Merge "When using a GSI (Generic System Image) on a device with a Keymaster implementation, the Tag::OS_PATCHLEVEL key-character value must be less than or equal to the actual OS patch level of the device." into main am: bb508ba215
Original change: https://android-review.googlesource.com/c/platform/system/security/+/3495026
Change-Id: I53e94878d9de846922834b2fd6bf3aeff9e8c904
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
diff --git a/keystore2/test_utils/key_generations.rs b/keystore2/test_utils/key_generations.rs
index 5e823c2..98b227b 100644
--- a/keystore2/test_utils/key_generations.rs
+++ b/keystore2/test_utils/key_generations.rs
@@ -536,13 +536,27 @@
value: KeyParameterValue::Integer(get_os_version().try_into().unwrap())
}
));
- assert!(check_key_param(
- authorizations,
- &KeyParameter {
- tag: Tag::OS_PATCHLEVEL,
- value: KeyParameterValue::Integer(get_os_patchlevel().try_into().unwrap())
- }
- ));
+ if is_gsi() && sl.is_keymaster() {
+ // The expected value of TAG::OS_PATCHLEVEL should match the system's reported
+ // OS patch level (obtained via get_os_patchlevel()). However, booting a Generic System
+ // Image (GSI) with a newer patch level is permitted. Therefore, the generated key's
+ // TAG::OS_PATCHLEVEL may be less than or equal to the current system's OS patch level.
+ assert!(authorizations.iter().map(|auth| &auth.keyParameter).any(|key_param| key_param
+ .tag
+ == Tag::OS_PATCHLEVEL
+ && key_param.value
+ <= KeyParameterValue::Integer(get_os_patchlevel().try_into().unwrap())));
+ } else {
+ // The KeyMint spec required that the patch-levels match that of the running system, even
+ // under GSI.
+ assert!(check_key_param(
+ authorizations,
+ &KeyParameter {
+ tag: Tag::OS_PATCHLEVEL,
+ value: KeyParameterValue::Integer(get_os_patchlevel().try_into().unwrap())
+ }
+ ));
+ }
assert!(check_key_param(
authorizations,