1 /*
2 * Copyright (C) 2016 The Android Open Source Project
3 *
4 * Permission is hereby granted, free of charge, to any person
5 * obtaining a copy of this software and associated documentation
6 * files (the "Software"), to deal in the Software without
7 * restriction, including without limitation the rights to use, copy,
8 * modify, merge, publish, distribute, sublicense, and/or sell copies
9 * of the Software, and to permit persons to whom the Software is
10 * furnished to do so, subject to the following conditions:
11 *
12 * The above copyright notice and this permission notice shall be
13 * included in all copies or substantial portions of the Software.
14 *
15 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
16 * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
17 * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
18 * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
19 * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
20 * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
21 * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
22 * SOFTWARE.
23 */
24
25 #include <stdio.h>
26 #include <string.h>
27
28 #include <base/files/file_util.h>
29 #include <gtest/gtest.h>
30 #include <openssl/objects.h>
31 #include <openssl/pem.h>
32 #include <openssl/rsa.h>
33 #include <openssl/sha.h>
34
35 #include <libavb_atx/libavb_atx.h>
36
37 #include "avb_unittest_util.h"
38 #include "fake_avb_ops.h"
39
40 namespace {
41
42 const char kMetadataPath[] = "test/data/atx_metadata.bin";
43 const char kPermanentAttributesPath[] =
44 "test/data/atx_permanent_attributes.bin";
45 const char kPRKPrivateKeyPath[] = "test/data/testkey_atx_prk.pem";
46 const char kPIKPrivateKeyPath[] = "test/data/testkey_atx_pik.pem";
47
48 class ScopedRSA {
49 public:
ScopedRSA(const char * pem_key_path)50 ScopedRSA(const char* pem_key_path) {
51 FILE* file = fopen(pem_key_path, "r");
52 rsa_ = PEM_read_RSAPrivateKey(file, nullptr, nullptr, nullptr);
53 fclose(file);
54 }
55
~ScopedRSA()56 ~ScopedRSA() {
57 if (rsa_) {
58 RSA_free(rsa_);
59 }
60 }
61
62 // PKCS #1 v1.5 signature using SHA512. Returns true on success.
Sign(const void * data_to_sign,size_t length,uint8_t signature[])63 bool Sign(const void* data_to_sign, size_t length, uint8_t signature[]) {
64 uint8_t digest[AVB_SHA512_DIGEST_SIZE];
65 const unsigned char* data_to_sign_buf =
66 reinterpret_cast<const unsigned char*>(data_to_sign);
67 SHA512(data_to_sign_buf, length, digest);
68 unsigned int signature_length = 0;
69 return (1 == RSA_sign(NID_sha512,
70 digest,
71 AVB_SHA512_DIGEST_SIZE,
72 signature,
73 &signature_length,
74 rsa_));
75 }
76
77 private:
78 RSA* rsa_;
79 };
80
81 } /* namespace */
82
83 namespace avb {
84
85 class AvbAtxValidateTest : public ::testing::Test, public FakeAvbOpsDelegate {
86 public:
~AvbAtxValidateTest()87 ~AvbAtxValidateTest() override {}
88
SetUp()89 void SetUp() override {
90 ReadDefaultData();
91 ops_.set_delegate(this);
92 ops_.set_permanent_attributes(attributes_);
93 ops_.set_stored_rollback_indexes(
94 {{AVB_ATX_PIK_VERSION_LOCATION, 0}, {AVB_ATX_PSK_VERSION_LOCATION, 0}});
95 }
96
97 // FakeAvbOpsDelegate methods.
read_from_partition(const char * partition,int64_t offset,size_t num_bytes,void * buffer,size_t * out_num_read)98 AvbIOResult read_from_partition(const char* partition,
99 int64_t offset,
100 size_t num_bytes,
101 void* buffer,
102 size_t* out_num_read) override {
103 // Expect method not used.
104 return AVB_IO_RESULT_ERROR_NO_SUCH_PARTITION;
105 }
106
write_to_partition(const char * partition,int64_t offset,size_t num_bytes,const void * buffer)107 AvbIOResult write_to_partition(const char* partition,
108 int64_t offset,
109 size_t num_bytes,
110 const void* buffer) override {
111 // Expect method not used.
112 return AVB_IO_RESULT_ERROR_NO_SUCH_PARTITION;
113 }
114
validate_vbmeta_public_key(AvbOps * ops,const uint8_t * public_key_data,size_t public_key_length,const uint8_t * public_key_metadata,size_t public_key_metadata_length,bool * out_key_is_trusted)115 AvbIOResult validate_vbmeta_public_key(AvbOps* ops,
116 const uint8_t* public_key_data,
117 size_t public_key_length,
118 const uint8_t* public_key_metadata,
119 size_t public_key_metadata_length,
120 bool* out_key_is_trusted) override {
121 // Expect method not used.
122 return AVB_IO_RESULT_ERROR_NO_SUCH_PARTITION;
123 }
124
read_rollback_index(AvbOps * ops,size_t rollback_index_slot,uint64_t * out_rollback_index)125 AvbIOResult read_rollback_index(AvbOps* ops,
126 size_t rollback_index_slot,
127 uint64_t* out_rollback_index) override {
128 if ((fail_read_pik_rollback_index_ &&
129 rollback_index_slot == AVB_ATX_PIK_VERSION_LOCATION) ||
130 (fail_read_psk_rollback_index_ &&
131 rollback_index_slot == AVB_ATX_PSK_VERSION_LOCATION)) {
132 return AVB_IO_RESULT_ERROR_IO;
133 }
134 return ops_.read_rollback_index(
135 ops, rollback_index_slot, out_rollback_index);
136 }
137
write_rollback_index(AvbOps * ops,size_t rollback_index_slot,uint64_t rollback_index)138 AvbIOResult write_rollback_index(AvbOps* ops,
139 size_t rollback_index_slot,
140 uint64_t rollback_index) override {
141 // Expect method not used.
142 return AVB_IO_RESULT_ERROR_NO_SUCH_PARTITION;
143 }
144
read_is_device_unlocked(AvbOps * ops,bool * out_is_device_unlocked)145 AvbIOResult read_is_device_unlocked(AvbOps* ops,
146 bool* out_is_device_unlocked) override {
147 // Expect method not used.
148 return AVB_IO_RESULT_ERROR_NO_SUCH_PARTITION;
149 }
150
get_unique_guid_for_partition(AvbOps * ops,const char * partition,char * guid_buf,size_t guid_buf_size)151 AvbIOResult get_unique_guid_for_partition(AvbOps* ops,
152 const char* partition,
153 char* guid_buf,
154 size_t guid_buf_size) override {
155 // Expect method not used.
156 return AVB_IO_RESULT_ERROR_NO_SUCH_PARTITION;
157 }
158
get_size_of_partition(AvbOps * ops,const char * partition,uint64_t * out_size)159 AvbIOResult get_size_of_partition(AvbOps* ops,
160 const char* partition,
161 uint64_t* out_size) override {
162 // Expect method not used.
163 return AVB_IO_RESULT_ERROR_NO_SUCH_PARTITION;
164 }
165
read_permanent_attributes(AvbAtxPermanentAttributes * attributes)166 AvbIOResult read_permanent_attributes(
167 AvbAtxPermanentAttributes* attributes) override {
168 if (fail_read_permanent_attributes_) {
169 return AVB_IO_RESULT_ERROR_IO;
170 }
171 return ops_.read_permanent_attributes(attributes);
172 }
173
read_permanent_attributes_hash(uint8_t hash[AVB_SHA256_DIGEST_SIZE])174 AvbIOResult read_permanent_attributes_hash(
175 uint8_t hash[AVB_SHA256_DIGEST_SIZE]) override {
176 if (fail_read_permanent_attributes_hash_) {
177 return AVB_IO_RESULT_ERROR_IO;
178 }
179 return ops_.read_permanent_attributes_hash(hash);
180 }
181
182 protected:
Validate(bool * is_trusted)183 virtual AvbIOResult Validate(bool* is_trusted) {
184 return avb_atx_validate_vbmeta_public_key(
185 ops_.avb_ops(),
186 metadata_.product_signing_key_certificate.signed_data.public_key,
187 AVB_ATX_PUBLIC_KEY_SIZE,
188 reinterpret_cast<const uint8_t*>(&metadata_),
189 sizeof(metadata_),
190 is_trusted);
191 }
192
SignPIKCertificate()193 void SignPIKCertificate() {
194 memset(metadata_.product_intermediate_key_certificate.signature,
195 0,
196 AVB_RSA4096_NUM_BYTES);
197 ScopedRSA key(kPRKPrivateKeyPath);
198 ASSERT_TRUE(
199 key.Sign(&metadata_.product_intermediate_key_certificate.signed_data,
200 sizeof(AvbAtxCertificateSignedData),
201 metadata_.product_intermediate_key_certificate.signature));
202 }
203
SignPSKCertificate()204 void SignPSKCertificate() {
205 memset(metadata_.product_signing_key_certificate.signature,
206 0,
207 AVB_RSA4096_NUM_BYTES);
208 ScopedRSA key(kPIKPrivateKeyPath);
209 ASSERT_TRUE(key.Sign(&metadata_.product_signing_key_certificate.signed_data,
210 sizeof(AvbAtxCertificateSignedData),
211 metadata_.product_signing_key_certificate.signature));
212 }
213
214 FakeAvbOps ops_;
215 AvbAtxPermanentAttributes attributes_;
216 AvbAtxPublicKeyMetadata metadata_;
217 bool fail_read_permanent_attributes_{false};
218 bool fail_read_permanent_attributes_hash_{false};
219 bool fail_read_pik_rollback_index_{false};
220 bool fail_read_psk_rollback_index_{false};
221
222 private:
ReadDefaultData()223 void ReadDefaultData() {
224 std::string tmp;
225 ASSERT_TRUE(base::ReadFileToString(base::FilePath(kMetadataPath), &tmp));
226 ASSERT_EQ(tmp.size(), sizeof(AvbAtxPublicKeyMetadata));
227 memcpy(&metadata_, tmp.data(), tmp.size());
228 ASSERT_TRUE(
229 base::ReadFileToString(base::FilePath(kPermanentAttributesPath), &tmp));
230 ASSERT_EQ(tmp.size(), sizeof(AvbAtxPermanentAttributes));
231 memcpy(&attributes_, tmp.data(), tmp.size());
232 }
233 };
234
TEST_F(AvbAtxValidateTest,Success)235 TEST_F(AvbAtxValidateTest, Success) {
236 bool is_trusted = false;
237 EXPECT_EQ(AVB_IO_RESULT_OK, Validate(&is_trusted));
238 EXPECT_TRUE(is_trusted);
239 }
240
TEST_F(AvbAtxValidateTest,SuccessAfterNewSign)241 TEST_F(AvbAtxValidateTest, SuccessAfterNewSign) {
242 std::string old_pik_sig(
243 reinterpret_cast<char*>(
244 metadata_.product_intermediate_key_certificate.signature),
245 AVB_RSA4096_NUM_BYTES);
246 std::string old_psk_sig(
247 reinterpret_cast<char*>(
248 metadata_.product_signing_key_certificate.signature),
249 AVB_RSA4096_NUM_BYTES);
250 SignPIKCertificate();
251 SignPSKCertificate();
252 std::string new_pik_sig(
253 reinterpret_cast<char*>(
254 metadata_.product_intermediate_key_certificate.signature),
255 AVB_RSA4096_NUM_BYTES);
256 std::string new_psk_sig(
257 reinterpret_cast<char*>(
258 metadata_.product_signing_key_certificate.signature),
259 AVB_RSA4096_NUM_BYTES);
260 EXPECT_EQ(old_pik_sig, new_pik_sig);
261 EXPECT_EQ(old_psk_sig, new_psk_sig);
262 bool is_trusted = false;
263 EXPECT_EQ(AVB_IO_RESULT_OK, Validate(&is_trusted));
264 EXPECT_TRUE(is_trusted);
265 }
266
TEST_F(AvbAtxValidateTest,FailReadPermamentAttributes)267 TEST_F(AvbAtxValidateTest, FailReadPermamentAttributes) {
268 fail_read_permanent_attributes_ = true;
269 bool is_trusted = true;
270 EXPECT_EQ(AVB_IO_RESULT_ERROR_IO, Validate(&is_trusted));
271 EXPECT_FALSE(is_trusted);
272 }
273
TEST_F(AvbAtxValidateTest,FailReadPermamentAttributesHash)274 TEST_F(AvbAtxValidateTest, FailReadPermamentAttributesHash) {
275 fail_read_permanent_attributes_hash_ = true;
276 bool is_trusted = true;
277 EXPECT_EQ(AVB_IO_RESULT_ERROR_IO, Validate(&is_trusted));
278 EXPECT_FALSE(is_trusted);
279 }
280
TEST_F(AvbAtxValidateTest,UnsupportedPermanentAttributesVersion)281 TEST_F(AvbAtxValidateTest, UnsupportedPermanentAttributesVersion) {
282 attributes_.version = 25;
283 ops_.set_permanent_attributes(attributes_);
284 bool is_trusted = true;
285 EXPECT_EQ(AVB_IO_RESULT_OK, Validate(&is_trusted));
286 EXPECT_FALSE(is_trusted);
287 }
288
TEST_F(AvbAtxValidateTest,PermanentAttributesHashMismatch)289 TEST_F(AvbAtxValidateTest, PermanentAttributesHashMismatch) {
290 ops_.set_permanent_attributes_hash("bad_hash");
291 bool is_trusted = true;
292 EXPECT_EQ(AVB_IO_RESULT_OK, Validate(&is_trusted));
293 EXPECT_FALSE(is_trusted);
294 }
295
296 // A fixture with parameterized metadata length.
297 class AvbAtxValidateTestWithMetadataLength
298 : public AvbAtxValidateTest,
299 public ::testing::WithParamInterface<size_t> {
300 protected:
Validate(bool * is_trusted)301 AvbIOResult Validate(bool* is_trusted) override {
302 return avb_atx_validate_vbmeta_public_key(
303 ops_.avb_ops(),
304 metadata_.product_signing_key_certificate.signed_data.public_key,
305 AVB_ATX_PUBLIC_KEY_SIZE,
306 reinterpret_cast<const uint8_t*>(&metadata_),
307 GetParam(),
308 is_trusted);
309 }
310 };
311
TEST_P(AvbAtxValidateTestWithMetadataLength,InvalidMetadataLength)312 TEST_P(AvbAtxValidateTestWithMetadataLength, InvalidMetadataLength) {
313 bool is_trusted = true;
314 EXPECT_EQ(AVB_IO_RESULT_OK, Validate(&is_trusted));
315 EXPECT_FALSE(is_trusted);
316 }
317
318 // Test a bunch of invalid metadata length values.
319 INSTANTIATE_TEST_CASE_P(P,
320 AvbAtxValidateTestWithMetadataLength,
321 ::testing::Values(0,
322 1,
323 sizeof(AvbAtxPublicKeyMetadata) - 1,
324 sizeof(AvbAtxPublicKeyMetadata) + 1,
325 -1));
326
TEST_F(AvbAtxValidateTest,UnsupportedMetadataVersion)327 TEST_F(AvbAtxValidateTest, UnsupportedMetadataVersion) {
328 metadata_.version = 25;
329 bool is_trusted = true;
330 EXPECT_EQ(AVB_IO_RESULT_OK, Validate(&is_trusted));
331 EXPECT_FALSE(is_trusted);
332 }
333
TEST_F(AvbAtxValidateTest,FailReadPIKRollbackIndex)334 TEST_F(AvbAtxValidateTest, FailReadPIKRollbackIndex) {
335 fail_read_pik_rollback_index_ = true;
336 bool is_trusted = true;
337 EXPECT_EQ(AVB_IO_RESULT_ERROR_IO, Validate(&is_trusted));
338 EXPECT_FALSE(is_trusted);
339 }
340
TEST_F(AvbAtxValidateTest,UnsupportedPIKCertificateVersion)341 TEST_F(AvbAtxValidateTest, UnsupportedPIKCertificateVersion) {
342 metadata_.product_intermediate_key_certificate.signed_data.version = 25;
343 SignPIKCertificate();
344 bool is_trusted = true;
345 EXPECT_EQ(AVB_IO_RESULT_OK, Validate(&is_trusted));
346 EXPECT_FALSE(is_trusted);
347 }
348
TEST_F(AvbAtxValidateTest,BadPIKCert_ModifiedSubjectPublicKey)349 TEST_F(AvbAtxValidateTest, BadPIKCert_ModifiedSubjectPublicKey) {
350 metadata_.product_intermediate_key_certificate.signed_data.public_key[0] ^= 1;
351 bool is_trusted = true;
352 EXPECT_EQ(AVB_IO_RESULT_OK, Validate(&is_trusted));
353 EXPECT_FALSE(is_trusted);
354 }
355
TEST_F(AvbAtxValidateTest,BadPIKCert_ModifiedSubject)356 TEST_F(AvbAtxValidateTest, BadPIKCert_ModifiedSubject) {
357 metadata_.product_intermediate_key_certificate.signed_data.subject[0] ^= 1;
358 bool is_trusted = true;
359 EXPECT_EQ(AVB_IO_RESULT_OK, Validate(&is_trusted));
360 EXPECT_FALSE(is_trusted);
361 }
362
TEST_F(AvbAtxValidateTest,BadPIKCert_ModifiedUsage)363 TEST_F(AvbAtxValidateTest, BadPIKCert_ModifiedUsage) {
364 metadata_.product_intermediate_key_certificate.signed_data.usage[0] ^= 1;
365 bool is_trusted = true;
366 EXPECT_EQ(AVB_IO_RESULT_OK, Validate(&is_trusted));
367 EXPECT_FALSE(is_trusted);
368 }
369
TEST_F(AvbAtxValidateTest,BadPIKCert_ModifiedKeyVersion)370 TEST_F(AvbAtxValidateTest, BadPIKCert_ModifiedKeyVersion) {
371 metadata_.product_intermediate_key_certificate.signed_data.key_version ^= 1;
372 bool is_trusted = true;
373 EXPECT_EQ(AVB_IO_RESULT_OK, Validate(&is_trusted));
374 EXPECT_FALSE(is_trusted);
375 }
376
TEST_F(AvbAtxValidateTest,BadPIKCert_BadSignature)377 TEST_F(AvbAtxValidateTest, BadPIKCert_BadSignature) {
378 metadata_.product_intermediate_key_certificate.signature[0] ^= 1;
379 bool is_trusted = true;
380 EXPECT_EQ(AVB_IO_RESULT_OK, Validate(&is_trusted));
381 EXPECT_FALSE(is_trusted);
382 }
383
TEST_F(AvbAtxValidateTest,PIKCertSubjectIgnored)384 TEST_F(AvbAtxValidateTest, PIKCertSubjectIgnored) {
385 metadata_.product_intermediate_key_certificate.signed_data.subject[0] ^= 1;
386 SignPIKCertificate();
387 bool is_trusted = false;
388 EXPECT_EQ(AVB_IO_RESULT_OK, Validate(&is_trusted));
389 EXPECT_TRUE(is_trusted);
390 }
391
TEST_F(AvbAtxValidateTest,PIKCertUnexpectedUsage)392 TEST_F(AvbAtxValidateTest, PIKCertUnexpectedUsage) {
393 metadata_.product_intermediate_key_certificate.signed_data.usage[0] ^= 1;
394 SignPIKCertificate();
395 bool is_trusted = true;
396 EXPECT_EQ(AVB_IO_RESULT_OK, Validate(&is_trusted));
397 EXPECT_FALSE(is_trusted);
398 }
399
TEST_F(AvbAtxValidateTest,PIKRollback)400 TEST_F(AvbAtxValidateTest, PIKRollback) {
401 ops_.set_stored_rollback_indexes(
402 {{AVB_ATX_PIK_VERSION_LOCATION,
403 metadata_.product_intermediate_key_certificate.signed_data.key_version +
404 1},
405 {AVB_ATX_PSK_VERSION_LOCATION, 0}});
406 bool is_trusted = true;
407 EXPECT_EQ(AVB_IO_RESULT_OK, Validate(&is_trusted));
408 EXPECT_FALSE(is_trusted);
409 }
410
TEST_F(AvbAtxValidateTest,FailReadPSKRollbackIndex)411 TEST_F(AvbAtxValidateTest, FailReadPSKRollbackIndex) {
412 fail_read_psk_rollback_index_ = true;
413 bool is_trusted = true;
414 EXPECT_EQ(AVB_IO_RESULT_ERROR_IO, Validate(&is_trusted));
415 EXPECT_FALSE(is_trusted);
416 }
417
TEST_F(AvbAtxValidateTest,UnsupportedPSKCertificateVersion)418 TEST_F(AvbAtxValidateTest, UnsupportedPSKCertificateVersion) {
419 metadata_.product_signing_key_certificate.signed_data.version = 25;
420 SignPSKCertificate();
421 bool is_trusted = true;
422 EXPECT_EQ(AVB_IO_RESULT_OK, Validate(&is_trusted));
423 EXPECT_FALSE(is_trusted);
424 }
425
TEST_F(AvbAtxValidateTest,BadPSKCert_ModifiedSubjectPublicKey)426 TEST_F(AvbAtxValidateTest, BadPSKCert_ModifiedSubjectPublicKey) {
427 metadata_.product_signing_key_certificate.signed_data.public_key[0] ^= 1;
428 bool is_trusted = true;
429 EXPECT_EQ(AVB_IO_RESULT_OK, Validate(&is_trusted));
430 EXPECT_FALSE(is_trusted);
431 }
432
TEST_F(AvbAtxValidateTest,BadPSKCert_ModifiedSubject)433 TEST_F(AvbAtxValidateTest, BadPSKCert_ModifiedSubject) {
434 metadata_.product_signing_key_certificate.signed_data.subject[0] ^= 1;
435 bool is_trusted = true;
436 EXPECT_EQ(AVB_IO_RESULT_OK, Validate(&is_trusted));
437 EXPECT_FALSE(is_trusted);
438 }
439
TEST_F(AvbAtxValidateTest,BadPSKCert_ModifiedUsage)440 TEST_F(AvbAtxValidateTest, BadPSKCert_ModifiedUsage) {
441 metadata_.product_signing_key_certificate.signed_data.usage[0] ^= 1;
442 bool is_trusted = true;
443 EXPECT_EQ(AVB_IO_RESULT_OK, Validate(&is_trusted));
444 EXPECT_FALSE(is_trusted);
445 }
446
TEST_F(AvbAtxValidateTest,BadPSKCert_ModifiedKeyVersion)447 TEST_F(AvbAtxValidateTest, BadPSKCert_ModifiedKeyVersion) {
448 metadata_.product_signing_key_certificate.signed_data.key_version ^= 1;
449 bool is_trusted = true;
450 EXPECT_EQ(AVB_IO_RESULT_OK, Validate(&is_trusted));
451 EXPECT_FALSE(is_trusted);
452 }
453
TEST_F(AvbAtxValidateTest,BadPSKCert_BadSignature)454 TEST_F(AvbAtxValidateTest, BadPSKCert_BadSignature) {
455 metadata_.product_signing_key_certificate.signature[0] ^= 1;
456 bool is_trusted = true;
457 EXPECT_EQ(AVB_IO_RESULT_OK, Validate(&is_trusted));
458 EXPECT_FALSE(is_trusted);
459 }
460
TEST_F(AvbAtxValidateTest,PSKCertUnexpectedSubject)461 TEST_F(AvbAtxValidateTest, PSKCertUnexpectedSubject) {
462 metadata_.product_signing_key_certificate.signed_data.subject[0] ^= 1;
463 SignPSKCertificate();
464 bool is_trusted = true;
465 EXPECT_EQ(AVB_IO_RESULT_OK, Validate(&is_trusted));
466 EXPECT_FALSE(is_trusted);
467 }
468
TEST_F(AvbAtxValidateTest,PSKCertUnexpectedUsage)469 TEST_F(AvbAtxValidateTest, PSKCertUnexpectedUsage) {
470 metadata_.product_signing_key_certificate.signed_data.usage[0] ^= 1;
471 SignPSKCertificate();
472 bool is_trusted = true;
473 EXPECT_EQ(AVB_IO_RESULT_OK, Validate(&is_trusted));
474 EXPECT_FALSE(is_trusted);
475 }
476
TEST_F(AvbAtxValidateTest,PSKRollback)477 TEST_F(AvbAtxValidateTest, PSKRollback) {
478 ops_.set_stored_rollback_indexes(
479 {{AVB_ATX_PIK_VERSION_LOCATION, 0},
480 {AVB_ATX_PSK_VERSION_LOCATION,
481 metadata_.product_signing_key_certificate.signed_data.key_version +
482 1}});
483 bool is_trusted = true;
484 EXPECT_EQ(AVB_IO_RESULT_OK, Validate(&is_trusted));
485 EXPECT_FALSE(is_trusted);
486 }
487
488 // A fixture with parameterized public key length.
489 class AvbAtxValidateTestWithPublicKeyLength
490 : public AvbAtxValidateTest,
491 public ::testing::WithParamInterface<size_t> {
492 protected:
Validate(bool * is_trusted)493 AvbIOResult Validate(bool* is_trusted) override {
494 return avb_atx_validate_vbmeta_public_key(
495 ops_.avb_ops(),
496 metadata_.product_signing_key_certificate.signed_data.public_key,
497 GetParam(),
498 reinterpret_cast<const uint8_t*>(&metadata_),
499 sizeof(metadata_),
500 is_trusted);
501 }
502 };
503
TEST_P(AvbAtxValidateTestWithPublicKeyLength,InvalidPublicKeyLength)504 TEST_P(AvbAtxValidateTestWithPublicKeyLength, InvalidPublicKeyLength) {
505 bool is_trusted = true;
506 EXPECT_EQ(AVB_IO_RESULT_OK, Validate(&is_trusted));
507 EXPECT_FALSE(is_trusted);
508 }
509
510 // Test a bunch of invalid public key length values.
511 INSTANTIATE_TEST_CASE_P(P,
512 AvbAtxValidateTestWithPublicKeyLength,
513 ::testing::Values(0,
514 1,
515 AVB_ATX_PUBLIC_KEY_SIZE - 1,
516 AVB_ATX_PUBLIC_KEY_SIZE + 1,
517 AVB_ATX_PUBLIC_KEY_SIZE - 512,
518 -1));
519
TEST_F(AvbAtxValidateTest,PSKMismatch)520 TEST_F(AvbAtxValidateTest, PSKMismatch) {
521 uint8_t bad_key[AVB_ATX_PUBLIC_KEY_SIZE] = {};
522 bool is_trusted = true;
523 EXPECT_EQ(AVB_IO_RESULT_OK,
524 avb_atx_validate_vbmeta_public_key(
525 ops_.avb_ops(),
526 bad_key,
527 AVB_ATX_PUBLIC_KEY_SIZE,
528 reinterpret_cast<const uint8_t*>(&metadata_),
529 sizeof(metadata_),
530 &is_trusted));
531 EXPECT_FALSE(is_trusted);
532 }
533
534 // A fixture for testing avb_slot_verify() with ATX.
535 class AvbAtxSlotVerifyTest : public BaseAvbToolTest, public FakeAvbOpsDelegate {
536 public:
537 ~AvbAtxSlotVerifyTest() override = default;
538
SetUp()539 void SetUp() override {
540 BaseAvbToolTest::SetUp();
541 ReadAtxDefaultData();
542 ops_.set_partition_dir(testdir_);
543 ops_.set_delegate(this);
544 ops_.set_permanent_attributes(attributes_);
545 ops_.set_stored_rollback_indexes({{0, 0},
546 {1, 0},
547 {2, 0},
548 {3, 0},
549 {AVB_ATX_PIK_VERSION_LOCATION, 0},
550 {AVB_ATX_PSK_VERSION_LOCATION, 0}});
551 ops_.set_stored_is_device_unlocked(false);
552 }
553
554 // FakeAvbOpsDelegate methods. All forward to FakeAvbOps default except for
555 // validate_vbmeta_public_key().
read_from_partition(const char * partition,int64_t offset,size_t num_bytes,void * buffer,size_t * out_num_read)556 AvbIOResult read_from_partition(const char* partition,
557 int64_t offset,
558 size_t num_bytes,
559 void* buffer,
560 size_t* out_num_read) override {
561 return ops_.read_from_partition(
562 partition, offset, num_bytes, buffer, out_num_read);
563 }
564
write_to_partition(const char * partition,int64_t offset,size_t num_bytes,const void * buffer)565 AvbIOResult write_to_partition(const char* partition,
566 int64_t offset,
567 size_t num_bytes,
568 const void* buffer) override {
569 return ops_.write_to_partition(partition, offset, num_bytes, buffer);
570 }
571
validate_vbmeta_public_key(AvbOps * ops,const uint8_t * public_key_data,size_t public_key_length,const uint8_t * public_key_metadata,size_t public_key_metadata_length,bool * out_key_is_trusted)572 AvbIOResult validate_vbmeta_public_key(AvbOps* ops,
573 const uint8_t* public_key_data,
574 size_t public_key_length,
575 const uint8_t* public_key_metadata,
576 size_t public_key_metadata_length,
577 bool* out_key_is_trusted) override {
578 // Send to ATX implementation.
579 ++num_atx_calls_;
580 return avb_atx_validate_vbmeta_public_key(ops_.avb_ops(),
581 public_key_data,
582 public_key_length,
583 public_key_metadata,
584 public_key_metadata_length,
585 out_key_is_trusted);
586 }
587
read_rollback_index(AvbOps * ops,size_t rollback_index_slot,uint64_t * out_rollback_index)588 AvbIOResult read_rollback_index(AvbOps* ops,
589 size_t rollback_index_slot,
590 uint64_t* out_rollback_index) override {
591 return ops_.read_rollback_index(
592 ops, rollback_index_slot, out_rollback_index);
593 }
594
write_rollback_index(AvbOps * ops,size_t rollback_index_slot,uint64_t rollback_index)595 AvbIOResult write_rollback_index(AvbOps* ops,
596 size_t rollback_index_slot,
597 uint64_t rollback_index) override {
598 return ops_.write_rollback_index(ops, rollback_index_slot, rollback_index);
599 }
600
read_is_device_unlocked(AvbOps * ops,bool * out_is_device_unlocked)601 AvbIOResult read_is_device_unlocked(AvbOps* ops,
602 bool* out_is_device_unlocked) override {
603 return ops_.read_is_device_unlocked(ops, out_is_device_unlocked);
604 }
605
get_unique_guid_for_partition(AvbOps * ops,const char * partition,char * guid_buf,size_t guid_buf_size)606 AvbIOResult get_unique_guid_for_partition(AvbOps* ops,
607 const char* partition,
608 char* guid_buf,
609 size_t guid_buf_size) override {
610 return ops_.get_unique_guid_for_partition(
611 ops, partition, guid_buf, guid_buf_size);
612 }
613
get_size_of_partition(AvbOps * ops,const char * partition,uint64_t * out_size)614 AvbIOResult get_size_of_partition(AvbOps* ops,
615 const char* partition,
616 uint64_t* out_size) override {
617 return ops_.get_size_of_partition(ops, partition, out_size);
618 }
619
read_permanent_attributes(AvbAtxPermanentAttributes * attributes)620 AvbIOResult read_permanent_attributes(
621 AvbAtxPermanentAttributes* attributes) override {
622 return ops_.read_permanent_attributes(attributes);
623 }
624
read_permanent_attributes_hash(uint8_t hash[AVB_SHA256_DIGEST_SIZE])625 AvbIOResult read_permanent_attributes_hash(
626 uint8_t hash[AVB_SHA256_DIGEST_SIZE]) override {
627 return ops_.read_permanent_attributes_hash(hash);
628 }
629
630 protected:
631 FakeAvbOps ops_;
632 AvbAtxPermanentAttributes attributes_;
633 int num_atx_calls_ = 0;
634
635 private:
ReadAtxDefaultData()636 void ReadAtxDefaultData() {
637 std::string tmp;
638 ASSERT_TRUE(
639 base::ReadFileToString(base::FilePath(kPermanentAttributesPath), &tmp));
640 ASSERT_EQ(tmp.size(), sizeof(AvbAtxPermanentAttributes));
641 memcpy(&attributes_, tmp.data(), tmp.size());
642 }
643 };
644
TEST_F(AvbAtxSlotVerifyTest,SlotVerifyWithAtx)645 TEST_F(AvbAtxSlotVerifyTest, SlotVerifyWithAtx) {
646 std::string metadata_option = "--public_key_metadata=";
647 metadata_option += kMetadataPath;
648 GenerateVBMetaImage("vbmeta_a.img",
649 "SHA512_RSA4096",
650 0,
651 base::FilePath("test/data/testkey_atx_psk.pem"),
652 metadata_option);
653
654 ops_.set_expected_public_key(
655 PublicKeyAVB(base::FilePath("test/data/testkey_atx_psk.pem")));
656
657 AvbSlotVerifyData* slot_data = NULL;
658 const char* requested_partitions[] = {"boot", NULL};
659 EXPECT_EQ(AVB_SLOT_VERIFY_RESULT_OK,
660 avb_slot_verify(ops_.avb_ops(),
661 requested_partitions,
662 "_a",
663 AVB_SLOT_VERIFY_FLAGS_NONE,
664 AVB_HASHTREE_ERROR_MODE_RESTART_AND_INVALIDATE,
665 &slot_data));
666 EXPECT_NE(nullptr, slot_data);
667 avb_slot_verify_data_free(slot_data);
668 EXPECT_EQ(1, num_atx_calls_);
669 }
670
671 } // namespace avb
672