[attestation] Add API to check AVF RKP Hal presence in VM Attestation
This CL adds a new API to VirtualMachineManager for checking whether
remote attestation is supported on a device.
Since Remote Attestation is a strongly recommended feature for Android
V, the new API is needed to determine whether we should proceed with
the Remote Attestation CTS tests.
Bug: 329652894
Test: atest MicrodroidTests
Change-Id: I0941914e7a5f1a483705d3faf7091b47ada41b1f
diff --git a/tests/testapk/Android.bp b/tests/testapk/Android.bp
index 732be94..1ed48d0 100644
--- a/tests/testapk/Android.bp
+++ b/tests/testapk/Android.bp
@@ -23,6 +23,7 @@
static_libs: [
"com.android.microdroid.testservice-java",
"com.android.microdroid.test.vmshare_service-java",
+ "com.android.virt.vm_attestation.testservice-java",
],
certificate: ":MicrodroidTestAppCert",
sdk_version: "test_current",
@@ -53,6 +54,7 @@
"MicrodroidExitNativeLib",
"MicrodroidPrivateLinkingNativeLib",
"MicrodroidCrashNativeLib",
+ "libvm_attestation_test_payload",
],
min_sdk_version: "33",
// Defined in ../vmshareapp/Android.bp
diff --git a/tests/testapk/src/java/com/android/microdroid/test/MicrodroidTests.java b/tests/testapk/src/java/com/android/microdroid/test/MicrodroidTests.java
index efacf8f..45beb14 100644
--- a/tests/testapk/src/java/com/android/microdroid/test/MicrodroidTests.java
+++ b/tests/testapk/src/java/com/android/microdroid/test/MicrodroidTests.java
@@ -28,6 +28,8 @@
import static com.google.common.truth.Truth.assertThat;
import static com.google.common.truth.Truth.assertWithMessage;
import static com.google.common.truth.TruthJUnit.assume;
+import com.android.virt.vm_attestation.testservice.IAttestationService.AttestationStatus;
+import com.android.virt.vm_attestation.testservice.IAttestationService.SigningResult;
import static org.junit.Assert.assertThrows;
import static org.junit.Assert.assertTrue;
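Review bot: The two new non-static imports at `import com.android.virt.vm_attestation.testservice.IAttestationService.AttestationStatus;` are placed inside the static-import block, between the Truth and JUnit static imports. google-java-format keeps non-static imports in their own group after the static ones, so these lines belong with the file's other `com.android` imports and a formatter pass would move them. Import ordering is also a likely presubmit complaint on this file, so worth fixing before merge.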
@@ -115,6 +117,8 @@
@RunWith(Parameterized.class)
public class MicrodroidTests extends MicrodroidDeviceTestBase {
private static final String TAG = "MicrodroidTests";
+ private static final String VM_ATTESTATION_PAYLOAD_PATH = "libvm_attestation_test_payload.so";
+ private static final String VM_ATTESTATION_MESSAGE = "Hello RKP from AVF!";
@Rule public Timeout globalTimeout = Timeout.seconds(300);
@@ -210,6 +214,47 @@
@Test
@CddTest(requirements = {"9.17/C-1-1", "9.17/C-2-1"})
+ public void vmAttestationWhenRemoteAttestationIsSupported() throws Exception {
+ // pVM remote attestation is only supported on protected VMs.
+ assumeProtectedVM();
+ assumeFeatureEnabled(VirtualMachineManager.FEATURE_REMOTE_ATTESTATION);
+ assume().withMessage("Test needs Remote Attestation support")
+ .that(getVirtualMachineManager().isRemoteAttestationSupported())
+ .isTrue();
+ VirtualMachineConfig config =
+ newVmConfigBuilderWithPayloadBinary(VM_ATTESTATION_PAYLOAD_PATH)
+ .setProtectedVm(mProtectedVm)
+ .setDebugLevel(DEBUG_LEVEL_FULL)
+ .build();
+ VirtualMachine vm =
+ forceCreateNewVirtualMachine("cts_attestation_with_rkpd_supported", config);
+
+ // Check with an invalid challenge.
+ byte[] invalidChallenge = new byte[65];
+ Arrays.fill(invalidChallenge, (byte) 0xbb);
+ SigningResult signingResultInvalidChallenge =
+ runVmAttestationService(
+ TAG, vm, invalidChallenge, VM_ATTESTATION_MESSAGE.getBytes());
+ assertThat(signingResultInvalidChallenge.status)
+ .isEqualTo(AttestationStatus.ATTESTATION_ERROR_INVALID_CHALLENGE);
+
+ // Check with a valid challenge.
+ byte[] challenge = new byte[32];
+ Arrays.fill(challenge, (byte) 0xac);
+ SigningResult signingResult =
+ runVmAttestationService(TAG, vm, challenge, VM_ATTESTATION_MESSAGE.getBytes());
+ assertWithMessage(
+ "VM attestation should either succeed or fail when the network is unstable")
+ .that(signingResult.status)
+ .isAnyOf(
+ AttestationStatus.ATTESTATION_OK,
+ AttestationStatus.ATTESTATION_ERROR_ATTESTATION_FAILED);
+ // TODO(b/330662600): Check the certificate chain and the signature after refactoring the
+ // x509 util method in RkpdVmAttestationTest.
+ }
+
+ @Test
+ @CddTest(requirements = {"9.17/C-1-1", "9.17/C-2-1"})
public void createAndRunNoDebugVm() throws Exception {
assumeSupportedDevice();
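Review bot: The valid-challenge assertion at `.isAnyOf(ATTESTATION_OK, ATTESTATION_ERROR_ATTESTATION_FAILED)` lets a device whose remote attestation always fails pass this test, so it cannot tell a broken RKP path from a transient network error. If CTS policy allows, report the failure case as skipped rather than passing: `assume().withMessage("Attestation failed, possibly due to network").that(signingResult.status).isNotEqualTo(AttestationStatus.ATTESTATION_ERROR_ATTESTATION_FAILED);` followed by `assertThat(signingResult.status).isEqualTo(AttestationStatus.ATTESTATION_OK);`. In the OK case nothing in the returned `SigningResult` beyond `status` is inspected, so until the TODO lands a non-empty check on the returned certificate chain and signature would catch an OK result with empty material (those field names are not visible in this hunk and need confirming). Minor: `VM_ATTESTATION_MESSAGE.getBytes()` uses the platform default charset, so `getBytes(StandardCharsets.UTF_8)` makes the signed bytes explicit, and the comment on `new byte[65]` should name the limit it exceeds, e.g. `// 65 bytes exceeds the maximum challenge length (presumably 64 — confirm against the service)`. The body of createAndRunNoDebugVm continues past the end of the hunk.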