The Done flag of VtsAidlKeyMintTargetTest is false during running
the module with ‘--collect-tests-only’ because it uses standard
output to print logs.
Bug: 340576534
Test: run vts -m VtsAidlKeyMintTargetTest --collect-tests-only
Change-Id: I3d81f7e59b6189fab1b146320263509f2694c11e
Signed-off-by: Huang Rui <rui1.huang@intel.com>
Signed-off-by: Liu Kai <kai1.liu@intel.com>
Make it clearer that the default implementation is non-secure in
various ways, most notably because the TA code is running in-process
in the HAL service.
Bug: 314513765
Test: VtsAidlKeyMintTargetTest
Change-Id: I83509110c32a4df8df6c0b288d14659e022442ff
Because Keystore2 always requires valid auth tokens for user keys, this
copies and extends the existing in-guest GateKeeper implementation to
negotiate a shared secret key with Keymint in order to generate a
session key for signing auth tokens.
This implementation also uses AIDL rather than HIDL to interact with the
framework. It's also packaged in an APEX.
The files are cobbled together from a few sources:
- SoftGateKeeper.h is based on hardware/interfaces/gatekeeper/1.0/software/SoftGateKeeper.h
- GateKeeper.{cpp,h} are based on device/google/cuttlefish/guest/hals/gatekeeper/remote/remote_gatekeeper.{cpp,h}
- SharedSecret.{cpp,h} are based on device/google/cuttlefish/guest/hals/keymint/remote/remote_shared_secret.{cpp,h}
- Apex files are based on device/google/cuttlefish/guest/hals/keymint/rust/
Keymint modifications to use BOOT_TIME are lifted from
https://android-review.git.corp.google.com/c/platform/hardware/interfaces/+/2856649/6..8/security/keymint/aidl/default/ta/clock.rs#38
Bug: 332376454
Change-Id: I81845d5e6370bdddb1a24d67437964e03a5fb243
Test: Run with rust-nonsecure keymint on Cuttlefish
Add test paths for HALs that are RKP-only so that they may pass tests.
Fix up a few tests that were just being skipped for RKP-only HALs.
Test: ran VTS against cuttlefish with no factory key
Bug: 329409739
Change-Id: I5400874dd2f9885c061970a30ea44985353d23ed
error: field `0` is never read
--> hardware/interfaces/security/keymint/aidl/default/main.rs:38:24
|
38 | struct HalServiceError(String);
| --------------- ^^^^^^
| |
| field in this struct
|
= note: `HalServiceError` has derived impls for the traits `Clone` and `Debug`, but these are intentionally ignored during dead code analysis
= note: `-D dead-code` implied by `-D warnings`
= help: to override `-D warnings` add `#[allow(dead_code)]`
help: consider changing the field to be of unit type to suppress this warning while preserving the field numbering, or remove the field
|
38 | struct HalServiceError(());
| ~~
error: aborting due to 1 previous err
Bug: http://b/330185853
Test: ./test_compiler.py --prebuilt-path dist/rust-dev.tar.xz --target aosp_cf_x86_64_phone --image
Change-Id: I57f3bd1d702c97929f5fd34f909aa72aa2f2ba02
This will make it easier to swap in and out with the Cuttlefish remote
implementation.
Bug: 331474817
Test: m com.android.hardware.keymint.rust_nonsecure
Change-Id: I0e9a350b62a90ef6126db109195e19b4181d0cf8
The ISharedSecret.aidl description of the pre-shared secret K
mentioned that K was set up during factory reset. While that could be
done, it is almost never done; most OEMs inject K in the factory.
Removed the reference to setup in factory reset to reduce confusion.
Test: N/A, comment-only change
Change-Id: Idbbd5a8d64197ef4713a75075a9730d06162ad05
error: field `0` is never read
--> hardware/interfaces/security/authgraph/default/src/main.rs:34:24
|
34 | struct HalServiceError(String);
| --------------- ^^^^^^
| |
| field in this struct
|
= note: `HalServiceError` has derived impls for the traits `Clone` and `Debug`, but these are intenti
onally ignored during dead code analysis
= note: `-D dead-code` implied by `-D warnings`
= help: to override `-D warnings` add `#[allow(dead_code)]`
help: consider changing the field to be of unit type to suppress this warning while preserving the field
numbering, or remove the field
|
34 | struct HalServiceError(());
| ~~
error: aborting due to 1 previous error
Test: ./build.py --lto thin
bug: http://b/330185853
Change-Id: I08b79176fb5edea9e24990e4884e521c24660d68
Bug: 324321147
Test: Manual -- trigger factory reset, confirm ISecretKeeper.deleteAll()
is being called in Trusty logs.
Change-Id: I0f033b53e83ff549f80271ba4a6ebeabac3db922
This target was using the same `.rc` as the keymint-service target,
though it had a different name.
Bug: 331474817
Test: LOCAL_KEYMINT_PRODUCT_PACKAGE=android.hardware.security.keymint-service.nonsecure m && launch_cvd --noresume --secure_hals=keymint,oemlock
Change-Id: I0f744b75e451f6780d8f6c9bddbd5ea80c579a20
If a decice provides a StrongBox KeyMint instance then the default IRPC
instance is required to use a proper, non-degenerate DICE chain.
Expose a function to check whether the CSR contains a proper DICE chain
and use that from VTS to implement the test.
Bug: 302204396
Test: atest VtsHalRemotelyProvisionedComponentTargetTest
Change-Id: I90cf070bc2279fc52e0a8e7fd0039d3fdb68c1d7
Add tests for:
- large number of session creations
- also use a bigger identity, to better simulate real use
- attempt to retrieve a secret with an incorrect identity
Test: VtsSecretkeeperTargetTest (shiba)
Bug: 327526008
Change-Id: I8dddf643d03a8fb679511564cb03c2248477c116
Only applies for devices on VSR API level 35 and above, so that existing
devices which previously passed VTS should not need to pass the new
tests.
Bug: 292534977
Test: VtsAidlKeyMintTargetTest
Change-Id: I8281c3cebf05795e3f9a1ed2b112fc149d8a104c
This is a partial revert of aosp/2856649, changeID
Ia450e9a8f2dc530f79e8d74d7ce65f7d67ea129f, because it turns out
that there are Wear devices that are using the default implementation
(but which are not covered by TreeHugger/presubmit).
It restores the C++ implementation for KeyMint as
android.hardware.security.keymint-service, but preserves the Rust
libraries that were moved here in that CL as a subsequent CL
(aosp/2852598) means that Cuttlefish now uses the libraries here.
Test: VtsAidlKeyMintTargetTest on Cuttlefish
Bug: 328251011
Bug: 314513765
Change-Id: Id6f3491144588e418cd6e18e51262fe839bfdf39
