diff --git a/security/keymint/aidl/vts/functional/KeyMintAidlTestBase.cpp b/security/keymint/aidl/vts/functional/KeyMintAidlTestBase.cpp index 822770d155..d3f6ae393e 100644 --- a/security/keymint/aidl/vts/functional/KeyMintAidlTestBase.cpp +++ b/security/keymint/aidl/vts/functional/KeyMintAidlTestBase.cpp @@ -1792,6 +1792,12 @@ void verify_root_of_trust(const vector& verified_boot_key, bool device_ std::string empty_boot_key(32, '\0'); std::string verified_boot_key_str((const char*)verified_boot_key.data(), verified_boot_key.size()); + if (get_vsr_api_level() >= __ANDROID_API_V__) { + // The attestation should contain the SHA-256 hash of the verified boot + // key. However, this was not checked for earlier versions of the KeyMint + // HAL so only be strict for VSR-V and above. + EXPECT_LE(verified_boot_key.size(), 32); + } EXPECT_NE(property_get("ro.boot.verifiedbootstate", property_value, ""), 0); if (!strcmp(property_value, "green")) { EXPECT_EQ(verified_boot_state, VerifiedBoot::VERIFIED); diff --git a/security/keymint/aidl/vts/functional/SecureElementProvisioningTest.cpp b/security/keymint/aidl/vts/functional/SecureElementProvisioningTest.cpp index c9a156d3e6..9f7322ac93 100644 --- a/security/keymint/aidl/vts/functional/SecureElementProvisioningTest.cpp +++ b/security/keymint/aidl/vts/functional/SecureElementProvisioningTest.cpp @@ -114,6 +114,12 @@ class SecureElementProvisioningTest : public testing::Test { const auto& vbKey = rot->asArray()->get(pos++); ASSERT_TRUE(vbKey); ASSERT_TRUE(vbKey->asBstr()); + if (get_vsr_api_level() >= __ANDROID_API_V__) { + // The attestation should contain the SHA-256 hash of the verified boot + // key. However, this not was checked for earlier versions of the KeyMint + // HAL so only be strict for VSR-V and above. + ASSERT_LE(vbKey->asBstr()->value().size(), 32); + } const auto& deviceLocked = rot->asArray()->get(pos++); ASSERT_TRUE(deviceLocked);