Skip tests on Strongbox with GSI build on devices with vendor-api-level
< Android-V to avoid failures.
Bug: 385800086
Test: atest VtsAidlKeyMintTargetTest
Change-Id: I41fc5575af31593cdf3e68519daeb38b2263579d
diff --git a/security/keymint/aidl/vts/functional/KeyMintTest.cpp b/security/keymint/aidl/vts/functional/KeyMintTest.cpp
index 743928e..2f34b9d 100644
--- a/security/keymint/aidl/vts/functional/KeyMintTest.cpp
+++ b/security/keymint/aidl/vts/functional/KeyMintTest.cpp
@@ -2269,10 +2269,19 @@
get_unique_id(app_id, min_date - 1, &unique_id8);
EXPECT_NE(unique_id, unique_id8);
- // Marking RESET_SINCE_ID_ROTATION should give a different unique ID.
- vector<uint8_t> unique_id9;
- get_unique_id(app_id, cert_date, &unique_id9, /* reset_id = */ true);
- EXPECT_NE(unique_id, unique_id9);
+ // Some StrongBox implementations did not correctly handle RESET_SINCE_ID_ROTATION when
+ // combined with use of an ATTEST_KEY, but this was not previously tested. Tests under GSI
+ // were updated to implicitly use ATTEST_KEYS (because rkp-only status cannot be determined),
+ // uncovering the problem. Skip this test for older implementations in that situation
+ // (cf. b/385800086).
+ int vendor_api_level = get_vendor_api_level();
+ if (!(is_gsi_image() && SecLevel() == SecurityLevel::STRONGBOX &&
+ vendor_api_level < AVendorSupport_getVendorApiLevelOf(__ANDROID_API_V__))) {
+ // Marking RESET_SINCE_ID_ROTATION should give a different unique ID.
+ vector<uint8_t> unique_id9;
+ get_unique_id(app_id, cert_date, &unique_id9, /* reset_id = */ true);
+ EXPECT_NE(unique_id, unique_id9);
+ }
}
/*
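Review bot: The RESET_SINCE_ID_ROTATION assertion is now skipped silently on pre-V StrongBox under GSI: the enclosing test still reports as passed, so nothing in the result log shows that the unique-ID reset property went unchecked on that device. An `else` branch with a log line would make the gap visible, for example `GTEST_LOG_(INFO) << "Skipping RESET_SINCE_ID_ROTATION check: StrongBox under GSI with vendor-api-level < V (b/385800086)";`. The same three-part predicate is repeated in EcdsaAttestationTagNoApplicationId in the next hunk; moving it into one small named helper would keep the two copies from drifting and would remove the negated compound condition here. The enclosing test function starts outside this hunk.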
@@ -2281,6 +2290,16 @@
* Verifies that creation of an attested ECDSA key does not include APPLICATION_ID.
*/
TEST_P(NewKeyGenerationTest, EcdsaAttestationTagNoApplicationId) {
+ int vendor_api_level = get_vendor_api_level();
+ if (is_gsi_image() && SecLevel() == SecurityLevel::STRONGBOX &&
+ vendor_api_level < AVendorSupport_getVendorApiLevelOf(__ANDROID_API_V__)) {
+ // Some StrongBox implementations did not correctly handle missing APPLICATION_ID when
+ // combined with use of an ATTEST_KEY, but this was not previously tested. Tests under
+ // GSI were updated to implicitly use ATTEST_KEYS (because rkp-only status cannot be
+ // determined), uncovering the problem. Skip this test for older implementations in that
+ // situation (cf. b/385800086).
+ GTEST_SKIP() << "Skip test on StrongBox device with vendor-api-level < __ANDROID_API_V__";
+ }
auto challenge = "hello";
auto attest_app_id = "foo";
auto subject = "cert subj 2";
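Review bot: The skip message on the `GTEST_SKIP()` line omits the GSI condition and prints the macro name instead of the release, so in a report it reads as though every pre-V StrongBox is exempt from this test. Wording that matches the predicate and names the tracking bug is easier to triage, for example `GTEST_SKIP() << "Skip on StrongBox under GSI with vendor-api-level < V (b/385800086)";`. Because the whole test is skipped, the check that an attested ECDSA key omits APPLICATION_ID is not exercised on these devices under GSI. The test body continues outside the hunk.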