Merge "KeyMint VTS: option to skip BOOT_PATCHLEVEL check" am: 8aeb7ef2b4 am: 8a2977f698
Original change: https://android-review.googlesource.com/c/platform/hardware/interfaces/+/1907696
Change-Id: I870162d04f83a2d424aadf4674a7e475664fccd1
diff --git a/security/keymint/aidl/vts/functional/KeyMintTest.cpp b/security/keymint/aidl/vts/functional/KeyMintTest.cpp
index 53a5490..2a7911c 100644
--- a/security/keymint/aidl/vts/functional/KeyMintTest.cpp
+++ b/security/keymint/aidl/vts/functional/KeyMintTest.cpp
@@ -69,6 +69,9 @@
namespace {
+// Whether to check that BOOT_PATCHLEVEL is populated.
+bool check_boot_pl = true;
+
// The maximum number of times we'll attempt to verify that corruption
// of an encrypted blob results in an error. Retries are necessary as there
// is a small (roughly 1/256) chance that corrupting ciphertext still results
@@ -527,12 +530,17 @@
EXPECT_TRUE(os_pl);
EXPECT_EQ(*os_pl, os_patch_level());
- // Should include vendor and boot patchlevels.
+ // Should include vendor patchlevel.
auto vendor_pl = auths.GetTagValue(TAG_VENDOR_PATCHLEVEL);
EXPECT_TRUE(vendor_pl);
EXPECT_EQ(*vendor_pl, vendor_patch_level());
- auto boot_pl = auths.GetTagValue(TAG_BOOT_PATCHLEVEL);
- EXPECT_TRUE(boot_pl);
+
+ // Should include boot patchlevel (but there are some test scenarios where this is not
+ // possible).
+ if (check_boot_pl) {
+ auto boot_pl = auths.GetTagValue(TAG_BOOT_PATCHLEVEL);
+ EXPECT_TRUE(boot_pl);
+ }
return auths;
}
@@ -6871,6 +6879,12 @@
} else {
std::cout << "NOT dumping attestations" << std::endl;
}
+ if (std::string(argv[i]) == "--skip_boot_pl_check") {
+ // Allow checks of BOOT_PATCHLEVEL to be disabled, so that the tests can
+ // be run in emulated environments that don't have the normal bootloader
+ // interactions.
+ aidl::android::hardware::security::keymint::test::check_boot_pl = false;
+ }
}
}
return RUN_ALL_TESTS();