Strongbox may not support 1024 bit key size for RSA.
So in NoUserConfirmation test updated the key size to
2048 so that the test works for both TEE and Strongbox.
Bug: 280117495
Test: run VtsAidlKeyMintTarget
Change-Id: I32bb28001aca9b69eedb1bd3d0bcff43052d06e4
Updated the BootLoaderStateTest for strongbox implementations which
do not support factory attestation.
Test: vts -m VtsAidlKeyMintTarget
Change-Id: I8fe176a18fc0b9e2b2d0b012b7b63124d15c9e2f
It's already documented that IRPC v3 doesn't make use of test mode keys
however VTS still required support for their generation. Fix this and
simplify implementation of the v3 HAL by expecting an error in all cases
that the deprecated test mode keys are seen.
IRPC v3 also fully deprecated the EEK meaning a v3 implementation must
unconditionally report CURVE_NONE for supportedEekCurve.
The VTS tests are enhanced with contextual version constants rather than
reusing constants with seemingly unrelated names.
Bug: 278013975
Test: atest VtsHalRemotelyProvisionedComponentTargetTest
Change-Id: I5709a0b1cd77eb28e677f64bb781fad58d91570a
No tests are instantiated if KeyMint is present on the the device.
Explicitly allow that.
Bug: 277975776
Test: VtsAidlKeyMintTargetTest
Change-Id: I88f1c0a81f36d198dabcb1420b62a00bacdbb6e7
Enable some tests that are bypassed on strongbox implementation.
Bug: 262255219
Test: VtsAidlKeyMintTargetTest
Change-Id: I548bddcd16c0a1ee1c1cb8266d4d99dbdff3d39b
Following feedback from partners, allow the component version in the
configuration descriptor to be either an int or a string.
Bug: 273552826
Test: n/a
Change-Id: Iecc9889592a2e634a3b9e40f14347b231b703c60
The DICE chain specification changes slightly between VSR versions so
the VSR is used to select the set of validation rules that should be
applied.
Test: TH
Change-Id: I3697279d9348705a0279736c61e8333720321214
Deprecate the CSR format from v1 and v2 of the HAL, again. The older CSR
versions were allowed in order to ease migration from the
RemoteProvisioner app over to rkpd and that has now been completed.
Bug: 260920864
Test: atest VtsHalRemotelyProvisionedComponentTargetTest
Change-Id: I4d16eb64e4ffe602b4b252159202a4ddb56d63d7
RKP allows 0 ~ 64 byte challenge to be provided.
Test it by several different size inputs.
Bug: 272392463
Test: VtsHalRemotelyProvisionedComponentTargetTest
Change-Id: I488c75745dc68778ff6d862506a5beeec82f7ac1
Detect if there is an IRemotelyProvisionedComponent for strongbox, and
if so run the associated keymint tests. Else, allow strongbox to skip
the test as it's not required to implement the IRPC HAL.
Bug: 271948302
Test: VtsAidlKeyMintTargetTest
Change-Id: Ibf98e594e725d6ad14c0ff189ab9fbcc25b51f80
Ensure that v3 HALs have exactly the expected number of entries present
when returning DeviceInfo inside of the Certificate Signing Request. Do
not allow for additional or fewer entries.
Test: atest VtsHalRemotelyProvisionedComponentTargetTest
Change-Id: I8ea628335d5eed35ca2b65e22980e13fc9806738
Some of the DeviceInfo must match existing tags in KeyMint, but this
was not documented.
Test: n/a
Change-Id: I7733e2a4b0c08b0b89ece41390c0ce0711459d82
Since comments are stripped from the stable AIDL snapshots, the CDDL
describing the DeviceInfo contents is lost for the older versions. Add
the comments from older DeviceInfo versions as a reference for
maintainers of older HAL implementations.
Test: n/a
Change-Id: I7dd3d285b3d8422a6df4228ad0cf5797e78609c1
When we split the rkp interface, we only added one hash to rkp v2, but
on Android S devices, this interface was in keymint v2, and so it used
the keymint v2 hash.
In order for that old implementation to be recognized, we need to add the hash in specifically.
Note: v1 was missed in b/264549860, but this was v2.
Fixes: 271513408
Test: vts_treble_vintf_vendor_test
Change-Id: I58c7c41633000df933261a147edd3477afd09a36
The support level for strongbox is different from the tee
implementation. Additionally, we were incorrectly checking the keymint
aidl version. KeyMint 1.0 supported ATTEST_KEY, so it's unclear why we
were ever checking for KeyMint 2.0.
Test: VtsAidlKeyMintTargetTest
Bug: 263844771
Change-Id: I750367902fec90204d71c1e158404b2421f9ad87
The DICE chain in the ProtectedData objects are evaluated against the
specification from v1 and v2 of the HAL whereas the chain in
AuthenticatedMessage objects are evaluated against the specification
from v3.
There are only small differences with v3 aligning to the standards where
there was previously more leniency.
Fix: 262599829
Test: TH
Change-Id: Ied14362b5530485eb6c2302a0ae0f21da9cdb33f
The server-provided challenge is almost always smaller than 32 bytes,
so we cannot enforce that as a minimum. I fixed up the CDDL a while
back, but missed one mention of the 32 byte minimum in the description.
Test: n/a (it's a comment)
Bug: 272392463
Change-Id: Ia5994e2b7cf107ab131c6b028bee7881d0e657ac
Put the test arm that just involves checking a property
first, so that tests which involve a round trip to the Package
Manager are only executed when they're needed.
Test: VtsAidlKeyMintTargetTest
Bug: 271026714
Change-Id: I4caad6243a3b9d511a32717fd95f58864b857eeb
In 32-bit builds a `long` may be 32 bits, but the `long` values on an
AIDL interface are 64 bits. Therefore need to use `int64_t` for the
corresponding C++ type, not `long`.
Bug: 271056044
Test: VtsAidlKeyMintTargetTest --gtest_filter="*AuthTest*" (32-b)
Change-Id: I19f5a1d825dfcc45087534bbd4239a13cdfec3f7
to not to hold the CRL Distribution Points extension in it.
Bug: 260332189
Test: atest VtsAidlKeyMintTargetTest
Change-Id: I7b191b4351984ce82db0e9440027ddbfc14b1c3a
hardware/interfaces/security/keymint/aidl/vts/performance/KeyMintBenchmark.cpp:79:26: error: reference to stack memory associated with local variable 'message' returned [-Werror,-Wreturn-stack-address]
return std::move(message);
^~~~~~~
Test: presubmit
Change-Id: I4298b4a25ccb809a7ae180bb218e673a7f1aa623
This cl removes the unused service android.hardware.security.dice
together with all its usages (all of them are tests), because the
service is incomplete and not used anywhere for now and in the
near future.
The cl also removes dice from the compat matrix.
This helps us reduce some maintainance burden for the Rust dice
wrapper libraries such as libdiced_open_dice[_nostd],
libdiced_sample_inputs, libdiced_utils and their tests.
Test: atest diced_utils_test diced_sample_inputs_test \
diced_open_dice_cbor_test \
libdiced_open_dice_nostd.integration_test \
libdiced_open_dice.integration_test diced_open_dice_cbor_test
Test: m pvmfw_img microdroid_manager
Bug: 267575445
Bug: 270511529
Change-Id: I3d2497d2e8d3f88c49cae9ae80a6b4f7b652cc4a
