Use consistent, correct terminology for vendor API levels in VTS tests.
And make the RKP VTS tests refer to the SDK API levels consistently
(though it's nice to see that in a few places those tests refer to
the correct vendor API levels with the new YYYYMM format). I left
the YYYYMM references as-is since we'll do a proper refactor later
across all VTS tests, but used the __ANDROID_API_<foo>__ constants
everywhere else to be consistent with all the other VTS tests.
From what I can tell, there is no official notion of "VSR API level",
only "vendor API level". VSR refers to the Vendor Software Requirements,
so it makes sense to refer to "VSR-15" (for example) since that refers
to a specific version of the requirements. It therefore doesn't really
make sense to refer to "VSR-15 devices" (as opposed to "devices with vendor
API level 35"), in the same way that we don't refer to "CTS-15 devices", but
rather to "devices with SDK API level 35".
Bug: 384021501
Test: atest VtsAidlKeyMintTargetTest
Change-Id: I3914c26f81b3bdc886d06cc17f238b5de597ccfc
diff --git a/security/keymint/aidl/vts/functional/BootloaderStateTest.cpp b/security/keymint/aidl/vts/functional/BootloaderStateTest.cpp
index 62215f3..a799ab1 100644
--- a/security/keymint/aidl/vts/functional/BootloaderStateTest.cpp
+++ b/security/keymint/aidl/vts/functional/BootloaderStateTest.cpp
@@ -99,7 +99,7 @@
// Check that the attested Verified Boot key is 32 bytes of zeroes since the bootloader is unlocked.
TEST_P(BootloaderStateTest, VerifiedBootKeyAllZeroes) {
// Gate this test to avoid waiver issues.
- if (get_vsr_api_level() <= AVendorSupport_getVendorApiLevelOf(__ANDROID_API_V__)) {
+ if (get_vendor_api_level() <= AVendorSupport_getVendorApiLevelOf(__ANDROID_API_V__)) {
return;
}
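Review bot: The gate in VerifiedBootKeyAllZeroes ends in a bare `return;`, so on devices at or below the V vendor API level the test is reported as passed although the all-zero Verified Boot key check never ran. The other gated tests in this commit use GTEST_SKIP with the device's level, which keeps the missing coverage visible in the results. The same could be done here with `GTEST_SKIP() << "Applies only to vendor API level > 202404, but this device is: " << get_vendor_api_level();`. If a silent pass is what "avoid waiver issues" requires, the comment should say so. The test body continues outside the hunk.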
@@ -142,13 +142,13 @@
avb_slot_verify_data_calculate_vbmeta_digest(avbSlotData, AVB_DIGEST_TYPE_SHA256,
sha256Digest.data());
- if (get_vsr_api_level() >= AVendorSupport_getVendorApiLevelOf(__ANDROID_API_V__)) {
+ if (get_vendor_api_level() >= AVendorSupport_getVendorApiLevelOf(__ANDROID_API_V__)) {
ASSERT_TRUE(attestedVbmetaDigest_ == sha256Digest)
<< "Attested VBMeta digest (" << bin2hex(attestedVbmetaDigest_)
<< ") does not match the expected SHA-256 digest (" << bin2hex(sha256Digest)
<< ").";
} else {
- // Prior to VSR-V, there was no MUST requirement for the algorithm used by the bootloader
+ // Prior to VSR-15, there was no MUST requirement for the algorithm used by the bootloader
// to calculate the VBMeta digest. However, the only two supported options are SHA-256 and
// SHA-512, so we expect the attested VBMeta digest to match one of these.
vector<uint8_t> sha512Digest(AVB_SHA512_DIGEST_SIZE);
diff --git a/security/keymint/aidl/vts/functional/KeyMintAidlTestBase.cpp b/security/keymint/aidl/vts/functional/KeyMintAidlTestBase.cpp
index 4429816..06e0f58 100644
--- a/security/keymint/aidl/vts/functional/KeyMintAidlTestBase.cpp
+++ b/security/keymint/aidl/vts/functional/KeyMintAidlTestBase.cpp
@@ -1435,12 +1435,11 @@
}
bool KeyMintAidlTestBase::IsRkpSupportRequired() const {
- // This is technically not a match to the requirements for S chipsets,
- // however when S shipped there was a bug in the test that skipped the
- // tests if KeyMint 2 was not on the system. So we allowed many chipests
- // to ship without RKP support. In T we hardened the requirements around
- // support for RKP, so relax the test to match.
- return get_vsr_api_level() >= __ANDROID_API_T__;
+ // This is technically weaker than the VSR-12 requirements, but when
+ // Android 12 shipped, there was a bug that skipped the tests if KeyMint
+ // 2 was not present. As a result, many chipsets were allowed to ship
+ // without RKP support. The RKP requirements were hardened in VSR-13.
+ return get_vendor_api_level() >= __ANDROID_API_T__;
}
vector<uint32_t> KeyMintAidlTestBase::ValidKeySizes(Algorithm algorithm) {
@@ -1691,11 +1690,11 @@
vector<uint8_t>* key_blob,
vector<KeyCharacteristics>* key_characteristics,
vector<Certificate>* cert_chain) {
- // The original specification for KeyMint v1 required ATTEST_KEY not be combined
- // with any other key purpose, but the original VTS tests incorrectly did exactly that.
- // This means that a device that launched prior to Android T (API level 33) may
- // accept or even require KeyPurpose::SIGN too.
- if (get_vsr_api_level() < __ANDROID_API_T__) {
+ // The original specification for KeyMint v1 (introduced in Android 12) required ATTEST_KEY not
+ // be combined with any other key purpose, but the original VTS-12 tests incorrectly did exactly
+ // that. The tests were fixed in VTS-13 (vendor API level 33). This means that devices with
+ // vendor API level < 33 may accept or even require KeyPurpose::SIGN too.
+ if (get_vendor_api_level() < __ANDROID_API_T__) {
AuthorizationSet key_desc_plus_sign = key_desc;
key_desc_plus_sign.push_back(TAG_PURPOSE, KeyPurpose::SIGN);
@@ -1820,13 +1819,19 @@
OPENSSL_free(cert_issuer);
}
-int get_vsr_api_level() {
+int get_vendor_api_level() {
+ // Android 13+ builds have the `ro.vendor.api_level` system property. See
+ // https://source.android.com/docs/core/architecture/api-flags#determine_vendor_api_level_android_13.
int vendor_api_level = ::android::base::GetIntProperty("ro.vendor.api_level", -1);
if (vendor_api_level != -1) {
return vendor_api_level;
}
- // Android S and older devices do not define ro.vendor.api_level
+ // Android 12 builds have the `ro.board.api_level` and `ro.board.first_api_level` system
+ // properties, which are only expected to be populated for GRF SoCs on Android 12 builds. Note
+ // that they are populated automatically by the build system starting in Android 15, but we use
+ // `ro.vendor.api_level` on such builds (see above). For details, see
+ // https://docs.partner.android.com/gms/building/integrating/extending-os-upgrade-support-windows#new-system-properties.
vendor_api_level = ::android::base::GetIntProperty("ro.board.api_level", -1);
if (vendor_api_level == -1) {
vendor_api_level = ::android::base::GetIntProperty("ro.board.first_api_level", -1);
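Review bot: The new comments in get_vendor_api_level() say where each property comes from but not which numbering the returned value uses, and the callers in this commit depend on that. Some compare the result directly with `__ANDROID_API_T__` or `__ANDROID_API_U__`, others with `AVendorSupport_getVendorApiLevelOf(__ANDROID_API_V__)`, and the skip messages quote 33, 34 and 202404. One sentence on the function and on its declaration in KeyMintAidlTestBase.h would make the contract explicit, for example `// Returns an SDK-style level (e.g. 33, 34) for older vendor images and a YYYYMM level (e.g. 202404) for newer ones.` The split between the two numberings is inferred from the call sites, so confirm it before settling the wording. The function body starts in this hunk and ends outside it.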
@@ -1838,11 +1843,12 @@
EXPECT_NE(product_api_level, -1) << "Could not find ro.build.version.sdk";
}
- // VSR API level is the minimum of vendor_api_level and product_api_level.
- if (vendor_api_level == -1 || vendor_api_level > product_api_level) {
+ // If the `ro.board.api_level` and `ro.board.first_api_level` properties aren't populated, it
+ // means the build doesn't have a GRF SoC, so the product API level should be used.
+ if (vendor_api_level == -1) {
return product_api_level;
}
- return vendor_api_level;
+ return std::min(product_api_level, vendor_api_level);
}
bool is_gsi_image() {
@@ -1909,13 +1915,13 @@
}
}
- if (get_vsr_api_level() > AVendorSupport_getVendorApiLevelOf(__ANDROID_API_V__)) {
+ if (get_vendor_api_level() > AVendorSupport_getVendorApiLevelOf(__ANDROID_API_V__)) {
// The Verified Boot key field should be exactly 32 bytes since it
// contains the SHA-256 hash of the key on locked devices or 32 bytes
// of zeroes on unlocked devices. This wasn't checked for earlier
- // versions of the KeyMint HAL, so only only be strict for VSR-16+.
+ // versions of the KeyMint HAL, so we version-gate the strict check.
EXPECT_EQ(verified_boot_key.size(), 32);
- } else if (get_vsr_api_level() == AVendorSupport_getVendorApiLevelOf(__ANDROID_API_V__)) {
+ } else if (get_vendor_api_level() == AVendorSupport_getVendorApiLevelOf(__ANDROID_API_V__)) {
// The Verified Boot key field should be:
// - Exactly 32 bytes on locked devices since it should contain
// the SHA-256 hash of the key, or
@@ -1924,7 +1930,7 @@
// specification).
// Thus, we can't check for strict equality in case unlocked devices
// report values with less than 32 bytes. This wasn't checked for
- // earlier versions of the KeyMint HAL, so only check on VSR-15.
+ // earlier versions of the KeyMint HAL, so we version-gate the check.
EXPECT_LE(verified_boot_key.size(), 32);
}
@@ -2416,7 +2422,7 @@
} else if (result == ErrorCode::INVALID_TAG) {
// Depending on the situation, other error codes may be acceptable. First, allow older
// implementations to use INVALID_TAG.
- ASSERT_FALSE(get_vsr_api_level() > __ANDROID_API_T__)
+ ASSERT_FALSE(get_vendor_api_level() > __ANDROID_API_T__)
<< "It is a specification violation for INVALID_TAG to be returned due to ID "
<< "mismatch in a Device ID Attestation call. INVALID_TAG is only intended to "
<< "be used for a case where updateAad() is called after update(). As of "
diff --git a/security/keymint/aidl/vts/functional/KeyMintAidlTestBase.h b/security/keymint/aidl/vts/functional/KeyMintAidlTestBase.h
index 1c12136..6c327bb 100644
--- a/security/keymint/aidl/vts/functional/KeyMintAidlTestBase.h
+++ b/security/keymint/aidl/vts/functional/KeyMintAidlTestBase.h
@@ -406,8 +406,8 @@
add_tag(tags, ttag, ::android::base::GetProperty(prop, /* default= */ ""));
}
-// Return the VSR API level for this device.
-int get_vsr_api_level();
+// Return the vendor API level for this device.
+int get_vendor_api_level();
// Indicate whether the test is running on a GSI image.
bool is_gsi_image();
diff --git a/security/keymint/aidl/vts/functional/KeyMintTest.cpp b/security/keymint/aidl/vts/functional/KeyMintTest.cpp
index e8a767b..743928e 100644
--- a/security/keymint/aidl/vts/functional/KeyMintTest.cpp
+++ b/security/keymint/aidl/vts/functional/KeyMintTest.cpp
@@ -4158,13 +4158,15 @@
* when the EC_CURVE is not explicitly specified.
*/
TEST_P(ImportKeyTest, EcdsaSuccessCurveNotSpecified) {
- if (get_vsr_api_level() < AVendorSupport_getVendorApiLevelOf(__ANDROID_API_V__)) {
+ int vendor_api_level = get_vendor_api_level();
+ if (vendor_api_level < AVendorSupport_getVendorApiLevelOf(__ANDROID_API_V__)) {
/*
* The KeyMint spec was previously not clear as to whether EC_CURVE was optional on import
- * of EC keys. However, this was not checked at the time so we can only be strict about
- * checking this for implementations at VSR-V or later.
+ * of EC keys. However, this was not checked at the time, so we version-gate the strict
+ * check.
*/
- GTEST_SKIP() << "Skipping EC_CURVE on import only strict >= VSR-V";
+ GTEST_SKIP() << "Applies only to vendor API level >= 202404, but this device is: "
+ << vendor_api_level;
}
ASSERT_EQ(ErrorCode::OK, ImportKey(AuthorizationSetBuilder()
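Review bot: The skip message in EcdsaSuccessCurveNotSpecified hard-codes 202404 while the condition computes its threshold with `AVendorSupport_getVendorApiLevelOf(__ANDROID_API_V__)`, so the text and the gate can drift apart when either is edited. Holding the threshold in a local and streaming it removes the duplicate: `const int min_level = AVendorSupport_getVendorApiLevelOf(__ANDROID_API_V__);` and then `GTEST_SKIP() << "Applies only to vendor API level >= " << min_level << ", but this device is: " << vendor_api_level;`. The same pattern appears in ImportWrappedKeyTest RsaKey and EcKey and in Vsr16Test later in this file.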
@@ -5316,15 +5318,15 @@
"8564");
TEST_P(ImportWrappedKeyTest, RsaKey) {
- int vsr_api_level = get_vsr_api_level();
- if (vsr_api_level < AVendorSupport_getVendorApiLevelOf(__ANDROID_API_V__)) {
+ int vendor_api_level = get_vendor_api_level();
+ if (vendor_api_level < AVendorSupport_getVendorApiLevelOf(__ANDROID_API_V__)) {
/*
* The Keymaster v4 spec introduced `importWrappedKey()` and did not restrict it to
* just symmetric keys. However, the import of asymmetric wrapped keys was not tested
- * at the time, so we can only be strict about checking this for implementations claiming
- * support for VSR API level 35 and above.
+ * at the time, so we version-gate the strict check.
*/
- GTEST_SKIP() << "Applies only to VSR API level 35, this device is: " << vsr_api_level;
+ GTEST_SKIP() << "Applies only to vendor API level >= 202404, but this device is: "
+ << vendor_api_level;
}
auto wrapping_key_desc = AuthorizationSetBuilder()
@@ -5347,15 +5349,15 @@
}
TEST_P(ImportWrappedKeyTest, EcKey) {
- int vsr_api_level = get_vsr_api_level();
- if (vsr_api_level < AVendorSupport_getVendorApiLevelOf(__ANDROID_API_V__)) {
+ int vendor_api_level = get_vendor_api_level();
+ if (vendor_api_level < AVendorSupport_getVendorApiLevelOf(__ANDROID_API_V__)) {
/*
* The Keymaster v4 spec introduced `importWrappedKey()` and did not restrict it to
* just symmetric keys. However, the import of asymmetric wrapped keys was not tested
- * at the time, so we can only be strict about checking this for implementations claiming
- * support for VSR API level 35 and above.
+ * at the time, so we version-gate the strict check.
*/
- GTEST_SKIP() << "Applies only to VSR API level 35, this device is: " << vsr_api_level;
+ GTEST_SKIP() << "Applies only to vendor API level >= 202404, but this device is: "
+ << vendor_api_level;
}
auto wrapping_key_desc = AuthorizationSetBuilder()
@@ -8945,27 +8947,30 @@
// @VsrTest = VSR-3.10-008
TEST_P(VsrRequirementTest, Vsr13Test) {
- int vsr_api_level = get_vsr_api_level();
- if (vsr_api_level < __ANDROID_API_T__) {
- GTEST_SKIP() << "Applies only to VSR API level 33, this device is: " << vsr_api_level;
+ int vendor_api_level = get_vendor_api_level();
+ if (vendor_api_level < __ANDROID_API_T__) {
+ GTEST_SKIP() << "Applies only to vendor API level >= 33, but this device is: "
+ << vendor_api_level;
}
EXPECT_GE(AidlVersion(), 2) << "VSR 13+ requires KeyMint version 2";
}
// @VsrTest = VSR-3.10-013.001
TEST_P(VsrRequirementTest, Vsr14Test) {
- int vsr_api_level = get_vsr_api_level();
- if (vsr_api_level < __ANDROID_API_U__) {
- GTEST_SKIP() << "Applies only to VSR API level 34, this device is: " << vsr_api_level;
+ int vendor_api_level = get_vendor_api_level();
+ if (vendor_api_level < __ANDROID_API_U__) {
+ GTEST_SKIP() << "Applies only to vendor API level >= 34, but this device is: "
+ << vendor_api_level;
}
EXPECT_GE(AidlVersion(), 3) << "VSR 14+ requires KeyMint version 3";
}
// @VsrTest = GMS-VSR-3.10-019
TEST_P(VsrRequirementTest, Vsr16Test) {
- int vsr_api_level = get_vsr_api_level();
- if (vsr_api_level <= AVendorSupport_getVendorApiLevelOf(__ANDROID_API_V__)) {
- GTEST_SKIP() << "Applies only to VSR API level > 35, this device is: " << vsr_api_level;
+ int vendor_api_level = get_vendor_api_level();
+ if (vendor_api_level <= AVendorSupport_getVendorApiLevelOf(__ANDROID_API_V__)) {
+ GTEST_SKIP() << "Applies only to vendor API level > 202404, but this device is: "
+ << vendor_api_level;
}
if (SecLevel() == SecurityLevel::STRONGBOX) {
GTEST_SKIP() << "Applies only to TEE KeyMint, not StrongBox KeyMint";
diff --git a/security/keymint/aidl/vts/functional/SecureElementProvisioningTest.cpp b/security/keymint/aidl/vts/functional/SecureElementProvisioningTest.cpp
index 1f09328..5888644 100644
--- a/security/keymint/aidl/vts/functional/SecureElementProvisioningTest.cpp
+++ b/security/keymint/aidl/vts/functional/SecureElementProvisioningTest.cpp
@@ -115,13 +115,14 @@
const auto& vbKey = rot->asArray()->get(pos++);
ASSERT_TRUE(vbKey);
ASSERT_TRUE(vbKey->asBstr());
- if (get_vsr_api_level() > AVendorSupport_getVendorApiLevelOf(__ANDROID_API_V__)) {
+ if (get_vendor_api_level() > AVendorSupport_getVendorApiLevelOf(__ANDROID_API_V__)) {
// The Verified Boot key field should be exactly 32 bytes since it
// contains the SHA-256 hash of the key on locked devices or 32 bytes
// of zeroes on unlocked devices. This wasn't checked for earlier
- // versions of the KeyMint HAL, so only only be strict for VSR-16+.
+ // versions of the KeyMint HAL, so we version-gate the strict check.
ASSERT_EQ(vbKey->asBstr()->value().size(), 32);
- } else if (get_vsr_api_level() == AVendorSupport_getVendorApiLevelOf(__ANDROID_API_V__)) {
+ } else if (get_vendor_api_level() ==
+ AVendorSupport_getVendorApiLevelOf(__ANDROID_API_V__)) {
// The Verified Boot key field should be:
// - Exactly 32 bytes on locked devices since it should contain
// the SHA-256 hash of the key, or
@@ -130,7 +131,7 @@
// specification).
// Thus, we can't check for strict equality in case unlocked devices
// report values with less than 32 bytes. This wasn't checked for
- // earlier versions of the KeyMint HAL, so only check on VSR-15.
+ // earlier versions of the KeyMint HAL, so we version-gate the check.
ASSERT_LE(vbKey->asBstr()->value().size(), 32);
}
diff --git a/security/rkp/aidl/vts/functional/VtsRemotelyProvisionedComponentTests.cpp b/security/rkp/aidl/vts/functional/VtsRemotelyProvisionedComponentTests.cpp
index f40a752..810cc38 100644
--- a/security/rkp/aidl/vts/functional/VtsRemotelyProvisionedComponentTests.cpp
+++ b/security/rkp/aidl/vts/functional/VtsRemotelyProvisionedComponentTests.cpp
@@ -186,10 +186,10 @@
if (status.getExceptionCode() == EX_UNSUPPORTED_OPERATION) {
GTEST_SKIP() << "The RKP VM is not supported on this system.";
}
- int apiLevel = get_vsr_api_level();
- if (apiLevel < __ANDROID_API_V__) {
- GTEST_SKIP() << "The RKP VM is supported only on V+ devices. Vendor API level: "
- << apiLevel;
+ int vendorApiLevel = get_vendor_api_level();
+ if (vendorApiLevel < __ANDROID_API_V__) {
+ GTEST_SKIP() << "The RKP VM is supported only on vendor API level >= 202404. This "
+ << "device has vendor API level: " << vendorApiLevel;
}
}
ASSERT_TRUE(status.isOk());
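Review bot: The gate `vendorApiLevel < __ANDROID_API_V__` compares against the SDK constant, while the skip message it guards says the requirement is vendor API level >= 202404, so the message names a threshold the code does not test. The KeyMint tests in this commit derive the V threshold with `AVendorSupport_getVendorApiLevelOf(__ANDROID_API_V__)`, and using it here would make the condition match its message: `if (vendorApiLevel < AVendorSupport_getVendorApiLevelOf(__ANDROID_API_V__)) {`. The result is presumably the same today only because no vendor API level falls between the two values, which is an unstated assumption. requireDiceOnDefaultInstanceIfStrongboxPresent in the next hunk has the same mismatch. The enclosing function starts outside this hunk, and whether the file already includes the declaring header is not visible here.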
@@ -240,10 +240,10 @@
// @VsrTest = 3.10-015
// @VsrTest = 3.10-018.001
TEST(NonParameterizedTests, requireDiceOnDefaultInstanceIfStrongboxPresent) {
- int vsr_api_level = get_vsr_api_level();
- if (vsr_api_level < 35) {
- GTEST_SKIP() << "Applies only to VSR API level 35 or newer, this device is: "
- << vsr_api_level;
+ int vendor_api_level = get_vendor_api_level();
+ if (vendor_api_level < __ANDROID_API_V__) {
+ GTEST_SKIP() << "Applies only to vendor API level >= 202404, but this device is: "
+ << vendor_api_level;
}
if (!AServiceManager_isDeclared(KEYMINT_STRONGBOX_INSTANCE_NAME.c_str())) {
@@ -270,11 +270,11 @@
*/
// @VsrTest = 7.1-003.001
TEST(NonParameterizedTests, equalUdsPubInDiceCertChainForRkpVmAndPrimaryKeyMintInstances) {
- int apiLevel = get_vsr_api_level();
- if (apiLevel < 202504 && !AServiceManager_isDeclared(RKPVM_INSTANCE_NAME.c_str())) {
+ int vendorApiLevel = get_vendor_api_level();
+ if (vendorApiLevel < 202504 && !AServiceManager_isDeclared(RKPVM_INSTANCE_NAME.c_str())) {
GTEST_SKIP() << "The RKP VM (" << RKPVM_INSTANCE_NAME << ") is not present on this device.";
}
- if (apiLevel >= 202504) {
+ if (vendorApiLevel >= 202504) {
ASSERT_TRUE(AServiceManager_isDeclared(RKPVM_INSTANCE_NAME.c_str()));
}
@@ -319,10 +319,10 @@
*/
// @VsrTest = 3.10-018.003
TEST(NonParameterizedTests, componentNameInConfigurationDescriptorForPrimaryKeyMintInstance) {
- int vsr_api_level = get_vsr_api_level();
- if (vsr_api_level < 202504) {
- GTEST_SKIP() << "Applies only to VSR API level 202504 or newer, this device is: "
- << vsr_api_level;
+ int vendor_api_level = get_vendor_api_level();
+ if (vendor_api_level < 202504) {
+ GTEST_SKIP() << "Applies only to vendor API level >= 202504, but this device is: "
+ << vendor_api_level;
}
if (!AServiceManager_isDeclared(KEYMINT_STRONGBOX_INSTANCE_NAME.c_str())) {
@@ -1155,10 +1155,10 @@
TEST_P(VsrRequirementTest, VsrEnforcementTest) {
RpcHardwareInfo hwInfo;
ASSERT_TRUE(provisionable_->getHardwareInfo(&hwInfo).isOk());
- int vsr_api_level = get_vsr_api_level();
- if (vsr_api_level < 34) {
- GTEST_SKIP() << "Applies only to VSR API level 34 or newer, this device is: "
- << vsr_api_level;
+ int vendor_api_level = get_vendor_api_level();
+ if (vendor_api_level < __ANDROID_API_U__) {
+ GTEST_SKIP() << "Applies only to vendor API level >= 34, but this device is: "
+ << vendor_api_level;
}
EXPECT_GE(hwInfo.versionNumber, 3)
<< "VSR 14+ requires IRemotelyProvisionedComponent v3 or newer.";