Allow RKP-only devices to pass keymint VTS
Add test paths for HALs that are RKP-only so that they may pass tests.
Fix up a few tests that were just being skipped for RKP-only HALs.
Test: ran VTS against cuttlefish with no factory key
Bug: 329409739
Change-Id: I5400874dd2f9885c061970a30ea44985353d23ed
diff --git a/security/keymint/aidl/vts/functional/KeyMintTest.cpp b/security/keymint/aidl/vts/functional/KeyMintTest.cpp
index 3bcdd8f..b65218f 100644
--- a/security/keymint/aidl/vts/functional/KeyMintTest.cpp
+++ b/security/keymint/aidl/vts/functional/KeyMintTest.cpp
@@ -37,6 +37,7 @@
#include <aidl/android/hardware/security/keymint/IRemotelyProvisionedComponent.h>
#include <aidl/android/hardware/security/keymint/KeyFormat.h>
+#include <keymint_support/authorization_set.h>
#include <keymint_support/key_param_output.h>
#include <keymint_support/openssl_utils.h>
@@ -1146,17 +1147,6 @@
.SetDefaultValidity();
auto result = GenerateKey(builder, &key_blob, &key_characteristics);
- // Strongbox may not support factory provisioned attestation key.
- if (SecLevel() == SecurityLevel::STRONGBOX) {
- if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
- result = GenerateKeyWithSelfSignedAttestKey(
- AuthorizationSetBuilder()
- .RsaKey(key_size, 65537)
- .AttestKey()
- .SetDefaultValidity(), /* attest key params */
- builder, &key_blob, &key_characteristics);
- }
- }
ASSERT_EQ(ErrorCode::OK, result);
KeyBlobDeleter deleter(keymint_, key_blob);
ASSERT_GT(key_blob.size(), 0U);
@@ -1369,17 +1359,6 @@
.SetDefaultValidity();
auto result = GenerateKey(builder, &key_blob, &key_characteristics);
- // Strongbox may not support factory provisioned attestation key.
- if (SecLevel() == SecurityLevel::STRONGBOX) {
- if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
- result = GenerateKeyWithSelfSignedAttestKey(
- AuthorizationSetBuilder()
- .RsaKey(key_size, 65537)
- .AttestKey()
- .SetDefaultValidity(), /* attest key params */
- builder, &key_blob, &key_characteristics);
- }
- }
ASSERT_EQ(ErrorCode::OK, result);
KeyBlobDeleter deleter(keymint_, key_blob);
@@ -1490,17 +1469,6 @@
.SetDefaultValidity();
auto result = GenerateKey(builder, &key_blob, &key_characteristics);
- // Strongbox may not support factory provisioned attestation key.
- if (SecLevel() == SecurityLevel::STRONGBOX) {
- if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
- result = GenerateKeyWithSelfSignedAttestKey(
- AuthorizationSetBuilder()
- .RsaKey(2048, 65537)
- .AttestKey()
- .SetDefaultValidity(), /* attest key params */
- builder, &key_blob, &key_characteristics);
- }
- }
ASSERT_EQ(ErrorCode::ATTESTATION_APPLICATION_ID_MISSING, result);
}
@@ -1625,17 +1593,6 @@
.SetDefaultValidity();
auto result = GenerateKey(builder, &key_blob, &key_characteristics);
- // Strongbox may not support factory provisioned attestation key.
- if (SecLevel() == SecurityLevel::STRONGBOX) {
- if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
- result = GenerateKeyWithSelfSignedAttestKey(
- AuthorizationSetBuilder()
- .RsaKey(key_size, 65537)
- .AttestKey()
- .SetDefaultValidity(), /* attest key params */
- builder, &key_blob, &key_characteristics);
- }
- }
ASSERT_EQ(ErrorCode::OK, result);
KeyBlobDeleter deleter(keymint_, key_blob);
@@ -1877,17 +1834,6 @@
.SetDefaultValidity();
auto result = GenerateKey(builder, &key_blob, &key_characteristics);
- // Strongbox may not support factory provisioned attestation key.
- if (SecLevel() == SecurityLevel::STRONGBOX) {
- if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
- result = GenerateKeyWithSelfSignedAttestKey(
- AuthorizationSetBuilder()
- .EcdsaKey(curve)
- .AttestKey()
- .SetDefaultValidity(), /* attest key params */
- builder, &key_blob, &key_characteristics);
- }
- }
ASSERT_EQ(ErrorCode::OK, result);
KeyBlobDeleter deleter(keymint_, key_blob);
ASSERT_GT(key_blob.size(), 0U);
@@ -2020,17 +1966,6 @@
// Tag not required to be supported by all KeyMint implementations.
continue;
}
- // Strongbox may not support factory provisioned attestation key.
- if (SecLevel() == SecurityLevel::STRONGBOX) {
- if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
- result = GenerateKeyWithSelfSignedAttestKey(
- AuthorizationSetBuilder()
- .EcdsaKey(EcCurve::P_256)
- .AttestKey()
- .SetDefaultValidity(), /* attest key params */
- builder, &key_blob, &key_characteristics);
- }
- }
ASSERT_EQ(result, ErrorCode::OK);
KeyBlobDeleter deleter(keymint_, key_blob);
ASSERT_GT(key_blob.size(), 0U);
@@ -2082,18 +2017,6 @@
builder.push_back(tag);
auto error = GenerateKey(builder, &key_blob, &key_characteristics);
- // Strongbox may not support factory provisioned attestation key.
- if (SecLevel() == SecurityLevel::STRONGBOX) {
- if (error == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
- error = GenerateKeyWithSelfSignedAttestKey(
- AuthorizationSetBuilder()
- .EcdsaKey(EcCurve::P_256)
- .AttestKey()
- .SetDefaultValidity(), /* attest key params */
- builder, &key_blob, &key_characteristics);
- }
- }
-
device_id_attestation_check_acceptable_error(tag.tag, error);
}
}
@@ -2138,10 +2061,6 @@
AuthorizationSetBuilder builder = base_builder;
builder.push_back(tag);
auto result = GenerateKey(builder, &key_blob, &key_characteristics);
- // Strongbox may not support factory provisioned attestation key.
- if (SecLevel() == SecurityLevel::STRONGBOX) {
- if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) return;
- }
if (result == ErrorCode::CANNOT_ATTEST_IDS && !isDeviceIdAttestationRequired()) {
// ID attestation was optional till api level 32, from api level 33 it is mandatory.
continue;
@@ -2199,16 +2118,6 @@
builder.Authorization(TAG_RESET_SINCE_ID_ROTATION);
}
auto result = GenerateKey(builder);
- if (SecLevel() == SecurityLevel::STRONGBOX) {
- if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
- result = GenerateKeyWithSelfSignedAttestKey(
- AuthorizationSetBuilder()
- .EcdsaKey(EcCurve::P_256)
- .AttestKey()
- .SetDefaultValidity(), /* attest key params */
- builder, &key_blob_, &key_characteristics_, &cert_chain_);
- }
- }
ASSERT_EQ(ErrorCode::OK, result);
ASSERT_GT(key_blob_.size(), 0U);
@@ -2309,17 +2218,6 @@
.SetDefaultValidity();
auto result = GenerateKey(builder, &key_blob, &key_characteristics);
- // Strongbox may not support factory provisioned attestation key.
- if (SecLevel() == SecurityLevel::STRONGBOX) {
- if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
- result = GenerateKeyWithSelfSignedAttestKey(
- AuthorizationSetBuilder()
- .EcdsaKey(EcCurve::P_256)
- .AttestKey()
- .SetDefaultValidity(), /* attest key params */
- builder, &key_blob, &key_characteristics);
- }
- }
ASSERT_EQ(result, ErrorCode::OK);
KeyBlobDeleter deleter(keymint_, key_blob);
ASSERT_GT(key_blob.size(), 0U);
@@ -2404,17 +2302,6 @@
.SetDefaultValidity();
auto result = GenerateKey(builder, &key_blob, &key_characteristics);
- // Strongbox may not support factory provisioned attestation key.
- if (SecLevel() == SecurityLevel::STRONGBOX) {
- if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
- result = GenerateKeyWithSelfSignedAttestKey(
- AuthorizationSetBuilder()
- .EcdsaKey(EcCurve::P_256)
- .AttestKey()
- .SetDefaultValidity(), /* attest key params */
- builder, &key_blob, &key_characteristics);
- }
- }
ASSERT_EQ(ErrorCode::ATTESTATION_APPLICATION_ID_MISSING, result);
}
@@ -2482,17 +2369,6 @@
.SetDefaultValidity();
auto result = GenerateKey(builder, &key_blob, &key_characteristics);
- // Strongbox may not support factory provisioned attestation key.
- if (SecLevel() == SecurityLevel::STRONGBOX) {
- if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
- result = GenerateKeyWithSelfSignedAttestKey(
- AuthorizationSetBuilder()
- .EcdsaKey(EcCurve::P_256)
- .AttestKey()
- .SetDefaultValidity(), /* attest key params */
- builder, &key_blob, &key_characteristics);
- }
- }
ASSERT_EQ(ErrorCode::OK, result);
KeyBlobDeleter deleter(keymint_, key_blob);
ASSERT_GT(key_blob.size(), 0U);
@@ -2718,7 +2594,8 @@
.AttestationChallenge(challenge)
.AttestationApplicationId(app_id)
.Authorization(TAG_MIN_MAC_LENGTH, 128),
- &key_blob, &key_characteristics));
+ /*attest_key=*/std::nullopt, &key_blob,
+ &key_characteristics, &cert_chain_));
KeyBlobDeleter deleter(keymint_, key_blob);
ASSERT_GT(key_blob.size(), 0U);
@@ -2907,7 +2784,9 @@
.EcbMode()
.Padding(PaddingMode::PKCS7)
.AttestationChallenge(challenge)
- .AttestationApplicationId(app_id)));
+ .AttestationApplicationId(app_id),
+ /*attest_key=*/std::nullopt, &key_blob_,
+ &key_characteristics_, &cert_chain_));
ASSERT_EQ(cert_chain_.size(), 0);
}
@@ -2928,7 +2807,9 @@
.Authorization(TAG_NO_AUTH_REQUIRED)
.Padding(PaddingMode::NONE)
.AttestationChallenge(challenge)
- .AttestationApplicationId(app_id)));
+ .AttestationApplicationId(app_id),
+ /*attest_key=*/std::nullopt, &key_blob_,
+ &key_characteristics_, &cert_chain_));
ASSERT_EQ(cert_chain_.size(), 0);
}
@@ -8510,17 +8391,6 @@
.Authorization(TAG_ATTESTATION_CHALLENGE, challenge)
.SetDefaultValidity();
ErrorCode result = GenerateKey(builder);
-
- if (SecLevel() == SecurityLevel::STRONGBOX) {
- if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
- result = GenerateKeyWithSelfSignedAttestKey(
- AuthorizationSetBuilder()
- .EcdsaKey(EcCurve::P_256)
- .AttestKey()
- .SetDefaultValidity(), /* attest key params */
- builder, &key_blob_, &key_characteristics_, &cert_chain_);
- }
- }
ASSERT_EQ(ErrorCode::OK, result) << "Failed to generate key";
ASSERT_GT(cert_chain_.size(), 0);
X509_Ptr kmKeyCert(parse_cert_blob(cert_chain_[0].encodedCertificate));
@@ -8811,11 +8681,6 @@
KeyBlobDeleter ecdsa_deleter(keymint_, ecdsaKeyData.blob);
for (const auto& keyData : {aesKeyData, hmacKeyData, rsaKeyData, ecdsaKeyData}) {
- // Strongbox may not support factory attestation. Key creation might fail with
- // ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED
- if (SecLevel() == SecurityLevel::STRONGBOX && keyData.blob.size() == 0U) {
- continue;
- }
ASSERT_GT(keyData.blob.size(), 0U);
AuthorizationSet crypto_params = SecLevelAuthorizations(keyData.characteristics);
EXPECT_TRUE(crypto_params.Contains(TAG_EARLY_BOOT_ONLY)) << crypto_params;