Merge "Adding sanity check for VBMeta device state"

am: 63cc8d12a5 Change-Id: Ic642331cf6f3d0ad04bcaea691f860bd182d3059
2026-02-01 15:58:43 +00:00 · 2019-12-19 01:05:35 -08:00
parent 96643ab05c 63cc8d12a5
commit 051f044853
1 changed files with 12 additions and 6 deletions
--- a/keymaster/4.0/vts/functional/keymaster_hidl_hal_test.cpp
+++ b/keymaster/4.0/vts/functional/keymaster_hidl_hal_test.cpp
@@ -423,27 +423,33 @@ bool verify_attestation_record(const string& challenge, const string& app_id,
    EXPECT_EQ(ErrorCode::OK, error);

    if (avb_verification_enabled()) {
-        property_get("ro.boot.vbmeta.digest", property_value, "nogood");
-        EXPECT_NE(strcmp(property_value, "nogood"), 0);
+        EXPECT_NE(property_get("ro.boot.vbmeta.digest", property_value, ""), 0);
        string prop_string(property_value);
        EXPECT_EQ(prop_string.size(), 64);
        EXPECT_EQ(prop_string, bin2hex(verified_boot_hash));

-        property_get("ro.boot.vbmeta.device_state", property_value, "nogood");
-        EXPECT_NE(strcmp(property_value, "nogood"), 0);
+        EXPECT_NE(property_get("ro.boot.vbmeta.device_state", property_value, ""), 0);
        if (!strcmp(property_value, "unlocked")) {
            EXPECT_FALSE(device_locked);
        } else {
            EXPECT_TRUE(device_locked);
        }
+
+        // Check that the expected result from VBMeta matches the build type. Only a user build
+        // should have AVB reporting the device is locked.
+        EXPECT_NE(property_get("ro.build.type", property_value, ""), 0);
+        if (!strcmp(property_value, "user")) {
+            EXPECT_TRUE(device_locked);
+        } else {
+            EXPECT_FALSE(device_locked);
+        }
    }

    // Verified boot key should be all 0's if the boot state is not verified or self signed
    std::string empty_boot_key(32, '\0');
    std::string verified_boot_key_str((const char*)verified_boot_key.data(),
                                      verified_boot_key.size());
-    property_get("ro.boot.verifiedbootstate", property_value, "nogood");
-    EXPECT_NE(property_value, "nogood");
+    EXPECT_NE(property_get("ro.boot.verifiedbootstate", property_value, ""), 0);
    if (!strcmp(property_value, "green")) {
        EXPECT_EQ(verified_boot_state, KM_VERIFIED_BOOT_VERIFIED);
        EXPECT_NE(0, memcmp(verified_boot_key.data(), empty_boot_key.data(),