diff options
| author | David Drysdale <drysdale@google.com> | 2021-04-13 11:15:51 +0100 |
|---|---|---|
| committer | David Drysdale <drysdale@google.com> | 2021-04-30 14:50:14 +0100 |
| commit | bb3d85eaa4c8564ea864df2dd5abea8c585e0408 (patch) | |
| tree | 3ed50481d64bedf3a83fc7ae461a0fd9868a1b8b /security/keymint/aidl/vts/functional/KeyMintTest.cpp | |
| parent | 7de9febd174214cfb9ac65ada12c2ceb988cd19d (diff) | |
Test for patchlevels and too much entropy
Add tests for:
- Too much entropy should be rejected with INVALID_INPUT_LENGTH
- All authorization lists should include a vendor and boot patchlevel.
These requirements are in both the KeyMint and the KeyMaster 4.0 AIDL
specificications, but have never been policed before.
Currently disabled with a command-line flag because CF does not have
the patchlevels and so fails lots of tests.
Test: VtsKeyMintAidlTargetTest
Change-Id: Ic9622ef3f1b80e013a34059218e3e029f392eb72
Diffstat (limited to 'security/keymint/aidl/vts/functional/KeyMintTest.cpp')
| -rw-r--r-- | security/keymint/aidl/vts/functional/KeyMintTest.cpp | 25 |
1 files changed, 25 insertions, 0 deletions
diff --git a/security/keymint/aidl/vts/functional/KeyMintTest.cpp b/security/keymint/aidl/vts/functional/KeyMintTest.cpp index 287b4dbd60..f9a99aaafa 100644 --- a/security/keymint/aidl/vts/functional/KeyMintTest.cpp +++ b/security/keymint/aidl/vts/functional/KeyMintTest.cpp @@ -67,6 +67,8 @@ namespace aidl::android::hardware::security::keymint::test { namespace { +bool check_patchLevels = false; + template <TagType tag_type, Tag tag, typename ValueT> bool contains(const vector<KeyParameter>& set, TypedTag<tag_type, tag> ttag, ValueT expected_value) { @@ -330,6 +332,15 @@ class NewKeyGenerationTest : public KeyMintAidlTestBase { EXPECT_TRUE(os_pl); EXPECT_EQ(*os_pl, os_patch_level()); + if (check_patchLevels) { + // Should include vendor and boot patchlevels. + auto vendor_pl = auths.GetTagValue(TAG_VENDOR_PATCHLEVEL); + EXPECT_TRUE(vendor_pl); + EXPECT_EQ(*vendor_pl, vendor_patch_level()); + auto boot_pl = auths.GetTagValue(TAG_BOOT_PATCHLEVEL); + EXPECT_TRUE(boot_pl); + } + return auths; } }; @@ -5312,6 +5323,16 @@ TEST_P(AddEntropyTest, AddLargeEntropy) { EXPECT_TRUE(keyMint().addRngEntropy(AidlBuf(string(2 * 1024, 'a'))).isOk()); } +/* + * AddEntropyTest.AddTooLargeEntropy + * + * Verifies that the addRngEntropy method rejects more than 2KiB of data. + */ +TEST_P(AddEntropyTest, AddTooLargeEntropy) { + ErrorCode rc = GetReturnErrorCode(keyMint().addRngEntropy(AidlBuf(string(2 * 1024 + 1, 'a')))); + EXPECT_EQ(ErrorCode::INVALID_INPUT_LENGTH, rc); +} + INSTANTIATE_KEYMINT_AIDL_TEST(AddEntropyTest); typedef KeyMintAidlTestBase KeyDeletionTest; @@ -5765,6 +5786,10 @@ int main(int argc, char** argv) { } else { std::cout << "NOT dumping attestations" << std::endl; } + // TODO(drysdale): Remove this flag when available KeyMint devices comply with spec + if (std::string(argv[i]) == "--check_patchLevels") { + aidl::android::hardware::security::keymint::test::check_patchLevels = true; + } } } return RUN_ALL_TESTS(); |