Add an option to allow/disallow degenerate DICE chains
Bug: 323246910
Test: Manual testing of `rkp_factory_extraction_tool` with/without
`allow_degenerate=false` on a device with a degenerate DICE chain.
Change-Id: I69475209174cd8870bc0e3a8e52d325b6414d7a6
diff --git a/provisioner/rkp_factory_extraction_tool.cpp b/provisioner/rkp_factory_extraction_tool.cpp
index 1cb1144..c0f6beb 100644
--- a/provisioner/rkp_factory_extraction_tool.cpp
+++ b/provisioner/rkp_factory_extraction_tool.cpp
@@ -43,6 +43,8 @@
"If true, this tool performs a self-test, validating the payload for correctness. "
"This checks that the device on the factory line is producing valid output "
"before attempting to upload the output to the device info service.");
+DEFINE_bool(allow_degenerate, true,
+ "If true, self_test validation will allow degenerate DICE chains in the CSR.");
DEFINE_string(serialno_prop, "ro.serialno",
"The property of getting serial number. Defaults to 'ro.serialno'.");
@@ -83,7 +85,7 @@
if (std::string(name) == "avf" && !isRemoteProvisioningSupported(irpc)) {
return;
}
- auto [request, errMsg] = getCsr(name, irpc, FLAGS_self_test);
+ auto [request, errMsg] = getCsr(name, irpc, FLAGS_self_test, FLAGS_allow_degenerate);
auto fullName = getFullServiceName(descriptor, name);
if (!request) {
std::cerr << "Unable to build CSR for '" << fullName << ": " << errMsg << std::endl;
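Review bot: The error message on the last line of the hunk opens a single quote around the service name but never closes it (`"Unable to build CSR for '" << fullName << ": "`), so the log line reads `Unable to build CSR for 'name: ...`; this predates the change but sits on the new side next to the edited call and is a one-token fix: `<< "Unable to build CSR for '" << fullName << "': " << errMsg`. Separately, when `FLAGS_allow_degenerate` is false the updated `getCsr` call presumably surfaces the rejection through `errMsg`; it would help operators if that path named the flag in its message, but `getCsr` is not in the hunk so I cannot confirm what it reports. The enclosing function starts before and continues past this hunk.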