diff options
author | Bowgo Tsai <bowgotsai@google.com> | 2020-09-03 02:35:02 +0000 |
---|---|---|
committer | Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com> | 2020-09-03 02:35:02 +0000 |
commit | 294b32dd3fb7886065172a1ff5e5cf5cd943f761 (patch) | |
tree | 77f6e4dd0e705a22ac2f35d036a506ad0371ece2 | |
parent | f4f3dd7cfe21815878e0f9052805c8219ec48e32 (diff) | |
parent | cb6cd0c1bcf2d9f68b84ba37a513a4140949d8ab (diff) | |
download | platform_hardware_interfaces-294b32dd3fb7886065172a1ff5e5cf5cd943f761.tar.gz platform_hardware_interfaces-294b32dd3fb7886065172a1ff5e5cf5cd943f761.tar.bz2 platform_hardware_interfaces-294b32dd3fb7886065172a1ff5e5cf5cd943f761.zip |
Allowing GSI patch level to be greater than vbmeta SPL am: 2c94e43016 am: e42109b559 am: cb6cd0c1bc
Original change: https://googleplex-android-review.googlesource.com/c/platform/hardware/interfaces/+/12501703
Change-Id: I829b9968e5dad0150ff16843049619cf5f5c76d6
-rw-r--r-- | keymaster/4.0/support/include/keymasterV4_0/authorization_set.h | 8 | ||||
-rw-r--r-- | keymaster/4.0/vts/functional/keymaster_hidl_hal_test.cpp | 35 |
2 files changed, 36 insertions, 7 deletions
diff --git a/keymaster/4.0/support/include/keymasterV4_0/authorization_set.h b/keymaster/4.0/support/include/keymasterV4_0/authorization_set.h index ff08066bc0..3e29206e9e 100644 --- a/keymaster/4.0/support/include/keymasterV4_0/authorization_set.h +++ b/keymaster/4.0/support/include/keymasterV4_0/authorization_set.h @@ -17,6 +17,7 @@ #ifndef SYSTEM_SECURITY_KEYSTORE_KM4_AUTHORIZATION_SET_H_ #define SYSTEM_SECURITY_KEYSTORE_KM4_AUTHORIZATION_SET_H_ +#include <functional> #include <vector> #include <keymasterV4_0/keymaster_tags.h> @@ -165,11 +166,12 @@ class AuthorizationSet { */ bool Contains(Tag tag) const { return find(tag) != -1; } - template <TagType tag_type, Tag tag, typename ValueT> - bool Contains(TypedTag<tag_type, tag> ttag, const ValueT& value) const { + template <TagType tag_type, Tag tag, typename ValueT, typename Comparator = std::equal_to<>> + bool Contains(TypedTag<tag_type, tag> ttag, const ValueT& value, + Comparator cmp = Comparator()) const { for (const auto& param : data_) { auto entry = authorizationValue(ttag, param); - if (entry.isOk() && static_cast<ValueT>(entry.value()) == value) return true; + if (entry.isOk() && cmp(static_cast<ValueT>(entry.value()), value)) return true; } return false; } diff --git a/keymaster/4.0/vts/functional/keymaster_hidl_hal_test.cpp b/keymaster/4.0/vts/functional/keymaster_hidl_hal_test.cpp index aa2de2a682..d6696673a2 100644 --- a/keymaster/4.0/vts/functional/keymaster_hidl_hal_test.cpp +++ b/keymaster/4.0/vts/functional/keymaster_hidl_hal_test.cpp @@ -17,9 +17,12 @@ #define LOG_TAG "keymaster_hidl_hal_test" #include <cutils/log.h> -#include <iostream> #include <signal.h> +#include <functional> +#include <iostream> +#include <string> + #include <openssl/evp.h> #include <openssl/mem.h> #include <openssl/x509.h> @@ -32,6 +35,8 @@ #include "KeymasterHidlTest.h" +using namespace std::string_literals; + static bool arm_deleteAllKeys = false; static bool dump_Attestations = false; @@ -315,6 +320,12 @@ bool avb_verification_enabled() { return property_get("ro.boot.vbmeta.device_state", value, "") != 0; } +bool is_gsi() { + char property_value[PROPERTY_VALUE_MAX] = {}; + EXPECT_NE(property_get("ro.product.system.name", property_value, ""), 0); + return "mainline"s == property_value; +} + } // namespace bool verify_attestation_record(const string& challenge, const string& app_id, @@ -512,9 +523,25 @@ class NewKeyGenerationTest : public KeymasterHidlTest { EXPECT_TRUE(auths.Contains(TAG_OS_VERSION, os_version())) << "OS version is " << os_version() << " key reported " << auths.GetTagValue(TAG_OS_VERSION); - EXPECT_TRUE(auths.Contains(TAG_OS_PATCHLEVEL, os_patch_level())) - << "OS patch level is " << os_patch_level() << " key reported " - << auths.GetTagValue(TAG_OS_PATCHLEVEL); + + if (is_gsi()) { + // In general, TAG_OS_PATCHLEVEL should be equal to os_patch_level() + // reported from the system.img in use. But it is allowed to boot a + // GSI system.img with newer patch level, which means TAG_OS_PATCHLEVEL + // might be less than or equal to os_patch_level() in this case. + EXPECT_TRUE(auths.Contains(TAG_OS_PATCHLEVEL, // vbmeta.img patch level + os_patch_level(), // system.img patch level + std::less_equal<>())) + << "OS patch level is " << os_patch_level() + << ", which is less than key reported " << auths.GetTagValue(TAG_OS_PATCHLEVEL); + } else { + EXPECT_TRUE(auths.Contains(TAG_OS_PATCHLEVEL, // vbmeta.img patch level + os_patch_level(), // system.img patch level + std::equal_to<>())) + << "OS patch level is " << os_patch_level() + << ", which is not equal to key reported " + << auths.GetTagValue(TAG_OS_PATCHLEVEL); + } } void CheckCharacteristics(const HidlBuf& key_blob, |