Merge "Secretkeeper: test sealing policy update" into main am: c97055b9b6 am: 4c9290c911

Original change: https://android-review.googlesource.com/c/platform/hardware/interfaces/+/2932990 Change-Id: I1cf6b74b7b3ea2274b6c0f9abac9f3f27e1756b5 Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2026-02-01 11:36:00 +00:00 · 2024-01-30 09:07:19 +00:00
parent 324b996467 4c9290c911
commit 2e49089f61
1 changed files with 27 additions and 3 deletions
--- a/security/secretkeeper/aidl/vts/secretkeeper_test_client.rs
+++ b/security/secretkeeper/aidl/vts/secretkeeper_test_client.rs
@@ -171,7 +171,16 @@ impl SkClient {

    /// Helper method to get a secret.
    fn get(&mut self, id: &Id) -> Result<Secret, Error> {
-        let get_request = GetSecretRequest { id: id.clone(), updated_sealing_policy: None };
+        self.get_update_policy(id, None)
+    }
+
+    /// Helper method to get a secret, updating the sealing policy along the way.
+    fn get_update_policy(
+        &mut self,
+        id: &Id,
+        updated_sealing_policy: Option<Vec<u8>>,
+    ) -> Result<Secret, Error> {
+        let get_request = GetSecretRequest { id: id.clone(), updated_sealing_policy };
        let get_request = get_request.serialize_to_packet().to_vec()?;

        let get_response = self.secret_management_request(&get_request)?;
@@ -532,8 +541,9 @@ fn secret_management_replay_protection_out_of_seq_req_not_accepted(instance: Str
 #[rdroidtest(get_instances())]
 fn secret_management_policy_gate(instance: String) {
    let dice_chain = make_explicit_owned_dice(/*Security version in a node */ 100);
-    let mut sk_client = SkClient::with_identity(&instance, dice_chain);
-    sk_client.store(&ID_EXAMPLE, &SECRET_EXAMPLE).unwrap();
+    let mut sk_client_original = SkClient::with_identity(&instance, dice_chain);
+    sk_client_original.store(&ID_EXAMPLE, &SECRET_EXAMPLE).unwrap();
+    assert_eq!(sk_client_original.get(&ID_EXAMPLE).unwrap(), SECRET_EXAMPLE);

    // Start a session with higher security_version & get the stored secret.
    let dice_chain_upgraded = make_explicit_owned_dice(/*Security version in a node */ 101);
@@ -547,6 +557,20 @@ fn secret_management_policy_gate(instance: String) {
        sk_client_downgraded.get(&ID_EXAMPLE).unwrap_err(),
        Error::SecretkeeperError(SecretkeeperError::DicePolicyError)
    ));
+
+    // Now get the secret with the later version, and upgrade the sealing policy along the way.
+    let sealing_policy =
+        sealing_policy(sk_client_upgraded.dice_artifacts.explicit_key_dice_chain().unwrap());
+    assert_eq!(
+        sk_client_upgraded.get_update_policy(&ID_EXAMPLE, Some(sealing_policy)).unwrap(),
+        SECRET_EXAMPLE
+    );
+
+    // The original version of the client should no longer be able to retrieve the secret.
+    assert!(matches!(
+        sk_client_original.get(&ID_EXAMPLE).unwrap_err(),
+        Error::SecretkeeperError(SecretkeeperError::DicePolicyError)
+    ));
 }

 // Helper method that constructs 3 SecretManagement requests. Callers would usually not care about