From bf75a4070d3d013ae9df226c5ebc13536958f08c Mon Sep 17 00:00:00 2001 From: Tri Vo Date: Wed, 29 Mar 2023 16:45:17 -0700 Subject: Test for bootloader state Bug: 255344624 Test: VtsKeyMintAidlTargetTest Change-Id: I8b34a94c11d7cc174821483f624fd083ca1763ac --- .../aidl/vts/functional/BootloaderStateTest.cpp | 86 ++++++++++++++++++++++ 1 file changed, 86 insertions(+) create mode 100644 security/keymint/aidl/vts/functional/BootloaderStateTest.cpp (limited to 'security/keymint/aidl/vts/functional/BootloaderStateTest.cpp') diff --git a/security/keymint/aidl/vts/functional/BootloaderStateTest.cpp b/security/keymint/aidl/vts/functional/BootloaderStateTest.cpp new file mode 100644 index 0000000000..fdadad4dfe --- /dev/null +++ b/security/keymint/aidl/vts/functional/BootloaderStateTest.cpp @@ -0,0 +1,86 @@ +/* + * Copyright (C) 2023 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#define LOG_TAG "keymint_1_bootloader_test" + +#include +#include +#include +#include + +#include +#include + +#include "KeyMintAidlTestBase.h" + +namespace aidl::android::hardware::security::keymint::test { + +using ::android::getAidlHalInstanceNames; +using ::std::string; +using ::std::vector; + +// Since this test needs to talk to KeyMint HAL, it can only run as root. Thus, +// bootloader can not be locked. +class BootloaderStateTest : public testing::TestWithParam { + public: + virtual void SetUp() override { + ::ndk::SpAIBinder binder(AServiceManager_waitForService(GetParam().c_str())); + keyMint_ = IKeyMintDevice::fromBinder(binder); + ASSERT_TRUE(keyMint_) << "Failed to get KM device"; + } + + std::shared_ptr keyMint_; +}; + +// Check that attested bootloader state is set to unlocked. +TEST_P(BootloaderStateTest, IsUnlocked) { + // Generate a key with attestation. + AuthorizationSet keyDesc = AuthorizationSetBuilder() + .Authorization(TAG_NO_AUTH_REQUIRED) + .EcdsaSigningKey(EcCurve::P_256) + .AttestationChallenge("foo") + .AttestationApplicationId("bar") + .Digest(Digest::NONE) + .SetDefaultValidity(); + KeyCreationResult creationResult; + auto kmStatus = keyMint_->generateKey(keyDesc.vector_data(), std::nullopt, &creationResult); + ASSERT_TRUE(kmStatus.isOk()); + + vector key_cert_chain = std::move(creationResult.certificateChain); + + // Parse attested AVB values. + const auto& attestation_cert = key_cert_chain[0].encodedCertificate; + X509_Ptr cert(parse_cert_blob(attestation_cert)); + ASSERT_TRUE(cert.get()); + + ASN1_OCTET_STRING* attest_rec = get_attestation_record(cert.get()); + ASSERT_TRUE(attest_rec); + + vector key; + VerifiedBoot attestedVbState; + bool attestedBootloaderState; + vector attestedVbmetaDigest; + auto error = parse_root_of_trust(attest_rec->data, attest_rec->length, &key, &attestedVbState, + &attestedBootloaderState, &attestedVbmetaDigest); + ASSERT_EQ(error, ErrorCode::OK); + ASSERT_FALSE(attestedBootloaderState) << "This test runs as root. Bootloader must be unlocked."; +} + +INSTANTIATE_TEST_SUITE_P(PerInstance, BootloaderStateTest, + testing::ValuesIn(getAidlHalInstanceNames(IKeyMintDevice::descriptor)), + ::android::PrintInstanceNameToString); + +} // namespace aidl::android::hardware::security::keymint::test -- cgit v1.2.3