author | Eran Messeri <eranm@google.com> | 2022-03-31 14:53:49 +0000 |
---|---|---|
committer | Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com> | 2022-03-31 14:53:49 +0000 |
commit | f9b12ac72a16973c22f0582a8961da5b6b85c900 (patch) | |
tree | de2fd563fdc108957a48172af40b8542e0694401 /security | |
parent | 98b2a2079c540ce6cad378221b33e422820ea5d1 (diff) | |
parent | 8adaed5f628c339bb5b9d3a0ea9b73ac57ce9ccd (diff) |
Merge "KeyMint: Device IDs attestation based on verion." am: 1b7abc43b6 am: d8fdf0b804 am: 8adaed5f62
Original change: https://android-review.googlesource.com/c/platform/hardware/interfaces/+/2028224
Change-Id: I2937358195e0218cf7337b989686f649b7e82d22
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
Diffstat (limited to 'security')
4 files changed, 12 insertions, 3 deletions
diff --git a/security/keymint/aidl/vts/functional/AttestKeyTest.cpp b/security/keymint/aidl/vts/functional/AttestKeyTest.cpp index 0bab54c2a6..5cdea93a19 100644 --- a/security/keymint/aidl/vts/functional/AttestKeyTest.cpp +++ b/security/keymint/aidl/vts/functional/AttestKeyTest.cpp @@ -783,7 +783,7 @@ TEST_P(AttestKeyTest, EcdsaAttestationID) { vector<Certificate> attested_key_cert_chain; auto result = GenerateKey(builder, attest_key, &attested_key_blob, &attested_key_characteristics, &attested_key_cert_chain); - if (result == ErrorCode::CANNOT_ATTEST_IDS) { + if (result == ErrorCode::CANNOT_ATTEST_IDS && !isDeviceIdAttestationRequired()) { continue; } diff --git a/security/keymint/aidl/vts/functional/KeyMintAidlTestBase.cpp b/security/keymint/aidl/vts/functional/KeyMintAidlTestBase.cpp index f9510d3071..943c692c3e 100644 --- a/security/keymint/aidl/vts/functional/KeyMintAidlTestBase.cpp +++ b/security/keymint/aidl/vts/functional/KeyMintAidlTestBase.cpp @@ -207,6 +207,14 @@ uint32_t KeyMintAidlTestBase::boot_patch_level() { return boot_patch_level(key_characteristics_); } +/** + * An API to determine device IDs attestation is required or not, + * which is mandatory for KeyMint version 2 or first_api_level 33 or greater. + */ +bool KeyMintAidlTestBase::isDeviceIdAttestationRequired() { + return AidlVersion() >= 2 || property_get_int32("ro.vendor.api_level", 0) >= 33; +} + bool KeyMintAidlTestBase::Curve25519Supported() { // Strongbox never supports curve 25519. if (SecLevel() == SecurityLevel::STRONGBOX) { diff --git a/security/keymint/aidl/vts/functional/KeyMintAidlTestBase.h b/security/keymint/aidl/vts/functional/KeyMintAidlTestBase.h index 602dcaf6a0..7279c95692 100644 --- a/security/keymint/aidl/vts/functional/KeyMintAidlTestBase.h +++ b/security/keymint/aidl/vts/functional/KeyMintAidlTestBase.h 
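Review bot: The skip path in `EcdsaAttestationID` leaves no trace: when `CANNOT_ATTEST_IDS` comes back on a device where ID attestation is optional, the loop just `continue`s, so a run in which every tag is skipped passes without having checked a single attested ID. I would log the skip, for example `GTEST_LOG_(INFO) << "ID attestation not supported; skipping tag";`, and add a comment explaining the condition, which this hunk lacks. The same silent skip applies to `EcdsaAttestationIdTags` in the KeyMintTest.cpp hunk. The test body continues outside this hunk, so it cannot be confirmed from here that a `CANNOT_ATTEST_IDS` result on a device where attestation is required is then caught by an assertion on `result`.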
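Review bot: The doc comment on `isDeviceIdAttestationRequired()` ties the requirement to "first_api_level 33", but the code reads `ro.vendor.api_level`, so the comment and the implementation name different things. The comment should name the property actually consulted, or the lookup should change if the first API level was intended. The default of `0` also makes the check fail open: if the property is absent and `AidlVersion()` is below 2, the helper returns false and both callers skip `CANNOT_ATTEST_IDS` instead of failing. If that is intended, say so in the doc, e.g. `Required for KeyMint version 2+ or vendor API level >= 33; an unset property is treated as "not required".`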
@@ -79,6 +79,7 @@ class KeyMintAidlTestBase : public ::testing::TestWithParam<string> { uint32_t vendor_patch_level() { return vendor_patch_level_; } uint32_t boot_patch_level(const vector<KeyCharacteristics>& key_characteristics); uint32_t boot_patch_level(); + bool isDeviceIdAttestationRequired(); bool Curve25519Supported(); diff --git a/security/keymint/aidl/vts/functional/KeyMintTest.cpp b/security/keymint/aidl/vts/functional/KeyMintTest.cpp index 3aa09fafe8..e73f46c21f 100644 --- a/security/keymint/aidl/vts/functional/KeyMintTest.cpp +++ b/security/keymint/aidl/vts/functional/KeyMintTest.cpp @@ -1986,8 +1986,8 @@ TEST_P(NewKeyGenerationTest, EcdsaAttestationIdTags) { if (SecLevel() == SecurityLevel::STRONGBOX) { if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) return; } - if (result == ErrorCode::CANNOT_ATTEST_IDS) { - // Device ID attestation is optional; KeyMint may not support it at all. + if (result == ErrorCode::CANNOT_ATTEST_IDS && !isDeviceIdAttestationRequired()) { + // ID attestation was optional till api level 32, from api level 33 it is mandatory. continue; } ASSERT_EQ(result, ErrorCode::OK); |
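Review bot: `isDeviceIdAttestationRequired()` is lowerCamel, while the neighbouring members visible in this hunk are either snake_case accessors (`boot_patch_level()`) or PascalCase predicates (`Curve25519Supported()`). A name such as `DeviceIdAttestationRequired()` would match the predicate next to it. The declaration also has no comment in the header; the only documentation is on the definition in KeyMintAidlTestBase.cpp, so a one-line `// True when ID attestation is mandatory for this KeyMint version / API level.` here would help readers of the test base class.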
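Review bot: The new comment in `EcdsaAttestationIdTags` mentions only the API-level condition, but the helper it relies on also returns true for `AidlVersion() >= 2` (see the KeyMintAidlTestBase.cpp hunk in this commit). On a KeyMint v2 implementation the skip is therefore disabled regardless of API level, which the comment does not say. I would reword it to `// ID attestation is optional only for KeyMint v1 below vendor API level 33; otherwise CANNOT_ATTEST_IDS reaches the ASSERT_EQ below and fails.`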