Merge "Add C++ bindings for Keystore flags" into main
diff --git a/fsverity/OWNERS b/fsverity/OWNERS
index f9e7b25..1f2485a 100644
--- a/fsverity/OWNERS
+++ b/fsverity/OWNERS
@@ -1,4 +1,3 @@
-alanstokes@google.com
ebiggers@google.com
jeffv@google.com
jiyong@google.com
diff --git a/keystore2/src/database.rs b/keystore2/src/database.rs
index 626a1c0..34e0c59 100644
--- a/keystore2/src/database.rs
+++ b/keystore2/src/database.rs
@@ -1163,14 +1163,6 @@
let mut persistent_path_str = "file:".to_owned();
persistent_path_str.push_str(&persistent_path.to_string_lossy());
- // Connect to database in specific mode
- let persistent_path_mode = if keystore2_flags::wal_db_journalmode_v3() {
- "?journal_mode=WAL".to_owned()
- } else {
- "?journal_mode=DELETE".to_owned()
- };
- persistent_path_str.push_str(&persistent_path_mode);
-
Ok(persistent_path_str)
}
diff --git a/keystore2/src/remote_provisioning.rs b/keystore2/src/remote_provisioning.rs
index 2bdafd4..a1ce5f6 100644
--- a/keystore2/src/remote_provisioning.rs
+++ b/keystore2/src/remote_provisioning.rs
@@ -129,6 +129,6 @@
// by the calling function and allow for natural fallback to the factory key.
let rpc_name = get_remotely_provisioned_component_name(security_level)
.context(ks_err!("Trying to get IRPC name."))?;
- let _wd = wd::watch("Calling get_rkpd_attestation_key()");
+ let _wd = wd::watch_millis("Calling get_rkpd_attestation_key()", 1000);
rkpd_client::get_rkpd_attestation_key(&rpc_name, caller_uid)
}
diff --git a/keystore2/tests/keystore2_client_attest_key_tests.rs b/keystore2/tests/keystore2_client_attest_key_tests.rs
index 02dfd3f..553add0 100644
--- a/keystore2/tests/keystore2_client_attest_key_tests.rs
+++ b/keystore2/tests/keystore2_client_attest_key_tests.rs
@@ -13,7 +13,8 @@
// limitations under the License.
use crate::keystore2_client_test_utils::{
- app_attest_key_feature_exists, device_id_attestation_feature_exists, get_attest_id_value,
+ app_attest_key_feature_exists, device_id_attestation_check_acceptable_error,
+ device_id_attestation_feature_exists, get_attest_id_value,
is_second_imei_id_attestation_required, skip_device_id_attest_tests,
};
use crate::{
@@ -558,7 +559,7 @@
}
/// Try to generate an attested key with attestation of invalid device's identifiers. Test should
-/// fail with error response code `CANNOT_ATTEST_IDS`.
+/// fail to generate a key with proper error code.
#[test]
fn keystore2_attest_key_fails_with_invalid_attestation_id() {
skip_test_if_no_device_id_attestation_feature!();
@@ -602,7 +603,7 @@
));
assert!(result.is_err());
- assert_eq!(result.unwrap_err(), Error::Km(ErrorCode::CANNOT_ATTEST_IDS));
+ device_id_attestation_check_acceptable_error(attest_id, result.unwrap_err());
}
}
diff --git a/keystore2/tests/keystore2_client_device_unique_attestation_tests.rs b/keystore2/tests/keystore2_client_device_unique_attestation_tests.rs
index 91370c7..fb84808 100644
--- a/keystore2/tests/keystore2_client_device_unique_attestation_tests.rs
+++ b/keystore2/tests/keystore2_client_device_unique_attestation_tests.rs
@@ -13,8 +13,9 @@
// limitations under the License.
use crate::keystore2_client_test_utils::{
- delete_app_key, get_attest_id_value, is_second_imei_id_attestation_required,
- perform_sample_asym_sign_verify_op, skip_device_unique_attestation_tests,
+ delete_app_key, device_id_attestation_check_acceptable_error, get_attest_id_value,
+ is_second_imei_id_attestation_required, perform_sample_asym_sign_verify_op,
+ skip_device_unique_attestation_tests,
};
use crate::require_keymint;
use android_hardware_security_keymint::aidl::android::hardware::security::keymint::{
@@ -254,7 +255,7 @@
}
/// Try to generate a device unique attested key with attestation of invalid device's identifiers.
-/// Test should fail with error response code `CANNOT_ATTEST_IDS`.
+/// Test should fail to generate a key with proper error code.
#[test]
fn keystore2_device_unique_attest_key_fails_with_invalid_attestation_id() {
let Some(sl) = SecLevel::strongbox() else { return };
@@ -288,7 +289,7 @@
let result =
key_generations::map_ks_error(key_generations::generate_key(&sl, &gen_params, alias));
assert!(result.is_err());
- assert_eq!(result.unwrap_err(), Error::Km(ErrorCode::CANNOT_ATTEST_IDS));
+ device_id_attestation_check_acceptable_error(attest_id, result.unwrap_err());
}
}
diff --git a/keystore2/tests/keystore2_client_test_utils.rs b/keystore2/tests/keystore2_client_test_utils.rs
index 1bbdc91..8d70866 100644
--- a/keystore2/tests/keystore2_client_test_utils.rs
+++ b/keystore2/tests/keystore2_client_test_utils.rs
@@ -618,3 +618,25 @@
let serial_num = cert.serial_number();
assert_eq!(serial_num.to_bn().as_ref().unwrap(), expected_serial_num);
}
+
+/// Check the error code from an attempt to perform device ID attestation with an invalid value.
+pub fn device_id_attestation_check_acceptable_error(attest_id_tag: Tag, e: Error) {
+ match e {
+ // Standard/default error code for ID mismatch.
+ Error::Km(ErrorCode::CANNOT_ATTEST_IDS) => {}
+ Error::Km(ErrorCode::INVALID_TAG) if get_vsr_api_level() < 34 => {
+ // Allow older implementations to (incorrectly) use INVALID_TAG.
+ }
+ Error::Km(ErrorCode::ATTESTATION_IDS_NOT_PROVISIONED)
+ if matches!(
+ attest_id_tag,
+ Tag::ATTESTATION_ID_IMEI
+ | Tag::ATTESTATION_ID_MEID
+ | Tag::ATTESTATION_ID_SECOND_IMEI
+ ) =>
+ {
+ // Non-phone devices will not have IMEI/MEID provisioned.
+ }
+ _ => panic!("Unexpected error {e:?} on ID mismatch for {attest_id_tag:?}"),
+ }
+}
diff --git a/prng_seeder/src/main.rs b/prng_seeder/src/main.rs
index d112d61..c6adfd4 100644
--- a/prng_seeder/src/main.rs
+++ b/prng_seeder/src/main.rs
@@ -69,11 +69,11 @@
}
fn setup() -> Result<(ConditionerBuilder, UnixListener)> {
+ configure_logging()?;
+ let cli = Cli::try_parse()?;
// SAFETY: nobody has taken ownership of the inherited FDs yet.
unsafe { rustutils::inherited_fd::init_once() }
.context("In setup, failed to own inherited FDs")?;
- configure_logging()?;
- let cli = Cli::try_parse()?;
// SAFETY: Nothing else sets the signal handler, so either it was set here or it is the default.
unsafe { signal::signal(signal::Signal::SIGPIPE, signal::SigHandler::SigIgn) }
.context("In setup, setting SIGPIPE to SIG_IGN")?;