Commit Graph

49 Commits

Author SHA1 Message Date
Shikha Panwar
578eae1d52 Merge "Vts: New dice_policy_builder api with TargetEntry." into main am: adad97cb79
Original change: https://android-review.googlesource.com/c/platform/hardware/interfaces/+/3127995

Change-Id: If79596e0661aad7485ce3dee42f7f5067d94c83b
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2024-06-14 08:59:55 +00:00
Shikha Panwar
d530f7e39b Vts: New dice_policy_builder api with TargetEntry.
The policy building library changes in aosp/3125493, accordingly change
the function call. This does not change the behaviour or test coverage
of VTS.

Test: atest VtsSecretkeeperTargetTest
Bug: 291245237
Change-Id: I21a7b0abe5bf186893ec9a68bb080b41778d3313
2024-06-13 14:55:51 +00:00
Xin Li
64e598ce2b Merge Android 24Q2 Release (ab/11526283) to aosp-main-future
Bug: 337098550
Merged-In: I53a278f1317f5307441103dc42dc5be6f20d7075
Change-Id: I3a53ebf7339cdb886d3c1b733b8eee1847f8832a
2024-05-24 08:28:04 -07:00
Nikolay Elenkov
6e71b471a9 Merge "Enable Java backend for ISecretKeeper" into main 2024-04-09 01:59:35 +00:00
Nikolay Elenkov
03cf716392 Enable Java backend for ISecretKeeper
Bug: 324321147
Test: Manual -- trigger factory reset, confirm ISecretKeeper.deleteAll()
is being called in Trusty logs.

Change-Id: I0f033b53e83ff549f80271ba4a6ebeabac3db922
2024-03-27 06:51:05 +00:00
David Drysdale
5f4493d75b Secretkeeper: more VTS tests
Add tests for:
- large number of session creations
  - also use a bigger identity, to better simulate real use
- attempt to retrieve a secret with an incorrect identity

Test: VtsSecretkeeperTargetTest (shiba)
Bug: 327526008
Change-Id: I8dddf643d03a8fb679511564cb03c2248477c116
2024-03-14 15:00:37 +00:00
Devin Moore
9eec1433fa Merge "Vendor API level 202404 is now frozen" into main 2024-02-29 17:14:40 +00:00
Shikha Panwar
0d286b3867 Sk VTS: Identity of Secretkeeper is same as in DT
Secretkeeper is expected to advertise its public key to Android via
Device tree node at /avf/reference/avf/ Check that the identity used
during AuthGraph key exchange protocol with client is indeed this.

Test: #secretkeeper_check_identity on device with Sk/default instance
enabled
Bug: 291213394

Change-Id: I08815d75410fdd0c76d675c7cc9521abe0cda98b
2024-02-22 22:06:20 +00:00
Devin Moore
a8efdb127e Vendor API level 202404 is now frozen
Ignore-AOSP-First: VINTF 202404 Finalization
Bug: 279809333
Test: build
Change-Id: Ie6d38d27a287e258c30516e0030ad8c931d06432
2024-02-20 21:05:23 +00:00
Aditya Choudhary
ad2ba1b851 [DON'T BLOCK] Test ownership migration rules
This CL is created as a best effort to migrate test targets
to the new android ownership model. If you find incorrect or unnecessary
attribution in this CL, please create a separate CL to fix that.

For more details please refer to the link below,
go/new-android-ownership-model

Bug: 304529413
Test: N/A
Change-Id: Ic8c4bd6ac246e7efa98bbdaf822d12ae8e1230a5
2024-02-05 15:45:22 +00:00
Treehugger Robot
17aa36a60d Merge "Replace use of deprecated logging functions" into main 2024-02-01 17:36:36 +00:00
Shikha Panwar
36e66b72fe Merge "Expand DICE chain in VTS/test to contain arrays" into main 2024-02-01 16:06:36 +00:00
Shikha Panwar
9e15e5e01e Expand DICE chain in VTS/test to contain arrays
Include a list of subcomponents in AVB DiceChainEntry in the sample DICE
chain and include constraints on that in the sealing_policy.

Bug: 291238565
Test: VTS#secret_management_policy_gate
Change-Id: Id36ddf137bacf99c273b61c3136691426f2d5b34
2024-02-01 13:15:36 +00:00
Jeff Vander Stoep
e8934d0991 Replace use of deprecated logging functions
This is needed to upgrade the android_logger crate from 0.12.0
to 0.13.3.

with_max_level provides the same functionality as with_min_level.
The renaming is admittedly confusing, but the new name is accurate
and it makes sense that they deprecated and then removed the
previously poorly named with_min_level.

See crate documentation [1] and code [2].

[1]: https://docs.rs/android_logger/0.12.0/android_logger/struct.Config.html#method.with_min_level
[2]: https://docs.rs/android_logger/0.12.0/src/android_logger/lib.rs.html#227

Bug: 322718401
Test: build and run CF with the change.
Test: m aosp_cf_x86_64_phone
Change-Id: I0ca9596433967be70e9d55acb6cfbf9322741bf8
2024-01-31 10:49:31 +01:00
David Drysdale
c97055b9b6 Merge "Secretkeeper: test sealing policy update" into main 2024-01-30 07:46:46 +00:00
David Drysdale
5498cfa85a Secretkeeper: test sealing policy update
Test: VtsSecretkeeperTargetTest
Change-Id: Ib1d60dc2f80aa8b02011506af7e5c310ad92573a
2024-01-29 17:29:04 +00:00
Shikha Panwar
9eab79b8c9 Sk VTS: Use libdice_policy_builder
With libdice_policy being refactored, get VTS to use the builder
library.

Test: Built the test-suite
Bug: 291238565
Change-Id: I149ec1ba9ee66fd19cbf0d0a6f3baa12ea2474ed
2024-01-24 11:24:05 +00:00
David Drysdale
b95093d640 Secretkeeper: add test CLI
Allows testing of secret persistence across reboot (and non-persistence
across factory reset).

Move some test code into a library for re-use.

Test: Manual
Change-Id: I23772692d2de652f6d4a8e5659186bd9c1c06b72
2024-01-17 10:44:19 +00:00
Andrew Walbran
48391231a2 Import macros via rdroidtest for consistency.
This is what we recommend in the documentation.

Test: atest VtsSecretkeeperTargetTest
Change-Id: I9155e8b0f8c58547cb63dd40cdbf9e2e39648d9c
2024-01-16 16:48:31 +00:00
Shikha Panwar
84187967cb VTS to use enum for MissingAction
ConstraintSpec constructor will take enum instead of boolean for missing
action.

Test: atest VtsSecretkeeperTargetTest
Bug: 291213394
Change-Id: I55fb0d8ef1fccca5feedf1fd368854ffb7eafaaf
2024-01-15 13:04:35 +00:00
Shikha Panwar
8a3a29dd5a Sk VTS: Policy gating & Out of Seq req rejection
1. Add a test to check Access control in Secretkeeper HAL: Construct
   dice chains with different security version and check that the secret
   is accessible with upgraded dice chain && DicePolicyError is thrown
   when the access is requested using a dice chain with lower security
   version.

2. Re-enable test #replay_protection_out_of_seq_req_not_accepted - This
   was disabled because the method would not panic when run on
   devices without Sk HAL, causing test failure. Refactor the test to
   check the error instead of unwrapping.

Many methods of SkClient struct are refactored to return Error (also
introduced in this patch) instead of panicking on error.

Test: atest VtsSecretkeeperTargetTest
Bug: 291224769
Bug: 317416663
Change-Id: I646783e034064f81625a978a2bcacf143ff60c87
2024-01-12 09:51:08 +00:00
Shikha Panwar
7c53bb3144 Secretkeeper: VTS to use dice_chain as identity
VTS (being the client of Sk) will use dice_chain as the identity.
Consequently we can use the sealing policy constructed out of this
identity & no more need to use HYPOTHETICAL_DICE_POLICY hack.

For sample identity, we create dice_sample module which constructs an
example dice chain (in Explicit key chain format), along with secrets.

Test: Secretkeeper VTS
Bug: 291224769
Change-Id: Ia1d1a92391d3ee455bf9fe254770b4a9bd08cb12
2024-01-11 09:01:51 +00:00
Shikha Panwar
1eae7abfaa VTS: Use encoding of policy on explicit key dice
As we make Dice policy work with explicit key format of dice chain, the
hard coded policy needs to change to be compatible with hard coded
explicit key chain in the TA.

Test: VTS
Bug: 291213394
Change-Id: Ib3740d8f12f0a5f4e680bd215170bc96596fbe06
2024-01-10 15:59:42 +00:00
David Drysdale
388597703e Secretkeeper: use Ed25519 identity key
Test: VtsSecretkeeperTargetTest
Change-Id: I27aebb8913c34f043b7ccc7b6e23969377313e1e
2024-01-09 17:52:15 +00:00
David Drysdale
099c876e9c Secretkeeper: move VTS to rdroidtest
Use rdroidtest for running tests as it now supports parameterized
tests (aosp/2885268) and has an attribute macro (aosp/2890086).

Also rustfmt.

Test: VtsSecretkeeperTargetTest
Change-Id: I9570a7f33a6ff7dbf7cb7238fa3770dedb990e8c
2024-01-08 15:17:48 +00:00
Treehugger Robot
78b266ba5a Merge "Secretkeeper: Disable a replay protection VTS" into main 2023-12-22 11:46:34 +00:00
Shikha Panwar
ebeaa36f43 Secretkeeper: Disable a replay protection VTS
This test does not account for potentially missing Sk HAL. Ideally, the
test should pass on those devices too (since Sk is an optional HAL at
the moment).

This test uses should_panic expecting the client code to panic on
processing the message, but that code is never executed because the
backend is not present & the method doesn't panic & the test fails.

As a mitigation, #ignore the test.

Bug: 317416663
Test: VTS show "IGNORED"

Change-Id: I2f1bb45361943f22d8cadc929059c65cb3120f3f
2023-12-22 10:51:08 +00:00
Shikha Panwar
5f20ea7b01 Merge "Secretkeeper: Use byte[64] as SecretId" into main 2023-12-22 10:04:46 +00:00
Shikha Panwar
3526efd027 Secretkeeper: Use byte[64] as SecretId
SecretId is a parameter in deleteIds() method, which will be invoked by
host (Android). Restrict the size to 64 bytes to avoid unnecessarily
large bytes making it to HAL & TA.

Test: atest VtsSecretkeeperTargetTest
Bug: 317374882
Change-Id: Ieb34fee4efd11636bee133fe9132c1d739d08a1c
2023-12-21 19:47:54 +00:00
Shikha Panwar
99cf847175 Merge "Clarify Secretkeeper comments" into main 2023-12-20 18:38:51 +00:00
Alan Stokes
45d1faaea8 Clarify Secretkeeper comments
Various small wording changes to attempt to clarify some of the
details of the Secretkeeper API.

While I'm here: fix error code naming inconsistency.

Bug: 291224769
Test: N/A
Change-Id: I956b549bc5bf4d2b964dde9867430cb4778e445b
2023-12-20 17:46:14 +00:00
Shikha Panwar
3d33a135ad Secretkeeper/VTS: Per-connection replay protection
Add test coverage for replay protection in Secretkeeper. Test that:
1. Sk implementation encrypts/decrypts messages using correct
sequence_numbers.
2. Out of order messages are not accepted.
3. The sequence numbers are per-connection, i.e. a new SeqNum is used for a
   fresh connection.

Also, refactor code. SeqNumbers are maintained by
libsecretkeeper_client. Have sk_client use a handle to SkSession for
SecretManagement requests. Replay protection tests however require more
fine grained control of SeqNums. For these we have introduced
`secret_management_request_custom_aad()` method.

Bug: 316126411
Test: atest VtsSecretkeeperTargetTest
Change-Id: I385856c04e185d2b300d59a1b54cb8f09cbf836f
2023-12-20 14:41:09 +00:00
Shikha Panwar
73f66600e9 Add SeqNum as the external_aad in CryptoPayload
Introduce sequence number in Secretkeeper packets to prevent replay of
packets with a session.

Bug: 316126411
Test: VTS
Change-Id: I20a5d8489e988bdcbe9058495ab56ed18a07b946
2023-12-20 14:41:09 +00:00
David Drysdale
0bd88b03b3 Secretkeeper VTS: check for declared instances
Calling binder::get_interface(name) for a name that isn't declared may
take multiple seconds before failing.  Restrict to looking for instance
names that are declared.

Also add a rustfmt.toml file, copied from system/secretkeeper/

Bug: 291228655
Test: VtsSecretkeeperTargetTest on Cuttlefish and Pixel8
Change-Id: I9972bc782fe99f5dc5c2dc3b74fa12a0e000ea6c
2023-12-19 15:14:52 +00:00
David Drysdale
c3aa44207f secretkeeper: add fuzzer
Move nonsecure implementation code out of main.rs and into a new
secretkeeper_nonsecure library, to allow re-use in both the nonsecure
service and the new fuzzer.

The fuzzer drops the `LocalTa` instance on each input, so adjust the
error path to cope with this happening (the channels will fail).

Test: build, fuzz
Bug: 291228655
Change-Id: Ibe2ca5db9a9c8eed129ac5a90de85b933ab256a0
2023-12-18 17:31:58 +00:00
David Drysdale
38174301c6 Secretkeeper: improve VTS tests
- Look for either /default or /nonsecure instances.
- Only run a `deleteAll()` test on a /nonsecure instance.
- Delete IDs on client drop to ensure a consistent state.
- Use a config that ensures tests are run single-threaded, to ensure a
  consistent state.
- Shift to using types not raw arrays.
- Add a macro for common test setup.
- Add helper methods to reduce the amount of copy-pasta in the VTS
  tests.
- Use these helpers to create some additional tests.

Test: VtsSecretkeeperTargetTest
Bug: 291224769
Change-Id: Icff0bba1bcdd66b18398ed4b64ebd2c6bc0de7e7
2023-12-13 13:12:28 +00:00
David Drysdale
1357b92dbc [Secretkeeper] Add maintenance methods
Also move error codes from separate `ErrorCode.aidl` file to be inline
ERROR_ constants instead.

Bug: 291224769
Test: VtsSecretkeeperTargetTest
Change-Id: I1b0f3f3b5a7c5e891da3022444bf6c7925850550
2023-12-13 13:08:10 +00:00
David Drysdale
bef8d3ae89 Secretkeeper: add message encryption
All request messages are encrypted, but response messages have an outer
unencrypted layer, with an inner response (and the result values inside
that).

Make the SecretManagement.cddl file clearer to reflect that, and make
the schema valid along the way.

Move the outer (unencrypted) error code values into `ErrorCode.aidl` and
use them as service-specific error codes, thus reducing the number of
error types from 3 to 2.

Bug: 291228560
Test: VtsSecretkeeperTargetTest
Test: validate CDDL with https://atacama.informatik.uni-bremen.de/
Change-Id: I46c5bfd7e40b03919d7d3779b265b3bb3ff1ce1e
2023-12-12 16:03:04 +00:00
Shikha Panwar
cbad9a37d3 Test store & get Secret functionality
Test Store/Get api of SecretManagement HAL. We use a hard coded
hypothetical chain & a dice policy (which the dice chain matches
against) for testing the store/get functionality.

This patch also adds required error codes in SecretManagement.cddl

Bug: 291224769
Test: atest VtsSecretkeeperTargetTest
Change-Id: I0aa2dfc7413791e9de62a6e753bda4ab2f813d2c
2023-12-12 14:24:14 +00:00
Shikha Panwar
2759df0d3c [Secretkeeper] In-memory KeyValueStore
We introduce InMemoryStore, an implementation of KeyValueStore trait.
This can be used for implementing backends that VTS can run against.

Bug: 291224769
Test: atest VtsSecretkeeperTargetTest
Change-Id: Id109ee3bd38ec0979953b6285019c97d418172ef
2023-12-12 14:24:14 +00:00
Treehugger Robot
05585eb79a Merge "Replace secretkeeper_comm_nostd->secretkeeper_core_nostd" into main 2023-12-08 17:17:43 +00:00
Shikha Panwar
5afbeec13d Create OWNERS file for secretkeeper interface
Bug: 291224769
Test: N/A
Change-Id: I650d4e640522876f79ea583cbbddd159776c8955
2023-12-08 15:16:41 +00:00
Shikha Panwar
3f136b2914 Replace secretkeeper_comm_nostd->secretkeeper_core_nostd
Moving SecretkeeperTa struct to secretkeeper_core

Bug: 291224769
Test: Builds
Change-Id: I6f1a7ef08580e2c9383abcb88997a8eb11c6b14a
2023-12-08 13:51:51 +00:00
Shikha Panwar
72e99b7604 Secretkeeper VTS: Use trait CborSerializable
With Request/Response packets impl CborSerializable. Use the methods
from those.

Test: atest libsecretkeeper_comm_nostd
Bug: 291228655
Change-Id: Ib0daf9c0aa3417befedbc130725fb3445b327079
2023-12-08 11:37:59 +00:00
David Drysdale
8898d2ec57 Secretkeeper: add AuthGraph key exchange
Add `ISecretkeeper::getAuthGraphKe()` method to the Secretkeeper HAL.

Align the AIDL targets between AuthGraph and Secretkeeper, and add
some defaults that automatically link to the current version of the
Secretkeeper AIDL targets.

Move the non-secure implementation of AuthGraph to run the TA in a
separate thread.

Alter the nonsecure implementation of Secretkeeper so that it no longer
directly implements Secretkeeper functionality, but instead re-uses
common code from the Secretkeeper reference implementation.  This
involves re-using the common implementation of the HAL service (from
`authgraph_hal`), but also involves using the reference implementation
of the TA code that would normally run in a separate secure
environment.  The latter code expects to run in a single-threaded
environment, so run it in a single local thread.

Note that the negotiated session keys emitted by AuthGraph are not yet
used by Secretkeeper (coming in a subsequent CL).

Extend the Secretkeeper VTS tests to invoke the AuthGraph VTS inner
tests on the returned IAuthGraphKeyExchange instance, exercising the
instance as an AuthGraph sink.

Bug: 291228560
Test: VtsSecretkeeperTargetTest
Change-Id: Ia2c97976edc4530b2c902d95a74f3c340d342174
2023-12-06 06:50:19 +00:00
Jooyung Han
bc19229812 Create secretkeeper HAL APEX
Bug: 276190333
Test: VtsSecretkeeperTargetTest
Change-Id: Ia932b8eaaccf806d7fbfd764db2922a5ff1a9a1b
2023-11-29 14:27:07 +09:00
Shikha Panwar
a6eaf55d7d VTS test for ISecretkeeper
Add VTS for testing ISecretkeeper implementation. At present, VTS is
limited to testing GetVersion operation of SecretManagement.

Test: atest VtsSecretkeeperTargetTest
Bug: 291224769
Change-Id: I6084af2fa6cb578e27996e26a0505b267a10b4ef
2023-11-21 12:00:49 +00:00
Shikha Panwar
eb223ba883 Secretkeeper implementation: in-HAL/nonsecure impl
Create the default/reference implementation of Secretkeeper HAL. Status
quo, this is a non-secure implementation. In reality, the HAL should be
backed by a privileged component such as a trusted app.

Bug: 291224769
Test: Topic includes VTS
Change-Id: I6a4ad50482d537f5438de6201275f4020cd827df
2023-11-17 18:21:35 +00:00
Shikha Panwar
18cafa0a11 Introduce Secretkeeper HAL interface
Secretkeeper is a privileged component which seals the secrets of pVM
instances & releases them on successful authentication of the pVM.

The HAL should be backed by a secure TA of higher privilege than a pVM.

This patch introduces a subset of HAL spec - the SecretManagement api. The
protocol is cbor based (specified in SecretManagement.cddl).

Test: atest VtsSecretkeeperTargetTest
Bug: 293429085
Change-Id: I8e650f27d506d378a94bbc8834c68a005fb12253
2023-11-17 18:17:24 +00:00