There are a lot of upcoming requirements (see below) that place
restrictions on the CSR and the DICE chain. This is a first step to
make some of the infrastructure necessary to utilize
the already-existing functionality inside hwtrust.
Bug: 372843164
Bug: 376297620
A lot of parsing happens in `remote_prov_utils`. It would be nice to
have all parsing and validation occur in hwtrust.
Test: atest VtsHalRemotelyProvisionedComponentTargetTest
atest libkeymint_remote_prov_support_test
Change-Id: I52383c0c62a6bb73554fd0771d2e7a8b366246c0
`android.hardware.security.keymint-service.nonsecure` is part of
`com.android.hardware.keymint.rust_nonsecure` apex. However, listing
android.hardware.hardware_keystore.xml in `required` of the binary
installs two copies of this permission file on device - one inside the
apex, and another it the /vendor/etc/permission (outside the apex).
With this CL, the latter will no longer be installed. This CL is
motivated by having the vendor.img building with soong as part of mk->bp
migration.
Test: m com.android.hardware.keymint.rust_nonsecure
Test: deapexer list
out/target/product/vsoc_x86_64/vendor/apex/com.android.hardware.keymint.rust_nonsecure.apex
# verified that etc/permissions/android.hardware.hardware_keystore.xml
is present
Bug: 374371755
Bug: 376110962
Change-Id: I15ba92c81296f869277940767ff3a76c28214c18
key_transform field not being reset during DeleteKey() causing
keygen test to skip the key generation.
Bug: 375151780
Test: VtsAidlKeyMintBenchmarkTest
Change-Id: I10428dc9f84831a44917fb180d16bb97e2db2257
Revert submission 3312283-2024-10-18-schuffelen-sepolicy
Reason for revert: Droidmonitor created revert due to b/375059051. Will be verifying through ABTD before submission.
Reverted changes: /q/submissionid:3312283-2024-10-18-schuffelen-sepolicy
Change-Id: Icebd34eb9e2941a6480d9943986a104cc5249729
add a flag to verifyFactoryCsr that enforces the presence
of UDS certs in the presented CSR
Bug: 366147625
Test: m rkp_factory_extraction_tool
Test: m librkp_factory_extraction_test
Test: m libkeymint_remote_prov_support_test
Test: atest system/security/provisioner
Test: atest hardware/interfaces/security/keymint/support
Change-Id: I1b6c85b858d76b1ea418400342c89553cbd4bc1d
This cl adds verifications to the IRPC VTS to check that:
- RKP VM DICE chains have a continuous presence of RKP VM markers
till the last DICE certificate.
- Non-RKP VM DICE chains do not have such continuous presence of
RKP VM markers.
Test: atest VtsHalRemotelyProvisionedComponentTargetTest
Test: atest libkeymint_remote_prov_support_test
Bug: 314128697
Change-Id: Ib966b4bd584f1f931b7f19b4b58a1a37b5266f5e
Summary: This seems to be not implicit when building vendor, so it's now necessary to explicitly include.
Test: Succesful build on master
Change-Id: Ie9720a3ae4c9f94210bc34c60d14756c7d0cf56f
Signed-off-by: Abdelrahman Daim <adaim@meta.com>
This is to prepare for enforcing a requirement of always having frozen
specified.
Test: m
Bug: 366292468
Change-Id: I2f26eb96a3a5a4ac279f665b9866bbfddbd8c496
Cleaning up the OWNERS file for those who are no longer on the team.
Test: The ghost of trong@'s account cannot approve changes in this
repository
Change-Id: Ib777c16b53691f82de5bea33bd3cc363a8720982
Change-Id: I6c2bcdbfc6177b5d8e9416a5b93edf7e5e8a2b5b
The UDS_pub is supposed to be the first element of DiceCertChain
according to generateCertificateRequestV2.cddl.
Bug: 365711214
Test: rkp_factory_extraction_tool
Change-Id: I454a99058d92ce9743810a9334c7ccacccc694e0
Revert submission 3254876-disallow_degenerate_chains
Reason for revert: Droidmonitor created revert due to b/365592588.
Reverted changes: /q/submissionid:3254876-disallow_degenerate_chains
Change-Id: I31f78d6c708f34f0a6fe9f54daef82981a91ac8f
Bug: 323246910
Test: atest libkeymint_remote_prov_support_test & manual testing of
`rkp_factory_extraction_tool` with/without `allow_degenerate=false` on a
device with a degenerate DICE chain
Change-Id: Ia1833c0bb6a895ae5b8aefea24850a41cf956f38
Previous commit was reverted as it removed wifi vintf fragment from
devices, which was caused by 'no_full_install' property from
vintf_fragment module. This change relands the change, with removing
no_full_install property from the vintf_fragment module
Bug: 322089980
Test: aosp_cf_x86_64_phone build succeeded
Test: mokey_go32 build contains
/vendor/etc/vintf/manifest/android.hardware.wifi.supplicant.xml file
Change-Id: I523ce570068b180805b65f984a0d6def0612db87
This reverts commit cf0a2dd5b0.
Reason for revert: b/363215494, breaks WiFi for at least some devices
Change-Id: I5137957087dde51c0049416404f410f53dd912f3
