Convert SDK API level to vendor API level for Android 15+ in VTS gates.
This is a fairly targeted fix for b/383452093 since the new vendor API
level format (YYYYMM) was introduced in Android 14-QPR3 and therefore
only affects comparisons between the vendor API level and the SDK API
level starting with Android 15 (V).
A proper solution should not rely on the caller remembering to convert
the SDK API level, but this will do for now and we can improve the
gating properly in subsequent commits.
Bug: 383452093
Bug: 384021501
Test: atest VtsAidlKeyMintTargetTest
Change-Id: Ibb6ec2a294e96094ab5af8a674ddb77c1ad14993
diff --git a/security/keymint/aidl/vts/functional/Android.bp b/security/keymint/aidl/vts/functional/Android.bp
index 1414220..da3427a 100644
--- a/security/keymint/aidl/vts/functional/Android.bp
+++ b/security/keymint/aidl/vts/functional/Android.bp
@@ -37,6 +37,7 @@
"libcrypto",
"libbase",
"libgatekeeper",
+ "libvendorsupport",
"packagemanager_aidl-cpp",
],
static_libs: [
diff --git a/security/keymint/aidl/vts/functional/BootloaderStateTest.cpp b/security/keymint/aidl/vts/functional/BootloaderStateTest.cpp
index b41da3f..62215f3 100644
--- a/security/keymint/aidl/vts/functional/BootloaderStateTest.cpp
+++ b/security/keymint/aidl/vts/functional/BootloaderStateTest.cpp
@@ -27,6 +27,7 @@
#include <libavb/libavb.h>
#include <libavb_user/avb_ops_user.h>
#include <remote_prov/remote_prov_utils.h>
+#include <vendorsupport/api_level.h>
#include "KeyMintAidlTestBase.h"
@@ -98,7 +99,7 @@
// Check that the attested Verified Boot key is 32 bytes of zeroes since the bootloader is unlocked.
TEST_P(BootloaderStateTest, VerifiedBootKeyAllZeroes) {
// Gate this test to avoid waiver issues.
- if (get_vsr_api_level() <= __ANDROID_API_V__) {
+ if (get_vsr_api_level() <= AVendorSupport_getVendorApiLevelOf(__ANDROID_API_V__)) {
return;
}
@@ -141,7 +142,7 @@
avb_slot_verify_data_calculate_vbmeta_digest(avbSlotData, AVB_DIGEST_TYPE_SHA256,
sha256Digest.data());
- if (get_vsr_api_level() >= __ANDROID_API_V__) {
+ if (get_vsr_api_level() >= AVendorSupport_getVendorApiLevelOf(__ANDROID_API_V__)) {
ASSERT_TRUE(attestedVbmetaDigest_ == sha256Digest)
<< "Attested VBMeta digest (" << bin2hex(attestedVbmetaDigest_)
<< ") does not match the expected SHA-256 digest (" << bin2hex(sha256Digest)
diff --git a/security/keymint/aidl/vts/functional/KeyMintAidlTestBase.cpp b/security/keymint/aidl/vts/functional/KeyMintAidlTestBase.cpp
index 09446ce..4429816 100644
--- a/security/keymint/aidl/vts/functional/KeyMintAidlTestBase.cpp
+++ b/security/keymint/aidl/vts/functional/KeyMintAidlTestBase.cpp
@@ -35,6 +35,7 @@
#include <openssl/evp.h>
#include <openssl/mem.h>
#include <remote_prov/remote_prov_utils.h>
+#include <vendorsupport/api_level.h>
#include <keymaster/cppcose/cppcose.h>
#include <keymint_support/key_param_output.h>
@@ -1908,13 +1909,13 @@
}
}
- if (get_vsr_api_level() > __ANDROID_API_V__) {
+ if (get_vsr_api_level() > AVendorSupport_getVendorApiLevelOf(__ANDROID_API_V__)) {
// The Verified Boot key field should be exactly 32 bytes since it
// contains the SHA-256 hash of the key on locked devices or 32 bytes
// of zeroes on unlocked devices. This wasn't checked for earlier
// versions of the KeyMint HAL, so only only be strict for VSR-16+.
EXPECT_EQ(verified_boot_key.size(), 32);
- } else if (get_vsr_api_level() == __ANDROID_API_V__) {
+ } else if (get_vsr_api_level() == AVendorSupport_getVendorApiLevelOf(__ANDROID_API_V__)) {
// The Verified Boot key field should be:
// - Exactly 32 bytes on locked devices since it should contain
// the SHA-256 hash of the key, or
diff --git a/security/keymint/aidl/vts/functional/KeyMintTest.cpp b/security/keymint/aidl/vts/functional/KeyMintTest.cpp
index 416e6c0..e8a767b 100644
--- a/security/keymint/aidl/vts/functional/KeyMintTest.cpp
+++ b/security/keymint/aidl/vts/functional/KeyMintTest.cpp
@@ -42,6 +42,8 @@
#include <keymint_support/key_param_output.h>
#include <keymint_support/openssl_utils.h>
+#include <vendorsupport/api_level.h>
+
#include "KeyMintAidlTestBase.h"
using aidl::android::hardware::security::keymint::AuthorizationSet;
@@ -4156,7 +4158,7 @@
* when the EC_CURVE is not explicitly specified.
*/
TEST_P(ImportKeyTest, EcdsaSuccessCurveNotSpecified) {
- if (get_vsr_api_level() < __ANDROID_API_V__) {
+ if (get_vsr_api_level() < AVendorSupport_getVendorApiLevelOf(__ANDROID_API_V__)) {
/*
* The KeyMint spec was previously not clear as to whether EC_CURVE was optional on import
* of EC keys. However, this was not checked at the time so we can only be strict about
@@ -5315,7 +5317,7 @@
TEST_P(ImportWrappedKeyTest, RsaKey) {
int vsr_api_level = get_vsr_api_level();
- if (vsr_api_level < __ANDROID_API_V__) {
+ if (vsr_api_level < AVendorSupport_getVendorApiLevelOf(__ANDROID_API_V__)) {
/*
* The Keymaster v4 spec introduced `importWrappedKey()` and did not restrict it to
* just symmetric keys. However, the import of asymmetric wrapped keys was not tested
@@ -5346,7 +5348,7 @@
TEST_P(ImportWrappedKeyTest, EcKey) {
int vsr_api_level = get_vsr_api_level();
- if (vsr_api_level < __ANDROID_API_V__) {
+ if (vsr_api_level < AVendorSupport_getVendorApiLevelOf(__ANDROID_API_V__)) {
/*
* The Keymaster v4 spec introduced `importWrappedKey()` and did not restrict it to
* just symmetric keys. However, the import of asymmetric wrapped keys was not tested
@@ -8962,7 +8964,7 @@
// @VsrTest = GMS-VSR-3.10-019
TEST_P(VsrRequirementTest, Vsr16Test) {
int vsr_api_level = get_vsr_api_level();
- if (vsr_api_level <= __ANDROID_API_V__) {
+ if (vsr_api_level <= AVendorSupport_getVendorApiLevelOf(__ANDROID_API_V__)) {
GTEST_SKIP() << "Applies only to VSR API level > 35, this device is: " << vsr_api_level;
}
if (SecLevel() == SecurityLevel::STRONGBOX) {
diff --git a/security/keymint/aidl/vts/functional/SecureElementProvisioningTest.cpp b/security/keymint/aidl/vts/functional/SecureElementProvisioningTest.cpp
index f7639bf..1f09328 100644
--- a/security/keymint/aidl/vts/functional/SecureElementProvisioningTest.cpp
+++ b/security/keymint/aidl/vts/functional/SecureElementProvisioningTest.cpp
@@ -26,6 +26,7 @@
#include <cppbor_parse.h>
#include <keymaster/cppcose/cppcose.h>
#include <keymint_support/key_param_output.h>
+#include <vendorsupport/api_level.h>
#include "KeyMintAidlTestBase.h"
@@ -114,13 +115,13 @@
const auto& vbKey = rot->asArray()->get(pos++);
ASSERT_TRUE(vbKey);
ASSERT_TRUE(vbKey->asBstr());
- if (get_vsr_api_level() > __ANDROID_API_V__) {
+ if (get_vsr_api_level() > AVendorSupport_getVendorApiLevelOf(__ANDROID_API_V__)) {
// The Verified Boot key field should be exactly 32 bytes since it
// contains the SHA-256 hash of the key on locked devices or 32 bytes
// of zeroes on unlocked devices. This wasn't checked for earlier
// versions of the KeyMint HAL, so only only be strict for VSR-16+.
ASSERT_EQ(vbKey->asBstr()->value().size(), 32);
- } else if (get_vsr_api_level() == __ANDROID_API_V__) {
+ } else if (get_vsr_api_level() == AVendorSupport_getVendorApiLevelOf(__ANDROID_API_V__)) {
// The Verified Boot key field should be:
// - Exactly 32 bytes on locked devices since it should contain
// the SHA-256 hash of the key, or