Revert "Revert "Add an option to allow/disallow degenerate DICE ..."
Revert submission 3260534-revert-3254876-disallow_degenerate_chains-RZRFZAKDEJ
Reason for revert: Breakage fixed
Reverted changes: /q/submissionid:3260534-revert-3254876-disallow_degenerate_chains-RZRFZAKDEJ
Change-Id: Ie148bce4247c58e0961eff7360789f9b2a9cce03
diff --git a/provisioner/rkp_factory_extraction_lib.cpp b/provisioner/rkp_factory_extraction_lib.cpp
index ec70d08..2c2614d 100644
--- a/provisioner/rkp_factory_extraction_lib.cpp
+++ b/provisioner/rkp_factory_extraction_lib.cpp
@@ -224,7 +224,8 @@
}
CborResult<cppbor::Array> getCsrV3(std::string_view componentName,
- IRemotelyProvisionedComponent* irpc, bool selfTest) {
+ IRemotelyProvisionedComponent* irpc, bool selfTest,
+ bool allowDegenerate) {
std::vector<uint8_t> csr;
std::vector<MacedPublicKey> emptyKeys;
const std::vector<uint8_t> challenge = generateChallenge();
@@ -237,7 +238,8 @@
}
if (selfTest) {
- auto result = verifyFactoryCsr(/*keysToSign=*/cppbor::Array(), csr, irpc, challenge);
+ auto result =
+ verifyFactoryCsr(/*keysToSign=*/cppbor::Array(), csr, irpc, challenge, allowDegenerate);
if (!result) {
std::cerr << "Self test failed for IRemotelyProvisionedComponent '" << componentName
<< "'. Error message: '" << result.message() << "'." << std::endl;
@@ -249,7 +251,7 @@
}
CborResult<Array> getCsr(std::string_view componentName, IRemotelyProvisionedComponent* irpc,
- bool selfTest) {
+ bool selfTest, bool allowDegenerate) {
RpcHardwareInfo hwInfo;
auto status = irpc->getHardwareInfo(&hwInfo);
if (!status.isOk()) {
@@ -264,7 +266,7 @@
}
return getCsrV1(componentName, irpc);
} else {
- return getCsrV3(componentName, irpc, selfTest);
+ return getCsrV3(componentName, irpc, selfTest, allowDegenerate);
}
}
diff --git a/provisioner/rkp_factory_extraction_lib.h b/provisioner/rkp_factory_extraction_lib.h
index 93c498a..94bd751 100644
--- a/provisioner/rkp_factory_extraction_lib.h
+++ b/provisioner/rkp_factory_extraction_lib.h
@@ -47,7 +47,7 @@
CborResult<cppbor::Array>
getCsr(std::string_view componentName,
aidl::android::hardware::security::keymint::IRemotelyProvisionedComponent* irpc,
- bool selfTest);
+ bool selfTest, bool allowDegenerate);
// Generates a test certificate chain and validates it, exiting the process on error.
void selfTestGetCsr(
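Review bot: The new `allowDegenerate` parameter of `getCsr` is undocumented and sits directly after `selfTest` as a second positional `bool` with no default, so a call site that swaps the two still compiles. The declaration's comment should describe it, for example `// allowDegenerate: when selfTest is true, the CSR self-check accepts a degenerate DICE chain; ignored when selfTest is false.` That wording follows the rkp_factory_extraction_lib.cpp hunks, where the value is only passed to `verifyFactoryCsr` inside `if (selfTest)`. The comment preceding this declaration starts outside the hunk, so its current text is not visible here.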
diff --git a/provisioner/rkp_factory_extraction_lib_test.cpp b/provisioner/rkp_factory_extraction_lib_test.cpp
index 3fe88da..247c508 100644
--- a/provisioner/rkp_factory_extraction_lib_test.cpp
+++ b/provisioner/rkp_factory_extraction_lib_test.cpp
@@ -181,7 +181,7 @@
Return(ByMove(ScopedAStatus::ok())))); //
auto [csr, csrErrMsg] = getCsr("mock component name", mockRpc.get(),
- /*selfTest=*/false);
+ /*selfTest=*/false, /*allowDegenerate=*/true);
ASSERT_THAT(csr, NotNull()) << csrErrMsg;
ASSERT_THAT(csr->asArray(), Pointee(Property(&Array::size, Eq(4))));
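Review bot: Both updated calls (this one and the one in the hunk at -251) pass `/*selfTest=*/false`, so the `/*allowDegenerate=*/true` argument never reaches `verifyFactoryCsr` and the new behaviour is not exercised by either test. Unless it is covered elsewhere in the file, add a case that calls `getCsr(..., /*selfTest=*/true, /*allowDegenerate=*/false)` with a mock returning a degenerate chain and expects a null `csr` with a non-empty error message. A matching positive case with `/*allowDegenerate=*/true` would pin the other branch. The test bodies begin and end outside these hunks.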
@@ -251,7 +251,7 @@
Return(ByMove(ScopedAStatus::ok()))));
auto [csr, csrErrMsg] = getCsr("mock component name", mockRpc.get(),
- /*selfTest=*/false);
+ /*selfTest=*/false, /*allowDegenerate=*/true);
ASSERT_THAT(csr, NotNull()) << csrErrMsg;
ASSERT_THAT(csr, Pointee(Property(&Array::size, Eq(5))));
diff --git a/provisioner/rkp_factory_extraction_tool.cpp b/provisioner/rkp_factory_extraction_tool.cpp
index 1cb1144..c0f6beb 100644
--- a/provisioner/rkp_factory_extraction_tool.cpp
+++ b/provisioner/rkp_factory_extraction_tool.cpp
@@ -43,6 +43,8 @@
"If true, this tool performs a self-test, validating the payload for correctness. "
"This checks that the device on the factory line is producing valid output "
"before attempting to upload the output to the device info service.");
+DEFINE_bool(allow_degenerate, true,
+ "If true, self_test validation will allow degenerate DICE chains in the CSR.");
DEFINE_string(serialno_prop, "ro.serialno",
"The property of getting serial number. Defaults to 'ro.serialno'.");
@@ -83,7 +85,7 @@
if (std::string(name) == "avf" && !isRemoteProvisioningSupported(irpc)) {
return;
}
- auto [request, errMsg] = getCsr(name, irpc, FLAGS_self_test);
+ auto [request, errMsg] = getCsr(name, irpc, FLAGS_self_test, FLAGS_allow_degenerate);
auto fullName = getFullServiceName(descriptor, name);
if (!request) {
std::cerr << "Unable to build CSR for '" << fullName << ": " << errMsg << std::endl;
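Review bot: `FLAGS_allow_degenerate` is forwarded here with its default of `true`, but `getCsrV3` only consults it inside `if (selfTest)` and the `getCsrV1` path never receives it, so `--allow_degenerate=false` without `--self_test` is silently a no-op. An operator who sets the flag to enforce full DICE chains then gets neither the check nor any message. A warning before the call would surface that: `if (!FLAGS_self_test && !FLAGS_allow_degenerate) std::cerr << "allow_degenerate=false has no effect without self_test" << std::endl;`. The permissive default presumably preserves the earlier behaviour; the help text in the `DEFINE_bool` hunk should say so and state that lines expecting a full chain must pass `false`. The enclosing function begins and ends outside the hunk.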