Add getSupplementaryAttestationInfo am: 1cfc81d898
Original change: https://android-review.googlesource.com/c/platform/system/security/+/3341796
Change-Id: Ia98a6ae5533322524c4c274d6ae25f19512829eb
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
diff --git a/keystore2/Android.bp b/keystore2/Android.bp
index 4da0b6a..be2f812 100644
--- a/keystore2/Android.bp
+++ b/keystore2/Android.bp
@@ -183,6 +183,12 @@
host_supported: true,
}
+java_aconfig_library {
+ name: "keystore2_flags_java-framework",
+ aconfig_declarations: "keystore2_flags",
+ defaults: ["framework-minus-apex-aconfig-java-defaults"],
+}
+
rust_aconfig_library {
name: "libkeystore2_flags_rust",
crate_name: "keystore2_flags",
diff --git a/provisioner/Android.bp b/provisioner/Android.bp
index ede1ae6..6a4dc24 100644
--- a/provisioner/Android.bp
+++ b/provisioner/Android.bp
@@ -36,6 +36,7 @@
],
static_libs: [
"android.hardware.common-V2-ndk",
+ "android.hardware.drm.common-V1-ndk",
"android.hardware.drm-V1-ndk",
"android.hardware.security.rkp-V3-ndk",
"libbase",
diff --git a/provisioner/rkp_factory_extraction_lib.cpp b/provisioner/rkp_factory_extraction_lib.cpp
index a87aa40..9b04626 100644
--- a/provisioner/rkp_factory_extraction_lib.cpp
+++ b/provisioner/rkp_factory_extraction_lib.cpp
@@ -85,7 +85,7 @@
const DeviceInfo& verifiedDeviceInfo,
const std::vector<uint8_t>& challenge,
const std::vector<uint8_t>& keysToSignMac,
- IRemotelyProvisionedComponent* provisionable) {
+ const RpcHardwareInfo& rpcHardwareInfo) {
Array macedKeysToSign = Array()
.add(Map().add(1, 5).encode()) // alg: hmac-sha256
.add(Map()) // empty unprotected headers
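Review bot: The new `rpcHardwareInfo` parameter is a snapshot rather than a live HAL handle, and nothing at this signature says which component it has to describe. The following hunk passes it to `parseAndValidateFactoryDeviceInfo`, so a caller that supplies info fetched from a different instance would have `verifiedDeviceInfo` checked against the wrong hardware description. I would state the contract above the function, for example `// rpcHardwareInfo: getHardwareInfo() result from the same IRemotelyProvisionedComponent that produced verifiedDeviceInfo.` The function's signature starts and its body ends outside this hunk.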
@@ -93,7 +93,7 @@
.add(keysToSignMac); // MAC as returned from the HAL
ErrMsgOr<std::unique_ptr<Map>> parsedVerifiedDeviceInfo =
- parseAndValidateFactoryDeviceInfo(verifiedDeviceInfo.deviceInfo, provisionable);
+ parseAndValidateFactoryDeviceInfo(verifiedDeviceInfo.deviceInfo, rpcHardwareInfo);
if (!parsedVerifiedDeviceInfo) {
return {nullptr, parsedVerifiedDeviceInfo.moveMessage()};
}
@@ -139,7 +139,7 @@
return {nullptr, status.getDescription()};
}
return composeCertificateRequestV1(protectedData, verifiedDeviceInfo, challenge, keysToSignMac,
- irpc);
+ hwInfo);
}
std::optional<std::string> selfTestGetCsrV1(std::string_view componentName,
@@ -172,9 +172,9 @@
return status.getDescription();
}
- auto result = verifyFactoryProtectedData(
- verifiedDeviceInfo, /*keysToSign=*/{}, keysToSignMac, protectedData, *eekChain, eekId,
- hwInfo.supportedEekCurve, irpc, std::string(componentName), challenge);
+ auto result = verifyFactoryProtectedData(verifiedDeviceInfo, /*keysToSign=*/{}, keysToSignMac,
+ protectedData, *eekChain, eekId, hwInfo,
+ std::string(componentName), challenge);
if (!result) {
std::cerr << "Self test failed for IRemotelyProvisionedComponent '" << componentName
@@ -211,7 +211,15 @@
std::vector<MacedPublicKey> emptyKeys;
const std::vector<uint8_t> challenge = generateChallenge();
- auto status = irpc->generateCertificateRequestV2(emptyKeys, challenge, &csr);
+ RpcHardwareInfo hwInfo;
+ auto status = irpc->getHardwareInfo(&hwInfo);
+ if (!status.isOk()) {
+ std::cerr << "Failed to get hardware info for '" << componentName
+ << "'. Description: " << status.getDescription() << "." << std::endl;
+ return {nullptr, status.getDescription()};
+ }
+
+ status = irpc->generateCertificateRequestV2(emptyKeys, challenge, &csr);
if (!status.isOk()) {
std::cerr << "Bundle extraction failed for '" << componentName
<< "'. Description: " << status.getDescription() << "." << std::endl;
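Review bot: `getHardwareInfo` is now called unconditionally here, but in the visible lines `hwInfo` is only read inside the `if (selfTest)` branch of the next hunk. That means a `getHardwareInfo` failure aborts bundle extraction even when no self test was requested, which is a new failure mode for the non-self-test path. Consider moving the call and its error handling into the `if (selfTest)` block. If the caller has already fetched the hardware info (not visible from this hunk), taking it as a `const RpcHardwareInfo&` parameter would also avoid a second round trip to the HAL. The enclosing function starts and ends outside this hunk.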
@@ -219,9 +227,9 @@
}
if (selfTest) {
- auto result =
- verifyFactoryCsr(/*keysToSign=*/cppbor::Array(), csr, irpc, std::string(componentName),
- challenge, allowDegenerate, requireUdsCerts);
+ auto result = verifyFactoryCsr(/*keysToSign=*/cppbor::Array(), csr, hwInfo,
+ std::string(componentName), challenge, allowDegenerate,
+ requireUdsCerts);
if (!result) {
std::cerr << "Self test failed for IRemotelyProvisionedComponent '" << componentName
<< "'. Error message: '" << result.message() << "'." << std::endl;
diff --git a/provisioner/rkp_factory_extraction_lib_test.cpp b/provisioner/rkp_factory_extraction_lib_test.cpp
index 702be63..9bfb25e 100644
--- a/provisioner/rkp_factory_extraction_lib_test.cpp
+++ b/provisioner/rkp_factory_extraction_lib_test.cpp
@@ -26,7 +26,6 @@
#include <gmock/gmock.h>
#include <gtest/gtest.h>
#include <openssl/base64.h>
-#include <remote_prov/MockIRemotelyProvisionedComponent.h>
#include <cstdint>
#include <memory>
@@ -86,6 +85,27 @@
return base64;
}
+class MockIRemotelyProvisionedComponent : public IRemotelyProvisionedComponentDefault {
+ public:
+ MOCK_METHOD(ScopedAStatus, getHardwareInfo, (RpcHardwareInfo * _aidl_return), (override));
+ MOCK_METHOD(ScopedAStatus, generateEcdsaP256KeyPair,
+ (bool in_testMode, MacedPublicKey* out_macedPublicKey,
+ std::vector<uint8_t>* _aidl_return),
+ (override));
+ MOCK_METHOD(ScopedAStatus, generateCertificateRequest,
+ (bool in_testMode, const std::vector<MacedPublicKey>& in_keysToSign,
+ const std::vector<uint8_t>& in_endpointEncryptionCertChain,
+ const std::vector<uint8_t>& in_challenge, DeviceInfo* out_deviceInfo,
+ ProtectedData* out_protectedData, std::vector<uint8_t>* _aidl_return),
+ (override));
+ MOCK_METHOD(ScopedAStatus, generateCertificateRequestV2,
+ (const std::vector<MacedPublicKey>& in_keysToSign,
+ const std::vector<uint8_t>& in_challenge, std::vector<uint8_t>* _aidl_return),
+ (override));
+ MOCK_METHOD(ScopedAStatus, getInterfaceVersion, (int32_t* _aidl_return), (override));
+ MOCK_METHOD(ScopedAStatus, getInterfaceHash, (std::string * _aidl_return), (override));
+};
+
TEST(LibRkpFactoryExtractionTests, ToBase64) {
std::vector<uint8_t> input(UINT8_MAX + 1);
for (int i = 0; i < input.size(); ++i) {
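Review bot: The test-local `MockIRemotelyProvisionedComponent` has no comment explaining why it replaces the mock from the removed `remote_prov/MockIRemotelyProvisionedComponent.h` include, so a later reader may restore the shared header. It also mocks only six methods, so any other interface method falls through to the `IRemotelyProvisionedComponentDefault` implementation instead of tripping a gmock expectation. I would add a short comment above the class, such as `// Local mock: only the methods these tests exercise are mocked; everything else uses the Default base implementation.` If the class is not already inside an unnamed namespace (not visible from this hunk), placing it in one would keep the name local to this test file.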
@@ -165,7 +185,7 @@
std::vector<uint8_t> challenge;
// Set up mock, then call getSCsr
- auto mockRpc = SharedRefBase::make<remote_prov::MockIRemotelyProvisionedComponent>();
+ auto mockRpc = SharedRefBase::make<MockIRemotelyProvisionedComponent>();
EXPECT_CALL(*mockRpc, getHardwareInfo(NotNull())).WillRepeatedly([](RpcHardwareInfo* hwInfo) {
hwInfo->versionNumber = 2;
return ScopedAStatus::ok();
@@ -244,7 +264,7 @@
std::vector<uint8_t> challenge;
// Set up mock, then call getCsr
- auto mockRpc = SharedRefBase::make<remote_prov::MockIRemotelyProvisionedComponent>();
+ auto mockRpc = SharedRefBase::make<MockIRemotelyProvisionedComponent>();
EXPECT_CALL(*mockRpc, getHardwareInfo(NotNull())).WillRepeatedly([](RpcHardwareInfo* hwInfo) {
hwInfo->versionNumber = 3;
return ScopedAStatus::ok();
@@ -284,7 +304,7 @@
std::vector<uint8_t> challenge;
// Set up mock, then call getCsr
- auto mockRpc = SharedRefBase::make<remote_prov::MockIRemotelyProvisionedComponent>();
+ auto mockRpc = SharedRefBase::make<MockIRemotelyProvisionedComponent>();
EXPECT_CALL(*mockRpc, getHardwareInfo(NotNull())).WillRepeatedly([](RpcHardwareInfo* hwInfo) {
hwInfo->versionNumber = 3;
return ScopedAStatus::ok();
@@ -313,7 +333,7 @@
std::vector<uint8_t> challenge;
// Set up mock, then call getCsr
- auto mockRpc = SharedRefBase::make<remote_prov::MockIRemotelyProvisionedComponent>();
+ auto mockRpc = SharedRefBase::make<MockIRemotelyProvisionedComponent>();
EXPECT_CALL(*mockRpc, getHardwareInfo(NotNull())).WillRepeatedly([](RpcHardwareInfo* hwInfo) {
hwInfo->versionNumber = 3;
return ScopedAStatus::ok();
diff --git a/provisioner/rkp_factory_extraction_tool.cpp b/provisioner/rkp_factory_extraction_tool.cpp
index eaa0acc..599b52a 100644
--- a/provisioner/rkp_factory_extraction_tool.cpp
+++ b/provisioner/rkp_factory_extraction_tool.cpp
@@ -35,7 +35,6 @@
using aidl::android::hardware::drm::IDrmFactory;
using aidl::android::hardware::security::keymint::IRemotelyProvisionedComponent;
using aidl::android::hardware::security::keymint::RpcHardwareInfo;
-using aidl::android::hardware::security::keymint::remote_prov::deviceSuffix;
using aidl::android::hardware::security::keymint::remote_prov::jsonEncodeCsrWithBuild;
using aidl::android::hardware::security::keymint::remote_prov::RKPVM_INSTANCE_NAME;
@@ -86,9 +85,10 @@
void getCsrForIRpc(const char* descriptor, const char* name, IRemotelyProvisionedComponent* irpc,
bool requireUdsCerts) {
+ auto fullName = getFullServiceName(descriptor, name);
// AVF RKP HAL is not always supported, so we need to check if it is supported before
// generating the CSR.
- if (std::string(name) == deviceSuffix(RKPVM_INSTANCE_NAME)) {
+ if (fullName == RKPVM_INSTANCE_NAME) {
RpcHardwareInfo hwInfo;
auto status = irpc->getHardwareInfo(&hwInfo);
if (!status.isOk()) {
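Review bot: The RKP VM check `fullName == RKPVM_INSTANCE_NAME` now depends on `getFullServiceName(descriptor, name)` producing exactly the string format of `RKPVM_INSTANCE_NAME`, and neither definition is visible in this hunk. If the two ever differ, the AVF support probe is silently skipped and an unsupported HAL falls through to `getCsr`, whose failure path in the next hunk calls `exit(-1)`. A comment recording the assumption would help, for example `// RKPVM_INSTANCE_NAME is a full service name, so compare against fullName rather than the bare instance name.` Since `fullName` is never modified in the visible lines, it could also be declared `const auto fullName`. The body of `getCsrForIRpc` continues outside this hunk.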
@@ -99,7 +99,6 @@
auto [request, errMsg] =
getCsr(name, irpc, FLAGS_self_test, FLAGS_allow_degenerate, requireUdsCerts);
if (!request) {
- auto fullName = getFullServiceName(descriptor, name);
std::cerr << "Unable to build CSR for '" << fullName << "': " << errMsg << ", exiting."
<< std::endl;
exit(-1);
@@ -149,7 +148,7 @@
AServiceManager_forEachDeclaredInstance(IRemotelyProvisionedComponent::descriptor,
&requireUdsCertsRpcNames, getCsrForInstance);
- // Append drm csr's
+ // Append drm CSRs
for (auto const& [name, irpc] : android::mediadrm::getDrmRemotelyProvisionedComponents()) {
auto requireUdsCerts = requireUdsCertsRpcNames.count(name) != 0;
requireUdsCertsRpcNames.erase(name);