Merge "Add VTS test for attested "rootOfTrust.verifiedBootKey" field on VSR-16+." into main
diff --git a/security/keymint/aidl/vts/functional/BootloaderStateTest.cpp b/security/keymint/aidl/vts/functional/BootloaderStateTest.cpp
index 083a9aa..b41da3f 100644
--- a/security/keymint/aidl/vts/functional/BootloaderStateTest.cpp
+++ b/security/keymint/aidl/vts/functional/BootloaderStateTest.cpp
@@ -95,6 +95,18 @@
             << "Verified boot state must be \"UNVERIFIED\" aka \"orange\".";
 }
 
+// Check that the attested Verified Boot key is 32 bytes of zeroes since the bootloader is unlocked.
+TEST_P(BootloaderStateTest, VerifiedBootKeyAllZeroes) {
+    // Gate this test to avoid waiver issues.
+    if (get_vsr_api_level() <= __ANDROID_API_V__) {
+        return;
+    }
+
+    std::vector<uint8_t> expectedVbKey(32, 0);
+    ASSERT_EQ(attestedVbKey_, expectedVbKey) << "Verified Boot key digest must be 32 bytes of "
+                                                "zeroes since the bootloader is unlocked.";
+}
+
 // Following error codes from avb_slot_data() mean that slot data was loaded
 // (even if verification failed).
 static inline bool avb_slot_data_loaded(AvbSlotVerifyResult result) {
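Review bot: The gate in `VerifiedBootKeyAllZeroes` leaves with a bare `return;` when `get_vsr_api_level() <= __ANDROID_API_V__`, so on those devices the test is reported as passed although `attestedVbKey_` was never compared against anything. Replacing it with `GTEST_SKIP() << "Verified boot key check applies only above VSR API level V";` would keep "not checked" distinguishable from "attested a zeroed key" in the VTS results. The comment `// Gate this test to avoid waiver issues.` would also read better if it stated the rule itself, for example `// Requirement is enforced only for VSR API levels above V (VSR-16+).`. The test depends on the fixture having populated `attestedVbKey_` on an unlocked device; that setup is outside this hunk, so it is worth confirming it skips rather than continues when the bootloader is locked.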