KeyMint VTS: better early boot key tests

Add a check that TAG_EARLY_BOOT_ONLY is included in the returned key
characteristics.

Bug: 188672564
Test: VtsAidlKeyMintTargetTest
Change-Id: I200c61f34888c720c47f6289d79cd21d78436b58
David Drysdale
2021-05-27 12:00:53 +01:00
parent 19c7c575f0
commit adfe6116d5
2 changed files with 68 additions and 31 deletions


@@ -16,6 +16,7 @@
#pragma once
#include <functional>
#include <string_view>
#include <aidl/Gtest.h>
@@ -206,50 +207,58 @@ class KeyMintAidlTestBase : public ::testing::TestWithParam<string> {
template <typename TagType>
std::tuple<KeyData /* aesKey */, KeyData /* hmacKey */, KeyData /* rsaKey */,
KeyData /* ecdsaKey */>
CreateTestKeys(TagType tagToTest, ErrorCode expectedReturn) {
CreateTestKeys(
TagType tagToTest, ErrorCode expectedReturn,
std::function<void(AuthorizationSetBuilder*)> tagModifier =
[](AuthorizationSetBuilder*) {}) {
/* AES */
KeyData aesKeyData;
ErrorCode errorCode = GenerateKey(AuthorizationSetBuilder()
.AesEncryptionKey(128)
.Authorization(tagToTest)
.BlockMode(BlockMode::ECB)
.Padding(PaddingMode::NONE)
.Authorization(TAG_NO_AUTH_REQUIRED),
&aesKeyData.blob, &aesKeyData.characteristics);
AuthorizationSetBuilder aesBuilder = AuthorizationSetBuilder()
.AesEncryptionKey(128)
.Authorization(tagToTest)
.BlockMode(BlockMode::ECB)
.Padding(PaddingMode::NONE)
.Authorization(TAG_NO_AUTH_REQUIRED);
tagModifier(&aesBuilder);
ErrorCode errorCode =
GenerateKey(aesBuilder, &aesKeyData.blob, &aesKeyData.characteristics);
EXPECT_EQ(expectedReturn, errorCode);
/* HMAC */
KeyData hmacKeyData;
errorCode = GenerateKey(AuthorizationSetBuilder()
.HmacKey(128)
.Authorization(tagToTest)
.Digest(Digest::SHA_2_256)
.Authorization(TAG_MIN_MAC_LENGTH, 128)
.Authorization(TAG_NO_AUTH_REQUIRED),
&hmacKeyData.blob, &hmacKeyData.characteristics);
AuthorizationSetBuilder hmacBuilder = AuthorizationSetBuilder()
.HmacKey(128)
.Authorization(tagToTest)
.Digest(Digest::SHA_2_256)
.Authorization(TAG_MIN_MAC_LENGTH, 128)
.Authorization(TAG_NO_AUTH_REQUIRED);
tagModifier(&hmacBuilder);
errorCode = GenerateKey(hmacBuilder, &hmacKeyData.blob, &hmacKeyData.characteristics);
EXPECT_EQ(expectedReturn, errorCode);
/* RSA */
KeyData rsaKeyData;
errorCode = GenerateKey(AuthorizationSetBuilder()
.RsaSigningKey(2048, 65537)
.Authorization(tagToTest)
.Digest(Digest::NONE)
.Padding(PaddingMode::NONE)
.Authorization(TAG_NO_AUTH_REQUIRED)
.SetDefaultValidity(),
&rsaKeyData.blob, &rsaKeyData.characteristics);
AuthorizationSetBuilder rsaBuilder = AuthorizationSetBuilder()
.RsaSigningKey(2048, 65537)
.Authorization(tagToTest)
.Digest(Digest::NONE)
.Padding(PaddingMode::NONE)
.Authorization(TAG_NO_AUTH_REQUIRED)
.SetDefaultValidity();
tagModifier(&rsaBuilder);
errorCode = GenerateKey(rsaBuilder, &rsaKeyData.blob, &rsaKeyData.characteristics);
EXPECT_EQ(expectedReturn, errorCode);
/* ECDSA */
KeyData ecdsaKeyData;
errorCode = GenerateKey(AuthorizationSetBuilder()
.EcdsaSigningKey(256)
.Authorization(tagToTest)
.Digest(Digest::SHA_2_256)
.Authorization(TAG_NO_AUTH_REQUIRED)
.SetDefaultValidity(),
&ecdsaKeyData.blob, &ecdsaKeyData.characteristics);
AuthorizationSetBuilder ecdsaBuilder = AuthorizationSetBuilder()
.EcdsaSigningKey(256)
.Authorization(tagToTest)
.Digest(Digest::SHA_2_256)
.Authorization(TAG_NO_AUTH_REQUIRED)
.SetDefaultValidity();
tagModifier(&ecdsaBuilder);
errorCode = GenerateKey(ecdsaBuilder, &ecdsaKeyData.blob, &ecdsaKeyData.characteristics);
EXPECT_EQ(expectedReturn, errorCode);
return {aesKeyData, hmacKeyData, rsaKeyData, ecdsaKeyData};
}
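Review bot: The new `tagModifier` parameter of CreateTestKeys is undocumented, and it is invoked on all four builders (AES, HMAC, RSA, ECDSA) after the common tags are set, so whatever a caller adds has to be acceptable for symmetric and asymmetric keys alike. A comment above the template would make that contract explicit, e.g. `// tagModifier runs on every builder (AES, HMAC, RSA, ECDSA) just before GenerateKey; add only tags valid for all four.` The four calls are also unguarded, so a caller passing an empty `std::function` would hit `std::bad_function_call`; `if (tagModifier) tagModifier(&aesBuilder);` (and likewise for the other three builders) avoids that. Because the `EXPECT_EQ` checks are non-fatal, the returned KeyData can hold empty blobs when generation fails, which is worth stating in the same comment so callers keep checking blob size.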


@@ -6355,6 +6355,11 @@ TEST_P(EarlyBootKeyTest, CreateEarlyBootKeys) {
auto [aesKeyData, hmacKeyData, rsaKeyData, ecdsaKeyData] =
CreateTestKeys(TAG_EARLY_BOOT_ONLY, ErrorCode::OK);
for (const auto& keyData : {aesKeyData, hmacKeyData, rsaKeyData, ecdsaKeyData}) {
ASSERT_GT(keyData.blob.size(), 0U);
AuthorizationSet crypto_params = SecLevelAuthorizations(keyData.characteristics);
EXPECT_TRUE(crypto_params.Contains(TAG_EARLY_BOOT_ONLY)) << crypto_params;
}
CheckedDeleteKey(&aesKeyData.blob);
CheckedDeleteKey(&hmacKeyData.blob);
CheckedDeleteKey(&rsaKeyData.blob);
@@ -6362,7 +6367,30 @@ TEST_P(EarlyBootKeyTest, CreateEarlyBootKeys) {
}
/*
* EarlyBootKeyTest.UsetEarlyBootKeyFailure
* EarlyBootKeyTest.CreateAttestedEarlyBootKey
*
* Verifies that creating an early boot key with attestation succeeds.
*/
TEST_P(EarlyBootKeyTest, CreateAttestedEarlyBootKey) {
auto [aesKeyData, hmacKeyData, rsaKeyData, ecdsaKeyData] = CreateTestKeys(
TAG_EARLY_BOOT_ONLY, ErrorCode::OK, [](AuthorizationSetBuilder* builder) {
builder->AttestationChallenge("challenge");
builder->AttestationApplicationId("app_id");
});
for (const auto& keyData : {aesKeyData, hmacKeyData, rsaKeyData, ecdsaKeyData}) {
ASSERT_GT(keyData.blob.size(), 0U);
AuthorizationSet crypto_params = SecLevelAuthorizations(keyData.characteristics);
EXPECT_TRUE(crypto_params.Contains(TAG_EARLY_BOOT_ONLY)) << crypto_params;
}
CheckedDeleteKey(&aesKeyData.blob);
CheckedDeleteKey(&hmacKeyData.blob);
CheckedDeleteKey(&rsaKeyData.blob);
CheckedDeleteKey(&ecdsaKeyData.blob);
}
/*
* EarlyBootKeyTest.UseEarlyBootKeyFailure
*
* Verifies that using early boot keys at a later stage fails.
*/
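Review bot: CreateAttestedEarlyBootKey never inspects any attestation output, so as written it only shows that generation with a challenge and application id returns OK and that TAG_EARLY_BOOT_ONLY appears in the security-level authorizations; an implementation that accepted the tags but produced no attestation would still pass. The lambda also adds the attestation tags to the AES and HMAC builders, where no attestation certificate would normally be expected, so the "attested" name holds at most for the RSA and ECDSA keys. If the fixture exposes the certificate chain from GenerateKey (not visible in this hunk), assert on it for the asymmetric keys; otherwise narrow the header comment, e.g. `* Verifies that creating an early boot key with attestation tags succeeds and retains TAG_EARLY_BOOT_ONLY.` Separately, `ASSERT_GT(keyData.blob.size(), 0U)` inside the loop returns from the test before the `CheckedDeleteKey` calls run, here and in CreateEarlyBootKeys, so `EXPECT_GT` or deleting in a cleanup path would avoid leaving the other keys behind.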