Merge changes from topic "bt-cs-hal-v2" into main
* changes:
Update default service for channel sounding HAL v2
Update the channel sounding HAL API
diff --git a/audio/aidl/default/apex/com.android.hardware.audio/Android.bp b/audio/aidl/default/apex/com.android.hardware.audio/Android.bp
index ee92512..8fa429a 100644
--- a/audio/aidl/default/apex/com.android.hardware.audio/Android.bp
+++ b/audio/aidl/default/apex/com.android.hardware.audio/Android.bp
@@ -48,4 +48,11 @@
"android.hardware.audio.service-aidl.xml",
"android.hardware.bluetooth.audio.xml",
],
+ required: [
+ "aidl_audio_set_configurations_bfbs",
+ "aidl_default_audio_set_configurations_json",
+ "aidl_audio_set_scenarios_bfbs",
+ "aidl_default_audio_set_scenarios_json",
+ "hfp_codec_capabilities_xml",
+ ],
}
diff --git a/power/OWNERS b/power/OWNERS
index 7229b22..95778a4 100644
--- a/power/OWNERS
+++ b/power/OWNERS
@@ -3,3 +3,4 @@
# ADPF virtual team
lpy@google.com
wvw@google.com
+file:platform/frameworks/base:/ADPF_OWNERS
diff --git a/security/keymint/aidl/default/Android.bp b/security/keymint/aidl/default/Android.bp
index a7066de..ff2393c 100644
--- a/security/keymint/aidl/default/Android.bp
+++ b/security/keymint/aidl/default/Android.bp
@@ -111,6 +111,13 @@
src: "android.hardware.hardware_keystore.xml",
}
+prebuilt_etc {
+ name: "android.hardware.hardware_keystore_V3.xml",
+ sub_dir: "permissions",
+ vendor: true,
+ src: "android.hardware.hardware_keystore_V3.xml",
+}
+
rust_library {
name: "libkmr_hal_nonsecure",
crate_name: "kmr_hal_nonsecure",
diff --git a/security/keymint/aidl/default/android.hardware.hardware_keystore_V3.xml b/security/keymint/aidl/default/android.hardware.hardware_keystore_V3.xml
new file mode 100644
index 0000000..4c75596
--- /dev/null
+++ b/security/keymint/aidl/default/android.hardware.hardware_keystore_V3.xml
@@ -0,0 +1,18 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!-- Copyright 2021 The Android Open Source Project
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+<permissions>
+ <feature name="android.hardware.hardware_keystore" version="300" />
+</permissions>
diff --git a/security/keymint/support/Android.bp b/security/keymint/support/Android.bp
index f313cf3..271e36c 100644
--- a/security/keymint/support/Android.bp
+++ b/security/keymint/support/Android.bp
@@ -114,6 +114,7 @@
cc_test {
name: "libkeymint_remote_prov_support_test",
+ cpp_std: "c++20",
srcs: ["remote_prov_utils_test.cpp"],
static_libs: [
"android.hardware.security.rkp-V3-ndk",
diff --git a/security/keymint/support/fuzzer/keymint_remote_prov_fuzzer.cpp b/security/keymint/support/fuzzer/keymint_remote_prov_fuzzer.cpp
index 9b74fbb..ebccf25 100644
--- a/security/keymint/support/fuzzer/keymint_remote_prov_fuzzer.cpp
+++ b/security/keymint/support/fuzzer/keymint_remote_prov_fuzzer.cpp
@@ -74,16 +74,20 @@
uint8_t challengeSize = mFdp.ConsumeIntegralInRange<uint8_t>(kMinSize, kChallengeSize);
std::vector<uint8_t> challenge = mFdp.ConsumeBytes<uint8_t>(challengeSize);
+ RpcHardwareInfo rpcHardwareInfo;
+ gRPC->getHardwareInfo(&rpcHardwareInfo);
+
std::vector<uint8_t> csr;
gRPC->generateCertificateRequestV2(keysToSign, challenge, &csr);
while (mFdp.remaining_bytes()) {
auto invokeProvAPI = mFdp.PickValueInArray<const std::function<void()>>({
[&]() {
- verifyFactoryCsr(cborKeysToSign, csr, gRPC.get(), kServiceName, challenge);
+ verifyFactoryCsr(cborKeysToSign, csr, rpcHardwareInfo, kServiceName, challenge);
},
[&]() {
- verifyProductionCsr(cborKeysToSign, csr, gRPC.get(), kServiceName, challenge);
+ verifyProductionCsr(cborKeysToSign, csr, rpcHardwareInfo, kServiceName,
+ challenge);
},
[&]() { isCsrWithProperDiceChain(csr, kServiceName); },
});
diff --git a/security/keymint/support/include/remote_prov/MockIRemotelyProvisionedComponent.h b/security/keymint/support/include/remote_prov/MockIRemotelyProvisionedComponent.h
deleted file mode 100644
index 4fa39c2..0000000
--- a/security/keymint/support/include/remote_prov/MockIRemotelyProvisionedComponent.h
+++ /dev/null
@@ -1,52 +0,0 @@
-/*
- * Copyright 2024 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#pragma once
-
-#include <aidl/android/hardware/security/keymint/IRemotelyProvisionedComponent.h>
-#include <aidl/android/hardware/security/keymint/RpcHardwareInfo.h>
-#include <android-base/properties.h>
-#include <gmock/gmock.h>
-#include <gtest/gtest.h>
-
-#include <cstdint>
-
-namespace aidl::android::hardware::security::keymint::remote_prov {
-
-using ::ndk::ScopedAStatus;
-
-class MockIRemotelyProvisionedComponent : public IRemotelyProvisionedComponentDefault {
- public:
- MOCK_METHOD(ScopedAStatus, getHardwareInfo, (RpcHardwareInfo * _aidl_return), (override));
- MOCK_METHOD(ScopedAStatus, generateEcdsaP256KeyPair,
- (bool in_testMode, MacedPublicKey* out_macedPublicKey,
- std::vector<uint8_t>* _aidl_return),
- (override));
- MOCK_METHOD(ScopedAStatus, generateCertificateRequest,
- (bool in_testMode, const std::vector<MacedPublicKey>& in_keysToSign,
- const std::vector<uint8_t>& in_endpointEncryptionCertChain,
- const std::vector<uint8_t>& in_challenge, DeviceInfo* out_deviceInfo,
- ProtectedData* out_protectedData, std::vector<uint8_t>* _aidl_return),
- (override));
- MOCK_METHOD(ScopedAStatus, generateCertificateRequestV2,
- (const std::vector<MacedPublicKey>& in_keysToSign,
- const std::vector<uint8_t>& in_challenge, std::vector<uint8_t>* _aidl_return),
- (override));
- MOCK_METHOD(ScopedAStatus, getInterfaceVersion, (int32_t* _aidl_return), (override));
- MOCK_METHOD(ScopedAStatus, getInterfaceHash, (std::string * _aidl_return), (override));
-};
-
-} // namespace aidl::android::hardware::security::keymint::remote_prov
\ No newline at end of file
diff --git a/security/keymint/support/include/remote_prov/remote_prov_utils.h b/security/keymint/support/include/remote_prov/remote_prov_utils.h
index caeb7ff..6cb00f2 100644
--- a/security/keymint/support/include/remote_prov/remote_prov_utils.h
+++ b/security/keymint/support/include/remote_prov/remote_prov_utils.h
@@ -99,7 +99,7 @@
* e.g. for "android.hardware.security.keymint.IRemotelyProvisionedComponent/avf",
* it returns "avf".
*/
-std::string deviceSuffix(const std::string& name);
+std::string_view deviceSuffix(std::string_view name);
struct EekChain {
bytevec chain;
@@ -153,7 +153,7 @@
* is parsed in the manufacturing process.
*/
ErrMsgOr<std::unique_ptr<cppbor::Map>> parseAndValidateFactoryDeviceInfo(
- const std::vector<uint8_t>& deviceInfoBytes, IRemotelyProvisionedComponent* provisionable);
+ const std::vector<uint8_t>& deviceInfoBytes, const RpcHardwareInfo& info);
/**
* Parses a DeviceInfo structure from the given CBOR data. The parsed data is then validated to
@@ -162,7 +162,7 @@
* suitable for the end user.
*/
ErrMsgOr<std::unique_ptr<cppbor::Map>> parseAndValidateProductionDeviceInfo(
- const std::vector<uint8_t>& deviceInfoBytes, IRemotelyProvisionedComponent* provisionable);
+ const std::vector<uint8_t>& deviceInfoBytes, const RpcHardwareInfo& info);
/**
* Verify the protected data as if the device is still early in the factory process and may not
@@ -171,36 +171,39 @@
ErrMsgOr<std::vector<BccEntryData>> verifyFactoryProtectedData(
const DeviceInfo& deviceInfo, const cppbor::Array& keysToSign,
const std::vector<uint8_t>& keysToSignMac, const ProtectedData& protectedData,
- const EekChain& eekChain, const std::vector<uint8_t>& eekId, int32_t supportedEekCurve,
- IRemotelyProvisionedComponent* provisionable, const std::string& instanceName,
- const std::vector<uint8_t>& challenge);
+ const EekChain& eekChain, const std::vector<uint8_t>& eekId, const RpcHardwareInfo& info,
+ const std::string& instanceName, const std::vector<uint8_t>& challenge);
/**
* Verify the protected data as if the device is a final production sample.
*/
ErrMsgOr<std::vector<BccEntryData>> verifyProductionProtectedData(
const DeviceInfo& deviceInfo, const cppbor::Array& keysToSign,
const std::vector<uint8_t>& keysToSignMac, const ProtectedData& protectedData,
- const EekChain& eekChain, const std::vector<uint8_t>& eekId, int32_t supportedEekCurve,
- IRemotelyProvisionedComponent* provisionable, const std::string& instanceName,
- const std::vector<uint8_t>& challenge, bool allowAnyMode = false);
+ const EekChain& eekChain, const std::vector<uint8_t>& eekId, const RpcHardwareInfo& info,
+ const std::string& instanceName, const std::vector<uint8_t>& challenge,
+ bool allowAnyMode = false);
/**
* Verify the CSR as if the device is still early in the factory process and may not
* have all device identifiers provisioned yet.
*/
-ErrMsgOr<std::unique_ptr<cppbor::Array>> verifyFactoryCsr(
- const cppbor::Array& keysToSign, const std::vector<uint8_t>& csr,
- IRemotelyProvisionedComponent* provisionable, const std::string& instanceName,
- const std::vector<uint8_t>& challenge, bool allowDegenerate = true,
- bool requireUdsCerts = false);
+ErrMsgOr<std::unique_ptr<cppbor::Array>> verifyFactoryCsr(const cppbor::Array& keysToSign,
+ const std::vector<uint8_t>& csr,
+ const RpcHardwareInfo& info,
+ const std::string& instanceName,
+ const std::vector<uint8_t>& challenge,
+ bool allowDegenerate = true,
+ bool requireUdsCerts = false);
/**
* Verify the CSR as if the device is a final production sample.
*/
-ErrMsgOr<std::unique_ptr<cppbor::Array>> verifyProductionCsr(
- const cppbor::Array& keysToSign, const std::vector<uint8_t>& csr,
- IRemotelyProvisionedComponent* provisionable, const std::string& instanceName,
- const std::vector<uint8_t>& challenge, bool allowAnyMode = false);
+ErrMsgOr<std::unique_ptr<cppbor::Array>> verifyProductionCsr(const cppbor::Array& keysToSign,
+ const std::vector<uint8_t>& csr,
+ const RpcHardwareInfo& info,
+ const std::string& instanceName,
+ const std::vector<uint8_t>& challenge,
+ bool allowAnyMode = false);
/** Checks whether the CSR has a proper DICE chain. */
ErrMsgOr<bool> isCsrWithProperDiceChain(const std::vector<uint8_t>& csr,
diff --git a/security/keymint/support/remote_prov_utils.cpp b/security/keymint/support/remote_prov_utils.cpp
index 464d912..e11f021 100644
--- a/security/keymint/support/remote_prov_utils.cpp
+++ b/security/keymint/support/remote_prov_utils.cpp
@@ -52,8 +52,8 @@
using X509_Ptr = bssl::UniquePtr<X509>;
using CRYPTO_BUFFER_Ptr = bssl::UniquePtr<CRYPTO_BUFFER>;
-std::string deviceSuffix(const std::string& name) {
- size_t pos = name.rfind('/');
+std::string_view deviceSuffix(std::string_view name) {
+ auto pos = name.rfind('/');
if (pos == std::string::npos) {
return name;
}
@@ -483,7 +483,7 @@
}
ErrMsgOr<std::unique_ptr<cppbor::Map>> parseAndValidateDeviceInfo(
- const std::vector<uint8_t>& deviceInfoBytes, IRemotelyProvisionedComponent* provisionable,
+ const std::vector<uint8_t>& deviceInfoBytes, const RpcHardwareInfo& rpcHardwareInfo,
bool isFactory) {
const cppbor::Array kValidVbStates = {"green", "yellow", "orange"};
const cppbor::Array kValidBootloaderStates = {"locked", "unlocked"};
@@ -530,9 +530,7 @@
return "DeviceInfo ordering is non-canonical.";
}
- RpcHardwareInfo info;
- provisionable->getHardwareInfo(&info);
- if (info.versionNumber < 3) {
+ if (rpcHardwareInfo.versionNumber < 3) {
const std::unique_ptr<cppbor::Item>& version = parsed->get("version");
if (!version) {
return "Device info is missing version";
@@ -540,10 +538,10 @@
if (!version->asUint()) {
return "version must be an unsigned integer";
}
- if (version->asUint()->value() != info.versionNumber) {
+ if (version->asUint()->value() != rpcHardwareInfo.versionNumber) {
return "DeviceInfo version (" + std::to_string(version->asUint()->value()) +
") does not match the remotely provisioned component version (" +
- std::to_string(info.versionNumber) + ").";
+ std::to_string(rpcHardwareInfo.versionNumber) + ").";
}
}
// Bypasses the device info validation since the device info in AVF is currently
@@ -552,14 +550,14 @@
// TODO(b/300911665): This check is temporary and will be replaced once the markers
// on the DICE chain become available. We need to determine if the CSR is from the
// RKP VM using the markers on the DICE chain.
- if (info.uniqueId == "AVF Remote Provisioning 1") {
+ if (rpcHardwareInfo.uniqueId == "AVF Remote Provisioning 1") {
return std::move(parsed);
}
std::string error;
std::string tmp;
std::set<std::string_view> previousKeys;
- switch (info.versionNumber) {
+ switch (rpcHardwareInfo.versionNumber) {
case 3:
if (isTeeDeviceInfo(*parsed) && parsed->size() != kNumTeeDeviceInfoEntries) {
error += fmt::format(
@@ -626,7 +624,7 @@
kValidAttIdStates);
break;
default:
- return "Unrecognized version: " + std::to_string(info.versionNumber);
+ return "Unrecognized version: " + std::to_string(rpcHardwareInfo.versionNumber);
}
if (!error.empty()) {
@@ -637,13 +635,13 @@
}
ErrMsgOr<std::unique_ptr<cppbor::Map>> parseAndValidateFactoryDeviceInfo(
- const std::vector<uint8_t>& deviceInfoBytes, IRemotelyProvisionedComponent* provisionable) {
- return parseAndValidateDeviceInfo(deviceInfoBytes, provisionable, /*isFactory=*/true);
+ const std::vector<uint8_t>& deviceInfoBytes, const RpcHardwareInfo& rpcHardwareInfo) {
+ return parseAndValidateDeviceInfo(deviceInfoBytes, rpcHardwareInfo, /*isFactory=*/true);
}
ErrMsgOr<std::unique_ptr<cppbor::Map>> parseAndValidateProductionDeviceInfo(
- const std::vector<uint8_t>& deviceInfoBytes, IRemotelyProvisionedComponent* provisionable) {
- return parseAndValidateDeviceInfo(deviceInfoBytes, provisionable, /*isFactory=*/false);
+ const std::vector<uint8_t>& deviceInfoBytes, const RpcHardwareInfo& rpcHardwareInfo) {
+ return parseAndValidateDeviceInfo(deviceInfoBytes, rpcHardwareInfo, /*isFactory=*/false);
}
ErrMsgOr<bytevec> getSessionKey(ErrMsgOr<std::pair<bytevec, bytevec>>& senderPubkey,
@@ -661,8 +659,8 @@
ErrMsgOr<std::vector<BccEntryData>> verifyProtectedData(
const DeviceInfo& deviceInfo, const cppbor::Array& keysToSign,
const std::vector<uint8_t>& keysToSignMac, const ProtectedData& protectedData,
- const EekChain& eekChain, const std::vector<uint8_t>& eekId, int32_t supportedEekCurve,
- IRemotelyProvisionedComponent* provisionable, const std::string& instanceName,
+ const EekChain& eekChain, const std::vector<uint8_t>& eekId,
+ const RpcHardwareInfo& rpcHardwareInfo, const std::string& instanceName,
const std::vector<uint8_t>& challenge, bool isFactory, bool allowAnyMode = false) {
auto [parsedProtectedData, _, protDataErrMsg] = cppbor::parse(protectedData.protectedData);
if (!parsedProtectedData) {
@@ -685,7 +683,7 @@
return "The COSE_encrypt recipient does not match the expected EEK identifier";
}
- auto sessionKey = getSessionKey(senderPubkey, eekChain, supportedEekCurve);
+ auto sessionKey = getSessionKey(senderPubkey, eekChain, rpcHardwareInfo.supportedEekCurve);
if (!sessionKey) {
return sessionKey.message();
}
@@ -726,7 +724,7 @@
}
auto deviceInfoResult =
- parseAndValidateDeviceInfo(deviceInfo.deviceInfo, provisionable, isFactory);
+ parseAndValidateDeviceInfo(deviceInfo.deviceInfo, rpcHardwareInfo, isFactory);
if (!deviceInfoResult) {
return deviceInfoResult.message();
}
@@ -762,22 +760,22 @@
ErrMsgOr<std::vector<BccEntryData>> verifyFactoryProtectedData(
const DeviceInfo& deviceInfo, const cppbor::Array& keysToSign,
const std::vector<uint8_t>& keysToSignMac, const ProtectedData& protectedData,
- const EekChain& eekChain, const std::vector<uint8_t>& eekId, int32_t supportedEekCurve,
- IRemotelyProvisionedComponent* provisionable, const std::string& instanceName,
+ const EekChain& eekChain, const std::vector<uint8_t>& eekId,
+ const RpcHardwareInfo& rpcHardwareInfo, const std::string& instanceName,
const std::vector<uint8_t>& challenge) {
return verifyProtectedData(deviceInfo, keysToSign, keysToSignMac, protectedData, eekChain,
- eekId, supportedEekCurve, provisionable, instanceName, challenge,
+ eekId, rpcHardwareInfo, instanceName, challenge,
/*isFactory=*/true);
}
ErrMsgOr<std::vector<BccEntryData>> verifyProductionProtectedData(
const DeviceInfo& deviceInfo, const cppbor::Array& keysToSign,
const std::vector<uint8_t>& keysToSignMac, const ProtectedData& protectedData,
- const EekChain& eekChain, const std::vector<uint8_t>& eekId, int32_t supportedEekCurve,
- IRemotelyProvisionedComponent* provisionable, const std::string& instanceName,
+ const EekChain& eekChain, const std::vector<uint8_t>& eekId,
+ const RpcHardwareInfo& rpcHardwareInfo, const std::string& instanceName,
const std::vector<uint8_t>& challenge, bool allowAnyMode) {
return verifyProtectedData(deviceInfo, keysToSign, keysToSignMac, protectedData, eekChain,
- eekId, supportedEekCurve, provisionable, instanceName, challenge,
+ eekId, rpcHardwareInfo, instanceName, challenge,
/*isFactory=*/false, allowAnyMode);
}
@@ -912,7 +910,7 @@
ErrMsgOr<std::unique_ptr<cppbor::Array>> parseAndValidateCsrPayload(
const cppbor::Array& keysToSign, const std::vector<uint8_t>& csrPayload,
- IRemotelyProvisionedComponent* provisionable, bool isFactory) {
+ const RpcHardwareInfo& rpcHardwareInfo, bool isFactory) {
auto [parsedCsrPayload, _, errMsg] = cppbor::parse(csrPayload);
if (!parsedCsrPayload) {
return errMsg;
@@ -949,7 +947,8 @@
return "Keys must be an Array.";
}
- auto result = parseAndValidateDeviceInfo(signedDeviceInfo->encode(), provisionable, isFactory);
+ auto result =
+ parseAndValidateDeviceInfo(signedDeviceInfo->encode(), rpcHardwareInfo, isFactory);
if (!result) {
return result.message();
}
@@ -1100,13 +1099,12 @@
ErrMsgOr<std::unique_ptr<cppbor::Array>> verifyCsr(
const cppbor::Array& keysToSign, const std::vector<uint8_t>& csr,
- IRemotelyProvisionedComponent* provisionable, const std::string& instanceName,
+ const RpcHardwareInfo& rpcHardwareInfo, const std::string& instanceName,
const std::vector<uint8_t>& challenge, bool isFactory, bool allowAnyMode = false,
bool allowDegenerate = true, bool requireUdsCerts = false) {
- RpcHardwareInfo info;
- provisionable->getHardwareInfo(&info);
- if (info.versionNumber != 3) {
- return "Remotely provisioned component version (" + std::to_string(info.versionNumber) +
+ if (rpcHardwareInfo.versionNumber != 3) {
+ return "Remotely provisioned component version (" +
+ std::to_string(rpcHardwareInfo.versionNumber) +
") does not match expected version (3).";
}
@@ -1117,61 +1115,46 @@
return csrPayload.message();
}
- return parseAndValidateCsrPayload(keysToSign, *csrPayload, provisionable, isFactory);
+ return parseAndValidateCsrPayload(keysToSign, *csrPayload, rpcHardwareInfo, isFactory);
}
ErrMsgOr<std::unique_ptr<cppbor::Array>> verifyFactoryCsr(
const cppbor::Array& keysToSign, const std::vector<uint8_t>& csr,
- IRemotelyProvisionedComponent* provisionable, const std::string& instanceName,
+ const RpcHardwareInfo& rpcHardwareInfo, const std::string& instanceName,
const std::vector<uint8_t>& challenge, bool allowDegenerate, bool requireUdsCerts) {
- return verifyCsr(keysToSign, csr, provisionable, instanceName, challenge, /*isFactory=*/true,
+ return verifyCsr(keysToSign, csr, rpcHardwareInfo, instanceName, challenge, /*isFactory=*/true,
/*allowAnyMode=*/false, allowDegenerate, requireUdsCerts);
}
-ErrMsgOr<std::unique_ptr<cppbor::Array>> verifyProductionCsr(
- const cppbor::Array& keysToSign, const std::vector<uint8_t>& csr,
- IRemotelyProvisionedComponent* provisionable, const std::string& instanceName,
- const std::vector<uint8_t>& challenge, bool allowAnyMode) {
- return verifyCsr(keysToSign, csr, provisionable, instanceName, challenge, /*isFactory=*/false,
+ErrMsgOr<std::unique_ptr<cppbor::Array>> verifyProductionCsr(const cppbor::Array& keysToSign,
+ const std::vector<uint8_t>& csr,
+ const RpcHardwareInfo& rpcHardwareInfo,
+ const std::string& instanceName,
+ const std::vector<uint8_t>& challenge,
+ bool allowAnyMode) {
+ return verifyCsr(keysToSign, csr, rpcHardwareInfo, instanceName, challenge, /*isFactory=*/false,
allowAnyMode);
}
-ErrMsgOr<bool> isCsrWithProperDiceChain(const std::vector<uint8_t>& csr,
+ErrMsgOr<bool> isCsrWithProperDiceChain(const std::vector<uint8_t>& encodedCsr,
const std::string& instanceName) {
- auto [parsedRequest, _, csrErrMsg] = cppbor::parse(csr);
- if (!parsedRequest) {
- return csrErrMsg;
- }
- if (!parsedRequest->asArray()) {
- return "AuthenticatedRequest is not a CBOR array.";
- }
- if (parsedRequest->asArray()->size() != 4U) {
- return "AuthenticatedRequest must contain version, UDS certificates, DICE chain, and "
- "signed data. However, the parsed AuthenticatedRequest has " +
- std::to_string(parsedRequest->asArray()->size()) + " entries.";
- }
-
- auto version = parsedRequest->asArray()->get(0)->asUint();
- auto diceCertChain = parsedRequest->asArray()->get(2)->asArray();
-
- if (!version || version->value() != 1U) {
- return "AuthenticatedRequest version must be an unsigned integer and must be equal to 1.";
- }
- if (!diceCertChain) {
- return "AuthenticatedRequest DiceCertChain must be an Array.";
- }
-
- // DICE chain is [ pubkey, + DiceChainEntry ].
auto diceChainKind = getDiceChainKind();
if (!diceChainKind) {
return diceChainKind.message();
}
- auto encodedDiceChain = diceCertChain->encode();
- auto chain = hwtrust::DiceChain::Verify(encodedDiceChain, *diceChainKind,
- /*allowAnyMode=*/false, deviceSuffix(instanceName));
- if (!chain.ok()) return chain.error().message();
- return chain->IsProper();
+ auto csr = hwtrust::Csr::validate(encodedCsr, *diceChainKind, false /*allowAnyMode*/,
+ deviceSuffix(instanceName));
+ if (!csr.ok()) {
+ return csr.error().message();
+ }
+
+ auto diceChain = csr->getDiceChain();
+ if (!diceChain.ok()) {
+ return diceChain.error().message();
+ }
+
+ return diceChain->IsProper();
}
} // namespace aidl::android::hardware::security::keymint::remote_prov
diff --git a/security/keymint/support/remote_prov_utils_test.cpp b/security/keymint/support/remote_prov_utils_test.cpp
index 8ffb149..6f6a2d6 100644
--- a/security/keymint/support/remote_prov_utils_test.cpp
+++ b/security/keymint/support/remote_prov_utils_test.cpp
@@ -25,7 +25,6 @@
#include <keymaster/logger.h>
#include <keymaster/remote_provisioning_utils.h>
#include <openssl/curve25519.h>
-#include <remote_prov/MockIRemotelyProvisionedComponent.h>
#include <remote_prov/remote_prov_utils.h>
#include <algorithm>
@@ -82,6 +81,76 @@
0x50, 0x12, 0x82, 0x37, 0xfe, 0xa4, 0x07, 0xc3, 0xd5, 0xc3, 0x78, 0xcc, 0xf9, 0xef, 0xe1,
0x95, 0x38, 0x9f, 0xb0, 0x79, 0x16, 0x4c, 0x4a, 0x23, 0xc4, 0xdc, 0x35, 0x4e, 0x0f};
+inline const std::vector<uint8_t> kCsrWithDegenerateDiceChain{
+ 0x85, 0x01, 0xa0, 0x82, 0xa6, 0x01, 0x02, 0x03, 0x26, 0x20, 0x01, 0x21, 0x58, 0x20, 0x65,
+ 0xe0, 0x51, 0x62, 0x45, 0x17, 0xcc, 0xa8, 0x40, 0x41, 0x6d, 0xc0, 0x86, 0x7a, 0x15, 0x6e,
+ 0xee, 0x04, 0xae, 0xbd, 0x05, 0x13, 0x36, 0xcb, 0xd2, 0x8d, 0xd8, 0x80, 0x16, 0xc1, 0x69,
+ 0x0d, 0x22, 0x58, 0x20, 0xea, 0xa1, 0x37, 0xd5, 0x01, 0xbd, 0xe0, 0x25, 0x6a, 0x3d, 0x4c,
+ 0xcd, 0x31, 0xa1, 0x4d, 0xa6, 0x80, 0x82, 0x03, 0x40, 0xe2, 0x88, 0x81, 0x53, 0xc3, 0xb3,
+ 0x6d, 0xf7, 0xf4, 0x10, 0xde, 0x96, 0x23, 0x58, 0x20, 0x24, 0x69, 0x44, 0x6e, 0xf5, 0xcc,
+ 0x18, 0xfe, 0x63, 0xac, 0x5e, 0x85, 0x9c, 0xfc, 0x9d, 0xfa, 0x90, 0xee, 0x6c, 0xc2, 0x22,
+ 0x49, 0x02, 0xc7, 0x93, 0xf4, 0x30, 0xf1, 0x51, 0x11, 0x20, 0x33, 0x84, 0x43, 0xa1, 0x01,
+ 0x26, 0xa0, 0x58, 0x97, 0xa5, 0x01, 0x66, 0x69, 0x73, 0x73, 0x75, 0x65, 0x72, 0x02, 0x67,
+ 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x3a, 0x00, 0x47, 0x44, 0x56, 0x41, 0x01, 0x3a,
+ 0x00, 0x47, 0x44, 0x57, 0x58, 0x70, 0xa6, 0x01, 0x02, 0x03, 0x26, 0x20, 0x01, 0x21, 0x58,
+ 0x20, 0x65, 0xe0, 0x51, 0x62, 0x45, 0x17, 0xcc, 0xa8, 0x40, 0x41, 0x6d, 0xc0, 0x86, 0x7a,
+ 0x15, 0x6e, 0xee, 0x04, 0xae, 0xbd, 0x05, 0x13, 0x36, 0xcb, 0xd2, 0x8d, 0xd8, 0x80, 0x16,
+ 0xc1, 0x69, 0x0d, 0x22, 0x58, 0x20, 0xea, 0xa1, 0x37, 0xd5, 0x01, 0xbd, 0xe0, 0x25, 0x6a,
+ 0x3d, 0x4c, 0xcd, 0x31, 0xa1, 0x4d, 0xa6, 0x80, 0x82, 0x03, 0x40, 0xe2, 0x88, 0x81, 0x53,
+ 0xc3, 0xb3, 0x6d, 0xf7, 0xf4, 0x10, 0xde, 0x96, 0x23, 0x58, 0x20, 0x24, 0x69, 0x44, 0x6e,
+ 0xf5, 0xcc, 0x18, 0xfe, 0x63, 0xac, 0x5e, 0x85, 0x9c, 0xfc, 0x9d, 0xfa, 0x90, 0xee, 0x6c,
+ 0xc2, 0x22, 0x49, 0x02, 0xc7, 0x93, 0xf4, 0x30, 0xf1, 0x51, 0x11, 0x20, 0x33, 0x3a, 0x00,
+ 0x47, 0x44, 0x58, 0x41, 0x20, 0x58, 0x40, 0x16, 0xb9, 0x51, 0xdf, 0x31, 0xad, 0xa0, 0x3d,
+ 0x98, 0x40, 0x85, 0xdf, 0xd9, 0xbe, 0xf6, 0x79, 0x62, 0x36, 0x8b, 0x60, 0xaa, 0x79, 0x8e,
+ 0x52, 0x04, 0xdd, 0xba, 0x39, 0xa2, 0x58, 0x9c, 0x60, 0xd5, 0x96, 0x51, 0x42, 0xe2, 0xa5,
+ 0x57, 0x58, 0xb4, 0x89, 0x2c, 0x94, 0xb9, 0xda, 0xe7, 0x93, 0x85, 0xda, 0x64, 0xa0, 0x52,
+ 0xfc, 0x6b, 0xb1, 0x0a, 0xa8, 0x13, 0xd9, 0x84, 0xfb, 0x34, 0x77, 0x84, 0x43, 0xa1, 0x01,
+ 0x26, 0xa0, 0x59, 0x02, 0x0f, 0x82, 0x58, 0x20, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
+ 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16,
+ 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x59, 0x01, 0xe9, 0x84, 0x03,
+ 0x67, 0x6b, 0x65, 0x79, 0x6d, 0x69, 0x6e, 0x74, 0xae, 0x65, 0x62, 0x72, 0x61, 0x6e, 0x64,
+ 0x66, 0x47, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x65, 0x66, 0x75, 0x73, 0x65, 0x64, 0x01, 0x65,
+ 0x6d, 0x6f, 0x64, 0x65, 0x6c, 0x65, 0x6d, 0x6f, 0x64, 0x65, 0x6c, 0x66, 0x64, 0x65, 0x76,
+ 0x69, 0x63, 0x65, 0x66, 0x64, 0x65, 0x76, 0x69, 0x63, 0x65, 0x67, 0x70, 0x72, 0x6f, 0x64,
+ 0x75, 0x63, 0x74, 0x65, 0x70, 0x69, 0x78, 0x65, 0x6c, 0x68, 0x76, 0x62, 0x5f, 0x73, 0x74,
+ 0x61, 0x74, 0x65, 0x65, 0x67, 0x72, 0x65, 0x65, 0x6e, 0x6a, 0x6f, 0x73, 0x5f, 0x76, 0x65,
+ 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x62, 0x31, 0x32, 0x6c, 0x6d, 0x61, 0x6e, 0x75, 0x66, 0x61,
+ 0x63, 0x74, 0x75, 0x72, 0x65, 0x72, 0x66, 0x47, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x6d, 0x76,
+ 0x62, 0x6d, 0x65, 0x74, 0x61, 0x5f, 0x64, 0x69, 0x67, 0x65, 0x73, 0x74, 0x4f, 0x11, 0x22,
+ 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff, 0x6e, 0x73,
+ 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x5f, 0x6c, 0x65, 0x76, 0x65, 0x6c, 0x63, 0x74,
+ 0x65, 0x65, 0x70, 0x62, 0x6f, 0x6f, 0x74, 0x5f, 0x70, 0x61, 0x74, 0x63, 0x68, 0x5f, 0x6c,
+ 0x65, 0x76, 0x65, 0x6c, 0x1a, 0x01, 0x34, 0x8c, 0x62, 0x70, 0x62, 0x6f, 0x6f, 0x74, 0x6c,
+ 0x6f, 0x61, 0x64, 0x65, 0x72, 0x5f, 0x73, 0x74, 0x61, 0x74, 0x65, 0x66, 0x6c, 0x6f, 0x63,
+ 0x6b, 0x65, 0x64, 0x72, 0x73, 0x79, 0x73, 0x74, 0x65, 0x6d, 0x5f, 0x70, 0x61, 0x74, 0x63,
+ 0x68, 0x5f, 0x6c, 0x65, 0x76, 0x65, 0x6c, 0x1a, 0x01, 0x34, 0x8c, 0x61, 0x72, 0x76, 0x65,
+ 0x6e, 0x64, 0x6f, 0x72, 0x5f, 0x70, 0x61, 0x74, 0x63, 0x68, 0x5f, 0x6c, 0x65, 0x76, 0x65,
+ 0x6c, 0x1a, 0x01, 0x34, 0x8c, 0x63, 0x82, 0xa6, 0x01, 0x02, 0x03, 0x26, 0x20, 0x01, 0x21,
+ 0x58, 0x20, 0x46, 0xbd, 0xfc, 0xed, 0xa6, 0x94, 0x9a, 0xc4, 0x5e, 0x27, 0xcf, 0x24, 0x25,
+ 0xc5, 0x0c, 0x7d, 0xed, 0x8f, 0x21, 0xe0, 0x47, 0x81, 0x5a, 0xdc, 0x3b, 0xd4, 0x9e, 0x13,
+ 0xb6, 0x06, 0x36, 0x70, 0x22, 0x58, 0x20, 0x0a, 0xbd, 0xbc, 0x0d, 0x19, 0xba, 0xcc, 0xdc,
+ 0x00, 0x64, 0x31, 0x4c, 0x84, 0x66, 0x1d, 0xfb, 0x50, 0xd0, 0xe3, 0xf8, 0x78, 0x9d, 0xf9,
+ 0x77, 0x2b, 0x40, 0x6b, 0xb5, 0x8e, 0xd3, 0xf8, 0xa9, 0x23, 0x58, 0x21, 0x00, 0x9c, 0x42,
+ 0x3f, 0x79, 0x76, 0xa0, 0xd1, 0x98, 0x58, 0xbb, 0x9b, 0x9e, 0xfb, 0x3b, 0x08, 0xf2, 0xe1,
+ 0xa3, 0xfe, 0xf4, 0x21, 0x5b, 0x97, 0x2d, 0xcb, 0x9a, 0x55, 0x1a, 0x7f, 0xa7, 0xc1, 0xa8,
+ 0xa6, 0x01, 0x02, 0x03, 0x26, 0x20, 0x01, 0x21, 0x58, 0x20, 0xef, 0xd3, 0x88, 0xc4, 0xbc,
+ 0xce, 0x51, 0x4d, 0x4b, 0xd3, 0x81, 0x26, 0xc6, 0xcc, 0x66, 0x3b, 0x12, 0x38, 0xbf, 0x23,
+ 0x7a, 0x2e, 0x7f, 0x82, 0xa7, 0x81, 0x74, 0x21, 0xc0, 0x12, 0x79, 0xf4, 0x22, 0x58, 0x20,
+ 0xdc, 0x85, 0x6c, 0x1c, 0xcc, 0xf9, 0xf3, 0xe8, 0xff, 0x90, 0xfd, 0x89, 0x03, 0xf5, 0xaf,
+ 0x75, 0xa0, 0x79, 0xbb, 0x53, 0x9a, 0x1f, 0x2b, 0x34, 0x86, 0x47, 0x3d, 0x66, 0x2a, 0x07,
+ 0x3b, 0x1e, 0x23, 0x58, 0x20, 0x34, 0x7b, 0x15, 0xcc, 0xbf, 0x26, 0xc9, 0x28, 0x0e, 0xee,
+ 0xc5, 0x47, 0xac, 0x00, 0xc4, 0x4d, 0x81, 0x2b, 0x1e, 0xac, 0x31, 0xd2, 0x6f, 0x36, 0x85,
+ 0xe6, 0xa8, 0xf0, 0x46, 0xfc, 0xd2, 0x83, 0x58, 0x40, 0x55, 0x4c, 0x38, 0xdf, 0xfe, 0x49,
+ 0xa8, 0xa0, 0xa5, 0x08, 0xce, 0x2f, 0xe5, 0xf6, 0x6e, 0x2b, 0xc2, 0x95, 0x39, 0xc8, 0xca,
+ 0x77, 0xd6, 0xf6, 0x67, 0x24, 0x6b, 0x0e, 0x63, 0x5d, 0x11, 0x97, 0x26, 0x52, 0x30, 0xbc,
+ 0x28, 0x1d, 0xbf, 0x2a, 0x3e, 0x8c, 0x90, 0x54, 0xaa, 0xaa, 0xd1, 0x7c, 0x53, 0x7b, 0x48,
+ 0x1f, 0x51, 0x50, 0x6c, 0x32, 0xe1, 0x0f, 0x57, 0xea, 0x47, 0x76, 0x85, 0x0c, 0xa1, 0x6b,
+ 0x66, 0x69, 0x6e, 0x67, 0x65, 0x72, 0x70, 0x72, 0x69, 0x6e, 0x74, 0x78, 0x3b, 0x62, 0x72,
+ 0x61, 0x6e, 0x64, 0x31, 0x2f, 0x70, 0x72, 0x6f, 0x64, 0x75, 0x63, 0x74, 0x31, 0x2f, 0x64,
+ 0x65, 0x76, 0x69, 0x63, 0x65, 0x31, 0x3a, 0x31, 0x31, 0x2f, 0x69, 0x64, 0x2f, 0x32, 0x30,
+ 0x32, 0x31, 0x30, 0x38, 0x30, 0x35, 0x2e, 0x34, 0x32, 0x3a, 0x75, 0x73, 0x65, 0x72, 0x2f,
+ 0x72, 0x65, 0x6c, 0x65, 0x61, 0x73, 0x65, 0x2d, 0x6b, 0x65, 0x79, 0x73};
+
// The challenge that is in kKeysToSignForCsrWithUdsCerts and kCsrWithUdsCerts
inline const std::vector<uint8_t> kChallenge{0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10,
@@ -328,6 +397,8 @@
0xa7, 0xb6, 0xc2, 0x40, 0x06, 0x65, 0xc5, 0xff, 0x19, 0xc5, 0xcd, 0x1c, 0xd5, 0x78, 0x01,
0xd4, 0xb8};
+const RpcHardwareInfo kRpcHardwareInfo = {.versionNumber = 3};
+
inline bool equal_byte_views(const byte_view& view1, const byte_view& view2) {
return std::equal(view1.begin(), view1.end(), view2.begin(), view2.end());
}
@@ -557,19 +628,26 @@
DEFAULT_INSTANCE_NAME));
}
+TEST(RemoteProvUtils, validateDiceChainProper) {
+ auto result = isCsrWithProperDiceChain(kCsrWithUdsCerts, DEFAULT_INSTANCE_NAME);
+ ASSERT_TRUE(result) << result.message();
+ ASSERT_TRUE(*result) << "DICE Chain is degenerate";
+}
+
+TEST(RemoteProvUtils, validateDiceChainDegenerate) {
+ auto result = isCsrWithProperDiceChain(kCsrWithDegenerateDiceChain, DEFAULT_INSTANCE_NAME);
+ ASSERT_TRUE(result) << result.message();
+ ASSERT_FALSE(*result) << "DICE Chain is proper";
+}
+
TEST(RemoteProvUtilsTest, requireUdsCertsWhenPresent) {
auto [keysToSignPtr, _, errMsg] = cppbor::parse(kKeysToSignForCsrWithUdsCerts);
ASSERT_TRUE(keysToSignPtr) << "Error: " << errMsg;
- auto mockRpc = SharedRefBase::make<MockIRemotelyProvisionedComponent>();
- EXPECT_CALL(*mockRpc, getHardwareInfo(NotNull())).WillRepeatedly([](RpcHardwareInfo* hwInfo) {
- hwInfo->versionNumber = 3;
- return ScopedAStatus::ok();
- });
-
const auto keysToSign = keysToSignPtr->asArray();
- auto csr = verifyFactoryCsr(*keysToSign, kCsrWithUdsCerts, mockRpc.get(), "default", kChallenge,
- /*allowDegenerate=*/false, /*requireUdsCerts=*/true);
+ auto csr =
+ verifyFactoryCsr(*keysToSign, kCsrWithUdsCerts, kRpcHardwareInfo, "default", kChallenge,
+ /*allowDegenerate=*/false, /*requireUdsCerts=*/true);
ASSERT_TRUE(csr) << csr.message();
}
@@ -577,27 +655,15 @@
auto [keysToSignPtr, _, errMsg] = cppbor::parse(kKeysToSignForCsrWithUdsCerts);
ASSERT_TRUE(keysToSignPtr) << "Error: " << errMsg;
- auto mockRpc = SharedRefBase::make<MockIRemotelyProvisionedComponent>();
- EXPECT_CALL(*mockRpc, getHardwareInfo(NotNull())).WillRepeatedly([](RpcHardwareInfo* hwInfo) {
- hwInfo->versionNumber = 3;
- return ScopedAStatus::ok();
- });
-
const auto* keysToSign = keysToSignPtr->asArray();
- auto csr = verifyFactoryCsr(*keysToSign, kCsrWithUdsCerts, mockRpc.get(), DEFAULT_INSTANCE_NAME,
- kChallenge,
+ auto csr = verifyFactoryCsr(*keysToSign, kCsrWithUdsCerts, kRpcHardwareInfo,
+ DEFAULT_INSTANCE_NAME, kChallenge,
/*allowDegenerate=*/false, /*requireUdsCerts=*/false);
ASSERT_TRUE(csr) << csr.message();
}
TEST(RemoteProvUtilsTest, requireUdsCertsWhenNotPresent) {
- auto mockRpc = SharedRefBase::make<MockIRemotelyProvisionedComponent>();
- EXPECT_CALL(*mockRpc, getHardwareInfo(NotNull())).WillRepeatedly([](RpcHardwareInfo* hwInfo) {
- hwInfo->versionNumber = 3;
- return ScopedAStatus::ok();
- });
-
- auto csr = verifyFactoryCsr(/*keysToSign=*/Array(), kCsrWithoutUdsCerts, mockRpc.get(),
+ auto csr = verifyFactoryCsr(/*keysToSign=*/Array(), kCsrWithoutUdsCerts, kRpcHardwareInfo,
DEFAULT_INSTANCE_NAME, kChallenge, /*allowDegenerate=*/false,
/*requireUdsCerts=*/true);
ASSERT_FALSE(csr);
@@ -610,14 +676,8 @@
kKeysToSignForCsrWithoutUdsCerts.data() + kKeysToSignForCsrWithoutUdsCerts.size());
ASSERT_TRUE(keysToSignPtr) << "Error: " << errMsg;
- auto mockRpc = SharedRefBase::make<MockIRemotelyProvisionedComponent>();
- EXPECT_CALL(*mockRpc, getHardwareInfo(NotNull())).WillRepeatedly([](RpcHardwareInfo* hwInfo) {
- hwInfo->versionNumber = 3;
- return ScopedAStatus::ok();
- });
-
const auto* keysToSign = keysToSignPtr->asArray();
- auto csr = verifyFactoryCsr(*keysToSign, kCsrWithoutUdsCerts, mockRpc.get(),
+ auto csr = verifyFactoryCsr(*keysToSign, kCsrWithoutUdsCerts, kRpcHardwareInfo,
DEFAULT_INSTANCE_NAME, kChallenge,
/*allowDegenerate=*/false, /*requireUdsCerts=*/false);
ASSERT_TRUE(csr) << csr.message();
diff --git a/security/rkp/aidl/vts/functional/VtsRemotelyProvisionedComponentTests.cpp b/security/rkp/aidl/vts/functional/VtsRemotelyProvisionedComponentTests.cpp
index 8f918af..5467679 100644
--- a/security/rkp/aidl/vts/functional/VtsRemotelyProvisionedComponentTests.cpp
+++ b/security/rkp/aidl/vts/functional/VtsRemotelyProvisionedComponentTests.cpp
@@ -35,6 +35,7 @@
#include <remote_prov/remote_prov_utils.h>
#include <optional>
#include <set>
+#include <string_view>
#include <vector>
#include "KeyMintAidlTestBase.h"
@@ -150,22 +151,14 @@
return corruptChain.encode();
}
-string device_suffix(const string& name) {
- size_t pos = name.find('/');
- if (pos == string::npos) {
- return name;
- }
- return name.substr(pos + 1);
-}
-
bool matching_keymint_device(const string& rp_name, std::shared_ptr<IKeyMintDevice>* keyMint) {
- string rp_suffix = device_suffix(rp_name);
+ auto rp_suffix = deviceSuffix(rp_name);
vector<string> km_names = ::android::getAidlHalInstanceNames(IKeyMintDevice::descriptor);
for (const string& km_name : km_names) {
// If the suffix of the KeyMint instance equals the suffix of the
// RemotelyProvisionedComponent instance, assume they match.
- if (device_suffix(km_name) == rp_suffix && AServiceManager_isDeclared(km_name.c_str())) {
+ if (deviceSuffix(km_name) == rp_suffix && AServiceManager_isDeclared(km_name.c_str())) {
::ndk::SpAIBinder binder(AServiceManager_waitForService(km_name.c_str()));
*keyMint = IKeyMintDevice::fromBinder(binder);
return true;
@@ -489,9 +482,9 @@
&protectedData, &keysToSignMac);
ASSERT_TRUE(status.isOk()) << status.getDescription();
- auto result = verifyProductionProtectedData(
- deviceInfo, cppbor::Array(), keysToSignMac, protectedData, testEekChain_, eekId_,
- rpcHardwareInfo.supportedEekCurve, provisionable_.get(), GetParam(), challenge_);
+ auto result = verifyProductionProtectedData(deviceInfo, cppbor::Array(), keysToSignMac,
+ protectedData, testEekChain_, eekId_,
+ rpcHardwareInfo, GetParam(), challenge_);
ASSERT_TRUE(result) << result.message();
}
}
@@ -516,8 +509,7 @@
auto firstBcc = verifyProductionProtectedData(deviceInfo, /*keysToSign=*/cppbor::Array(),
keysToSignMac, protectedData, testEekChain_,
- eekId_, rpcHardwareInfo.supportedEekCurve,
- provisionable_.get(), GetParam(), challenge_);
+ eekId_, rpcHardwareInfo, GetParam(), challenge_);
ASSERT_TRUE(firstBcc) << firstBcc.message();
status = provisionable_->generateCertificateRequest(
@@ -527,8 +519,7 @@
auto secondBcc = verifyProductionProtectedData(deviceInfo, /*keysToSign=*/cppbor::Array(),
keysToSignMac, protectedData, testEekChain_,
- eekId_, rpcHardwareInfo.supportedEekCurve,
- provisionable_.get(), GetParam(), challenge_);
+ eekId_, rpcHardwareInfo, GetParam(), challenge_);
ASSERT_TRUE(secondBcc) << secondBcc.message();
// Verify that none of the keys in the first BCC are repeated in the second one.
@@ -576,9 +567,9 @@
&keysToSignMac);
ASSERT_TRUE(status.isOk()) << status.getDescription();
- auto result = verifyProductionProtectedData(
- deviceInfo, cborKeysToSign_, keysToSignMac, protectedData, testEekChain_, eekId_,
- rpcHardwareInfo.supportedEekCurve, provisionable_.get(), GetParam(), challenge_);
+ auto result = verifyProductionProtectedData(deviceInfo, cborKeysToSign_, keysToSignMac,
+ protectedData, testEekChain_, eekId_,
+ rpcHardwareInfo, GetParam(), challenge_);
ASSERT_TRUE(result) << result.message();
}
}
@@ -766,7 +757,7 @@
provisionable_->generateCertificateRequestV2({} /* keysToSign */, challenge, &csr);
ASSERT_TRUE(status.isOk()) << status.getDescription();
- auto result = verifyProductionCsr(cppbor::Array(), csr, provisionable_.get(), GetParam(),
+ auto result = verifyProductionCsr(cppbor::Array(), csr, rpcHardwareInfo, GetParam(),
challenge, isRkpVmInstance_);
ASSERT_TRUE(result) << result.message();
}
@@ -788,7 +779,7 @@
auto status = provisionable_->generateCertificateRequestV2(keysToSign_, challenge, &csr);
ASSERT_TRUE(status.isOk()) << status.getDescription();
- auto result = verifyProductionCsr(cborKeysToSign_, csr, provisionable_.get(), GetParam(),
+ auto result = verifyProductionCsr(cborKeysToSign_, csr, rpcHardwareInfo, GetParam(),
challenge, isRkpVmInstance_);
ASSERT_TRUE(result) << result.message();
}
@@ -819,14 +810,14 @@
auto status = provisionable_->generateCertificateRequestV2(keysToSign_, challenge_, &csr);
ASSERT_TRUE(status.isOk()) << status.getDescription();
- auto firstCsr = verifyProductionCsr(cborKeysToSign_, csr, provisionable_.get(), GetParam(),
+ auto firstCsr = verifyProductionCsr(cborKeysToSign_, csr, rpcHardwareInfo, GetParam(),
challenge_, isRkpVmInstance_);
ASSERT_TRUE(firstCsr) << firstCsr.message();
status = provisionable_->generateCertificateRequestV2(keysToSign_, challenge_, &csr);
ASSERT_TRUE(status.isOk()) << status.getDescription();
- auto secondCsr = verifyProductionCsr(cborKeysToSign_, csr, provisionable_.get(), GetParam(),
+ auto secondCsr = verifyProductionCsr(cborKeysToSign_, csr, rpcHardwareInfo, GetParam(),
challenge_, isRkpVmInstance_);
ASSERT_TRUE(secondCsr) << secondCsr.message();
@@ -845,8 +836,8 @@
auto status = provisionable_->generateCertificateRequestV2(keysToSign_, challenge_, &csr);
ASSERT_TRUE(status.isOk()) << status.getDescription();
- auto result = verifyProductionCsr(cborKeysToSign_, csr, provisionable_.get(), GetParam(),
- challenge_, isRkpVmInstance_);
+ auto result = verifyProductionCsr(cborKeysToSign_, csr, rpcHardwareInfo, GetParam(), challenge_,
+ isRkpVmInstance_);
ASSERT_TRUE(result) << result.message();
}
@@ -977,7 +968,7 @@
ASSERT_TRUE(irpcStatus.isOk()) << irpcStatus.getDescription();
auto result =
- verifyProductionCsr(cppbor::Array(), csr, provisionable_.get(), GetParam(), challenge_);
+ verifyProductionCsr(cppbor::Array(), csr, rpcHardwareInfo, GetParam(), challenge_);
ASSERT_TRUE(result) << result.message();
std::unique_ptr<cppbor::Array> csrPayload = std::move(*result);
@@ -1002,7 +993,7 @@
ASSERT_TRUE(bootPatchLevel);
ASSERT_TRUE(securityLevel);
- auto kmDeviceName = device_suffix(GetParam());
+ auto kmDeviceName = deviceSuffix(GetParam());
// Compare DeviceInfo against IDs attested by KeyMint.
ASSERT_TRUE((securityLevel->value() == "tee" && kmDeviceName == "default") ||
diff --git a/uwb/aidl/aidl_api/android.hardware.uwb.fira_android/current/android/hardware/uwb/fira_android/UwbVendorCapabilityTlvTypes.aidl b/uwb/aidl/aidl_api/android.hardware.uwb.fira_android/current/android/hardware/uwb/fira_android/UwbVendorCapabilityTlvTypes.aidl
index 09cdc26..d0f1ed9 100644
--- a/uwb/aidl/aidl_api/android.hardware.uwb.fira_android/current/android/hardware/uwb/fira_android/UwbVendorCapabilityTlvTypes.aidl
+++ b/uwb/aidl/aidl_api/android.hardware.uwb.fira_android/current/android/hardware/uwb/fira_android/UwbVendorCapabilityTlvTypes.aidl
@@ -36,6 +36,7 @@
enum UwbVendorCapabilityTlvTypes {
SUPPORTED_POWER_STATS_QUERY = 0xC0,
SUPPORTED_ANTENNA_MODES = 0xC1,
+ SUPPORTED_MAX_SESSION_COUNT = 0xEB,
CCC_SUPPORTED_CHAPS_PER_SLOT = 0xA0,
CCC_SUPPORTED_SYNC_CODES = 0xA1,
CCC_SUPPORTED_HOPPING_CONFIG_MODES_AND_SEQUENCES = 0xA2,
diff --git a/uwb/aidl/android/hardware/uwb/fira_android/UwbVendorCapabilityTlvTypes.aidl b/uwb/aidl/android/hardware/uwb/fira_android/UwbVendorCapabilityTlvTypes.aidl
index 28e44ef..2d81ed2 100644
--- a/uwb/aidl/android/hardware/uwb/fira_android/UwbVendorCapabilityTlvTypes.aidl
+++ b/uwb/aidl/android/hardware/uwb/fira_android/UwbVendorCapabilityTlvTypes.aidl
@@ -48,6 +48,11 @@
*/
SUPPORTED_ANTENNA_MODES = 0xC1,
+ /**
+ * Int value to indicate max supported session count
+ */
+ SUPPORTED_MAX_SESSION_COUNT = 0xEB,
+
/*********************************************
* CCC specific
********************************************/