Merge "Reboot to bootloader if sending module info to KeyMint fails" into main
diff --git a/keystore2/test_utils/attestation/Android.bp b/keystore2/test_utils/attestation/Android.bp
index 0ac5630..fb4dc7e 100644
--- a/keystore2/test_utils/attestation/Android.bp
+++ b/keystore2/test_utils/attestation/Android.bp
@@ -41,6 +41,7 @@
name: "libkeystore_attestation",
defaults: ["libkeystore_attestation_defaults"],
vendor_available: true,
+ min_sdk_version: "35",
}
rust_test {
diff --git a/provisioner/rkp_factory_extraction_lib.h b/provisioner/rkp_factory_extraction_lib.h
index 3515f48..f6f21f5 100644
--- a/provisioner/rkp_factory_extraction_lib.h
+++ b/provisioner/rkp_factory_extraction_lib.h
@@ -33,6 +33,18 @@
// Challenge size must be between 32 and 64 bytes inclusive.
constexpr size_t kChallengeSize = 64;
+// How CSRs should be validated when the rkp_factory_extraction_tool's "self_test"
+// flag is set to "true".
+struct CsrValidationConfig {
+ // Names of IRemotelyProvisionedComponent instances for which degenerate DICE
+ // chains are allowed.
+ std::unordered_set<std::string>* allow_degenerate_irpc_names;
+
+ // Names of IRemotelyProvisionedComponent instances for which UDS certificate
+ // chains are required to be present in the CSR.
+ std::unordered_set<std::string>* require_uds_certs_irpc_names;
+};
+
// Contains a the result of an operation that should return cborData on success.
// Returns an an error message and null cborData on error.
template <typename T> struct CborResult {
diff --git a/provisioner/rkp_factory_extraction_tool.cpp b/provisioner/rkp_factory_extraction_tool.cpp
index 599b52a..f65e0ae 100644
--- a/provisioner/rkp_factory_extraction_tool.cpp
+++ b/provisioner/rkp_factory_extraction_tool.cpp
@@ -40,17 +40,20 @@
DEFINE_string(output_format, "build+csr", "How to format the output. Defaults to 'build+csr'.");
DEFINE_bool(self_test, true,
- "If true, this tool performs a self-test, validating the payload for correctness. "
- "This checks that the device on the factory line is producing valid output "
- "before attempting to upload the output to the device info service.");
-DEFINE_bool(allow_degenerate, true,
- "If true, self_test validation will allow degenerate DICE chains in the CSR.");
+ "Whether to validate the output for correctness. If enabled, this checks that the "
+ "device on the factory line is producing valid output before attempting to upload the "
+ "output to the device info service. Defaults to true.");
+DEFINE_string(allow_degenerate, "",
+ "Comma-delimited list of names of IRemotelyProvisionedComponent instances for which "
+ "self_test validation allows degenerate DICE chains in the CSR. Example: "
+ "avf,default,strongbox. Defaults to the empty string.");
DEFINE_string(serialno_prop, "ro.serialno",
- "The property of getting serial number. Defaults to 'ro.serialno'.");
+ "System property from which the serial number should be retrieved. Defaults to "
+ "'ro.serialno'.");
DEFINE_string(require_uds_certs, "",
- "The comma-delimited names of remotely provisioned "
- "components whose UDS certificate chains are required to be present in the CSR. "
- "Example: avf,default,strongbox");
+ "Comma-delimited list of names of IRemotelyProvisionedComponent instances for which "
+ "UDS certificate chains are required to be present in the CSR. Example: "
+ "avf,default,strongbox. Defaults to the empty string.");
namespace {
@@ -84,7 +87,7 @@
}
void getCsrForIRpc(const char* descriptor, const char* name, IRemotelyProvisionedComponent* irpc,
- bool requireUdsCerts) {
+ bool allowDegenerate, bool requireUdsCerts) {
auto fullName = getFullServiceName(descriptor, name);
// AVF RKP HAL is not always supported, so we need to check if it is supported before
// generating the CSR.
@@ -96,8 +99,7 @@
}
}
- auto [request, errMsg] =
- getCsr(name, irpc, FLAGS_self_test, FLAGS_allow_degenerate, requireUdsCerts);
+ auto [request, errMsg] = getCsr(name, irpc, FLAGS_self_test, allowDegenerate, requireUdsCerts);
if (!request) {
std::cerr << "Unable to build CSR for '" << fullName << "': " << errMsg << ", exiting."
<< std::endl;
@@ -131,11 +133,25 @@
exit(-1);
}
- auto requireUdsCertsRpcNames = static_cast<std::unordered_set<std::string>*>(context);
- auto requireUdsCerts = requireUdsCertsRpcNames->count(name) != 0;
- requireUdsCertsRpcNames->erase(name);
+ auto csrValidationConfig = static_cast<CsrValidationConfig*>(context);
+ bool allowDegenerateFieldNotNull = csrValidationConfig->allow_degenerate_irpc_names != nullptr;
+ bool allowDegenerate = allowDegenerateFieldNotNull &&
+ csrValidationConfig->allow_degenerate_irpc_names->count(name) > 0;
+ bool requireUdsCertsFieldNotNull = csrValidationConfig->require_uds_certs_irpc_names != nullptr;
+ bool requireUdsCerts = requireUdsCertsFieldNotNull &&
+ csrValidationConfig->require_uds_certs_irpc_names->count(name) > 0;
+
+ // Record the fact that this IRemotelyProvisionedComponent instance was found by removing it
+ // from the sets in the context.
+ if (allowDegenerateFieldNotNull) {
+ csrValidationConfig->allow_degenerate_irpc_names->erase(name);
+ }
+ if (requireUdsCertsFieldNotNull) {
+ csrValidationConfig->require_uds_certs_irpc_names->erase(name);
+ }
+
getCsrForIRpc(IRemotelyProvisionedComponent::descriptor, name, rkpService.get(),
- requireUdsCerts);
+ allowDegenerate, requireUdsCerts);
}
} // namespace
@@ -143,21 +159,38 @@
int main(int argc, char** argv) {
gflags::ParseCommandLineFlags(&argc, &argv, /*remove_flags=*/true);
- auto requireUdsCertsRpcNames = parseCommaDelimited(FLAGS_require_uds_certs);
+ auto allowDegenerateIRpcNames = parseCommaDelimited(FLAGS_allow_degenerate);
+ auto requireUdsCertsIRpcNames = parseCommaDelimited(FLAGS_require_uds_certs);
+ CsrValidationConfig csrValidationConfig = {
+ .allow_degenerate_irpc_names = &allowDegenerateIRpcNames,
+ .require_uds_certs_irpc_names = &requireUdsCertsIRpcNames,
+ };
AServiceManager_forEachDeclaredInstance(IRemotelyProvisionedComponent::descriptor,
- &requireUdsCertsRpcNames, getCsrForInstance);
+ &csrValidationConfig, getCsrForInstance);
// Append drm CSRs
for (auto const& [name, irpc] : android::mediadrm::getDrmRemotelyProvisionedComponents()) {
- auto requireUdsCerts = requireUdsCertsRpcNames.count(name) != 0;
- requireUdsCertsRpcNames.erase(name);
- getCsrForIRpc(IDrmFactory::descriptor, name.c_str(), irpc.get(), requireUdsCerts);
+ bool allowDegenerate = allowDegenerateIRpcNames.count(name) != 0;
+ allowDegenerateIRpcNames.erase(name);
+ auto requireUdsCerts = requireUdsCertsIRpcNames.count(name) != 0;
+ requireUdsCertsIRpcNames.erase(name);
+ getCsrForIRpc(IDrmFactory::descriptor, name.c_str(), irpc.get(), allowDegenerate,
+ requireUdsCerts);
}
- for (auto const& rpcName : requireUdsCertsRpcNames) {
- std::cerr << "WARNING: You requested to enforce the presence of UDS Certs for '" << rpcName
- << "', but no Remotely Provisioned Component had that name." << std::endl;
+ // Print a warning for IRemotelyProvisionedComponent instance names that were passed
+ // in as parameters to the "require_uds_certs" and "allow_degenerate" flags but were
+ // ignored because no instances with those names were found.
+ for (const auto& irpcName : allowDegenerateIRpcNames) {
+ std::cerr << "WARNING: You requested special handling of 'self_test' validation checks "
+ << "for '" << irpcName << "' via the 'allow_degenerate' flag but no such "
+ << "IRemotelyProvisionedComponent instance exists." << std::endl;
+ }
+ for (const auto& irpcName : requireUdsCertsIRpcNames) {
+ std::cerr << "WARNING: You requested special handling of 'self_test' validation checks "
+ << "for '" << irpcName << "' via the 'require_uds_certs' flag but no such "
+ << "IRemotelyProvisionedComponent instance exists." << std::endl;
}
return 0;