From ead5f3e7a5308abd4ab3ba82c136d82fe771066c Mon Sep 17 00:00:00 2001 From: David Drysdale Date: Mon, 6 Jun 2022 16:51:25 +0100 Subject: KeyMint VTS: cope with ATTEST_KEY +/- SIGN This change is a back-port of http://aosp/1877245 but adapted to allow for devices that passed the original (but incorrect) version of the VTS tests. Bug: 197096139 Bug: 230074335 Test: VtsAidlKeyMintTargetTest Change-Id: I447e6dc9dc049922725160c48c2406d79a8cffb5 --- .../keymint/aidl/vts/functional/AttestKeyTest.cpp | 203 ++++++++++++--------- 1 file changed, 117 insertions(+), 86 deletions(-) (limited to 'security/keymint/aidl/vts/functional/AttestKeyTest.cpp') diff --git a/security/keymint/aidl/vts/functional/AttestKeyTest.cpp b/security/keymint/aidl/vts/functional/AttestKeyTest.cpp index a3127237ac..23e9d6a31c 100644 --- a/security/keymint/aidl/vts/functional/AttestKeyTest.cpp +++ b/security/keymint/aidl/vts/functional/AttestKeyTest.cpp @@ -16,6 +16,7 @@ #define LOG_TAG "keymint_1_attest_key_test" #include +#include #include #include 
@@ -33,7 +34,33 @@ bool IsSelfSigned(const vector& chain) { } // namespace -using AttestKeyTest = KeyMintAidlTestBase; +class AttestKeyTest : public KeyMintAidlTestBase { + protected: + ErrorCode GenerateAttestKey(const AuthorizationSet& key_desc, + const optional& attest_key, + vector* key_blob, + vector* key_characteristics, + vector* cert_chain) { + // The original specification for KeyMint v1 required ATTEST_KEY not be combined + // with any other key purpose, but the original VTS tests incorrectly did exactly that. + // This means that a device that launched prior to Android T (API level 33) may + // accept or even require KeyPurpose::SIGN too. + if (property_get_int32("ro.board.first_api_level", 0) < 33) { + AuthorizationSet key_desc_plus_sign = key_desc; + key_desc_plus_sign.push_back(TAG_PURPOSE, KeyPurpose::SIGN); + + auto result = GenerateKey(key_desc_plus_sign, attest_key, key_blob, key_characteristics, + cert_chain); + if (result == ErrorCode::OK) { + return result; + } + // If the key generation failed, it may be because the device is (correctly) + // rejecting the combination of ATTEST_KEY+SIGN. Fall through to try again with + // just ATTEST_KEY. + } + return GenerateKey(key_desc, attest_key, key_blob, key_characteristics, cert_chain); + } +}; /* * AttestKeyTest.AllRsaSizes 
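Review bot: `property_get_int32("ro.board.first_api_level", 0) < 33` in `GenerateAttestKey` treats a missing property as a pre-T launch, so a device that simply does not set `ro.board.first_api_level` is routed to the lenient ATTEST_KEY+SIGN attempt first and, if its KeyMint accepts that combination, the test passes without ever exercising the ATTEST_KEY-only generation that the KeyMint v1 specification requires. Consider falling back to `ro.product.first_api_level` (where available) before applying the default, and logging which variant succeeded so a VTS report shows whether the device needed the legacy path. The helper would also benefit from a doc comment above the signature, e.g. `// Wrapper around GenerateKey() for ATTEST_KEY keys: on devices launched before Android T this first retries with KeyPurpose::SIGN added, because the original VTS tests incorrectly required that combination.` The same call-site change is repeated mechanically in the later hunks of this patch; the behavioural point lives entirely here.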
@@ -49,12 +76,13 @@ TEST_P(AttestKeyTest, AllRsaSizes) { AttestationKey attest_key; vector attest_key_characteristics; vector attest_key_cert_chain; - ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder() - .RsaSigningKey(size, 65537) - .AttestKey() - .SetDefaultValidity(), - {} /* attestation signing key */, &attest_key.keyBlob, - &attest_key_characteristics, &attest_key_cert_chain)); + ASSERT_EQ(ErrorCode::OK, + GenerateAttestKey(AuthorizationSetBuilder() + .RsaKey(size, 65537) + .AttestKey() + .SetDefaultValidity(), + {} /* attestation signing key */, &attest_key.keyBlob, + &attest_key_characteristics, &attest_key_cert_chain)); ASSERT_GT(attest_key_cert_chain.size(), 0); EXPECT_EQ(attest_key_cert_chain.size(), 1); @@ -199,17 +227,17 @@ TEST_P(AttestKeyTest, RsaAttestedAttestKeys) { vector attest_key_characteristics; vector attest_key_cert_chain; ASSERT_EQ(ErrorCode::OK, - GenerateKey(AuthorizationSetBuilder() - .RsaSigningKey(2048, 65537) - .AttestKey() - .AttestationChallenge(challenge) - .AttestationApplicationId(app_id) - .Authorization(TAG_CERTIFICATE_SERIAL, serial_blob) - .Authorization(TAG_CERTIFICATE_SUBJECT, subject_der) - .Authorization(TAG_NO_AUTH_REQUIRED) - .SetDefaultValidity(), - {} /* attestation signing key */, &attest_key.keyBlob, - &attest_key_characteristics, &attest_key_cert_chain)); + GenerateAttestKey(AuthorizationSetBuilder() + .RsaKey(2048, 65537) + .AttestKey() + .AttestationChallenge(challenge) + .AttestationApplicationId(app_id) + .Authorization(TAG_CERTIFICATE_SERIAL, serial_blob) + .Authorization(TAG_CERTIFICATE_SUBJECT, subject_der) + .Authorization(TAG_NO_AUTH_REQUIRED) + .SetDefaultValidity(), + {} /* attestation signing key */, &attest_key.keyBlob, + &attest_key_characteristics, &attest_key_cert_chain)); EXPECT_GT(attest_key_cert_chain.size(), 1); verify_subject_and_serial(attest_key_cert_chain[0], serial_int, subject, false); 
@@ -298,17 +326,17 @@ TEST_P(AttestKeyTest, RsaAttestKeyChaining) { } EXPECT_EQ(ErrorCode::OK, - GenerateKey(AuthorizationSetBuilder() - .RsaSigningKey(2048, 65537) - .AttestKey() - .AttestationChallenge("foo") - .AttestationApplicationId("bar") - .Authorization(TAG_NO_AUTH_REQUIRED) - .Authorization(TAG_CERTIFICATE_SERIAL, serial_blob) - .Authorization(TAG_CERTIFICATE_SUBJECT, subject_der) - .SetDefaultValidity(), - attest_key_opt, &key_blob_list[i], &attested_key_characteristics, - &cert_chain_list[i])); + GenerateAttestKey(AuthorizationSetBuilder() + .RsaKey(2048, 65537) + .AttestKey() + .AttestationChallenge("foo") + .AttestationApplicationId("bar") + .Authorization(TAG_NO_AUTH_REQUIRED) + .Authorization(TAG_CERTIFICATE_SERIAL, serial_blob) + .Authorization(TAG_CERTIFICATE_SUBJECT, subject_der) + .SetDefaultValidity(), + attest_key_opt, &key_blob_list[i], + &attested_key_characteristics, &cert_chain_list[i])); AuthorizationSet hw_enforced = HwEnforcedAuthorizations(attested_key_characteristics); AuthorizationSet sw_enforced = SwEnforcedAuthorizations(attested_key_characteristics); 
@@ -369,17 +397,17 @@ TEST_P(AttestKeyTest, EcAttestKeyChaining) { } EXPECT_EQ(ErrorCode::OK, - GenerateKey(AuthorizationSetBuilder() - .EcdsaSigningKey(EcCurve::P_256) - .AttestKey() - .AttestationChallenge("foo") - .AttestationApplicationId("bar") - .Authorization(TAG_CERTIFICATE_SERIAL, serial_blob) - .Authorization(TAG_CERTIFICATE_SUBJECT, subject_der) - .Authorization(TAG_NO_AUTH_REQUIRED) - .SetDefaultValidity(), - attest_key_opt, &key_blob_list[i], &attested_key_characteristics, - &cert_chain_list[i])); + GenerateAttestKey(AuthorizationSetBuilder() + .EcdsaKey(EcCurve::P_256) + .AttestKey() + .AttestationChallenge("foo") + .AttestationApplicationId("bar") + .Authorization(TAG_CERTIFICATE_SERIAL, serial_blob) + .Authorization(TAG_CERTIFICATE_SUBJECT, subject_der) + .Authorization(TAG_NO_AUTH_REQUIRED) + .SetDefaultValidity(), + attest_key_opt, &key_blob_list[i], + &attested_key_characteristics, &cert_chain_list[i])); AuthorizationSet hw_enforced = HwEnforcedAuthorizations(attested_key_characteristics); AuthorizationSet sw_enforced = SwEnforcedAuthorizations(attested_key_characteristics); 
@@ -443,30 +471,30 @@ TEST_P(AttestKeyTest, AlternateAttestKeyChaining) { if ((i & 0x1) == 1) { EXPECT_EQ(ErrorCode::OK, - GenerateKey(AuthorizationSetBuilder() - .EcdsaSigningKey(EcCurve::P_256) - .AttestKey() - .AttestationChallenge("foo") - .AttestationApplicationId("bar") - .Authorization(TAG_CERTIFICATE_SERIAL, serial_blob) - .Authorization(TAG_CERTIFICATE_SUBJECT, subject_der) - .Authorization(TAG_NO_AUTH_REQUIRED) - .SetDefaultValidity(), - attest_key_opt, &key_blob_list[i], &attested_key_characteristics, - &cert_chain_list[i])); + GenerateAttestKey(AuthorizationSetBuilder() + .EcdsaKey(EcCurve::P_256) + .AttestKey() + .AttestationChallenge("foo") + .AttestationApplicationId("bar") + .Authorization(TAG_CERTIFICATE_SERIAL, serial_blob) + .Authorization(TAG_CERTIFICATE_SUBJECT, subject_der) + .Authorization(TAG_NO_AUTH_REQUIRED) + .SetDefaultValidity(), + attest_key_opt, &key_blob_list[i], + &attested_key_characteristics, &cert_chain_list[i])); } else { EXPECT_EQ(ErrorCode::OK, - GenerateKey(AuthorizationSetBuilder() - .RsaSigningKey(2048, 65537) - .AttestKey() - .AttestationChallenge("foo") - .AttestationApplicationId("bar") - .Authorization(TAG_CERTIFICATE_SERIAL, serial_blob) - .Authorization(TAG_CERTIFICATE_SUBJECT, subject_der) - .Authorization(TAG_NO_AUTH_REQUIRED) - .SetDefaultValidity(), - attest_key_opt, &key_blob_list[i], &attested_key_characteristics, - &cert_chain_list[i])); + GenerateAttestKey(AuthorizationSetBuilder() + .RsaKey(2048, 65537) + .AttestKey() + .AttestationChallenge("foo") + .AttestationApplicationId("bar") + .Authorization(TAG_CERTIFICATE_SERIAL, serial_blob) + .Authorization(TAG_CERTIFICATE_SUBJECT, subject_der) + .Authorization(TAG_NO_AUTH_REQUIRED) + .SetDefaultValidity(), + attest_key_opt, &key_blob_list[i], + &attested_key_characteristics, &cert_chain_list[i])); } AuthorizationSet hw_enforced = HwEnforcedAuthorizations(attested_key_characteristics); 
@@ -505,12 +533,13 @@ TEST_P(AttestKeyTest, MissingChallenge) { AttestationKey attest_key; vector attest_key_characteristics; vector attest_key_cert_chain; - ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder() - .RsaSigningKey(size, 65537) - .AttestKey() - .SetDefaultValidity(), - {} /* attestation signing key */, &attest_key.keyBlob, - &attest_key_characteristics, &attest_key_cert_chain)); + ASSERT_EQ(ErrorCode::OK, + GenerateAttestKey(AuthorizationSetBuilder() + .RsaKey(size, 65537) + .AttestKey() + .SetDefaultValidity(), + {} /* attestation signing key */, &attest_key.keyBlob, + &attest_key_characteristics, &attest_key_cert_chain)); EXPECT_EQ(attest_key_cert_chain.size(), 1); EXPECT_TRUE(IsSelfSigned(attest_key_cert_chain)) << "Failed on size " << size; @@ -552,12 +581,12 @@ TEST_P(AttestKeyTest, AllEcCurves) { AttestationKey attest_key; vector attest_key_characteristics; vector attest_key_cert_chain; - ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder() - .EcdsaSigningKey(curve) - .AttestKey() - .SetDefaultValidity(), - {} /* attestation signing key */, &attest_key.keyBlob, - &attest_key_characteristics, &attest_key_cert_chain)); + ASSERT_EQ( + ErrorCode::OK, + GenerateAttestKey( + AuthorizationSetBuilder().EcdsaKey(curve).AttestKey().SetDefaultValidity(), + {} /* attestation signing key */, &attest_key.keyBlob, + &attest_key_characteristics, &attest_key_cert_chain)); ASSERT_GT(attest_key_cert_chain.size(), 0); EXPECT_EQ(attest_key_cert_chain.size(), 1); 
@@ -667,12 +696,13 @@ TEST_P(AttestKeyTest, EcdsaAttestationID) { AttestationKey attest_key; vector attest_key_characteristics; vector attest_key_cert_chain; - ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder() - .EcdsaSigningKey(EcCurve::P_256) - .AttestKey() - .SetDefaultValidity(), - {} /* attestation signing key */, &attest_key.keyBlob, - &attest_key_characteristics, &attest_key_cert_chain)); + ASSERT_EQ(ErrorCode::OK, + GenerateAttestKey(AuthorizationSetBuilder() + .EcdsaKey(EcCurve::P_256) + .AttestKey() + .SetDefaultValidity(), + {} /* attestation signing key */, &attest_key.keyBlob, + &attest_key_characteristics, &attest_key_cert_chain)); attest_key.issuerSubjectName = make_name_from_str("Android Keystore Key"); ASSERT_GT(attest_key_cert_chain.size(), 0); EXPECT_EQ(attest_key_cert_chain.size(), 1); @@ -731,12 +761,13 @@ TEST_P(AttestKeyTest, EcdsaAttestationMismatchID) { AttestationKey attest_key; vector attest_key_characteristics; vector attest_key_cert_chain; - ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder() - .EcdsaSigningKey(EcCurve::P_256) - .AttestKey() - .SetDefaultValidity(), - {} /* attestation signing key */, &attest_key.keyBlob, - &attest_key_characteristics, &attest_key_cert_chain)); + ASSERT_EQ(ErrorCode::OK, + GenerateAttestKey(AuthorizationSetBuilder() + .EcdsaKey(EcCurve::P_256) + .AttestKey() + .SetDefaultValidity(), + {} /* attestation signing key */, &attest_key.keyBlob, + &attest_key_characteristics, &attest_key_cert_chain)); attest_key.issuerSubjectName = make_name_from_str("Android Keystore Key"); ASSERT_GT(attest_key_cert_chain.size(), 0); EXPECT_EQ(attest_key_cert_chain.size(), 1); -- cgit v1.2.3 From 981c9c223671d9012781acf6e9128fd037578833 Mon Sep 17 00:00:00 2001 
From: Benjamin Grimberg Date: Thu, 5 Jan 2023 14:48:36 +0200 Subject: Fix AttestKeyTest failures in KeyMint VTS Skip attestation key tests if the feature FEATURE_KEYSTORE_APP_ATTEST_KEY is disabled on device, as done in KeyMint CTS. Bug: 244460948 Bug: 265740739 Test: VtsAidlKeyMintTargetTest Change-Id: I8199e5c7570b10b71f127c7439b889c0b3327865 --- .../keymint/aidl/vts/functional/AttestKeyTest.cpp | 63 ++++++++++++++++++++++ 1 file changed, 63 insertions(+) (limited to 'security/keymint/aidl/vts/functional/AttestKeyTest.cpp') diff --git a/security/keymint/aidl/vts/functional/AttestKeyTest.cpp b/security/keymint/aidl/vts/functional/AttestKeyTest.cpp index ca517ac61c..b9968f8afc 100644 --- a/security/keymint/aidl/vts/functional/AttestKeyTest.cpp +++ b/security/keymint/aidl/vts/functional/AttestKeyTest.cpp @@ -35,7 +35,17 @@ bool IsSelfSigned(const vector& chain) { } // namespace class AttestKeyTest : public KeyMintAidlTestBase { + public: + void SetUp() override { + check_skip_test(); + KeyMintAidlTestBase::SetUp(); + } + protected: + const string FEATURE_KEYSTORE_APP_ATTEST_KEY = "android.hardware.keystore.app_attest_key"; + + const string FEATURE_STRONGBOX_KEYSTORE = "android.hardware.strongbox_keystore"; + ErrorCode GenerateAttestKey(const AuthorizationSet& key_desc, const optional& attest_key, vector* key_blob, 
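Review bot: The two feature names are declared as non-static `const string` data members of `AttestKeyTest`, so every fixture instance constructs its own copies and the names cannot be referenced from a static context; `inline static const string FEATURE_KEYSTORE_APP_ATTEST_KEY = "android.hardware.keystore.app_attest_key";` (and likewise for `FEATURE_STRONGBOX_KEYSTORE`) keeps the `"Feature " + FEATURE_…` concatenation working while making them true class constants. In `SetUp()`, `check_skip_test()` runs before `KeyMintAidlTestBase::SetUp()`, so `check_feature()` must not rely on anything the base class initialises, and when it skips, `TearDown()` will presumably still run against a base that was never set up — worth confirming the base tolerates that. The `GenerateAttestKey` signature at the end of the hunk continues outside it.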
@@ -60,6 +70,59 @@ class AttestKeyTest : public KeyMintAidlTestBase { } return GenerateKey(key_desc, attest_key, key_blob, key_characteristics, cert_chain); } + + // Check if ATTEST_KEY feature is disabled + bool is_attest_key_feature_disabled(void) const { + if (!check_feature(FEATURE_KEYSTORE_APP_ATTEST_KEY)) { + GTEST_LOG_(INFO) << "Feature " + FEATURE_KEYSTORE_APP_ATTEST_KEY + " is disabled"; + return true; + } + + return false; + } + + // Check if StrongBox KeyStore is enabled + bool is_strongbox_enabled(void) const { + if (check_feature(FEATURE_STRONGBOX_KEYSTORE)) { + GTEST_LOG_(INFO) << "Feature " + FEATURE_STRONGBOX_KEYSTORE + " is enabled"; + return true; + } + + return false; + } + + // Check if chipset has received a waiver allowing it to be launched with + // Android S (or later) with Keymaster 4.0 in StrongBox + bool is_chipset_allowed_km4_strongbox(void) const { + std::array buffer; + + auto res = property_get("ro.vendor.qti.soc_model", buffer.data(), nullptr); + if (res <= 0) return false; + + const string allowed_soc_models[] = {"SM8450", "SM8475", "SM8550", "SXR2230P"}; + + for (const string model : allowed_soc_models) { + if (model.compare(buffer.data()) == 0) { + GTEST_LOG_(INFO) << "QTI SOC Model " + model + " is allowed SB KM 4.0"; + return true; + } + } + + return false; + } + + // Skip the test if all the following conditions hold: + // 1. ATTEST_KEY feature is disabled + // 2. STRONGBOX is enabled + // 3. The device is running one of the chipsets that have received a waiver + // allowing it to be launched with Android S (or later) with Keymaster 4.0 + // in StrongBox + void check_skip_test(void) const { + if (is_attest_key_feature_disabled() && is_strongbox_enabled() && + is_chipset_allowed_km4_strongbox()) { + GTEST_SKIP() << "Test is not applicable"; + } + } }; /* -- cgit v1.2.3
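Review bot: `GTEST_SKIP() << "Test is not applicable"` in `check_skip_test()` hides why the entire attest-key suite was waived, even though the decision rests on three self-reported device properties (the app-attest-key feature, the StrongBox feature and `ro.vendor.qti.soc_model`); a VTS report that only says "not applicable" cannot be audited afterwards. Name the conditions in the skip message, e.g. `GTEST_SKIP() << "ATTEST_KEY feature disabled, StrongBox present and SoC waived for Keymaster 4.0 StrongBox";`, so the waiver is visible in results. In `is_chipset_allowed_km4_strongbox()`, `for (const string model : allowed_soc_models)` copies each entry on every iteration; `for (const string& model : allowed_soc_models)` avoids that, and `model == buffer.data()` reads more directly than `model.compare(buffer.data()) == 0`. The element type and size of `std::array buffer` did not survive on this page, so I cannot confirm it matches the buffer size `property_get()` expects (presumably `PROPERTY_VALUE_MAX`) — please verify. Since the SoC allow-list embeds a vendor-specific waiver in the common VTS source, the comment above it should cite the waiver tracking bugs (those listed in the commit message) so a reader can tell when the entries may be removed.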