diff options
author | Bowgo Tsai <bowgotsai@google.com> | 2020-03-13 14:54:37 +0800 |
---|---|---|
committer | Bowgo Tsai <bowgotsai@google.com> | 2020-09-02 11:00:22 +0800 |
commit | 2c94e430165edda0cc26c0784175b1984186443d (patch) | |
tree | ad6e143e8f3985d3c82b2aadd2388ee2f794b666 | |
parent | 9ade092595a841393936ee2f38ddcfac92b73e81 (diff) | |
download | platform_hardware_interfaces-2c94e430165edda0cc26c0784175b1984186443d.tar.gz platform_hardware_interfaces-2c94e430165edda0cc26c0784175b1984186443d.tar.bz2 platform_hardware_interfaces-2c94e430165edda0cc26c0784175b1984186443d.zip |
Allowing GSI patch level to be greater than vbmeta SPL
The GSI patch level might be greater than the vbmeta SPL, because
GSI system.img might be updated via the DSU flow, where vbmeta.img won't
be updated in this scenario.
https://developer.android.com/topic/dsu
Allowing GSI patch level to be greater than or equal to the vbmeta SPL,
since Treble allows new system.img works on old vendor images.
Bug: 145377203
Test: atest VtsHalKeymasterV4_0TargetTest
Change-Id: Ib761d80c88695eb2db08b0dc00e30fcdc2788865
Merged-In: Ib761d80c88695eb2db08b0dc00e30fcdc2788865
(cherry picked from commit 63c0129fa64838ce2f2b982246d74f683bcd5426)
-rw-r--r-- | keymaster/4.0/support/include/keymasterV4_0/authorization_set.h | 8 | ||||
-rw-r--r-- | keymaster/4.0/vts/functional/keymaster_hidl_hal_test.cpp | 35 |
2 files changed, 36 insertions, 7 deletions
diff --git a/keymaster/4.0/support/include/keymasterV4_0/authorization_set.h b/keymaster/4.0/support/include/keymasterV4_0/authorization_set.h index ff08066bc0..3e29206e9e 100644 --- a/keymaster/4.0/support/include/keymasterV4_0/authorization_set.h +++ b/keymaster/4.0/support/include/keymasterV4_0/authorization_set.h @@ -17,6 +17,7 @@ #ifndef SYSTEM_SECURITY_KEYSTORE_KM4_AUTHORIZATION_SET_H_ #define SYSTEM_SECURITY_KEYSTORE_KM4_AUTHORIZATION_SET_H_ +#include <functional> #include <vector> #include <keymasterV4_0/keymaster_tags.h> @@ -165,11 +166,12 @@ class AuthorizationSet { */ bool Contains(Tag tag) const { return find(tag) != -1; } - template <TagType tag_type, Tag tag, typename ValueT> - bool Contains(TypedTag<tag_type, tag> ttag, const ValueT& value) const { + template <TagType tag_type, Tag tag, typename ValueT, typename Comparator = std::equal_to<>> + bool Contains(TypedTag<tag_type, tag> ttag, const ValueT& value, + Comparator cmp = Comparator()) const { for (const auto& param : data_) { auto entry = authorizationValue(ttag, param); - if (entry.isOk() && static_cast<ValueT>(entry.value()) == value) return true; + if (entry.isOk() && cmp(static_cast<ValueT>(entry.value()), value)) return true; } return false; } diff --git a/keymaster/4.0/vts/functional/keymaster_hidl_hal_test.cpp b/keymaster/4.0/vts/functional/keymaster_hidl_hal_test.cpp index aa2de2a682..d6696673a2 100644 --- a/keymaster/4.0/vts/functional/keymaster_hidl_hal_test.cpp +++ b/keymaster/4.0/vts/functional/keymaster_hidl_hal_test.cpp @@ -17,9 +17,12 @@ #define LOG_TAG "keymaster_hidl_hal_test" #include <cutils/log.h> -#include <iostream> #include <signal.h> +#include <functional> +#include <iostream> +#include <string> + #include <openssl/evp.h> #include <openssl/mem.h> #include <openssl/x509.h> @@ -32,6 +35,8 @@ #include "KeymasterHidlTest.h" +using namespace std::string_literals; + static bool arm_deleteAllKeys = false; static bool dump_Attestations = false; @@ -315,6 +320,12 @@ bool avb_verification_enabled() { return property_get("ro.boot.vbmeta.device_state", value, "") != 0; } +bool is_gsi() { + char property_value[PROPERTY_VALUE_MAX] = {}; + EXPECT_NE(property_get("ro.product.system.name", property_value, ""), 0); + return "mainline"s == property_value; +} + } // namespace bool verify_attestation_record(const string& challenge, const string& app_id, @@ -512,9 +523,25 @@ class NewKeyGenerationTest : public KeymasterHidlTest { EXPECT_TRUE(auths.Contains(TAG_OS_VERSION, os_version())) << "OS version is " << os_version() << " key reported " << auths.GetTagValue(TAG_OS_VERSION); - EXPECT_TRUE(auths.Contains(TAG_OS_PATCHLEVEL, os_patch_level())) - << "OS patch level is " << os_patch_level() << " key reported " - << auths.GetTagValue(TAG_OS_PATCHLEVEL); + + if (is_gsi()) { + // In general, TAG_OS_PATCHLEVEL should be equal to os_patch_level() + // reported from the system.img in use. But it is allowed to boot a + // GSI system.img with newer patch level, which means TAG_OS_PATCHLEVEL + // might be less than or equal to os_patch_level() in this case. + EXPECT_TRUE(auths.Contains(TAG_OS_PATCHLEVEL, // vbmeta.img patch level + os_patch_level(), // system.img patch level + std::less_equal<>())) + << "OS patch level is " << os_patch_level() + << ", which is less than key reported " << auths.GetTagValue(TAG_OS_PATCHLEVEL); + } else { + EXPECT_TRUE(auths.Contains(TAG_OS_PATCHLEVEL, // vbmeta.img patch level + os_patch_level(), // system.img patch level + std::equal_to<>())) + << "OS patch level is " << os_patch_level() + << ", which is not equal to key reported " + << auths.GetTagValue(TAG_OS_PATCHLEVEL); + } } void CheckCharacteristics(const HidlBuf& key_blob, |