diff options
author | Android Build Coastguard Worker <android-build-coastguard-worker@google.com> | 2023-12-14 16:40:16 +0000 |
---|---|---|
committer | Android Build Coastguard Worker <android-build-coastguard-worker@google.com> | 2023-12-14 16:40:16 +0000 |
commit | 1ec429f8b763fd1b419afcfebd6e5bc701c8563f (patch) | |
tree | e9d5fdb793233821e76ab8bffb412a5ef699df54 | |
parent | c82d60ab0d0f0112752486c9b2f5e38e546772ff (diff) | |
parent | 0070c5a549188eaa17b5a4eabf1226891f5d6779 (diff) | |
download | kernel-aml_tz4_332714010.tar.gz |
Snap for 11219529 from 0070c5a549188eaa17b5a4eabf1226891f5d6779 to mainline-tzdata4-releaseaml_tz4_332714070aml_tz4_332714050aml_tz4_332714010aml_tz4_332714010
Change-Id: I8a7e8eaa5d747d009a32cea0205e84337e8e9d3d
5 files changed, 45 insertions, 20 deletions
diff --git a/encryption/utils.cpp b/encryption/utils.cpp index da3632cf..b7a0b575 100644 --- a/encryption/utils.cpp +++ b/encryption/utils.cpp @@ -37,6 +37,36 @@ using namespace android::dm; namespace android { namespace kernel { +// Context in fixed input string comprises of software provided context, +// padding to eight bytes (if required) and the key policy. +static const std::vector<std::vector<uint8_t>> HwWrappedEncryptionKeyContexts = + { + {'i', 'n', 'l', 'i', 'n', 'e', ' ', 'e', 'n', 'c', 'r', 'y', + 'p', 't', 'i', 'o', 'n', ' ', 'k', 'e', 'y', 0x0, 0x0, 0x0, + 0x00, 0x00, 0x00, 0x02, 0x43, 0x00, 0x82, 0x50, 0x0, 0x0, 0x0, 0x0}, + // Below for "legacy && kdf tied to Trusted Execution + // Environment(TEE)". + // Where as above caters ( "all latest targets" || ("legacy && kdf + // not tied to TEE)). + {'i', 'n', 'l', 'i', 'n', 'e', ' ', 'e', 'n', 'c', 'r', 'y', + 'p', 't', 'i', 'o', 'n', ' ', 'k', 'e', 'y', 0x0, 0x0, 0x0, + 0x00, 0x00, 0x00, 0x01, 0x43, 0x00, 0x82, 0x18, 0x0, 0x0, 0x0, 0x0}, +}; + +static bool GetKdfContext(std::vector<uint8_t> *ctx) { + std::string kdf = + android::base::GetProperty("ro.crypto.hw_wrapped_keys.kdf", "v1"); + if (kdf == "v1") { + *ctx = HwWrappedEncryptionKeyContexts[0]; + return true; + } + if (kdf == "legacykdf") { + *ctx = HwWrappedEncryptionKeyContexts[1]; + return true; + } + ADD_FAILURE() << "Unknown KDF: " << kdf; + return false; +} // Offset in bytes to the filesystem superblock, relative to the beginning of // the block device @@ -403,17 +433,12 @@ bool DeriveHwWrappedEncryptionKey(const std::vector<uint8_t> &master_key, std::vector<uint8_t> *enc_key) { std::vector<uint8_t> label{0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x20}; - // Context in fixed input string comprises of software provided context, - // padding to eight bytes (if required) and the key policy. - std::vector<uint8_t> context = { - 'i', 'n', 'l', 'i', 'n', 'e', ' ', 'e', - 'n', 'c', 'r', 'y', 'p', 't', 'i', 'o', - 'n', ' ', 'k', 'e', 'y', 0x0, 0x0, 0x0, - 0x00, 0x00, 0x00, 0x02, 0x43, 0x00, 0x82, 0x50, - 0x0, 0x0, 0x0, 0x0}; - - return AesCmacKdfHelper(master_key, label, context, kAes256XtsKeySize, - enc_key); + + std::vector<uint8_t> ctx; + + if (!GetKdfContext(&ctx)) return false; + + return AesCmacKdfHelper(master_key, label, ctx, kAes256XtsKeySize, enc_key); } bool DeriveHwWrappedRawSecret(const std::vector<uint8_t> &master_key, diff --git a/linux_kselftest/testcases/vts_linux_kselftest_arm_32.xml b/linux_kselftest/testcases/vts_linux_kselftest_arm_32.xml index 75426602..0394223f 100644 --- a/linux_kselftest/testcases/vts_linux_kselftest_arm_32.xml +++ b/linux_kselftest/testcases/vts_linux_kselftest_arm_32.xml @@ -32,9 +32,9 @@ <test class="com.android.tradefed.testtype.binary.KernelTargetTest" > <option name="exit-code-skip" value="4" /> - <option name="test-command-line" key="binderfs_arm_32" value="chmod 755 &ktest_dir;/filesystems/binderfs/binderfs_test; cd &ktest_dir;/filesystems/binderfs; ./binderfs_test" /> + <option name="test-command-line" key="binderfs_arm_32" value="chmod 755 &ktest_dir;/filesystems/binderfs/binderfs_test; cd &ktest_dir;/filesystems/binderfs; ./binderfs_test" /> <option name="test-command-line" key="capabilities_test_execve_arm_32" value="chmod 755 &ktest_dir;/capabilities/test_execve; cd &ktest_dir;/capabilities; ./test_execve" /> - <option name="test-command-line" key="futex_functional_run.sh_arm_32" value="chmod 755 &ktest_dir;/futex/functional/run.sh; cd &ktest_dir;/futex/functional; ./run.sh" /> + <option name="test-command-line" key="futex_functional_run.sh_arm_32" value="chmod 755 &ktest_dir;/futex/functional/run.sh; cd &ktest_dir;/futex/functional; USE_COLOR=0 ./run.sh" /> <option name="test-command-line" key="kcmp_kcmp_test_arm_32" value="chmod 755 &ktest_dir;/kcmp/kcmp_test; cd &ktest_dir;/kcmp; ./kcmp_test" /> <option name="test-command-line" key="net_reuseaddr_conflict_arm_32" value="chmod 755 &ktest_dir;/net/reuseaddr_conflict; cd &ktest_dir;/net; ./reuseaddr_conflict" /> <option name="test-command-line" key="net_socket_arm_32" value="chmod 755 &ktest_dir;/net/socket; cd &ktest_dir;/net; ./socket" /> diff --git a/linux_kselftest/testcases/vts_linux_kselftest_arm_64.xml b/linux_kselftest/testcases/vts_linux_kselftest_arm_64.xml index 2a33f2c2..0cbe6945 100644 --- a/linux_kselftest/testcases/vts_linux_kselftest_arm_64.xml +++ b/linux_kselftest/testcases/vts_linux_kselftest_arm_64.xml @@ -32,12 +32,12 @@ <test class="com.android.tradefed.testtype.binary.KernelTargetTest" > <option name="exit-code-skip" value="4" /> - <option name="test-command-line" key="binderfs_arm_64" value="chmod 755 &ktest_dir;/filesystems/binderfs/binderfs_test; cd &ktest_dir;/filesystems/binderfs; ./binderfs_test" /> + <option name="test-command-line" key="binderfs_arm_64" value="chmod 755 &ktest_dir;/filesystems/binderfs/binderfs_test; cd &ktest_dir;/filesystems/binderfs; ./binderfs_test" /> <option name="test-command-line" key="breakpoints_breakpoint_test_arm64_arm_64" value="chmod 755 &ktest_dir;/breakpoints/breakpoint_test_arm64; cd &ktest_dir;/breakpoints; ./breakpoint_test_arm64" /> <option name="test-command-line" key="capabilities_test_execve_arm_64" value="chmod 755 &ktest_dir;/capabilities/test_execve; cd &ktest_dir;/capabilities; ./test_execve" /> - <option name="test-command-line" key="futex_functional_run.sh_arm_64" value="chmod 755 &ktest_dir;/futex/functional/run.sh; cd &ktest_dir;/futex/functional; ./run.sh" /> + <option name="test-command-line" key="futex_functional_run.sh_arm_64" value="chmod 755 &ktest_dir;/futex/functional/run.sh; cd &ktest_dir;/futex/functional; USE_COLOR=0 ./run.sh" /> <option name="test-command-line" key="kcmp_kcmp_test_arm_64" value="chmod 755 &ktest_dir;/kcmp/kcmp_test; cd &ktest_dir;/kcmp; ./kcmp_test" /> - <option name="test-command-line" key="kvm_pvm_wipe_mem_arm_64" value="chmod 755 &ktest_dir;/kvm/aarch64/pvm_wipe_mem; cd &ktest_dir;/kvm/aarch64; ./pvm_wipe_mem" /> + <option name="test-command-line" key="kvm_pvm_wipe_mem_arm_64" value="chmod 755 &ktest_dir;/kvm/aarch64/pvm_wipe_mem; cd &ktest_dir;/kvm/aarch64; ./pvm_wipe_mem" /> <option name="test-command-line" key="net_psock_tpacket_arm_64" value="chmod 755 &ktest_dir;/net/psock_tpacket; cd &ktest_dir;/net; ./psock_tpacket" /> <option name="test-command-line" key="net_reuseaddr_conflict_arm_64" value="chmod 755 &ktest_dir;/net/reuseaddr_conflict; cd &ktest_dir;/net; ./reuseaddr_conflict" /> <option name="test-command-line" key="net_socket_arm_64" value="chmod 755 &ktest_dir;/net/socket; cd &ktest_dir;/net; ./socket" /> diff --git a/linux_kselftest/testcases/vts_linux_kselftest_x86_32.xml b/linux_kselftest/testcases/vts_linux_kselftest_x86_32.xml index 01375908..60ccc0f1 100644 --- a/linux_kselftest/testcases/vts_linux_kselftest_x86_32.xml +++ b/linux_kselftest/testcases/vts_linux_kselftest_x86_32.xml @@ -33,9 +33,9 @@ <test class="com.android.tradefed.testtype.binary.KernelTargetTest" > <option name="exit-code-skip" value="4" /> - <option name="test-command-line" key="binderfs_x86_32" value="chmod 755 &ktest_dir;/filesystems/binderfs/binderfs_test; cd &ktest_dir;/filesystems/binderfs; ./binderfs_test" /> + <option name="test-command-line" key="binderfs_x86_32" value="chmod 755 &ktest_dir;/filesystems/binderfs/binderfs_test; cd &ktest_dir;/filesystems/binderfs; ./binderfs_test" /> <option name="test-command-line" key="capabilities_test_execve_x86_32" value="chmod 755 &ktest_dir;/capabilities/test_execve; cd &ktest_dir;/capabilities; ./test_execve" /> - <option name="test-command-line" key="futex_functional_run.sh_x86_32" value="chmod 755 &ktest_dir;/futex/functional/run.sh; cd &ktest_dir;/futex/functional; ./run.sh" /> + <option name="test-command-line" key="futex_functional_run.sh_x86_32" value="chmod 755 &ktest_dir;/futex/functional/run.sh; cd &ktest_dir;/futex/functional; USE_COLOR=0 ./run.sh" /> <option name="test-command-line" key="kcmp_kcmp_test_x86_32" value="chmod 755 &ktest_dir;/kcmp/kcmp_test; cd &ktest_dir;/kcmp; ./kcmp_test" /> <option name="test-command-line" key="net_reuseaddr_conflict_x86_32" value="chmod 755 &ktest_dir;/net/reuseaddr_conflict; cd &ktest_dir;/net; ./reuseaddr_conflict" /> <option name="test-command-line" key="net_socket_x86_32" value="chmod 755 &ktest_dir;/net/socket; cd &ktest_dir;/net; ./socket" /> diff --git a/linux_kselftest/testcases/vts_linux_kselftest_x86_64.xml b/linux_kselftest/testcases/vts_linux_kselftest_x86_64.xml index 2022e27c..85e5f2be 100644 --- a/linux_kselftest/testcases/vts_linux_kselftest_x86_64.xml +++ b/linux_kselftest/testcases/vts_linux_kselftest_x86_64.xml @@ -33,9 +33,9 @@ <test class="com.android.tradefed.testtype.binary.KernelTargetTest" > <option name="exit-code-skip" value="4" /> - <option name="test-command-line" key="binderfs_x86_64" value="chmod 755 &ktest_dir;/filesystems/binderfs/binderfs_test; cd &ktest_dir;/filesystems/binderfs; ./binderfs_test" /> + <option name="test-command-line" key="binderfs_x86_64" value="chmod 755 &ktest_dir;/filesystems/binderfs/binderfs_test; cd &ktest_dir;/filesystems/binderfs; ./binderfs_test" /> <option name="test-command-line" key="capabilities_test_execve_x86_64" value="chmod 755 &ktest_dir;/capabilities/test_execve; cd &ktest_dir;/capabilities; ./test_execve" /> - <option name="test-command-line" key="futex_functional_run.sh_x86_64" value="chmod 755 &ktest_dir;/futex/functional/run.sh; cd &ktest_dir;/futex/functional; ./run.sh" /> + <option name="test-command-line" key="futex_functional_run.sh_x86_64" value="chmod 755 &ktest_dir;/futex/functional/run.sh; cd &ktest_dir;/futex/functional; USE_COLOR=0 ./run.sh" /> <option name="test-command-line" key="kcmp_kcmp_test_x86_64" value="chmod 755 &ktest_dir;/kcmp/kcmp_test; cd &ktest_dir;/kcmp; ./kcmp_test" /> <option name="test-command-line" key="net_psock_tpacket_x86_64" value="chmod 755 &ktest_dir;/net/psock_tpacket; cd &ktest_dir;/net; ./psock_tpacket" /> <option name="test-command-line" key="net_reuseaddr_conflict_x86_64" value="chmod 755 &ktest_dir;/net/reuseaddr_conflict; cd &ktest_dir;/net; ./reuseaddr_conflict" /> |