Merge "Select the DICE validation rules based on the VSR" into main am: b484308d5c am: 68e76934b2 am: 44d47323f5 Original change: https://android-review.googlesource.com/c/platform/hardware/interfaces/+/2678076 Change-Id: Ib46c92fe610b819f18c6ff66aeb9b82c5571ca06 Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>

commit: 2ac8eb355db8eb3c97067579aad6b648d12d1519 [log] [tgz]
author: Andrew Scull <ascull@google.com> Thu Sep 21 21:28:04 2023 +0000
committer: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com> Thu Sep 21 21:28:04 2023 +0000
tree: a074e030c5b0b67572d7e216fb2af124e34d9cbc
parent: d802e0c06a65904622bb24b68186452ae2789b99 [diff]
parent: 44d47323f5fb34db50967e26278386ade5639c10 [diff]
diff --git a/security/keymint/support/remote_prov_utils.cpp b/security/keymint/support/remote_prov_utils.cpp
index 780c3d2..34f7ce4 100644
--- a/security/keymint/support/remote_prov_utils.cpp
+++ b/security/keymint/support/remote_prov_utils.cpp

@@ -962,6 +962,20 @@
     return signedRequest->value();
 }
 
+ErrMsgOr<hwtrust::DiceChain::Kind> getDiceChainKind() {
+    int vendor_api_level = ::android::base::GetIntProperty("ro.vendor.api_level", -1);
+    switch (vendor_api_level) {
+        case __ANDROID_API_T__:
+            return hwtrust::DiceChain::Kind::kVsr13;
+        case __ANDROID_API_U__:
+            return hwtrust::DiceChain::Kind::kVsr14;
+        case __ANDROID_API_V__:
+            return hwtrust::DiceChain::Kind::kVsr15;
+        default:
+            return "Unsupported vendor API level: " + std::to_string(vendor_api_level);
+    }
+}
+
 ErrMsgOr<bytevec> parseAndValidateAuthenticatedRequest(const std::vector<uint8_t>& request,
                                                        const std::vector<uint8_t>& challenge) {
     auto [parsedRequest, _, csrErrMsg] = cppbor::parse(request);
@@ -996,7 +1010,12 @@
     }
 
     // DICE chain is [ pubkey, + DiceChainEntry ].
-    auto diceContents = validateBcc(diceCertChain, hwtrust::DiceChain::Kind::kVsr14);
+    auto diceChainKind = getDiceChainKind();
+    if (!diceChainKind) {
+        return diceChainKind.message();
+    }
+
+    auto diceContents = validateBcc(diceCertChain, *diceChainKind);
     if (!diceContents) {
         return diceContents.message() + "\n" + prettyPrint(diceCertChain);
     }

diff --git a/security/rkp/aidl/android/hardware/security/keymint/generateCertificateRequestV2.cddl b/security/rkp/aidl/android/hardware/security/keymint/generateCertificateRequestV2.cddl
index 80f7cbd..15b0442 100644
--- a/security/rkp/aidl/android/hardware/security/keymint/generateCertificateRequestV2.cddl
+++ b/security/rkp/aidl/android/hardware/security/keymint/generateCertificateRequestV2.cddl

@@ -90,9 +90,10 @@
 DiceChainEntryPayload = {                    ; CWT [RFC8392]
     1 : tstr,                                ; Issuer
     2 : tstr,                                ; Subject
+    -4670554 : "android.15",                 ; Profile Name
     -4670552 : bstr .cbor PubKeyEd25519 /
             bstr .cbor PubKeyECDSA256 /
-            bstr .cbor PubKeyECDSA384,    ; Subject Public Key
+            bstr .cbor PubKeyECDSA384,       ; Subject Public Key
     -4670553 : bstr                          ; Key Usage
 
     ; NOTE: All of the following fields may be omitted for a "Degenerate DICE Chain", as
commit	2ac8eb355db8eb3c97067579aad6b648d12d1519	[log] [tgz]
author	Andrew Scull <ascull@google.com>	Thu Sep 21 21:28:04 2023 +0000
committer	Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>	Thu Sep 21 21:28:04 2023 +0000
tree	a074e030c5b0b67572d7e216fb2af124e34d9cbc
parent	d802e0c06a65904622bb24b68186452ae2789b99 [diff]
parent	44d47323f5fb34db50967e26278386ade5639c10 [diff]