.c_str());

}



}  // namespace aidl::android::hardware::security::keymint