Merge "Fix tests in remote_prov_utils for hwtrust update" into main
diff --git a/security/keymint/aidl/default/hal/lib.rs b/security/keymint/aidl/default/hal/lib.rs
index 621f077..fad807f 100644
--- a/security/keymint/aidl/default/hal/lib.rs
+++ b/security/keymint/aidl/default/hal/lib.rs
@@ -47,11 +47,9 @@
 
 /// Get boot information based on system properties.
 pub fn get_boot_info() -> kmr_wire::SetBootInfoRequest {
-    // No access to a verified boot key.
-    let verified_boot_key = vec![0; 32];
     let vbmeta_digest = get_property("ro.boot.vbmeta.digest").unwrap_or_else(|_| "00".repeat(32));
     let verified_boot_hash = hex::decode(&vbmeta_digest).unwrap_or_else(|_e| {
-        error!("failed to parse hex data in '{}'", vbmeta_digest);
+        error!("failed to parse VBMeta digest hex data in '{vbmeta_digest}': {_e:?}");
         vec![0; 32]
     });
     let device_boot_locked = match get_property("ro.boot.vbmeta.device_state")
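Review bot: The closure parameter `_e` on the rewritten `error!` line is now read by the format string, so its leading underscore, which marks a binding as intentionally unused, is misleading. Rename it to `e` and log `{e:?}`. The same applies to the `_e` in the new Verified Boot key decode in the next hunk of this file. get_boot_info's body continues outside the hunk.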
@@ -65,6 +63,18 @@
             false
         }
     };
+    let verified_boot_key_digest =
+        get_property("ro.boot.vbmeta.public_key_digest").unwrap_or_else(|_| "00".repeat(32));
+    let verified_boot_key = match device_boot_locked {
+        true => hex::decode(&verified_boot_key_digest).unwrap_or_else(|_e| {
+            error!("Failed to parse Verified Boot key hex data in '{verified_boot_key_digest}': {_e:?}");
+            vec![0; 32]
+        }),
+        // VTS-16+ requires the attested Verified Boot key to be 32 bytes of zeroes when the
+        // bootloader is unlocked, so we ignore the property's value in that case. Behaviour
+        // prior to VTS-16 is unspecified, so it's fine to return the same.
+        false => vec![0; 32],
+    };
     let verified_boot_state = match get_property("ro.boot.verifiedbootstate")
         .unwrap_or_else(|_| "no-prop".to_string())
         .as_str()
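Review bot: On a locked device the new `verified_boot_key` can still come out as 32 zero bytes, the value the comment reserves for an unlocked bootloader, and one path to that is silent. A missing `ro.boot.vbmeta.public_key_digest` is replaced by `"00".repeat(32)` with no log, while only a hex parse failure reaches `error!`. A value that decodes successfully is also used whatever its length; if the digest is expected to be 32 bytes, as the fallback suggests, check it, e.g. `.ok().filter(|k| k.len() == 32)` ahead of the zero fallback, and log the missing-property case as well. As a style point, `match device_boot_locked { true => …, false => … }` reads more plainly as `if device_boot_locked { … } else { … }`. get_boot_info's body starts and ends outside this hunk.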
diff --git a/security/keymint/support/remote_prov_utils.cpp b/security/keymint/support/remote_prov_utils.cpp
index e11f021..fdc0f28 100644
--- a/security/keymint/support/remote_prov_utils.cpp
+++ b/security/keymint/support/remote_prov_utils.cpp
@@ -1005,7 +1005,7 @@
 
 ErrMsgOr<hwtrust::DiceChain::Kind> getDiceChainKind() {
     int vendor_api_level = ::android::base::GetIntProperty("ro.vendor.api_level", -1);
-    if (vendor_api_level == __ANDROID_API_T__) {
+    if (vendor_api_level <= __ANDROID_API_T__) {
         return hwtrust::DiceChain::Kind::kVsr13;
     } else if (vendor_api_level == __ANDROID_API_U__) {
         return hwtrust::DiceChain::Kind::kVsr14;
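Review bot: With `<=`, the `-1` default that `GetIntProperty` returns when `ro.vendor.api_level` is absent or unparsable now also selects `kVsr13`. Under the old `==` it fell through to the later branches, which are not visible here and presumably end in an error return. If that is not intended, exclude the missing value in the comparison, e.g. `if (vendor_api_level >= 0 && vendor_api_level <= __ANDROID_API_T__) {`. If it is intended, say so in a comment such as `// Pre-T and unset vendor API levels are validated against the VSR 13 rules.` getDiceChainKind continues past the end of the hunk.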