diff options
| author | Eric Biggers <ebiggers@google.com> | 2020-05-20 15:21:18 -0700 |
|---|---|---|
| committer | Eric Biggers <ebiggers@google.com> | 2020-05-21 11:20:56 -0700 |
| commit | 57f6846487c57293e18aa7a4b5159215231c5351 (patch) | |
| tree | b034f22497c3e4bbafea00ed2151432be5c17c7e | |
| parent | 23593d95199b0b92a46ae69f500783ce2f3a51a4 (diff) | |
| download | platform_test_vts-testcase_kernel-57f6846487c57293e18aa7a4b5159215231c5351.tar.gz platform_test_vts-testcase_kernel-57f6846487c57293e18aa7a4b5159215231c5351.tar.bz2 platform_test_vts-testcase_kernel-57f6846487c57293e18aa7a4b5159215231c5351.zip | |
VtsKernelEncryptionTest: verify the key identifier
Test that the key identifier is computed in the expected way.
This is most useful for the wrapped keys case, as this indirectly tests
that the "software secret" is computed in the expected way.
Test: 'atest vts_kernel_encryption_test' on Cuttlefish
Bug: 144046242
Bug: 153730132
Change-Id: If968bd18a4da99286d3b9ab62072056aaf4fd6a1
Merged-In: If968bd18a4da99286d3b9ab62072056aaf4fd6a1
| -rw-r--r-- | encryption/file_based_encryption_tests.cpp | 22 |
1 files changed, 22 insertions, 0 deletions
diff --git a/encryption/file_based_encryption_tests.cpp b/encryption/file_based_encryption_tests.cpp index 5d12b52b..ea272c06 100644 --- a/encryption/file_based_encryption_tests.cpp +++ b/encryption/file_based_encryption_tests.cpp @@ -331,6 +331,7 @@ class FBEPolicyTest : public ::testing::Test { bool SetEncryptionPolicy(int contents_mode, int filenames_mode, int flags, bool required); bool GenerateTestFile(TestFileInfo *info); + bool VerifyKeyIdentifier(const std::vector<uint8_t> &master_key); bool DerivePerModeEncryptionKey(const std::vector<uint8_t> &master_key, int mode, FscryptHkdfContext context, std::vector<uint8_t> &enc_key); @@ -433,6 +434,9 @@ bool FBEPolicyTest::SetMasterKey(const std::vector<uint8_t> &master_key, GTEST_LOG_(INFO) << "Master key identifier is " << BytesToHex(master_key_specifier_.u.identifier); key_added_ = true; + if (!(flags & __FSCRYPT_ADD_KEY_FLAG_HW_WRAPPED) && + !VerifyKeyIdentifier(master_key)) + return false; return true; } @@ -454,6 +458,9 @@ bool FBEPolicyTest::CreateAndSetHwWrappedKey(std::vector<uint8_t> *enc_key, // FIXME: placeholder value. Derive this correctly. *sw_secret = std::vector<uint8_t>(32, 0); + + if (!VerifyKeyIdentifier(*sw_secret)) return false; + return true; } @@ -583,6 +590,21 @@ static bool DeriveKey(const std::vector<uint8_t> &master_key, return true; } +// Derives the key identifier from |master_key| and verifies that it matches the +// value the kernel returned in |master_key_specifier_|. +bool FBEPolicyTest::VerifyKeyIdentifier( + const std::vector<uint8_t> &master_key) { + std::vector<uint8_t> hkdf_info = InitHkdfInfo(HKDF_CONTEXT_KEY_IDENTIFIER); + std::vector<uint8_t> computed_key_identifier(FSCRYPT_KEY_IDENTIFIER_SIZE); + if (!DeriveKey(master_key, hkdf_info, computed_key_identifier)) return false; + + std::vector<uint8_t> actual_key_identifier( + std::begin(master_key_specifier_.u.identifier), + std::end(master_key_specifier_.u.identifier)); + EXPECT_EQ(actual_key_identifier, computed_key_identifier); + return actual_key_identifier == computed_key_identifier; +} + // Derives a per-mode encryption key from |master_key|, |mode|, |context|, and // (if needed for the context) the filesystem UUID. bool FBEPolicyTest::DerivePerModeEncryptionKey( |