Pass in allow_any_mode when verifying DICE chains
1. allow_any_mode is set as true when the VM RKP instance is being
tested (since the bootloader is unlocked for VTS tests and therefore
the VM DICE chain will necessarily have at least one non-normal
mode.)
2. allow_any_mode is set as true for non-user type builds.
Bug: 318483637
Test: atest VtsHalRemotelyProvisionedComponentTargetTest
Change-Id: I15ec3ad32f08eecd8478df14f8efa71fdb0b5d08
diff --git a/security/rkp/aidl/vts/functional/VtsRemotelyProvisionedComponentTests.cpp b/security/rkp/aidl/vts/functional/VtsRemotelyProvisionedComponentTests.cpp
index 2dbc73f..f68ff91 100644
--- a/security/rkp/aidl/vts/functional/VtsRemotelyProvisionedComponentTests.cpp
+++ b/security/rkp/aidl/vts/functional/VtsRemotelyProvisionedComponentTests.cpp
@@ -188,7 +188,8 @@
}
ASSERT_NE(provisionable_, nullptr);
auto status = provisionable_->getHardwareInfo(&rpcHardwareInfo);
- if (GetParam() == RKP_VM_INSTANCE_NAME) {
+ isRkpVmInstance_ = GetParam() == RKP_VM_INSTANCE_NAME;
+ if (isRkpVmInstance_) {
if (status.getExceptionCode() == EX_UNSUPPORTED_OPERATION) {
GTEST_SKIP() << "The RKP VM is not supported on this system.";
}
@@ -209,6 +210,7 @@
protected:
std::shared_ptr<IRemotelyProvisionedComponent> provisionable_;
RpcHardwareInfo rpcHardwareInfo;
+ bool isRkpVmInstance_;
};
/**
@@ -765,7 +767,8 @@
provisionable_->generateCertificateRequestV2({} /* keysToSign */, challenge, &csr);
ASSERT_TRUE(status.isOk()) << status.getDescription();
- auto result = verifyProductionCsr(cppbor::Array(), csr, provisionable_.get(), challenge);
+ auto result = verifyProductionCsr(cppbor::Array(), csr, provisionable_.get(), challenge,
+ isRkpVmInstance_);
ASSERT_TRUE(result) << result.message();
}
}
@@ -786,7 +789,8 @@
auto status = provisionable_->generateCertificateRequestV2(keysToSign_, challenge, &csr);
ASSERT_TRUE(status.isOk()) << status.getDescription();
- auto result = verifyProductionCsr(cborKeysToSign_, csr, provisionable_.get(), challenge);
+ auto result = verifyProductionCsr(cborKeysToSign_, csr, provisionable_.get(), challenge,
+ isRkpVmInstance_);
ASSERT_TRUE(result) << result.message();
}
}
@@ -816,13 +820,15 @@
auto status = provisionable_->generateCertificateRequestV2(keysToSign_, challenge_, &csr);
ASSERT_TRUE(status.isOk()) << status.getDescription();
- auto firstCsr = verifyProductionCsr(cborKeysToSign_, csr, provisionable_.get(), challenge_);
+ auto firstCsr = verifyProductionCsr(cborKeysToSign_, csr, provisionable_.get(), challenge_,
+ isRkpVmInstance_);
ASSERT_TRUE(firstCsr) << firstCsr.message();
status = provisionable_->generateCertificateRequestV2(keysToSign_, challenge_, &csr);
ASSERT_TRUE(status.isOk()) << status.getDescription();
- auto secondCsr = verifyProductionCsr(cborKeysToSign_, csr, provisionable_.get(), challenge_);
+ auto secondCsr = verifyProductionCsr(cborKeysToSign_, csr, provisionable_.get(), challenge_,
+ isRkpVmInstance_);
ASSERT_TRUE(secondCsr) << secondCsr.message();
ASSERT_EQ(**firstCsr, **secondCsr);
@@ -840,7 +846,8 @@
auto status = provisionable_->generateCertificateRequestV2(keysToSign_, challenge_, &csr);
ASSERT_TRUE(status.isOk()) << status.getDescription();
- auto result = verifyProductionCsr(cborKeysToSign_, csr, provisionable_.get(), challenge_);
+ auto result = verifyProductionCsr(cborKeysToSign_, csr, provisionable_.get(), challenge_,
+ isRkpVmInstance_);
ASSERT_TRUE(result) << result.message();
}