Allowing GSI patch level to be greater than vbmeta SPL

The GSI patch level might be greater than the vbmeta SPL, because GSI system.img might be updated via the DSU flow, where vbmeta.img won't be updated in this scenario. https://developer.android.com/topic/dsu Allowing GSI patch level to be greater than or equal to the vbmeta SPL, since Treble allows new system.img works on old vendor images. Bug: 145377203 Test: atest VtsHalKeymasterV4_0TargetTest Change-Id: Ib761d80c88695eb2db08b0dc00e30fcdc2788865 Merged-In: Ib761d80c88695eb2db08b0dc00e30fcdc2788865 (cherry picked from commit 63c0129fa64838ce2f2b982246d74f683bcd5426)
author: Bowgo Tsai <bowgotsai@google.com> 2020-03-13 14:54:37 +0800
committer: Bowgo Tsai <bowgotsai@google.com> 2020-09-02 11:00:22 +0800
commit: 2c94e430165edda0cc26c0784175b1984186443d (patch)
tree: ad6e143e8f3985d3c82b2aadd2388ee2f794b666
parent: 9ade092595a841393936ee2f38ddcfac92b73e81 (diff)
download: interfaces-2c94e430165edda0cc26c0784175b1984186443d.tar.gz
2 files changed, 36 insertions, 7 deletions
diff --git a/keymaster/4.0/support/include/keymasterV4_0/authorization_set.h b/keymaster/4.0/support/include/keymasterV4_0/authorization_set.h
index ff08066bc0..3e29206e9e 100644
--- a/keymaster/4.0/support/include/keymasterV4_0/authorization_set.h
+++ b/keymaster/4.0/support/include/keymasterV4_0/authorization_set.h
@@ -17,6 +17,7 @@
 #ifndef SYSTEM_SECURITY_KEYSTORE_KM4_AUTHORIZATION_SET_H_
 #define SYSTEM_SECURITY_KEYSTORE_KM4_AUTHORIZATION_SET_H_
 
+#include <functional>
 #include <vector>
 
 #include <keymasterV4_0/keymaster_tags.h>
@@ -165,11 +166,12 @@ class AuthorizationSet {
      */
     bool Contains(Tag tag) const { return find(tag) != -1; }
 
-    template <TagType tag_type, Tag tag, typename ValueT>
-    bool Contains(TypedTag<tag_type, tag> ttag, const ValueT& value) const {
+    template <TagType tag_type, Tag tag, typename ValueT, typename Comparator = std::equal_to<>>
+    bool Contains(TypedTag<tag_type, tag> ttag, const ValueT& value,
+                  Comparator cmp = Comparator()) const {
         for (const auto& param : data_) {
             auto entry = authorizationValue(ttag, param);
-            if (entry.isOk() && static_cast<ValueT>(entry.value()) == value) return true;
+            if (entry.isOk() && cmp(static_cast<ValueT>(entry.value()), value)) return true;
         }
         return false;
     }
diff --git a/keymaster/4.0/vts/functional/keymaster_hidl_hal_test.cpp b/keymaster/4.0/vts/functional/keymaster_hidl_hal_test.cpp
index aa2de2a682..d6696673a2 100644
--- a/keymaster/4.0/vts/functional/keymaster_hidl_hal_test.cpp
+++ b/keymaster/4.0/vts/functional/keymaster_hidl_hal_test.cpp
@@ -17,9 +17,12 @@
 #define LOG_TAG "keymaster_hidl_hal_test"
 #include <cutils/log.h>
 
-#include <iostream>
 #include <signal.h>
 
+#include <functional>
+#include <iostream>
+#include <string>
+
 #include <openssl/evp.h>
 #include <openssl/mem.h>
 #include <openssl/x509.h>
@@ -32,6 +35,8 @@
 
 #include "KeymasterHidlTest.h"
 
+using namespace std::string_literals;
+
 static bool arm_deleteAllKeys = false;
 static bool dump_Attestations = false;
 
@@ -315,6 +320,12 @@ bool avb_verification_enabled() {
     return property_get("ro.boot.vbmeta.device_state", value, "") != 0;
 }
 
+bool is_gsi() {
+    char property_value[PROPERTY_VALUE_MAX] = {};
+    EXPECT_NE(property_get("ro.product.system.name", property_value, ""), 0);
+    return "mainline"s == property_value;
+}
+
 }  // namespace
 
 bool verify_attestation_record(const string& challenge, const string& app_id,
@@ -512,9 +523,25 @@ class NewKeyGenerationTest : public KeymasterHidlTest {
         EXPECT_TRUE(auths.Contains(TAG_OS_VERSION, os_version()))
             << "OS version is " << os_version() << " key reported "
             << auths.GetTagValue(TAG_OS_VERSION);
-        EXPECT_TRUE(auths.Contains(TAG_OS_PATCHLEVEL, os_patch_level()))
-            << "OS patch level is " << os_patch_level() << " key reported "
-            << auths.GetTagValue(TAG_OS_PATCHLEVEL);
+
+        if (is_gsi()) {
+            // In general, TAG_OS_PATCHLEVEL should be equal to os_patch_level()
+            // reported from the system.img in use. But it is allowed to boot a
+            // GSI system.img with newer patch level, which means TAG_OS_PATCHLEVEL
+            // might be less than or equal to os_patch_level() in this case.
+            EXPECT_TRUE(auths.Contains(TAG_OS_PATCHLEVEL,  // vbmeta.img patch level
+                                       os_patch_level(),   // system.img patch level
+                                       std::less_equal<>()))
+                    << "OS patch level is " << os_patch_level()
+                    << ", which is less than key reported " << auths.GetTagValue(TAG_OS_PATCHLEVEL);
+        } else {
+            EXPECT_TRUE(auths.Contains(TAG_OS_PATCHLEVEL,  // vbmeta.img patch level
+                                       os_patch_level(),   // system.img patch level
+                                       std::equal_to<>()))
+                    << "OS patch level is " << os_patch_level()
+                    << ", which is not equal to key reported "
+                    << auths.GetTagValue(TAG_OS_PATCHLEVEL);
+        }
     }
 
     void CheckCharacteristics(const HidlBuf& key_blob,
author	Bowgo Tsai <bowgotsai@google.com>	2020-03-13 14:54:37 +0800
committer	Bowgo Tsai <bowgotsai@google.com>	2020-09-02 11:00:22 +0800
commit	2c94e430165edda0cc26c0784175b1984186443d (patch)
tree	ad6e143e8f3985d3c82b2aadd2388ee2f794b666
parent	9ade092595a841393936ee2f38ddcfac92b73e81 (diff)
download	interfaces-2c94e430165edda0cc26c0784175b1984186443d.tar.gz