Merge "Bluetooth HCI: Add VTS requirement for HCI 4.2 - Annotations" into main
diff --git a/camera/device/default/ExternalCameraDeviceSession.cpp b/camera/device/default/ExternalCameraDeviceSession.cpp
index a6ec4c7..126b782 100644
--- a/camera/device/default/ExternalCameraDeviceSession.cpp
+++ b/camera/device/default/ExternalCameraDeviceSession.cpp
@@ -789,8 +789,10 @@
outputBuffer.bufferId = buffer.bufferId;
outputBuffer.status = BufferStatus::ERROR;
if (buffer.acquireFence >= 0) {
- outputBuffer.releaseFence.fds.resize(1);
- outputBuffer.releaseFence.fds.at(0).set(buffer.acquireFence);
+ native_handle_t* handle = native_handle_create(/*numFds*/ 1, /*numInts*/ 0);
+ handle->data[0] = buffer.acquireFence;
+ outputBuffer.releaseFence = android::dupToAidl(handle);
+ native_handle_delete(handle);
}
} else {
offlineBuffers.push_back(buffer);
@@ -1768,8 +1770,10 @@
result.outputBuffers[i].bufferId = req->buffers[i].bufferId;
result.outputBuffers[i].status = BufferStatus::ERROR;
if (req->buffers[i].acquireFence >= 0) {
- result.outputBuffers[i].releaseFence.fds.resize(1);
- result.outputBuffers[i].releaseFence.fds.at(0).set(req->buffers[i].acquireFence);
+ native_handle_t* handle = native_handle_create(/*numFds*/ 1, /*numInts*/ 0);
+ handle->data[0] = req->buffers[i].acquireFence;
+ result.outputBuffers[i].releaseFence = android::dupToAidl(handle);
+ native_handle_delete(handle);
}
}
@@ -1813,16 +1817,20 @@
if (req->buffers[i].fenceTimeout) {
result.outputBuffers[i].status = BufferStatus::ERROR;
if (req->buffers[i].acquireFence >= 0) {
- result.outputBuffers[i].releaseFence.fds.resize(1);
- result.outputBuffers[i].releaseFence.fds.at(0).set(req->buffers[i].acquireFence);
+ native_handle_t* handle = native_handle_create(/*numFds*/ 1, /*numInts*/ 0);
+ handle->data[0] = req->buffers[i].acquireFence;
+ result.outputBuffers[i].releaseFence = android::dupToAidl(handle);
+ native_handle_delete(handle);
}
notifyError(req->frameNumber, req->buffers[i].streamId, ErrorCode::ERROR_BUFFER);
} else {
result.outputBuffers[i].status = BufferStatus::OK;
// TODO: refactor
if (req->buffers[i].acquireFence >= 0) {
- result.outputBuffers[i].releaseFence.fds.resize(1);
- result.outputBuffers[i].releaseFence.fds.at(0).set(req->buffers[i].acquireFence);
+ native_handle_t* handle = native_handle_create(/*numFds*/ 1, /*numInts*/ 0);
+ handle->data[0] = req->buffers[i].acquireFence;
+ result.outputBuffers[i].releaseFence = android::dupToAidl(handle);
+ native_handle_delete(handle);
}
}
}
diff --git a/camera/device/default/ExternalCameraOfflineSession.cpp b/camera/device/default/ExternalCameraOfflineSession.cpp
index 53bd44f..536fa47 100644
--- a/camera/device/default/ExternalCameraOfflineSession.cpp
+++ b/camera/device/default/ExternalCameraOfflineSession.cpp
@@ -110,7 +110,7 @@
if (req->buffers[i].acquireFence >= 0) {
native_handle_t* handle = native_handle_create(/*numFds*/ 1, /*numInts*/ 0);
handle->data[0] = req->buffers[i].acquireFence;
- result.outputBuffers[i].releaseFence = android::makeToAidl(handle);
+ result.outputBuffers[i].releaseFence = android::dupToAidl(handle);
}
notifyError(req->frameNumber, req->buffers[i].streamId, ErrorCode::ERROR_BUFFER);
} else {
@@ -119,7 +119,7 @@
if (req->buffers[i].acquireFence >= 0) {
native_handle_t* handle = native_handle_create(/*numFds*/ 1, /*numInts*/ 0);
handle->data[0] = req->buffers[i].acquireFence;
- outputBuffer.releaseFence = android::makeToAidl(handle);
+ outputBuffer.releaseFence = android::dupToAidl(handle);
}
}
}
@@ -247,7 +247,7 @@
if (req->buffers[i].acquireFence >= 0) {
native_handle_t* handle = native_handle_create(/*numFds*/ 1, /*numInts*/ 0);
handle->data[0] = req->buffers[i].acquireFence;
- outputBuffer.releaseFence = makeToAidl(handle);
+ outputBuffer.releaseFence = dupToAidl(handle);
}
}
diff --git a/camera/device/default/ExternalCameraUtils.cpp b/camera/device/default/ExternalCameraUtils.cpp
index 30c216f..2dc3c77 100644
--- a/camera/device/default/ExternalCameraUtils.cpp
+++ b/camera/device/default/ExternalCameraUtils.cpp
@@ -750,18 +750,12 @@
void freeReleaseFences(std::vector<CaptureResult>& results) {
for (auto& result : results) {
- native_handle_t* inputReleaseFence =
- ::android::makeFromAidl(result.inputBuffer.releaseFence);
- if (inputReleaseFence != nullptr) {
- native_handle_close(inputReleaseFence);
- native_handle_delete(inputReleaseFence);
- }
+ // NativeHandles free fd's on desctruction. Simply delete the objects!
+ result.inputBuffer.releaseFence.fds.clear(); // Implicitly closes fds
+ result.inputBuffer.releaseFence.ints.clear();
for (auto& buf : result.outputBuffers) {
- native_handle_t* outReleaseFence = ::android::makeFromAidl(buf.releaseFence);
- if (outReleaseFence != nullptr) {
- native_handle_close(outReleaseFence);
- native_handle_delete(outReleaseFence);
- }
+ buf.releaseFence.fds.clear(); // Implicitly closes fds
+ buf.releaseFence.ints.clear();
}
}
}
diff --git a/security/keymint/support/include/remote_prov/remote_prov_utils.h b/security/keymint/support/include/remote_prov/remote_prov_utils.h
index b8c69eb..1d7db6a 100644
--- a/security/keymint/support/include/remote_prov/remote_prov_utils.h
+++ b/security/keymint/support/include/remote_prov/remote_prov_utils.h
@@ -183,4 +183,7 @@
const cppbor::Array& keysToSign, const std::vector<uint8_t>& csr,
IRemotelyProvisionedComponent* provisionable, const std::vector<uint8_t>& challenge);
+/** Checks whether the CSR has a proper DICE chain. */
+ErrMsgOr<bool> isCsrWithProperDiceChain(const std::vector<uint8_t>& csr);
+
} // namespace aidl::android::hardware::security::keymint::remote_prov
diff --git a/security/keymint/support/remote_prov_utils.cpp b/security/keymint/support/remote_prov_utils.cpp
index a830041..b74fd59 100644
--- a/security/keymint/support/remote_prov_utils.cpp
+++ b/security/keymint/support/remote_prov_utils.cpp
@@ -1081,4 +1081,40 @@
return verifyCsr(keysToSign, csr, provisionable, challenge, /*isFactory=*/false);
}
+ErrMsgOr<bool> isCsrWithProperDiceChain(const std::vector<uint8_t>& csr) {
+ auto [parsedRequest, _, csrErrMsg] = cppbor::parse(csr);
+ if (!parsedRequest) {
+ return csrErrMsg;
+ }
+ if (!parsedRequest->asArray()) {
+ return "AuthenticatedRequest is not a CBOR array.";
+ }
+ if (parsedRequest->asArray()->size() != 4U) {
+ return "AuthenticatedRequest must contain version, UDS certificates, DICE chain, and "
+ "signed data. However, the parsed AuthenticatedRequest has " +
+ std::to_string(parsedRequest->asArray()->size()) + " entries.";
+ }
+
+ auto version = parsedRequest->asArray()->get(0)->asUint();
+ auto diceCertChain = parsedRequest->asArray()->get(2)->asArray();
+
+ if (!version || version->value() != 1U) {
+ return "AuthenticatedRequest version must be an unsigned integer and must be equal to 1.";
+ }
+ if (!diceCertChain) {
+ return "AuthenticatedRequest DiceCertChain must be an Array.";
+ }
+
+ // DICE chain is [ pubkey, + DiceChainEntry ].
+ auto diceChainKind = getDiceChainKind();
+ if (!diceChainKind) {
+ return diceChainKind.message();
+ }
+
+ auto encodedDiceChain = diceCertChain->encode();
+ auto chain = hwtrust::DiceChain::Verify(encodedDiceChain, *diceChainKind);
+ if (!chain.ok()) return chain.error().message();
+ return chain->IsProper();
+}
+
} // namespace aidl::android::hardware::security::keymint::remote_prov
diff --git a/security/rkp/aidl/vts/functional/VtsRemotelyProvisionedComponentTests.cpp b/security/rkp/aidl/vts/functional/VtsRemotelyProvisionedComponentTests.cpp
index 68b966c..2a8fd96 100644
--- a/security/rkp/aidl/vts/functional/VtsRemotelyProvisionedComponentTests.cpp
+++ b/security/rkp/aidl/vts/functional/VtsRemotelyProvisionedComponentTests.cpp
@@ -55,8 +55,12 @@
constexpr uint8_t MIN_CHALLENGE_SIZE = 0;
constexpr uint8_t MAX_CHALLENGE_SIZE = 64;
+const string DEFAULT_INSTANCE_NAME =
+ "android.hardware.security.keymint.IRemotelyProvisionedComponent/default";
const string RKP_VM_INSTANCE_NAME =
"android.hardware.security.keymint.IRemotelyProvisionedComponent/avf";
+const string KEYMINT_STRONGBOX_INSTANCE_NAME =
+ "android.hardware.security.keymint.IKeyMintDevice/strongbox";
#define INSTANTIATE_REM_PROV_AIDL_TEST(name) \
GTEST_ALLOW_UNINSTANTIATED_PARAMETERIZED_TEST(name); \
@@ -230,6 +234,37 @@
}
}
+/**
+ * Verify that the default implementation supports DICE if there is a StrongBox KeyMint instance
+ * on the device.
+ */
+// @VsrTest = 3.10-015
+TEST(NonParameterizedTests, requireDiceOnDefaultInstanceIfStrongboxPresent) {
+ int vsr_api_level = get_vsr_api_level();
+ if (vsr_api_level < 35) {
+ GTEST_SKIP() << "Applies only to VSR API level 35 or newer, this device is: "
+ << vsr_api_level;
+ }
+
+ if (!AServiceManager_isDeclared(KEYMINT_STRONGBOX_INSTANCE_NAME.c_str())) {
+ GTEST_SKIP() << "Strongbox is not present on this device.";
+ }
+
+ ::ndk::SpAIBinder binder(AServiceManager_waitForService(DEFAULT_INSTANCE_NAME.c_str()));
+ std::shared_ptr<IRemotelyProvisionedComponent> rpc =
+ IRemotelyProvisionedComponent::fromBinder(binder);
+ ASSERT_NE(rpc, nullptr);
+
+ bytevec challenge = randomBytes(64);
+ bytevec csr;
+ auto status = rpc->generateCertificateRequestV2({} /* keysToSign */, challenge, &csr);
+ EXPECT_TRUE(status.isOk()) << status.getDescription();
+
+ auto result = isCsrWithProperDiceChain(csr);
+ ASSERT_TRUE(result) << result.message();
+ ASSERT_TRUE(*result);
+}
+
using GetHardwareInfoTests = VtsRemotelyProvisionedComponentTests;
INSTANTIATE_REM_PROV_AIDL_TEST(GetHardwareInfoTests);