Add VTS test that checks for substring "keymint"
This CL exposes a function that allows the checking for a
a substring of the component name in the configuration
descriptor of the leaf certificate for the DICE chain in a
CSR.
The aim is to use this function to check for the substring
"keymint" in the primary KeyMint ("default") instance.
In the bug referenced below, look at third bullet in
comment#13.
Test: m libhwtrust_cxx
atest libkeymint_remote_prov_support_test
Bug: 376297620
Change-Id: Ic81bf8d074b5afeec011513e7dfbc55a1e5da435
diff --git a/security/rkp/aidl/vts/functional/VtsRemotelyProvisionedComponentTests.cpp b/security/rkp/aidl/vts/functional/VtsRemotelyProvisionedComponentTests.cpp
index d9bd0d8..11abd45 100644
--- a/security/rkp/aidl/vts/functional/VtsRemotelyProvisionedComponentTests.cpp
+++ b/security/rkp/aidl/vts/functional/VtsRemotelyProvisionedComponentTests.cpp
@@ -238,6 +238,7 @@
* on the device.
*/
// @VsrTest = 3.10-015
+// @VsrTest = 3.10-018.001
TEST(NonParameterizedTests, requireDiceOnDefaultInstanceIfStrongboxPresent) {
int vsr_api_level = get_vsr_api_level();
if (vsr_api_level < 35) {
@@ -270,12 +271,10 @@
// @VsrTest = 7.1-003.001
TEST(NonParameterizedTests, equalUdsPubInDiceCertChainForRkpVmAndPrimaryKeyMintInstances) {
int apiLevel = get_vsr_api_level();
- if (apiLevel < 202504) {
- if (!AServiceManager_isDeclared(RKPVM_INSTANCE_NAME.c_str())) {
- GTEST_SKIP() << "The RKP VM (" << RKPVM_INSTANCE_NAME
- << ") is not present on this device.";
- }
- } else {
+ if (apiLevel < 202504 && !AServiceManager_isDeclared(RKPVM_INSTANCE_NAME.c_str())) {
+ GTEST_SKIP() << "The RKP VM (" << RKPVM_INSTANCE_NAME << ") is not present on this device.";
+ }
+ if (apiLevel >= 202504) {
ASSERT_TRUE(AServiceManager_isDeclared(RKPVM_INSTANCE_NAME.c_str()));
}
@@ -311,6 +310,40 @@
ASSERT_TRUE(*equal) << "Primary KeyMint and RKP VM RPCs have different UDS public keys";
}
+/**
+ * Suppose that there is a StrongBox KeyMint instance on the device.
+ *
+ * Then, this test verifies that "keymint" is a substring of the component name in the configuration
+ * descriptor in the leaf certificate of the DICE chain for the primary ("default") KeyMint
+ * instance.
+ */
+// @VsrTest = 3.10-018.003
+TEST(NonParameterizedTests, componentNameInConfigurationDescriptorForPrimaryKeyMintInstance) {
+ int vsr_api_level = get_vsr_api_level();
+ if (vsr_api_level < 202504) {
+ GTEST_SKIP() << "Applies only to VSR API level 202504 or newer, this device is: "
+ << vsr_api_level;
+ }
+
+ if (!AServiceManager_isDeclared(KEYMINT_STRONGBOX_INSTANCE_NAME.c_str())) {
+ GTEST_SKIP() << "Strongbox is not present on this device.";
+ }
+
+ ::ndk::SpAIBinder binder(AServiceManager_waitForService(DEFAULT_INSTANCE_NAME.c_str()));
+ std::shared_ptr<IRemotelyProvisionedComponent> rpc =
+ IRemotelyProvisionedComponent::fromBinder(binder);
+ ASSERT_NE(rpc, nullptr);
+
+ bytevec challenge = randomBytes(64);
+ bytevec csr;
+ auto status = rpc->generateCertificateRequestV2({} /* keysToSign */, challenge, &csr);
+ EXPECT_TRUE(status.isOk()) << status.getDescription();
+
+ auto result = verifyComponentNameInKeyMintDiceChain(csr);
+ ASSERT_TRUE(result) << result.message();
+ ASSERT_TRUE(*result);
+}
+
using GetHardwareInfoTests = VtsRemotelyProvisionedComponentTests;
INSTANTIATE_REM_PROV_AIDL_TEST(GetHardwareInfoTests);