Select the DICE validation rules based on the VSR

Check the VSR of the device to select the DICE validation rules that
will be appropriate to use for VTS.

Test: TH
Change-Id: Iff19debd1e442a0b318da1a4d8a08d470efba0ae
diff --git a/security/keymint/support/remote_prov_utils.cpp b/security/keymint/support/remote_prov_utils.cpp
index 780c3d2..34f7ce4 100644
--- a/security/keymint/support/remote_prov_utils.cpp
+++ b/security/keymint/support/remote_prov_utils.cpp
@@ -962,6 +962,20 @@
     return signedRequest->value();
 }
 
+ErrMsgOr<hwtrust::DiceChain::Kind> getDiceChainKind() {
+    int vendor_api_level = ::android::base::GetIntProperty("ro.vendor.api_level", -1);
+    switch (vendor_api_level) {
+        case __ANDROID_API_T__:
+            return hwtrust::DiceChain::Kind::kVsr13;
+        case __ANDROID_API_U__:
+            return hwtrust::DiceChain::Kind::kVsr14;
+        case __ANDROID_API_V__:
+            return hwtrust::DiceChain::Kind::kVsr15;
+        default:
+            return "Unsupported vendor API level: " + std::to_string(vendor_api_level);
+    }
+}
+
 ErrMsgOr<bytevec> parseAndValidateAuthenticatedRequest(const std::vector<uint8_t>& request,
                                                        const std::vector<uint8_t>& challenge) {
     auto [parsedRequest, _, csrErrMsg] = cppbor::parse(request);
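Review bot: In `getDiceChainKind()` the `-1` fallback passed to `GetIntProperty` lands in `default`, so an unset or unparsable `ro.vendor.api_level` is reported as "Unsupported vendor API level: -1" and cannot be told apart from a real but unmapped level. Handling it explicitly would make triage easier, for example `case -1: return "ro.vendor.api_level is not set or not an integer";`. The exact-match switch rejects every level outside T/U/V; failing closed is the right default for a validator, but it deserves a comment such as `// Fail closed: a new vendor API level must be mapped here before its DICE chains are accepted.` It is also worth confirming on a V vendor image that the property really reports `__ANDROID_API_V__`; if that release reports the level in a different numbering scheme, the kVsr15 case would never match.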
@@ -996,7 +1010,12 @@
     }
 
     // DICE chain is [ pubkey, + DiceChainEntry ].
-    auto diceContents = validateBcc(diceCertChain, hwtrust::DiceChain::Kind::kVsr14);
+    auto diceChainKind = getDiceChainKind();
+    if (!diceChainKind) {
+        return diceChainKind.message();
+    }
+
+    auto diceContents = validateBcc(diceCertChain, *diceChainKind);
     if (!diceContents) {
         return diceContents.message() + "\n" + prettyPrint(diceCertChain);
     }
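Review bot: The rule set passed to `validateBcc(diceCertChain, *diceChainKind)` now follows a property set by the vendor build, so a device declaring the T level is checked against kVsr13 where kVsr14 was previously applied to every device. If the older profile is less strict, which the hunk does not show, that is a deliberate relaxation and should be stated above the call, e.g. `// Rules follow the device's declared VSR level; do not hard-code a newer Kind here.` The early `return diceChainKind.message();` also drops the context that the failure came from rule selection rather than from the chain itself; `return "Failed to select DICE validation rules: " + diceChainKind.message();` would keep the two failure paths distinguishable. The enclosing `parseAndValidateAuthenticatedRequest` starts and ends outside this hunk.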
diff --git a/security/rkp/aidl/android/hardware/security/keymint/generateCertificateRequestV2.cddl b/security/rkp/aidl/android/hardware/security/keymint/generateCertificateRequestV2.cddl
index 80f7cbd..15b0442 100644
--- a/security/rkp/aidl/android/hardware/security/keymint/generateCertificateRequestV2.cddl
+++ b/security/rkp/aidl/android/hardware/security/keymint/generateCertificateRequestV2.cddl
@@ -90,9 +90,10 @@
 DiceChainEntryPayload = {                    ; CWT [RFC8392]
     1 : tstr,                                ; Issuer
     2 : tstr,                                ; Subject
+    -4670554 : "android.15",                 ; Profile Name
     -4670552 : bstr .cbor PubKeyEd25519 /
             bstr .cbor PubKeyECDSA256 /
-            bstr .cbor PubKeyECDSA384,    ; Subject Public Key
+            bstr .cbor PubKeyECDSA384,       ; Subject Public Key
     -4670553 : bstr                          ; Key Usage
 
     ; NOTE: All of the following fields may be omitted for a "Degenerate DICE Chain", as
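Review bot: The new `-4670554 : "android.15"` entry makes Profile Name mandatory with a single literal value, while the same commit teaches the C++ validator to accept chains under kVsr13 and kVsr14 as well. If chains from those older levels omit the profile name or carry a different string, this schema no longer describes what the validator accepts. Either mark the entry optional or enumerate the accepted names, or add a comment such as `; Required for VSR 15; earlier VSR levels are validated against their own profile`. The `DiceChainEntryPayload` map continues past the end of this hunk.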