[e2e] Add VM attestation test interacting with RKPD

This CL adds an e2e test that interacts with RKPD and the real
RKP server. It checks the two major stages of pVM attestation:

- AVF key provisioning triggered with RKPD.
  The CSRs generated by the RKP VM are sent to the real RKP server
  for attestation.
- VM attestation.
  RKP VM validates the VM requesting attestation and returns a
  certificate chain covering the public key of a key pair owned by
  the VM.

The test checks the final attestation certificate chain and asks
the VM to sign a message with the attestation key, to ensure that
the VM holds the correct key pair. It runs on an RKPD variation
that has permissions to run a VM.

The test target AvfRkpdVmAttestationTestApp is forked from
RkpdAppIntegrationTests with additional setup to check VM
attestation. It will run on a real device in avf-presubmit in the
future as VM attestation is not supported on cuttlefish.

The test has been added to avf busytown config in cl/614975596.

Bug: 325610326
Test: atest AvfRkpdVmAttestationTestApp
Change-Id: Ia6f52d60327be706c6c0c439ed59255358379b13
diff --git a/service_vm/test_apk/AndroidTest.rkpd.xml b/service_vm/test_apk/AndroidTest.rkpd.xml
new file mode 100644
index 0000000..2c0380c
--- /dev/null
+++ b/service_vm/test_apk/AndroidTest.rkpd.xml
@@ -0,0 +1,31 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!-- Copyright (C) 2024 The Android Open Source Project
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+<configuration description="VM attestation integration tests with the rkpd app.">
+ <option name="test-suite-tag" value="apct" />
+ <option name="test-suite-tag" value="apct-instrumentation" />
+
+ <!-- Need to disable SELinux policy to allow com.android.rkpdapp to run a VM. -->
+ <target_preparer class="com.android.tradefed.targetprep.DisableSELinuxTargetPreparer"/>
+
+ <target_preparer class="com.android.tradefed.targetprep.suite.SuiteApkInstaller">
+ <option name="test-file-name" value="AvfRkpdVmAttestationTestApp.apk" />
+ <option name="test-file-name" value="avf-rkpdapp.apk" />
+ </target_preparer>
+
+ <test class="com.android.tradefed.testtype.AndroidJUnitTest" >
+ <option name="package" value="com.android.virt.rkpd.vm_attestation.testapp" />
+ </test>
+</configuration>
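
Review bot: the `DisableSELinuxTargetPreparer` entry switches off SELinux enforcement for the whole test run, not just for `com.android.rkpdapp` launching a VM, so the attestation flow is exercised under weaker confinement than a production device and any unrelated denial in the provisioning or attestation path would pass unnoticed. Since the commit message says the test already installs an RKPD variation with permission to run a VM (`avf-rkpdapp.apk`), consider carrying the required allow rules with that variant instead of disabling enforcement device-wide. If that is not feasible yet, expand the comment above the preparer to name the specific denial being worked around and a tracking bug for removing it, so the workaround does not become permanent once the target moves into avf-presubmit on real devices.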