Evolution-x/hardware_interfaces
1
0
Fork 0
mirror of https://github.com/Evolution-X/hardware_interfaces synced 2026-02-02 02:42:35 +00:00
Code Issues Packages Projects Releases Wiki Activity

KeyMint VTS: option to skip BOOT_PATCHLEVEL check

Browse Source 
The KeyMint spec requires that all generated keys include the
BOOT_PATCHLEVEL for the device.

However, the VTS test sometimes gets run in an environment where this
is not possible; specifically the Trusty QEMU tests don't have the
bootloader -> KeyMint communication that is needed to populate this
information.

Add a command line flag that disables checks for BOOT_PATCHLEVEL to
cope with these scenarios, making sure that it defaults to having the
checks enabled.

Test: VtsAidlKeyMintTargetTest
Change-Id: I215c8a18afbd68af199d49f74b977ad7cac6b805
This commit is contained in:
David Drysdale
2021-12-02 07:44:23 +00:00
parent 2edfc467f1
commit dbbbe2ea6d
1 changed files with 17 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
security/keymint/aidl/vts/functional/KeyMintTest.cpp
View File

@@ -69,6 +69,9 @@ namespace aidl::android::hardware::security::keymint::test {
namespace {
// Whether to check that BOOT_PATCHLEVEL is populated.
bool check_boot_pl = true;
// The maximum number of times we'll attempt to verify that corruption
// of an ecrypted blob results in an error. Retries are necessary as there
// is a small (roughly 1/256) chance that corrupting ciphertext still results
@@ -527,12 +530,17 @@ class NewKeyGenerationTest : public KeyMintAidlTestBase {
EXPECT_TRUE(os_pl);
EXPECT_EQ(*os_pl, os_patch_level());
// Should include vendor and boot patchlevels.
// Should include vendor patchlevel.
auto vendor_pl = auths.GetTagValue(TAG_VENDOR_PATCHLEVEL);
EXPECT_TRUE(vendor_pl);
EXPECT_EQ(*vendor_pl, vendor_patch_level());
auto boot_pl = auths.GetTagValue(TAG_BOOT_PATCHLEVEL);
EXPECT_TRUE(boot_pl);
// Should include boot patchlevel (but there are some test scenarios where this is not
// possible).
if (check_boot_pl) {
auto boot_pl = auths.GetTagValue(TAG_BOOT_PATCHLEVEL);
EXPECT_TRUE(boot_pl);
}
return auths;
}
@@ -6871,6 +6879,12 @@ int main(int argc, char** argv) {
} else {
std::cout << "NOT dumping attestations" << std::endl;
}
if (std::string(argv[i]) == "--skip_boot_pl_check") {
// Allow checks of BOOT_PATCHLEVEL to be disabled, so that the tests can
// be run in emulated environments that don't have the normal bootloader
// interactions.
aidl::android::hardware::security::keymint::test::check_boot_pl = false;
}
}
}
return RUN_ALL_TESTS();