Basic Keystore availability test
Loop up the Keystore service from the test payload to make sure it can
be found and communicated with.
Bug: 190578423
Test: atest MicrodroidHostTestCases
Change-Id: I1dd863202b7de5405658ee5e922b955e3cba6741
diff --git a/microdroid/Android.bp b/microdroid/Android.bp
index 6424988..55d1eae 100644
--- a/microdroid/Android.bp
+++ b/microdroid/Android.bp
@@ -77,6 +77,8 @@
"cgroups.json",
"public.libraries.android.txt",
+ "android.system.keystore2-V1-ndk_platform",
+
// TODO(b/185767624): remove hidl after full keymint support
"hwservicemanager",
diff --git a/microdroid/sepolicy/system/private/keystore_keys.te b/microdroid/sepolicy/system/private/keystore_keys.te
index 2f97608..03625dc 100644
--- a/microdroid/sepolicy/system/private/keystore_keys.te
+++ b/microdroid/sepolicy/system/private/keystore_keys.te
@@ -20,3 +20,6 @@
# A keystore2 namespace for resume on reboot.
type resume_on_reboot_key, keystore2_key_type;
+# A keystore2 namespace for VM payloads.
+type vm_payload_key, keystore2_key_type;
+
diff --git a/microdroid/sepolicy/system/private/microdroid_launcher.te b/microdroid/sepolicy/system/private/microdroid_launcher.te
index 5a313b6..6bcd4f1 100644
--- a/microdroid/sepolicy/system/private/microdroid_launcher.te
+++ b/microdroid/sepolicy/system/private/microdroid_launcher.te
@@ -24,3 +24,18 @@
# Allow to set debug prop
set_prop(microdroid_launcher, debug_prop)
+
+# Talk to binder services (for keystore)
+binder_use(microdroid_launcher);
+
+# Allow payloads to use keystore
+use_keystore(microdroid_launcher);
+
+# Allow payloads to use and manage their keys
+allow microdroid_launcher vm_payload_key:keystore2_key {
+ delete
+ get_info
+ manage_blob
+ rebind
+ use
+};
diff --git a/tests/hostside/java/android/virt/test/MicrodroidTestCase.java b/tests/hostside/java/android/virt/test/MicrodroidTestCase.java
index 4aa8eb5..f9794f7 100644
--- a/tests/hostside/java/android/virt/test/MicrodroidTestCase.java
+++ b/tests/hostside/java/android/virt/test/MicrodroidTestCase.java
@@ -104,6 +104,9 @@
runOnMicrodroid(microdroidLauncher, testLib, "arg1", "arg2"),
is("Hello Microdroid " + testLib + " arg1 arg2"));
+ // Check that keystore was found by the payload
+ assertThat(runOnMicrodroid("getprop", "debug.microdroid.test_keystore"), is("PASS"));
+
// Shutdown microdroid
runOnAndroid(VIRT_APEX + "bin/vm", "stop", cid);
}
diff --git a/tests/testapk/Android.bp b/tests/testapk/Android.bp
index 35f2f08..1122b25 100644
--- a/tests/testapk/Android.bp
+++ b/tests/testapk/Android.bp
@@ -6,7 +6,7 @@
name: "MicrodroidTestApp",
srcs: ["src/java/**/*.java"],
jni_libs: ["MicrodroidTestNativeLib"],
- sdk_version: "current",
+ platform_apis: true,
use_embedded_native_libs: true,
}
@@ -14,7 +14,10 @@
cc_library_shared {
name: "MicrodroidTestNativeLib",
srcs: ["src/native/*.cpp"],
- sdk_version: "current",
+ shared_libs: [
+ "android.system.keystore2-V1-ndk_platform",
+ "libbinder_ndk",
+ ],
}
genrule {
diff --git a/tests/testapk/src/native/testbinary.cpp b/tests/testapk/src/native/testbinary.cpp
index c3eefc4..682ab2a 100644
--- a/tests/testapk/src/native/testbinary.cpp
+++ b/tests/testapk/src/native/testbinary.cpp
@@ -13,9 +13,36 @@
* See the License for the specific language governing permissions and
* limitations under the License.
*/
+#include <aidl/android/system/keystore2/IKeystoreService.h>
+#include <android/binder_auto_utils.h>
+#include <android/binder_manager.h>
#include <stdio.h>
#include <sys/system_properties.h>
+using aidl::android::hardware::security::keymint::SecurityLevel;
+
+using aidl::android::system::keystore2::IKeystoreSecurityLevel;
+using aidl::android::system::keystore2::IKeystoreService;
+
+namespace {
+
+bool test_keystore() {
+ ndk::SpAIBinder binder(
+ AServiceManager_getService("android.system.keystore2.IKeystoreService/default"));
+ auto service = IKeystoreService::fromBinder(binder);
+ if (service == nullptr) {
+ return false;
+ }
+ std::shared_ptr<IKeystoreSecurityLevel> securityLevel;
+ auto status = service->getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT, &securityLevel);
+ if (!status.isOk()) {
+ return false;
+ }
+ return true;
+}
+
+} // Anonymous namespace
+
extern "C" int android_native_main(int argc, char* argv[]) {
printf("Hello Microdroid ");
for (int i = 0; i < argc; i++) {
@@ -28,5 +55,6 @@
printf("\n");
__system_property_set("debug.microdroid.app.run", "true");
+ __system_property_set("debug.microdroid.test_keystore", test_keystore() ? "PASS" : "FAIL");
return 0;
}