authorTreehugger Robot2018-08-29 03:06:38 -0500
committerGerrit Code Review2018-08-29 03:06:38 -0500
commite101aa87a389fbe45df67ed727a564d6d337fa6c (patch)
tree0e0551125bc54e3473a26aced6dccfe2d7424b31
parent33f79706723b3ca28d3656697de3ef3d4624eff4 (diff)
parent8414fb8556182a9f03cd230b30258453614a9541 (diff)
Merge changes Ic41afbd0,Ibe264d08 into pie-vts-dev
* changes: keymaster: spec does not require that update produce output Fix attestation test.
-rw-r--r--keymaster/4.0/support/attestation_record.cpp29
-rw-r--r--keymaster/4.0/support/include/keymasterV4_0/key_param_output.h4
-rw-r--r--keymaster/4.0/support/include/keymasterV4_0/keymaster_tags.h6
-rw-r--r--keymaster/4.0/vts/functional/VerificationTokenTest.cpp5
-rw-r--r--keymaster/4.0/vts/functional/keymaster_hidl_hal_test.cpp54
5 files changed, 63 insertions, 35 deletions
diff --git a/keymaster/4.0/support/attestation_record.cpp b/keymaster/4.0/support/attestation_record.cpp
index 8f37d9c8..6de0c1c6 100644
--- a/keymaster/4.0/support/attestation_record.cpp
+++ b/keymaster/4.0/support/attestation_record.cpp
@@ -49,12 +49,14 @@ typedef struct km_root_of_trust {
49 ASN1_OCTET_STRING* verified_boot_key; 49 ASN1_OCTET_STRING* verified_boot_key;
50 ASN1_BOOLEAN* device_locked; 50 ASN1_BOOLEAN* device_locked;
51 ASN1_ENUMERATED* verified_boot_state; 51 ASN1_ENUMERATED* verified_boot_state;
52 ASN1_OCTET_STRING* verified_boot_hash;
52} KM_ROOT_OF_TRUST; 53} KM_ROOT_OF_TRUST;
53 54
54ASN1_SEQUENCE(KM_ROOT_OF_TRUST) = { 55ASN1_SEQUENCE(KM_ROOT_OF_TRUST) = {
55 ASN1_SIMPLE(KM_ROOT_OF_TRUST, verified_boot_key, ASN1_OCTET_STRING), 56 ASN1_SIMPLE(KM_ROOT_OF_TRUST, verified_boot_key, ASN1_OCTET_STRING),
56 ASN1_SIMPLE(KM_ROOT_OF_TRUST, device_locked, ASN1_BOOLEAN), 57 ASN1_SIMPLE(KM_ROOT_OF_TRUST, device_locked, ASN1_BOOLEAN),
57 ASN1_SIMPLE(KM_ROOT_OF_TRUST, verified_boot_state, ASN1_ENUMERATED), 58 ASN1_SIMPLE(KM_ROOT_OF_TRUST, verified_boot_state, ASN1_ENUMERATED),
59 ASN1_SIMPLE(KM_ROOT_OF_TRUST, verified_boot_hash, ASN1_OCTET_STRING),
58} ASN1_SEQUENCE_END(KM_ROOT_OF_TRUST); 60} ASN1_SEQUENCE_END(KM_ROOT_OF_TRUST);
59IMPLEMENT_ASN1_FUNCTIONS(KM_ROOT_OF_TRUST); 61IMPLEMENT_ASN1_FUNCTIONS(KM_ROOT_OF_TRUST);
60 62
@@ -77,11 +79,16 @@ typedef struct km_auth_list {
77 ASN1_OCTET_STRING* application_id; 79 ASN1_OCTET_STRING* application_id;
78 ASN1_INTEGER* creation_date_time; 80 ASN1_INTEGER* creation_date_time;
79 ASN1_INTEGER* origin; 81 ASN1_INTEGER* origin;
80 ASN1_NULL* rollback_resistant; 82 ASN1_NULL* rollback_resistance;
81 KM_ROOT_OF_TRUST* root_of_trust; 83 KM_ROOT_OF_TRUST* root_of_trust;
82 ASN1_INTEGER* os_version; 84 ASN1_INTEGER* os_version;
83 ASN1_INTEGER* os_patchlevel; 85 ASN1_INTEGER* os_patchlevel;
84 ASN1_OCTET_STRING* attestation_application_id; 86 ASN1_OCTET_STRING* attestation_application_id;
87 ASN1_NULL* trusted_user_presence_required;
88 ASN1_NULL* trusted_confirmation_required;
89 ASN1_NULL* unlocked_device_required;
90 ASN1_INTEGER* vendor_patchlevel;
91 ASN1_INTEGER* boot_patchlevel;
85} KM_AUTH_LIST; 92} KM_AUTH_LIST;
86 93
87ASN1_SEQUENCE(KM_AUTH_LIST) = { 94ASN1_SEQUENCE(KM_AUTH_LIST) = {
@@ -93,6 +100,7 @@ ASN1_SEQUENCE(KM_AUTH_LIST) = {
93 ASN1_EXP_OPT(KM_AUTH_LIST, ec_curve, ASN1_INTEGER, TAG_EC_CURVE.maskedTag()), 100 ASN1_EXP_OPT(KM_AUTH_LIST, ec_curve, ASN1_INTEGER, TAG_EC_CURVE.maskedTag()),
94 ASN1_EXP_OPT(KM_AUTH_LIST, rsa_public_exponent, ASN1_INTEGER, 101 ASN1_EXP_OPT(KM_AUTH_LIST, rsa_public_exponent, ASN1_INTEGER,
95 TAG_RSA_PUBLIC_EXPONENT.maskedTag()), 102 TAG_RSA_PUBLIC_EXPONENT.maskedTag()),
103 ASN1_EXP_OPT(KM_AUTH_LIST, rollback_resistance, ASN1_NULL, TAG_ROLLBACK_RESISTANCE.maskedTag()),
96 ASN1_EXP_OPT(KM_AUTH_LIST, active_date_time, ASN1_INTEGER, TAG_ACTIVE_DATETIME.maskedTag()), 104 ASN1_EXP_OPT(KM_AUTH_LIST, active_date_time, ASN1_INTEGER, TAG_ACTIVE_DATETIME.maskedTag()),
97 ASN1_EXP_OPT(KM_AUTH_LIST, origination_expire_date_time, ASN1_INTEGER, 105 ASN1_EXP_OPT(KM_AUTH_LIST, origination_expire_date_time, ASN1_INTEGER,
98 TAG_ORIGINATION_EXPIRE_DATETIME.maskedTag()), 106 TAG_ORIGINATION_EXPIRE_DATETIME.maskedTag()),
@@ -102,13 +110,19 @@ ASN1_SEQUENCE(KM_AUTH_LIST) = {
102 ASN1_EXP_OPT(KM_AUTH_LIST, user_auth_type, ASN1_INTEGER, TAG_USER_AUTH_TYPE.maskedTag()), 110 ASN1_EXP_OPT(KM_AUTH_LIST, user_auth_type, ASN1_INTEGER, TAG_USER_AUTH_TYPE.maskedTag()),
103 ASN1_EXP_OPT(KM_AUTH_LIST, auth_timeout, ASN1_INTEGER, TAG_AUTH_TIMEOUT.maskedTag()), 111 ASN1_EXP_OPT(KM_AUTH_LIST, auth_timeout, ASN1_INTEGER, TAG_AUTH_TIMEOUT.maskedTag()),
104 ASN1_EXP_OPT(KM_AUTH_LIST, allow_while_on_body, ASN1_NULL, TAG_ALLOW_WHILE_ON_BODY.maskedTag()), 112 ASN1_EXP_OPT(KM_AUTH_LIST, allow_while_on_body, ASN1_NULL, TAG_ALLOW_WHILE_ON_BODY.maskedTag()),
105 ASN1_EXP_OPT(KM_AUTH_LIST, application_id, ASN1_OCTET_STRING, TAG_APPLICATION_ID.maskedTag()), 113 ASN1_EXP_OPT(KM_AUTH_LIST, trusted_user_presence_required, ASN1_NULL,
114 TAG_TRUSTED_USER_PRESENCE_REQUIRED.maskedTag()),
115 ASN1_EXP_OPT(KM_AUTH_LIST, trusted_confirmation_required, ASN1_NULL,
116 TAG_TRUSTED_CONFIRMATION_REQUIRED.maskedTag()),
117 ASN1_EXP_OPT(KM_AUTH_LIST, unlocked_device_required, ASN1_NULL,
118 TAG_UNLOCKED_DEVICE_REQUIRED.maskedTag()),
106 ASN1_EXP_OPT(KM_AUTH_LIST, creation_date_time, ASN1_INTEGER, TAG_CREATION_DATETIME.maskedTag()), 119 ASN1_EXP_OPT(KM_AUTH_LIST, creation_date_time, ASN1_INTEGER, TAG_CREATION_DATETIME.maskedTag()),
107 ASN1_EXP_OPT(KM_AUTH_LIST, origin, ASN1_INTEGER, TAG_ORIGIN.maskedTag()), 120 ASN1_EXP_OPT(KM_AUTH_LIST, origin, ASN1_INTEGER, TAG_ORIGIN.maskedTag()),
108 ASN1_EXP_OPT(KM_AUTH_LIST, rollback_resistant, ASN1_NULL, TAG_ROLLBACK_RESISTANCE.maskedTag()),
109 ASN1_EXP_OPT(KM_AUTH_LIST, root_of_trust, KM_ROOT_OF_TRUST, TAG_ROOT_OF_TRUST.maskedTag()), 121 ASN1_EXP_OPT(KM_AUTH_LIST, root_of_trust, KM_ROOT_OF_TRUST, TAG_ROOT_OF_TRUST.maskedTag()),
110 ASN1_EXP_OPT(KM_AUTH_LIST, os_version, ASN1_INTEGER, TAG_OS_VERSION.maskedTag()), 122 ASN1_EXP_OPT(KM_AUTH_LIST, os_version, ASN1_INTEGER, TAG_OS_VERSION.maskedTag()),
111 ASN1_EXP_OPT(KM_AUTH_LIST, os_patchlevel, ASN1_INTEGER, TAG_OS_PATCHLEVEL.maskedTag()), 123 ASN1_EXP_OPT(KM_AUTH_LIST, os_patchlevel, ASN1_INTEGER, TAG_OS_PATCHLEVEL.maskedTag()),
124 ASN1_EXP_OPT(KM_AUTH_LIST, vendor_patchlevel, ASN1_INTEGER, TAG_VENDOR_PATCHLEVEL.maskedTag()),
125 ASN1_EXP_OPT(KM_AUTH_LIST, boot_patchlevel, ASN1_INTEGER, TAG_BOOT_PATCHLEVEL.maskedTag()),
112 ASN1_EXP_OPT(KM_AUTH_LIST, attestation_application_id, ASN1_OCTET_STRING, 126 ASN1_EXP_OPT(KM_AUTH_LIST, attestation_application_id, ASN1_OCTET_STRING,
113 TAG_ATTESTATION_APPLICATION_ID.maskedTag()), 127 TAG_ATTESTATION_APPLICATION_ID.maskedTag()),
114} ASN1_SEQUENCE_END(KM_AUTH_LIST); 128} ASN1_SEQUENCE_END(KM_AUTH_LIST);
@@ -237,11 +251,18 @@ static ErrorCode extract_auth_list(const KM_AUTH_LIST* record, AuthorizationSet*
237 copyAuthTag(record->os_version, TAG_OS_VERSION, auth_list); 251 copyAuthTag(record->os_version, TAG_OS_VERSION, auth_list);
238 copyAuthTag(record->padding, TAG_PADDING, auth_list); 252 copyAuthTag(record->padding, TAG_PADDING, auth_list);
239 copyAuthTag(record->purpose, TAG_PURPOSE, auth_list); 253 copyAuthTag(record->purpose, TAG_PURPOSE, auth_list);
240 copyAuthTag(record->rollback_resistant, TAG_ROLLBACK_RESISTANCE, auth_list); 254 copyAuthTag(record->rollback_resistance, TAG_ROLLBACK_RESISTANCE, auth_list);
241 copyAuthTag(record->rsa_public_exponent, TAG_RSA_PUBLIC_EXPONENT, auth_list); 255 copyAuthTag(record->rsa_public_exponent, TAG_RSA_PUBLIC_EXPONENT, auth_list);
242 copyAuthTag(record->usage_expire_date_time, TAG_USAGE_EXPIRE_DATETIME, auth_list); 256 copyAuthTag(record->usage_expire_date_time, TAG_USAGE_EXPIRE_DATETIME, auth_list);
243 copyAuthTag(record->user_auth_type, TAG_USER_AUTH_TYPE, auth_list); 257 copyAuthTag(record->user_auth_type, TAG_USER_AUTH_TYPE, auth_list);
244 copyAuthTag(record->attestation_application_id, TAG_ATTESTATION_APPLICATION_ID, auth_list); 258 copyAuthTag(record->attestation_application_id, TAG_ATTESTATION_APPLICATION_ID, auth_list);
259 copyAuthTag(record->vendor_patchlevel, TAG_VENDOR_PATCHLEVEL, auth_list);
260 copyAuthTag(record->boot_patchlevel, TAG_BOOT_PATCHLEVEL, auth_list);
261 copyAuthTag(record->trusted_user_presence_required, TAG_TRUSTED_USER_PRESENCE_REQUIRED,
262 auth_list);
263 copyAuthTag(record->trusted_confirmation_required, TAG_TRUSTED_CONFIRMATION_REQUIRED,
264 auth_list);
265 copyAuthTag(record->unlocked_device_required, TAG_UNLOCKED_DEVICE_REQUIRED, auth_list);
245 266
246 return ErrorCode::OK; 267 return ErrorCode::OK;
247} 268}
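Review bot: The `application_id` member is still declared in `KM_AUTH_LIST` (new line 79), but its `ASN1_EXP_OPT(..., TAG_APPLICATION_ID.maskedTag())` entry is gone from the template after this change, so the decoder no longer fills it. If `extract_auth_list` still reads `record->application_id` (the function starts outside this hunk, so that is not visible here), it will always see an unset field. Either drop the member along with the template entry, or mark it with a comment such as `// not part of the attestation ASN.1 template; never populated by the decoder`. Separately, `verified_boot_hash` is added to `KM_ROOT_OF_TRUST` with `ASN1_SIMPLE`, i.e. as a required element, so a record without it will presumably fail to parse. A one-line comment saying that older records are intentionally rejected would make that explicit.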
diff --git a/keymaster/4.0/support/include/keymasterV4_0/key_param_output.h b/keymaster/4.0/support/include/keymasterV4_0/key_param_output.h
index 74be3436..6e2b691c 100644
--- a/keymaster/4.0/support/include/keymasterV4_0/key_param_output.h
+++ b/keymaster/4.0/support/include/keymasterV4_0/key_param_output.h
@@ -53,6 +53,10 @@ inline ::std::ostream& operator<<(::std::ostream& os, PaddingMode value) {
53 return os << toString(value); 53 return os << toString(value);
54} 54}
55 55
56inline ::std::ostream& operator<<(::std::ostream& os, SecurityLevel value) {
57 return os << toString(value);
58}
59
56template <typename ValueT> 60template <typename ValueT>
57::std::ostream& operator<<(::std::ostream& os, const NullOr<ValueT>& value) { 61::std::ostream& operator<<(::std::ostream& os, const NullOr<ValueT>& value) {
58 if (!value.isOk()) { 62 if (!value.isOk()) {
diff --git a/keymaster/4.0/support/include/keymasterV4_0/keymaster_tags.h b/keymaster/4.0/support/include/keymasterV4_0/keymaster_tags.h
index ce213bc1..9e7d2522 100644
--- a/keymaster/4.0/support/include/keymasterV4_0/keymaster_tags.h
+++ b/keymaster/4.0/support/include/keymasterV4_0/keymaster_tags.h
@@ -116,6 +116,7 @@ DECLARE_TYPED_TAG(AUTH_TIMEOUT);
116DECLARE_TYPED_TAG(BLOB_USAGE_REQUIREMENTS); 116DECLARE_TYPED_TAG(BLOB_USAGE_REQUIREMENTS);
117DECLARE_TYPED_TAG(BLOCK_MODE); 117DECLARE_TYPED_TAG(BLOCK_MODE);
118DECLARE_TYPED_TAG(BOOTLOADER_ONLY); 118DECLARE_TYPED_TAG(BOOTLOADER_ONLY);
119DECLARE_TYPED_TAG(BOOT_PATCHLEVEL);
119DECLARE_TYPED_TAG(CALLER_NONCE); 120DECLARE_TYPED_TAG(CALLER_NONCE);
120DECLARE_TYPED_TAG(CONFIRMATION_TOKEN); 121DECLARE_TYPED_TAG(CONFIRMATION_TOKEN);
121DECLARE_TYPED_TAG(CREATION_DATETIME); 122DECLARE_TYPED_TAG(CREATION_DATETIME);
@@ -141,12 +142,14 @@ DECLARE_TYPED_TAG(ROLLBACK_RESISTANCE);
141DECLARE_TYPED_TAG(ROOT_OF_TRUST); 142DECLARE_TYPED_TAG(ROOT_OF_TRUST);
142DECLARE_TYPED_TAG(RSA_PUBLIC_EXPONENT); 143DECLARE_TYPED_TAG(RSA_PUBLIC_EXPONENT);
143DECLARE_TYPED_TAG(TRUSTED_CONFIRMATION_REQUIRED); 144DECLARE_TYPED_TAG(TRUSTED_CONFIRMATION_REQUIRED);
145DECLARE_TYPED_TAG(TRUSTED_USER_PRESENCE_REQUIRED);
144DECLARE_TYPED_TAG(UNIQUE_ID); 146DECLARE_TYPED_TAG(UNIQUE_ID);
145DECLARE_TYPED_TAG(UNLOCKED_DEVICE_REQUIRED); 147DECLARE_TYPED_TAG(UNLOCKED_DEVICE_REQUIRED);
146DECLARE_TYPED_TAG(USAGE_EXPIRE_DATETIME); 148DECLARE_TYPED_TAG(USAGE_EXPIRE_DATETIME);
147DECLARE_TYPED_TAG(USER_AUTH_TYPE); 149DECLARE_TYPED_TAG(USER_AUTH_TYPE);
148DECLARE_TYPED_TAG(USER_ID); 150DECLARE_TYPED_TAG(USER_ID);
149DECLARE_TYPED_TAG(USER_SECURE_ID); 151DECLARE_TYPED_TAG(USER_SECURE_ID);
152DECLARE_TYPED_TAG(VENDOR_PATCHLEVEL);
150 153
151template <typename... Elems> 154template <typename... Elems>
152struct MetaList {}; 155struct MetaList {};
@@ -163,7 +166,8 @@ using all_tags_t =
163 TAG_OS_VERSION_t, TAG_OS_PATCHLEVEL_t, TAG_UNIQUE_ID_t, TAG_ATTESTATION_CHALLENGE_t, 166 TAG_OS_VERSION_t, TAG_OS_PATCHLEVEL_t, TAG_UNIQUE_ID_t, TAG_ATTESTATION_CHALLENGE_t,
164 TAG_ATTESTATION_APPLICATION_ID_t, TAG_RESET_SINCE_ID_ROTATION_t, TAG_PURPOSE_t, 167 TAG_ATTESTATION_APPLICATION_ID_t, TAG_RESET_SINCE_ID_ROTATION_t, TAG_PURPOSE_t,
165 TAG_ALGORITHM_t, TAG_BLOCK_MODE_t, TAG_DIGEST_t, TAG_PADDING_t, 168 TAG_ALGORITHM_t, TAG_BLOCK_MODE_t, TAG_DIGEST_t, TAG_PADDING_t,
166 TAG_BLOB_USAGE_REQUIREMENTS_t, TAG_ORIGIN_t, TAG_USER_AUTH_TYPE_t, TAG_EC_CURVE_t>; 169 TAG_BLOB_USAGE_REQUIREMENTS_t, TAG_ORIGIN_t, TAG_USER_AUTH_TYPE_t, TAG_EC_CURVE_t,
170 TAG_BOOT_PATCHLEVEL_t, TAG_VENDOR_PATCHLEVEL_t, TAG_TRUSTED_USER_PRESENCE_REQUIRED_t>;
167 171
168template <typename TypedTagType> 172template <typename TypedTagType>
169struct TypedTag2ValueType; 173struct TypedTag2ValueType;
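Review bot: `all_tags_t` is extended by hand with `TAG_BOOT_PATCHLEVEL_t`, `TAG_VENDOR_PATCHLEVEL_t` and `TAG_TRUSTED_USER_PRESENCE_REQUIRED_t`, but the visible tail of the list has no entry for `TAG_TRUSTED_CONFIRMATION_REQUIRED_t` or `TAG_UNLOCKED_DEVICE_REQUIRED_t`. attestation_record.cpp now copies both of those into the authorization set. The list starts outside this hunk, so they may already be there, but it is worth confirming. Nothing ties the `DECLARE_TYPED_TAG` lines to this list, so if it is meant to be complete, a comment above it such as `// Keep in sync with the DECLARE_TYPED_TAG list above.` would help stop the two drifting apart.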
diff --git a/keymaster/4.0/vts/functional/VerificationTokenTest.cpp b/keymaster/4.0/vts/functional/VerificationTokenTest.cpp
index 6afba0c4..3876b16f 100644
--- a/keymaster/4.0/vts/functional/VerificationTokenTest.cpp
+++ b/keymaster/4.0/vts/functional/VerificationTokenTest.cpp
@@ -111,8 +111,9 @@ TEST_F(VerificationTokenTest, TestCreation) {
111 111
112 EXPECT_GE(host_time_delta, time_to_sleep) 112 EXPECT_GE(host_time_delta, time_to_sleep)
113 << "We slept for " << time_to_sleep << " ms, the clock must have advanced by that much"; 113 << "We slept for " << time_to_sleep << " ms, the clock must have advanced by that much";
114 EXPECT_LE(host_time_delta, time_to_sleep + 10) 114 EXPECT_LE(host_time_delta, time_to_sleep + 20)
115 << "The verifyAuthorization call took more than 10 ms? That's awful!"; 115 << "The verifyAuthorization call took " << (host_time_delta - time_to_sleep)
116 << " ms? That's awful!";
116 117
117 auto km_time_delta = result2.token.timestamp - result1.token.timestamp; 118 auto km_time_delta = result2.token.timestamp - result1.token.timestamp;
118 119
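Review bot: The upper bound in `EXPECT_LE(host_time_delta, time_to_sleep + 20)` is a bare wall-clock tolerance, and this change doubles it from 10 without recording where either number comes from. A named constant with a short comment, e.g. `constexpr int kMaxVerifyLatencyMs = 20;  // allowed host-side overhead of verifyAuthorization`, would document the intent. It would also give one place to adjust the value if the test proves flaky on slow devices. `host_time_delta` and `time_to_sleep` are declared outside the hunk, so the constant's type should be chosen to match theirs.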
diff --git a/keymaster/4.0/vts/functional/keymaster_hidl_hal_test.cpp b/keymaster/4.0/vts/functional/keymaster_hidl_hal_test.cpp
index 450b3eb4..5dc0c7fa 100644
--- a/keymaster/4.0/vts/functional/keymaster_hidl_hal_test.cpp
+++ b/keymaster/4.0/vts/functional/keymaster_hidl_hal_test.cpp
@@ -182,7 +182,7 @@ X509* parse_cert_blob(const hidl_vec<uint8_t>& blob) {
182} 182}
183 183
184bool verify_chain(const hidl_vec<hidl_vec<uint8_t>>& chain) { 184bool verify_chain(const hidl_vec<hidl_vec<uint8_t>>& chain) {
185 for (size_t i = 0; i < chain.size() - 1; ++i) { 185 for (size_t i = 0; i < chain.size(); ++i) {
186 X509_Ptr key_cert(parse_cert_blob(chain[i])); 186 X509_Ptr key_cert(parse_cert_blob(chain[i]));
187 X509_Ptr signing_cert; 187 X509_Ptr signing_cert;
188 if (i < chain.size() - 1) { 188 if (i < chain.size() - 1) {
@@ -246,8 +246,7 @@ bool tag_in_list(const KeyParameter& entry) {
246 // Attestations don't contain everything in key authorization lists, so we need to filter 246 // Attestations don't contain everything in key authorization lists, so we need to filter
247 // the key lists to produce the lists that we expect to match the attestations. 247 // the key lists to produce the lists that we expect to match the attestations.
248 auto tag_list = { 248 auto tag_list = {
249 Tag::INCLUDE_UNIQUE_ID, Tag::BLOB_USAGE_REQUIREMENTS, 249 Tag::INCLUDE_UNIQUE_ID, Tag::BLOB_USAGE_REQUIREMENTS, Tag::EC_CURVE, Tag::HARDWARE_TYPE,
250 Tag::EC_CURVE /* Tag::EC_CURVE will be included by KM2 implementations */,
251 }; 250 };
252 return std::find(tag_list.begin(), tag_list.end(), entry.tag) != tag_list.end(); 251 return std::find(tag_list.begin(), tag_list.end(), entry.tag) != tag_list.end();
253} 252}
@@ -271,7 +270,7 @@ std::string make_string(const uint8_t (&a)[N]) {
271 270
272bool verify_attestation_record(const string& challenge, const string& app_id, 271bool verify_attestation_record(const string& challenge, const string& app_id,
273 AuthorizationSet expected_sw_enforced, 272 AuthorizationSet expected_sw_enforced,
274 AuthorizationSet expected_tee_enforced, 273 AuthorizationSet expected_tee_enforced, SecurityLevel security_level,
275 const hidl_vec<uint8_t>& attestation_cert) { 274 const hidl_vec<uint8_t>& attestation_cert) {
276 X509_Ptr cert(parse_cert_blob(attestation_cert)); 275 X509_Ptr cert(parse_cert_blob(attestation_cert));
277 EXPECT_TRUE(!!cert.get()); 276 EXPECT_TRUE(!!cert.get());
@@ -290,29 +289,27 @@ bool verify_attestation_record(const string& challenge, const string& app_id,
290 HidlBuf att_challenge; 289 HidlBuf att_challenge;
291 HidlBuf att_unique_id; 290 HidlBuf att_unique_id;
292 HidlBuf att_app_id; 291 HidlBuf att_app_id;
293 EXPECT_EQ(ErrorCode::OK, 292
294 parse_attestation_record(attest_rec->data, // 293 auto error = parse_attestation_record(attest_rec->data, //
295 attest_rec->length, // 294 attest_rec->length, //
296 &att_attestation_version, // 295 &att_attestation_version, //
297 &att_attestation_security_level, // 296 &att_attestation_security_level, //
298 &att_keymaster_version, // 297 &att_keymaster_version, //
299 &att_keymaster_security_level, // 298 &att_keymaster_security_level, //
300 &att_challenge, // 299 &att_challenge, //
301 &att_sw_enforced, // 300 &att_sw_enforced, //
302 &att_tee_enforced, // 301 &att_tee_enforced, //
303 &att_unique_id)); 302 &att_unique_id);
304 303 EXPECT_EQ(ErrorCode::OK, error);
305 EXPECT_TRUE(att_attestation_version == 1 || att_attestation_version == 2); 304 if (error != ErrorCode::OK) return false;
305
306 EXPECT_TRUE(att_attestation_version == 3);
306 307
307 expected_sw_enforced.push_back(TAG_ATTESTATION_APPLICATION_ID, HidlBuf(app_id)); 308 expected_sw_enforced.push_back(TAG_ATTESTATION_APPLICATION_ID, HidlBuf(app_id));
308 309
309 EXPECT_GE(att_keymaster_version, 3U); 310 EXPECT_GE(att_keymaster_version, 3U);
310 EXPECT_EQ(KeymasterHidlTest::IsSecure() ? SecurityLevel::TRUSTED_ENVIRONMENT 311 EXPECT_EQ(security_level, att_keymaster_security_level);
311 : SecurityLevel::SOFTWARE, 312 EXPECT_EQ(security_level, att_attestation_security_level);
312 att_keymaster_security_level);
313 EXPECT_EQ(KeymasterHidlTest::IsSecure() ? SecurityLevel::TRUSTED_ENVIRONMENT
314 : SecurityLevel::SOFTWARE,
315 att_attestation_security_level);
316 313
317 EXPECT_EQ(challenge.length(), att_challenge.size()); 314 EXPECT_EQ(challenge.length(), att_challenge.size());
318 EXPECT_EQ(0, memcmp(challenge.data(), att_challenge.data(), challenge.length())); 315 EXPECT_EQ(0, memcmp(challenge.data(), att_challenge.data(), challenge.length()));
@@ -3008,6 +3005,7 @@ TEST_F(EncryptionOperationsTest, AesGcmAadNoData) {
3008 * Verifies that AES GCM mode works when provided additional authenticated data in multiple chunks. 3005 * Verifies that AES GCM mode works when provided additional authenticated data in multiple chunks.
3009 */ 3006 */
3010TEST_F(EncryptionOperationsTest, AesGcmMultiPartAad) { 3007TEST_F(EncryptionOperationsTest, AesGcmMultiPartAad) {
3008 const size_t tag_bits = 128;
3011 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder() 3009 ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
3012 .Authorization(TAG_NO_AUTH_REQUIRED) 3010 .Authorization(TAG_NO_AUTH_REQUIRED)
3013 .AesEncryptionKey(128) 3011 .AesEncryptionKey(128)
@@ -3019,7 +3017,7 @@ TEST_F(EncryptionOperationsTest, AesGcmMultiPartAad) {
3019 auto begin_params = AuthorizationSetBuilder() 3017 auto begin_params = AuthorizationSetBuilder()
3020 .BlockMode(BlockMode::GCM) 3018 .BlockMode(BlockMode::GCM)
3021 .Padding(PaddingMode::NONE) 3019 .Padding(PaddingMode::NONE)
3022 .Authorization(TAG_MAC_LENGTH, 128); 3020 .Authorization(TAG_MAC_LENGTH, tag_bits);
3023 AuthorizationSet begin_out_params; 3021 AuthorizationSet begin_out_params;
3024 3022
3025 auto update_params = 3023 auto update_params =
@@ -3041,10 +3039,11 @@ TEST_F(EncryptionOperationsTest, AesGcmMultiPartAad) {
3041 EXPECT_EQ(ErrorCode::OK, Update(op_handle_, update_params, message, &update_out_params, 3039 EXPECT_EQ(ErrorCode::OK, Update(op_handle_, update_params, message, &update_out_params,
3042 &ciphertext, &input_consumed)); 3040 &ciphertext, &input_consumed));
3043 EXPECT_EQ(message.size(), input_consumed); 3041 EXPECT_EQ(message.size(), input_consumed);
3044 EXPECT_EQ(message.size(), ciphertext.size());
3045 EXPECT_TRUE(update_out_params.empty()); 3042 EXPECT_TRUE(update_out_params.empty());
3046 3043
3047 EXPECT_EQ(ErrorCode::OK, Finish("" /* input */, &ciphertext)); 3044 EXPECT_EQ(ErrorCode::OK, Finish("" /* input */, &ciphertext));
3045 // Expect 128-bit (16-byte) tag appended to ciphertext.
3046 EXPECT_EQ(message.size() + (tag_bits >> 3), ciphertext.size());
3048 3047
3049 // Grab nonce. 3048 // Grab nonce.
3050 begin_params.push_back(begin_out_params); 3049 begin_params.push_back(begin_out_params);
@@ -3100,7 +3099,6 @@ TEST_F(EncryptionOperationsTest, AesGcmAadOutOfOrder) {
3100 EXPECT_EQ(ErrorCode::OK, Update(op_handle_, update_params, message, &update_out_params, 3099 EXPECT_EQ(ErrorCode::OK, Update(op_handle_, update_params, message, &update_out_params,
3101 &ciphertext, &input_consumed)); 3100 &ciphertext, &input_consumed));
3102 EXPECT_EQ(message.size(), input_consumed); 3101 EXPECT_EQ(message.size(), input_consumed);
3103 EXPECT_EQ(message.size(), ciphertext.size());
3104 EXPECT_TRUE(update_out_params.empty()); 3102 EXPECT_TRUE(update_out_params.empty());
3105 3103
3106 // More AAD 3104 // More AAD
@@ -3827,7 +3825,7 @@ TEST_F(AttestationTest, RsaAttestation) {
3827 EXPECT_TRUE(verify_attestation_record("challenge", "foo", // 3825 EXPECT_TRUE(verify_attestation_record("challenge", "foo", //
3828 key_characteristics_.softwareEnforced, // 3826 key_characteristics_.softwareEnforced, //
3829 key_characteristics_.hardwareEnforced, // 3827 key_characteristics_.hardwareEnforced, //
3830 cert_chain[0])); 3828 SecLevel(), cert_chain[0]));
3831} 3829}
3832 3830
3833/* 3831/*
@@ -3874,7 +3872,7 @@ TEST_F(AttestationTest, EcAttestation) {
3874 EXPECT_TRUE(verify_attestation_record("challenge", "foo", // 3872 EXPECT_TRUE(verify_attestation_record("challenge", "foo", //
3875 key_characteristics_.softwareEnforced, // 3873 key_characteristics_.softwareEnforced, //
3876 key_characteristics_.hardwareEnforced, // 3874 key_characteristics_.hardwareEnforced, //
3877 cert_chain[0])); 3875 SecLevel(), cert_chain[0]));
3878} 3876}
3879 3877
3880/* 3878/*
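Review bot: In `verify_attestation_record`, `EXPECT_EQ(challenge.length(), att_challenge.size())` is non-fatal, so when the sizes differ the following `memcmp(challenge.data(), att_challenge.data(), challenge.length())` still runs and can read past the end of a shorter `att_challenge`. The change already adds `if (error != ErrorCode::OK) return false;` after the parse, and the same pattern fits here: `if (challenge.length() != att_challenge.size()) return false;` before the `memcmp`. While there, `EXPECT_TRUE(att_attestation_version == 3)` reports only a failed boolean, whereas `EXPECT_EQ(3U, att_attestation_version)` (matching the `3U` form used for `att_keymaster_version`) would print the version the device actually returned. The function continues past the end of its hunk, so later checks are not visible here.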