Allow RKP-only devices to pass keymint VTS
Add test paths for HALs that are RKP-only so that they may pass tests.
Fix up a few tests that were just being skipped for RKP-only HALs.
Test: ran VTS against cuttlefish with no factory key
Bug: 329409739
Change-Id: I5400874dd2f9885c061970a30ea44985353d23ed
diff --git a/security/keymint/aidl/vts/functional/AttestKeyTest.cpp b/security/keymint/aidl/vts/functional/AttestKeyTest.cpp
index cc97c13..7fbca36 100644
--- a/security/keymint/aidl/vts/functional/AttestKeyTest.cpp
+++ b/security/keymint/aidl/vts/functional/AttestKeyTest.cpp
@@ -20,6 +20,7 @@
#include <cutils/log.h>
#include <cutils/properties.h>
+#include <keymint_support/authorization_set.h>
#include <keymint_support/key_param_output.h>
#include <keymint_support/openssl_utils.h>
@@ -93,7 +94,7 @@
class AttestKeyTest : public KeyMintAidlTestBase {
public:
void SetUp() override {
- skipAttestKeyTest();
+ skipAttestKeyTestIfNeeded();
KeyMintAidlTestBase::SetUp();
}
};
@@ -273,7 +274,7 @@
/*
* AttestKeyTest.RsaAttestedAttestKeys
*
- * This test creates an RSA attestation key signed by factory keys, and varifies it can be
+ * This test creates an RSA attestation key signed by factory keys, and verifies it can be
* used to sign other RSA and EC keys.
*/
TEST_P(AttestKeyTest, RsaAttestedAttestKeys) {
@@ -305,9 +306,8 @@
.SetDefaultValidity(),
{} /* attestation signing key */, &attest_key.keyBlob,
&attest_key_characteristics, &attest_key_cert_chain);
- // Strongbox may not support factory provisioned attestation key.
- if (SecLevel() == SecurityLevel::STRONGBOX) {
- if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) return;
+ if (isRkpOnly() && result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
+ GTEST_SKIP() << "RKP-only devices do not have a factory key";
}
ASSERT_EQ(ErrorCode::OK, result);
KeyBlobDeleter attest_deleter(keymint_, attest_key.keyBlob);
@@ -400,30 +400,32 @@
attest_key_opt = attest_key;
}
- auto result = GenerateAttestKey(AuthorizationSetBuilder()
- .RsaKey(2048, 65537)
- .AttestKey()
- .AttestationChallenge("foo")
- .AttestationApplicationId("bar")
- .Authorization(TAG_NO_AUTH_REQUIRED)
- .Authorization(TAG_CERTIFICATE_SERIAL, serial_blob)
- .Authorization(TAG_CERTIFICATE_SUBJECT, subject_der)
- .SetDefaultValidity(),
- attest_key_opt, &key_blob_list[i],
- &attested_key_characteristics, &cert_chain_list[i]);
- // Strongbox may not support factory provisioned attestation key.
- if (SecLevel() == SecurityLevel::STRONGBOX) {
- if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) return;
+ AuthorizationSetBuilder auth_set_builder =
+ AuthorizationSetBuilder()
+ .RsaKey(2048, 65537)
+ .AttestKey()
+ .AttestationApplicationId("bar")
+ .Authorization(TAG_NO_AUTH_REQUIRED)
+ .Authorization(TAG_CERTIFICATE_SERIAL, serial_blob)
+ .Authorization(TAG_CERTIFICATE_SUBJECT, subject_der)
+ .SetDefaultValidity();
+ // In RKP-only systems, the first key cannot be attested due to lack of batch key
+ if (!isRkpOnly() || i > 0) {
+ auth_set_builder.AttestationChallenge("foo");
}
+ auto result = GenerateAttestKey(auth_set_builder, attest_key_opt, &key_blob_list[i],
+ &attested_key_characteristics, &cert_chain_list[i]);
ASSERT_EQ(ErrorCode::OK, result);
deleters.push_back(KeyBlobDeleter(keymint_, key_blob_list[i]));
- AuthorizationSet hw_enforced = HwEnforcedAuthorizations(attested_key_characteristics);
- AuthorizationSet sw_enforced = SwEnforcedAuthorizations(attested_key_characteristics);
- ASSERT_GT(cert_chain_list[i].size(), 0);
- ASSERT_TRUE(verify_attestation_record(AidlVersion(), "foo", "bar", sw_enforced, hw_enforced,
- SecLevel(),
- cert_chain_list[i][0].encodedCertificate));
+ if (!isRkpOnly() || i > 0) {
+ AuthorizationSet hw_enforced = HwEnforcedAuthorizations(attested_key_characteristics);
+ AuthorizationSet sw_enforced = SwEnforcedAuthorizations(attested_key_characteristics);
+ ASSERT_GT(cert_chain_list[i].size(), 0);
+ ASSERT_TRUE(verify_attestation_record(AidlVersion(), "foo", "bar", sw_enforced,
+ hw_enforced, SecLevel(),
+ cert_chain_list[i][0].encodedCertificate));
+ }
if (i > 0) {
/*
@@ -439,7 +441,7 @@
}
EXPECT_TRUE(ChainSignaturesAreValid(cert_chain_list[i]));
- EXPECT_GT(cert_chain_list[i].size(), i + 1);
+ EXPECT_GT(cert_chain_list[i].size(), i + (isRkpOnly() ? 0 : 1));
verify_subject_and_serial(cert_chain_list[i][0], serial_int, subject, false);
}
}
@@ -475,36 +477,34 @@
attest_key_opt = attest_key;
}
- auto result = GenerateAttestKey(AuthorizationSetBuilder()
- .EcdsaKey(EcCurve::P_256)
- .AttestKey()
- .AttestationChallenge("foo")
- .AttestationApplicationId("bar")
- .Authorization(TAG_CERTIFICATE_SERIAL, serial_blob)
- .Authorization(TAG_CERTIFICATE_SUBJECT, subject_der)
- .Authorization(TAG_NO_AUTH_REQUIRED)
- .SetDefaultValidity(),
- attest_key_opt, &key_blob_list[i],
- &attested_key_characteristics, &cert_chain_list[i]);
- // Strongbox may not support factory provisioned attestation key.
- if (SecLevel() == SecurityLevel::STRONGBOX) {
- if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) return;
+ AuthorizationSetBuilder auth_set_builder =
+ AuthorizationSetBuilder()
+ .EcdsaKey(EcCurve::P_256)
+ .AttestKey()
+ .AttestationApplicationId("bar")
+ .Authorization(TAG_CERTIFICATE_SERIAL, serial_blob)
+ .Authorization(TAG_CERTIFICATE_SUBJECT, subject_der)
+ .Authorization(TAG_NO_AUTH_REQUIRED)
+ .SetDefaultValidity();
+ // In RKP-only systems, the first key cannot be attested due to lack of batch key
+ if (!isRkpOnly() || i > 0) {
+ auth_set_builder.AttestationChallenge("foo");
}
+ auto result = GenerateAttestKey(auth_set_builder, attest_key_opt, &key_blob_list[i],
+ &attested_key_characteristics, &cert_chain_list[i]);
ASSERT_EQ(ErrorCode::OK, result);
deleters.push_back(KeyBlobDeleter(keymint_, key_blob_list[i]));
- AuthorizationSet hw_enforced = HwEnforcedAuthorizations(attested_key_characteristics);
- AuthorizationSet sw_enforced = SwEnforcedAuthorizations(attested_key_characteristics);
- ASSERT_GT(cert_chain_list[i].size(), 0);
- ASSERT_TRUE(verify_attestation_record(AidlVersion(), "foo", "bar", sw_enforced, hw_enforced,
- SecLevel(),
- cert_chain_list[i][0].encodedCertificate));
+ if (!isRkpOnly() || i > 0) {
+ AuthorizationSet hw_enforced = HwEnforcedAuthorizations(attested_key_characteristics);
+ AuthorizationSet sw_enforced = SwEnforcedAuthorizations(attested_key_characteristics);
+ ASSERT_GT(cert_chain_list[i].size(), 0);
+ ASSERT_TRUE(verify_attestation_record(AidlVersion(), "foo", "bar", sw_enforced,
+ hw_enforced, SecLevel(),
+ cert_chain_list[i][0].encodedCertificate));
+ }
if (i > 0) {
- /*
- * The first key is attestated with factory chain, but all the rest of the keys are
- * not supposed to be returned in attestation certificate chains.
- */
EXPECT_FALSE(ChainSignaturesAreValid(cert_chain_list[i]));
// Appending the attest_key chain to the attested_key_chain should yield a valid chain.
@@ -514,7 +514,7 @@
}
EXPECT_TRUE(ChainSignaturesAreValid(cert_chain_list[i]));
- EXPECT_GT(cert_chain_list[i].size(), i + 1);
+ EXPECT_GT(cert_chain_list[i].size(), i + (isRkpOnly() ? 0 : 1));
verify_subject_and_serial(cert_chain_list[i][0], serial_int, subject, false);
}
}
@@ -576,45 +576,36 @@
attest_key.keyBlob = key_blob_list[i - 1];
attest_key_opt = attest_key;
}
- ErrorCode result;
+ AuthorizationSetBuilder auth_set_builder =
+ AuthorizationSetBuilder()
+ .AttestKey()
+ .AttestationApplicationId("bar")
+ .Authorization(TAG_CERTIFICATE_SERIAL, serial_blob)
+ .Authorization(TAG_CERTIFICATE_SUBJECT, subject_der)
+ .Authorization(TAG_NO_AUTH_REQUIRED)
+ .SetDefaultValidity();
+ // In RKP-only systems, the first key cannot be attested due to lack of batch key
+ if (!isRkpOnly() || i > 0) {
+ auth_set_builder.AttestationChallenge("foo");
+ }
if ((i & 0x1) == 1) {
- result = GenerateAttestKey(AuthorizationSetBuilder()
- .EcdsaKey(EcCurve::P_256)
- .AttestKey()
- .AttestationChallenge("foo")
- .AttestationApplicationId("bar")
- .Authorization(TAG_CERTIFICATE_SERIAL, serial_blob)
- .Authorization(TAG_CERTIFICATE_SUBJECT, subject_der)
- .Authorization(TAG_NO_AUTH_REQUIRED)
- .SetDefaultValidity(),
- attest_key_opt, &key_blob_list[i],
- &attested_key_characteristics, &cert_chain_list[i]);
+ auth_set_builder.EcdsaKey(EcCurve::P_256);
} else {
- result = GenerateAttestKey(AuthorizationSetBuilder()
- .RsaKey(2048, 65537)
- .AttestKey()
- .AttestationChallenge("foo")
- .AttestationApplicationId("bar")
- .Authorization(TAG_CERTIFICATE_SERIAL, serial_blob)
- .Authorization(TAG_CERTIFICATE_SUBJECT, subject_der)
- .Authorization(TAG_NO_AUTH_REQUIRED)
- .SetDefaultValidity(),
- attest_key_opt, &key_blob_list[i],
- &attested_key_characteristics, &cert_chain_list[i]);
+ auth_set_builder.RsaKey(2048, 65537);
}
- // Strongbox may not support factory provisioned attestation key.
- if (SecLevel() == SecurityLevel::STRONGBOX) {
- if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) return;
- }
+ ErrorCode result = GenerateAttestKey(auth_set_builder, attest_key_opt, &key_blob_list[i],
+ &attested_key_characteristics, &cert_chain_list[i]);
ASSERT_EQ(ErrorCode::OK, result);
deleters.push_back(KeyBlobDeleter(keymint_, key_blob_list[i]));
- AuthorizationSet hw_enforced = HwEnforcedAuthorizations(attested_key_characteristics);
- AuthorizationSet sw_enforced = SwEnforcedAuthorizations(attested_key_characteristics);
- ASSERT_GT(cert_chain_list[i].size(), 0);
- ASSERT_TRUE(verify_attestation_record(AidlVersion(), "foo", "bar", sw_enforced, hw_enforced,
- SecLevel(),
- cert_chain_list[i][0].encodedCertificate));
+ if (!isRkpOnly() || i > 0) {
+ AuthorizationSet hw_enforced = HwEnforcedAuthorizations(attested_key_characteristics);
+ AuthorizationSet sw_enforced = SwEnforcedAuthorizations(attested_key_characteristics);
+ ASSERT_GT(cert_chain_list[i].size(), 0);
+ ASSERT_TRUE(verify_attestation_record(AidlVersion(), "foo", "bar", sw_enforced,
+ hw_enforced, SecLevel(),
+ cert_chain_list[i][0].encodedCertificate));
+ }
if (i > 0) {
/*
@@ -630,7 +621,7 @@
}
EXPECT_TRUE(ChainSignaturesAreValid(cert_chain_list[i]));
- EXPECT_GT(cert_chain_list[i].size(), i + 1);
+ EXPECT_GT(cert_chain_list[i].size(), i + (isRkpOnly() ? 0 : 1));
verify_subject_and_serial(cert_chain_list[i][0], serial_int, subject, false);
}
}
diff --git a/security/keymint/aidl/vts/functional/AuthTest.cpp b/security/keymint/aidl/vts/functional/AuthTest.cpp
index eb5db68..f435513 100644
--- a/security/keymint/aidl/vts/functional/AuthTest.cpp
+++ b/security/keymint/aidl/vts/functional/AuthTest.cpp
@@ -455,18 +455,7 @@
.Authorization(TAG_AUTH_TIMEOUT, timeout_secs);
vector<uint8_t> keyblob;
vector<KeyCharacteristics> key_characteristics;
- vector<Certificate> cert_chain;
- auto result = GenerateKey(builder, std::nullopt, &keyblob, &key_characteristics, &cert_chain);
- if (SecLevel() == SecurityLevel::STRONGBOX) {
- if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
- result = GenerateKeyWithSelfSignedAttestKey(AuthorizationSetBuilder()
- .EcdsaKey(EcCurve::P_256)
- .AttestKey()
- .SetDefaultValidity(),
- builder, &keyblob, &key_characteristics,
- &cert_chain);
- }
- }
+ auto result = GenerateKey(builder, &keyblob, &key_characteristics);
ASSERT_EQ(ErrorCode::OK, result);
// Verify first user to get a HAT that should work.
diff --git a/security/keymint/aidl/vts/functional/BootloaderStateTest.cpp b/security/keymint/aidl/vts/functional/BootloaderStateTest.cpp
index 808ed18..c1f6aee 100644
--- a/security/keymint/aidl/vts/functional/BootloaderStateTest.cpp
+++ b/security/keymint/aidl/vts/functional/BootloaderStateTest.cpp
@@ -54,18 +54,6 @@
.Digest(Digest::NONE)
.SetDefaultValidity();
auto result = GenerateKey(keyDesc, &key_blob, &key_characteristics);
- // If factory provisioned attestation key is not supported by Strongbox,
- // then create a key with self-signed attestation and use it as the
- // attestation key instead.
- if (SecLevel() == SecurityLevel::STRONGBOX &&
- result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
- result = GenerateKeyWithSelfSignedAttestKey(
- AuthorizationSetBuilder()
- .EcdsaKey(EcCurve::P_256)
- .AttestKey()
- .SetDefaultValidity(), /* attest key params */
- keyDesc, &key_blob, &key_characteristics);
- }
ASSERT_EQ(ErrorCode::OK, result);
// Parse attested AVB values.
diff --git a/security/keymint/aidl/vts/functional/DeviceUniqueAttestationTest.cpp b/security/keymint/aidl/vts/functional/DeviceUniqueAttestationTest.cpp
index 8e9aded..f669110 100644
--- a/security/keymint/aidl/vts/functional/DeviceUniqueAttestationTest.cpp
+++ b/security/keymint/aidl/vts/functional/DeviceUniqueAttestationTest.cpp
@@ -73,20 +73,22 @@
vector<KeyCharacteristics> key_characteristics;
// Check RSA implementation
- auto result = GenerateKey(AuthorizationSetBuilder()
- .Authorization(TAG_NO_AUTH_REQUIRED)
- .RsaSigningKey(2048, 65537)
- .Digest(Digest::SHA_2_256)
- .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN)
- .Authorization(TAG_INCLUDE_UNIQUE_ID)
- .Authorization(TAG_CREATION_DATETIME, 1619621648000)
- .SetDefaultValidity()
- .AttestationChallenge("challenge")
- .AttestationApplicationId("foo")
- .Authorization(TAG_DEVICE_UNIQUE_ATTESTATION),
- &key_blob, &key_characteristics);
+ auto result =
+ GenerateKey(AuthorizationSetBuilder()
+ .Authorization(TAG_NO_AUTH_REQUIRED)
+ .RsaSigningKey(2048, 65537)
+ .Digest(Digest::SHA_2_256)
+ .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN)
+ .Authorization(TAG_INCLUDE_UNIQUE_ID)
+ .Authorization(TAG_CREATION_DATETIME, 1619621648000)
+ .SetDefaultValidity()
+ .AttestationChallenge("challenge")
+ .AttestationApplicationId("foo")
+ .Authorization(TAG_DEVICE_UNIQUE_ATTESTATION),
+ /*attest_key=*/std::nullopt, &key_blob, &key_characteristics, &cert_chain_);
- ASSERT_TRUE(result == ErrorCode::INVALID_ARGUMENT || result == ErrorCode::UNSUPPORTED_TAG);
+ ASSERT_TRUE(result == ErrorCode::INVALID_ARGUMENT || result == ErrorCode::UNSUPPORTED_TAG)
+ << "Result: " << result;
}
/*
@@ -104,19 +106,21 @@
vector<KeyCharacteristics> key_characteristics;
// Check Ecdsa implementation
- auto result = GenerateKey(AuthorizationSetBuilder()
- .Authorization(TAG_NO_AUTH_REQUIRED)
- .EcdsaSigningKey(EcCurve::P_256)
- .Digest(Digest::SHA_2_256)
- .Authorization(TAG_INCLUDE_UNIQUE_ID)
- .Authorization(TAG_CREATION_DATETIME, 1619621648000)
- .SetDefaultValidity()
- .AttestationChallenge("challenge")
- .AttestationApplicationId("foo")
- .Authorization(TAG_DEVICE_UNIQUE_ATTESTATION),
- &key_blob, &key_characteristics);
+ auto result =
+ GenerateKey(AuthorizationSetBuilder()
+ .Authorization(TAG_NO_AUTH_REQUIRED)
+ .EcdsaSigningKey(EcCurve::P_256)
+ .Digest(Digest::SHA_2_256)
+ .Authorization(TAG_INCLUDE_UNIQUE_ID)
+ .Authorization(TAG_CREATION_DATETIME, 1619621648000)
+ .SetDefaultValidity()
+ .AttestationChallenge("challenge")
+ .AttestationApplicationId("foo")
+ .Authorization(TAG_DEVICE_UNIQUE_ATTESTATION),
+ /*attest_key=*/std::nullopt, &key_blob, &key_characteristics, &cert_chain_);
- ASSERT_TRUE(result == ErrorCode::INVALID_ARGUMENT || result == ErrorCode::UNSUPPORTED_TAG);
+ ASSERT_TRUE(result == ErrorCode::INVALID_ARGUMENT || result == ErrorCode::UNSUPPORTED_TAG)
+ << "Result: " << result;
}
/*
diff --git a/security/keymint/aidl/vts/functional/KeyMintAidlTestBase.cpp b/security/keymint/aidl/vts/functional/KeyMintAidlTestBase.cpp
index c121d31..332fcd4 100644
--- a/security/keymint/aidl/vts/functional/KeyMintAidlTestBase.cpp
+++ b/security/keymint/aidl/vts/functional/KeyMintAidlTestBase.cpp
@@ -20,6 +20,10 @@
#include <fstream>
#include <unordered_set>
#include <vector>
+#include "aidl/android/hardware/security/keymint/AttestationKey.h"
+#include "aidl/android/hardware/security/keymint/ErrorCode.h"
+#include "keymint_support/authorization_set.h"
+#include "keymint_support/keymint_tags.h"
#include <android-base/logging.h>
#include <android/binder_manager.h>
@@ -245,6 +249,13 @@
return AidlVersion() >= 3 && property_get_int32("ro.vendor.api_level", 0) > __ANDROID_API_T__;
}
+bool KeyMintAidlTestBase::isRkpOnly() {
+ if (SecLevel() == SecurityLevel::STRONGBOX) {
+ return property_get_bool("remote_provisioning.strongbox.rkp_only", false);
+ }
+ return property_get_bool("remote_provisioning.tee.rkp_only", false);
+}
+
bool KeyMintAidlTestBase::Curve25519Supported() {
// Strongbox never supports curve 25519.
if (SecLevel() == SecurityLevel::STRONGBOX) {
@@ -295,6 +306,40 @@
}
}
+ErrorCode KeyMintAidlTestBase::GenerateKey(const AuthorizationSet& key_desc) {
+ return GenerateKey(key_desc, &key_blob_, &key_characteristics_);
+}
+
+ErrorCode KeyMintAidlTestBase::GenerateKey(const AuthorizationSet& key_desc,
+ vector<uint8_t>* key_blob,
+ vector<KeyCharacteristics>* key_characteristics) {
+ std::optional<AttestationKey> attest_key = std::nullopt;
+ vector<Certificate> attest_cert_chain;
+ // If an attestation is requested, but the system is RKP-only, we need to supply an explicit
+ // attestation key. Else the result is a key without an attestation.
+ if (isRkpOnly() && key_desc.Contains(TAG_ATTESTATION_CHALLENGE)) {
+ skipAttestKeyTestIfNeeded();
+ AuthorizationSet attest_key_desc =
+ AuthorizationSetBuilder().EcdsaKey(EcCurve::P_256).AttestKey().SetDefaultValidity();
+ attest_key.emplace();
+ vector<KeyCharacteristics> attest_key_characteristics;
+ auto error = GenerateAttestKey(attest_key_desc, std::nullopt, &attest_key.value().keyBlob,
+ &attest_key_characteristics, &attest_cert_chain);
+ EXPECT_EQ(error, ErrorCode::OK);
+ EXPECT_EQ(attest_cert_chain.size(), 1);
+ attest_key.value().issuerSubjectName = make_name_from_str("Android Keystore Key");
+ }
+
+ ErrorCode error =
+ GenerateKey(key_desc, attest_key, key_blob, key_characteristics, &cert_chain_);
+
+ if (error == ErrorCode::OK && attest_cert_chain.size() > 0) {
+ cert_chain_.push_back(attest_cert_chain[0]);
+ }
+
+ return error;
+}
+
ErrorCode KeyMintAidlTestBase::GenerateKey(const AuthorizationSet& key_desc,
const optional<AttestationKey>& attest_key,
vector<uint8_t>* key_blob,
@@ -335,36 +380,6 @@
return GetReturnErrorCode(result);
}
-ErrorCode KeyMintAidlTestBase::GenerateKey(const AuthorizationSet& key_desc,
- const optional<AttestationKey>& attest_key) {
- return GenerateKey(key_desc, attest_key, &key_blob_, &key_characteristics_, &cert_chain_);
-}
-
-ErrorCode KeyMintAidlTestBase::GenerateKeyWithSelfSignedAttestKey(
- const AuthorizationSet& attest_key_desc, const AuthorizationSet& key_desc,
- vector<uint8_t>* key_blob, vector<KeyCharacteristics>* key_characteristics,
- vector<Certificate>* cert_chain) {
- skipAttestKeyTest();
- AttestationKey attest_key;
- vector<Certificate> attest_cert_chain;
- vector<KeyCharacteristics> attest_key_characteristics;
- // Generate a key with self signed attestation.
- auto error = GenerateAttestKey(attest_key_desc, std::nullopt, &attest_key.keyBlob,
- &attest_key_characteristics, &attest_cert_chain);
- if (error != ErrorCode::OK) {
- return error;
- }
-
- attest_key.issuerSubjectName = make_name_from_str("Android Keystore Key");
- // Generate a key, by passing the above self signed attestation key as attest key.
- error = GenerateKey(key_desc, attest_key, key_blob, key_characteristics, cert_chain);
- if (error == ErrorCode::OK) {
- // Append the attest_cert_chain to the attested cert_chain to yield a valid cert chain.
- cert_chain->push_back(attest_cert_chain[0]);
- }
- return error;
-}
-
ErrorCode KeyMintAidlTestBase::ImportKey(const AuthorizationSet& key_desc, KeyFormat format,
const string& key_material, vector<uint8_t>* key_blob,
vector<KeyCharacteristics>* key_characteristics) {
@@ -1663,7 +1678,7 @@
// Skip a test that involves use of the ATTEST_KEY feature in specific configurations
// where ATTEST_KEY is not supported (for either StrongBox or TEE).
-void KeyMintAidlTestBase::skipAttestKeyTest(void) const {
+void KeyMintAidlTestBase::skipAttestKeyTestIfNeeded() const {
if (shouldSkipAttestKeyTest()) {
GTEST_SKIP() << "Test using ATTEST_KEY is not applicable on waivered device";
}
diff --git a/security/keymint/aidl/vts/functional/KeyMintAidlTestBase.h b/security/keymint/aidl/vts/functional/KeyMintAidlTestBase.h
index 4ed7698..b884cc7 100644
--- a/security/keymint/aidl/vts/functional/KeyMintAidlTestBase.h
+++ b/security/keymint/aidl/vts/functional/KeyMintAidlTestBase.h
@@ -104,35 +104,19 @@
uint32_t boot_patch_level();
bool isDeviceIdAttestationRequired();
bool isSecondImeiIdAttestationRequired();
+ bool isRkpOnly();
bool Curve25519Supported();
+ ErrorCode GenerateKey(const AuthorizationSet& key_desc);
+
ErrorCode GenerateKey(const AuthorizationSet& key_desc, vector<uint8_t>* key_blob,
- vector<KeyCharacteristics>* key_characteristics) {
- return GenerateKey(key_desc, std::nullopt /* attest_key */, key_blob, key_characteristics,
- &cert_chain_);
- }
+ vector<KeyCharacteristics>* key_characteristics);
+
ErrorCode GenerateKey(const AuthorizationSet& key_desc,
const optional<AttestationKey>& attest_key, vector<uint8_t>* key_blob,
vector<KeyCharacteristics>* key_characteristics,
vector<Certificate>* cert_chain);
- ErrorCode GenerateKey(const AuthorizationSet& key_desc,
- const optional<AttestationKey>& attest_key = std::nullopt);
-
- // Generate key for implementations which do not support factory attestation.
- ErrorCode GenerateKeyWithSelfSignedAttestKey(const AuthorizationSet& attest_key_desc,
- const AuthorizationSet& key_desc,
- vector<uint8_t>* key_blob,
- vector<KeyCharacteristics>* key_characteristics,
- vector<Certificate>* cert_chain);
-
- ErrorCode GenerateKeyWithSelfSignedAttestKey(const AuthorizationSet& attest_key_desc,
- const AuthorizationSet& key_desc,
- vector<uint8_t>* key_blob,
- vector<KeyCharacteristics>* key_characteristics) {
- return GenerateKeyWithSelfSignedAttestKey(attest_key_desc, key_desc, key_blob,
- key_characteristics, &cert_chain_);
- }
ErrorCode ImportKey(const AuthorizationSet& key_desc, KeyFormat format,
const string& key_material, vector<uint8_t>* key_blob,
@@ -372,7 +356,7 @@
bool is_strongbox_enabled(void) const;
bool is_chipset_allowed_km4_strongbox(void) const;
bool shouldSkipAttestKeyTest(void) const;
- void skipAttestKeyTest(void) const;
+ void skipAttestKeyTestIfNeeded() const;
void assert_mgf_digests_present_or_not_in_key_characteristics(
const vector<KeyCharacteristics>& key_characteristics,
diff --git a/security/keymint/aidl/vts/functional/KeyMintTest.cpp b/security/keymint/aidl/vts/functional/KeyMintTest.cpp
index 3bcdd8f..b65218f 100644
--- a/security/keymint/aidl/vts/functional/KeyMintTest.cpp
+++ b/security/keymint/aidl/vts/functional/KeyMintTest.cpp
@@ -37,6 +37,7 @@
#include <aidl/android/hardware/security/keymint/IRemotelyProvisionedComponent.h>
#include <aidl/android/hardware/security/keymint/KeyFormat.h>
+#include <keymint_support/authorization_set.h>
#include <keymint_support/key_param_output.h>
#include <keymint_support/openssl_utils.h>
@@ -1146,17 +1147,6 @@
.SetDefaultValidity();
auto result = GenerateKey(builder, &key_blob, &key_characteristics);
- // Strongbox may not support factory provisioned attestation key.
- if (SecLevel() == SecurityLevel::STRONGBOX) {
- if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
- result = GenerateKeyWithSelfSignedAttestKey(
- AuthorizationSetBuilder()
- .RsaKey(key_size, 65537)
- .AttestKey()
- .SetDefaultValidity(), /* attest key params */
- builder, &key_blob, &key_characteristics);
- }
- }
ASSERT_EQ(ErrorCode::OK, result);
KeyBlobDeleter deleter(keymint_, key_blob);
ASSERT_GT(key_blob.size(), 0U);
@@ -1369,17 +1359,6 @@
.SetDefaultValidity();
auto result = GenerateKey(builder, &key_blob, &key_characteristics);
- // Strongbox may not support factory provisioned attestation key.
- if (SecLevel() == SecurityLevel::STRONGBOX) {
- if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
- result = GenerateKeyWithSelfSignedAttestKey(
- AuthorizationSetBuilder()
- .RsaKey(key_size, 65537)
- .AttestKey()
- .SetDefaultValidity(), /* attest key params */
- builder, &key_blob, &key_characteristics);
- }
- }
ASSERT_EQ(ErrorCode::OK, result);
KeyBlobDeleter deleter(keymint_, key_blob);
@@ -1490,17 +1469,6 @@
.SetDefaultValidity();
auto result = GenerateKey(builder, &key_blob, &key_characteristics);
- // Strongbox may not support factory provisioned attestation key.
- if (SecLevel() == SecurityLevel::STRONGBOX) {
- if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
- result = GenerateKeyWithSelfSignedAttestKey(
- AuthorizationSetBuilder()
- .RsaKey(2048, 65537)
- .AttestKey()
- .SetDefaultValidity(), /* attest key params */
- builder, &key_blob, &key_characteristics);
- }
- }
ASSERT_EQ(ErrorCode::ATTESTATION_APPLICATION_ID_MISSING, result);
}
@@ -1625,17 +1593,6 @@
.SetDefaultValidity();
auto result = GenerateKey(builder, &key_blob, &key_characteristics);
- // Strongbox may not support factory provisioned attestation key.
- if (SecLevel() == SecurityLevel::STRONGBOX) {
- if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
- result = GenerateKeyWithSelfSignedAttestKey(
- AuthorizationSetBuilder()
- .RsaKey(key_size, 65537)
- .AttestKey()
- .SetDefaultValidity(), /* attest key params */
- builder, &key_blob, &key_characteristics);
- }
- }
ASSERT_EQ(ErrorCode::OK, result);
KeyBlobDeleter deleter(keymint_, key_blob);
@@ -1877,17 +1834,6 @@
.SetDefaultValidity();
auto result = GenerateKey(builder, &key_blob, &key_characteristics);
- // Strongbox may not support factory provisioned attestation key.
- if (SecLevel() == SecurityLevel::STRONGBOX) {
- if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
- result = GenerateKeyWithSelfSignedAttestKey(
- AuthorizationSetBuilder()
- .EcdsaKey(curve)
- .AttestKey()
- .SetDefaultValidity(), /* attest key params */
- builder, &key_blob, &key_characteristics);
- }
- }
ASSERT_EQ(ErrorCode::OK, result);
KeyBlobDeleter deleter(keymint_, key_blob);
ASSERT_GT(key_blob.size(), 0U);
@@ -2020,17 +1966,6 @@
// Tag not required to be supported by all KeyMint implementations.
continue;
}
- // Strongbox may not support factory provisioned attestation key.
- if (SecLevel() == SecurityLevel::STRONGBOX) {
- if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
- result = GenerateKeyWithSelfSignedAttestKey(
- AuthorizationSetBuilder()
- .EcdsaKey(EcCurve::P_256)
- .AttestKey()
- .SetDefaultValidity(), /* attest key params */
- builder, &key_blob, &key_characteristics);
- }
- }
ASSERT_EQ(result, ErrorCode::OK);
KeyBlobDeleter deleter(keymint_, key_blob);
ASSERT_GT(key_blob.size(), 0U);
@@ -2082,18 +2017,6 @@
builder.push_back(tag);
auto error = GenerateKey(builder, &key_blob, &key_characteristics);
- // Strongbox may not support factory provisioned attestation key.
- if (SecLevel() == SecurityLevel::STRONGBOX) {
- if (error == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
- error = GenerateKeyWithSelfSignedAttestKey(
- AuthorizationSetBuilder()
- .EcdsaKey(EcCurve::P_256)
- .AttestKey()
- .SetDefaultValidity(), /* attest key params */
- builder, &key_blob, &key_characteristics);
- }
- }
-
device_id_attestation_check_acceptable_error(tag.tag, error);
}
}
@@ -2138,10 +2061,6 @@
AuthorizationSetBuilder builder = base_builder;
builder.push_back(tag);
auto result = GenerateKey(builder, &key_blob, &key_characteristics);
- // Strongbox may not support factory provisioned attestation key.
- if (SecLevel() == SecurityLevel::STRONGBOX) {
- if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) return;
- }
if (result == ErrorCode::CANNOT_ATTEST_IDS && !isDeviceIdAttestationRequired()) {
// ID attestation was optional till api level 32, from api level 33 it is mandatory.
continue;
@@ -2199,16 +2118,6 @@
builder.Authorization(TAG_RESET_SINCE_ID_ROTATION);
}
auto result = GenerateKey(builder);
- if (SecLevel() == SecurityLevel::STRONGBOX) {
- if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
- result = GenerateKeyWithSelfSignedAttestKey(
- AuthorizationSetBuilder()
- .EcdsaKey(EcCurve::P_256)
- .AttestKey()
- .SetDefaultValidity(), /* attest key params */
- builder, &key_blob_, &key_characteristics_, &cert_chain_);
- }
- }
ASSERT_EQ(ErrorCode::OK, result);
ASSERT_GT(key_blob_.size(), 0U);
@@ -2309,17 +2218,6 @@
.SetDefaultValidity();
auto result = GenerateKey(builder, &key_blob, &key_characteristics);
- // Strongbox may not support factory provisioned attestation key.
- if (SecLevel() == SecurityLevel::STRONGBOX) {
- if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
- result = GenerateKeyWithSelfSignedAttestKey(
- AuthorizationSetBuilder()
- .EcdsaKey(EcCurve::P_256)
- .AttestKey()
- .SetDefaultValidity(), /* attest key params */
- builder, &key_blob, &key_characteristics);
- }
- }
ASSERT_EQ(result, ErrorCode::OK);
KeyBlobDeleter deleter(keymint_, key_blob);
ASSERT_GT(key_blob.size(), 0U);
@@ -2404,17 +2302,6 @@
.SetDefaultValidity();
auto result = GenerateKey(builder, &key_blob, &key_characteristics);
- // Strongbox may not support factory provisioned attestation key.
- if (SecLevel() == SecurityLevel::STRONGBOX) {
- if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
- result = GenerateKeyWithSelfSignedAttestKey(
- AuthorizationSetBuilder()
- .EcdsaKey(EcCurve::P_256)
- .AttestKey()
- .SetDefaultValidity(), /* attest key params */
- builder, &key_blob, &key_characteristics);
- }
- }
ASSERT_EQ(ErrorCode::ATTESTATION_APPLICATION_ID_MISSING, result);
}
@@ -2482,17 +2369,6 @@
.SetDefaultValidity();
auto result = GenerateKey(builder, &key_blob, &key_characteristics);
- // Strongbox may not support factory provisioned attestation key.
- if (SecLevel() == SecurityLevel::STRONGBOX) {
- if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
- result = GenerateKeyWithSelfSignedAttestKey(
- AuthorizationSetBuilder()
- .EcdsaKey(EcCurve::P_256)
- .AttestKey()
- .SetDefaultValidity(), /* attest key params */
- builder, &key_blob, &key_characteristics);
- }
- }
ASSERT_EQ(ErrorCode::OK, result);
KeyBlobDeleter deleter(keymint_, key_blob);
ASSERT_GT(key_blob.size(), 0U);
@@ -2718,7 +2594,8 @@
.AttestationChallenge(challenge)
.AttestationApplicationId(app_id)
.Authorization(TAG_MIN_MAC_LENGTH, 128),
- &key_blob, &key_characteristics));
+ /*attest_key=*/std::nullopt, &key_blob,
+ &key_characteristics, &cert_chain_));
KeyBlobDeleter deleter(keymint_, key_blob);
ASSERT_GT(key_blob.size(), 0U);
@@ -2907,7 +2784,9 @@
.EcbMode()
.Padding(PaddingMode::PKCS7)
.AttestationChallenge(challenge)
- .AttestationApplicationId(app_id)));
+ .AttestationApplicationId(app_id),
+ /*attest_key=*/std::nullopt, &key_blob_,
+ &key_characteristics_, &cert_chain_));
ASSERT_EQ(cert_chain_.size(), 0);
}
@@ -2928,7 +2807,9 @@
.Authorization(TAG_NO_AUTH_REQUIRED)
.Padding(PaddingMode::NONE)
.AttestationChallenge(challenge)
- .AttestationApplicationId(app_id)));
+ .AttestationApplicationId(app_id),
+ /*attest_key=*/std::nullopt, &key_blob_,
+ &key_characteristics_, &cert_chain_));
ASSERT_EQ(cert_chain_.size(), 0);
}
@@ -8510,17 +8391,6 @@
.Authorization(TAG_ATTESTATION_CHALLENGE, challenge)
.SetDefaultValidity();
ErrorCode result = GenerateKey(builder);
-
- if (SecLevel() == SecurityLevel::STRONGBOX) {
- if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
- result = GenerateKeyWithSelfSignedAttestKey(
- AuthorizationSetBuilder()
- .EcdsaKey(EcCurve::P_256)
- .AttestKey()
- .SetDefaultValidity(), /* attest key params */
- builder, &key_blob_, &key_characteristics_, &cert_chain_);
- }
- }
ASSERT_EQ(ErrorCode::OK, result) << "Failed to generate key";
ASSERT_GT(cert_chain_.size(), 0);
X509_Ptr kmKeyCert(parse_cert_blob(cert_chain_[0].encodedCertificate));
@@ -8811,11 +8681,6 @@
KeyBlobDeleter ecdsa_deleter(keymint_, ecdsaKeyData.blob);
for (const auto& keyData : {aesKeyData, hmacKeyData, rsaKeyData, ecdsaKeyData}) {
- // Strongbox may not support factory attestation. Key creation might fail with
- // ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED
- if (SecLevel() == SecurityLevel::STRONGBOX && keyData.blob.size() == 0U) {
- continue;
- }
ASSERT_GT(keyData.blob.size(), 0U);
AuthorizationSet crypto_params = SecLevelAuthorizations(keyData.characteristics);
EXPECT_TRUE(crypto_params.Contains(TAG_EARLY_BOOT_ONLY)) << crypto_params;