Gitiles
Code Review Sign In
gerrit.omnirom.org / android_hardware_interfaces / c1bf5f8a6d640cadf8b9c5ca7afbe1f2c1710a65^! / . / security / keymint / aidl / default
commitc1bf5f8a6d640cadf8b9c5ca7afbe1f2c1710a65[log] [tgz]
authorCatherine Vlasov <cvlasov@google.com>Mon Nov 18 10:56:18 2024 +0000
committerCatherine Vlasov <cvlasov@google.com>Mon Dec 09 15:26:15 2024 +0000
tree88a5aad625ecebad8337c9953b7c305de76bda23
parent584871b6972c84a5a2695731ee8dfc8f50cf2cc3 [diff]
Read Verified Boot key from system property in default KeyMint implementation.

Even though this (insecure) implementation technically has access to
the Verified Boot key on unlocked builds, it should only send this
value if the bootloader is locked (in order to pass the VTS-16+ test
that checks that the attested "rootOfTrust.verifiedBootKey" value is
32 bytes of zeroes on unlocked devices).

Bug: 220834466
Test: atest VtsAidlKeyMintTargetTest (uses the KeyMint I'm updating)
Change-Id: I30e82165792facef85e9d66d4e6ebe8f64e1086b

diff --git a/security/keymint/aidl/default/hal/lib.rs b/security/keymint/aidl/default/hal/lib.rs
index 621f077..fad807f 100644
--- a/security/keymint/aidl/default/hal/lib.rs
+++ b/security/keymint/aidl/default/hal/lib.rs

@@ -47,11 +47,9 @@
 
 /// Get boot information based on system properties.
 pub fn get_boot_info() -> kmr_wire::SetBootInfoRequest {
-    // No access to a verified boot key.
-    let verified_boot_key = vec![0; 32];
     let vbmeta_digest = get_property("ro.boot.vbmeta.digest").unwrap_or_else(|_| "00".repeat(32));
     let verified_boot_hash = hex::decode(&vbmeta_digest).unwrap_or_else(|_e| {
-        error!("failed to parse hex data in '{}'", vbmeta_digest);
+        error!("failed to parse VBMeta digest hex data in '{vbmeta_digest}': {_e:?}");
         vec![0; 32]
     });
     let device_boot_locked = match get_property("ro.boot.vbmeta.device_state")
@@ -65,6 +63,18 @@
             false
         }
     };
+    let verified_boot_key_digest =
+        get_property("ro.boot.vbmeta.public_key_digest").unwrap_or_else(|_| "00".repeat(32));
+    let verified_boot_key = match device_boot_locked {
+        true => hex::decode(&verified_boot_key_digest).unwrap_or_else(|_e| {
+            error!("Failed to parse Verified Boot key hex data in '{verified_boot_key_digest}': {_e:?}");
+            vec![0; 32]
+        }),
+        // VTS-16+ requires the attested Verified Boot key to be 32 bytes of zeroes when the
+        // bootloader is unlocked, so we ignore the property's value in that case. Behaviour
+        // prior to VTS-16 is unspecified, so it's fine to return the same.
+        false => vec![0; 32],
+    };
     let verified_boot_state = match get_property("ro.boot.verifiedbootstate")
         .unwrap_or_else(|_| "no-prop".to_string())
         .as_str()