• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /*
2  * Copyright (C) 2016 The Android Open Source Project
3  *
4  * Permission is hereby granted, free of charge, to any person
5  * obtaining a copy of this software and associated documentation
6  * files (the "Software"), to deal in the Software without
7  * restriction, including without limitation the rights to use, copy,
8  * modify, merge, publish, distribute, sublicense, and/or sell copies
9  * of the Software, and to permit persons to whom the Software is
10  * furnished to do so, subject to the following conditions:
11  *
12  * The above copyright notice and this permission notice shall be
13  * included in all copies or substantial portions of the Software.
14  *
15  * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
16  * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
17  * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
18  * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
19  * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
20  * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
21  * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
22  * SOFTWARE.
23  */
24 
25 #include <stdio.h>
26 #include <string.h>
27 
28 #include <base/files/file_util.h>
29 #include <gtest/gtest.h>
30 #include <openssl/objects.h>
31 #include <openssl/pem.h>
32 #include <openssl/rsa.h>
33 #include <openssl/sha.h>
34 
35 #include <libavb_atx/libavb_atx.h>
36 
37 #include "avb_unittest_util.h"
38 #include "fake_avb_ops.h"
39 
40 namespace {
41 
42 const char kMetadataPath[] = "test/data/atx_metadata.bin";
43 const char kPermanentAttributesPath[] =
44     "test/data/atx_permanent_attributes.bin";
45 const char kPRKPrivateKeyPath[] = "test/data/testkey_atx_prk.pem";
46 const char kPIKPrivateKeyPath[] = "test/data/testkey_atx_pik.pem";
47 
48 class ScopedRSA {
49  public:
ScopedRSA(const char * pem_key_path)50   ScopedRSA(const char* pem_key_path) {
51     FILE* file = fopen(pem_key_path, "r");
52     rsa_ = PEM_read_RSAPrivateKey(file, nullptr, nullptr, nullptr);
53     fclose(file);
54   }
55 
~ScopedRSA()56   ~ScopedRSA() {
57     if (rsa_) {
58       RSA_free(rsa_);
59     }
60   }
61 
62   // PKCS #1 v1.5 signature using SHA512. Returns true on success.
Sign(const void * data_to_sign,size_t length,uint8_t signature[])63   bool Sign(const void* data_to_sign, size_t length, uint8_t signature[]) {
64     uint8_t digest[AVB_SHA512_DIGEST_SIZE];
65     const unsigned char* data_to_sign_buf =
66         reinterpret_cast<const unsigned char*>(data_to_sign);
67     SHA512(data_to_sign_buf, length, digest);
68     unsigned int signature_length = 0;
69     return (1 == RSA_sign(NID_sha512,
70                           digest,
71                           AVB_SHA512_DIGEST_SIZE,
72                           signature,
73                           &signature_length,
74                           rsa_));
75   }
76 
77  private:
78   RSA* rsa_;
79 };
80 
81 } /* namespace */
82 
83 namespace avb {
84 
85 class AvbAtxValidateTest : public ::testing::Test, public FakeAvbOpsDelegate {
86  public:
~AvbAtxValidateTest()87   ~AvbAtxValidateTest() override {}
88 
SetUp()89   void SetUp() override {
90     ReadDefaultData();
91     ops_.set_delegate(this);
92     ops_.set_permanent_attributes(attributes_);
93     ops_.set_stored_rollback_indexes(
94         {{AVB_ATX_PIK_VERSION_LOCATION, 0}, {AVB_ATX_PSK_VERSION_LOCATION, 0}});
95   }
96 
97   // FakeAvbOpsDelegate methods.
read_from_partition(const char * partition,int64_t offset,size_t num_bytes,void * buffer,size_t * out_num_read)98   AvbIOResult read_from_partition(const char* partition,
99                                   int64_t offset,
100                                   size_t num_bytes,
101                                   void* buffer,
102                                   size_t* out_num_read) override {
103     // Expect method not used.
104     return AVB_IO_RESULT_ERROR_NO_SUCH_PARTITION;
105   }
106 
write_to_partition(const char * partition,int64_t offset,size_t num_bytes,const void * buffer)107   AvbIOResult write_to_partition(const char* partition,
108                                  int64_t offset,
109                                  size_t num_bytes,
110                                  const void* buffer) override {
111     // Expect method not used.
112     return AVB_IO_RESULT_ERROR_NO_SUCH_PARTITION;
113   }
114 
validate_vbmeta_public_key(AvbOps * ops,const uint8_t * public_key_data,size_t public_key_length,const uint8_t * public_key_metadata,size_t public_key_metadata_length,bool * out_key_is_trusted)115   AvbIOResult validate_vbmeta_public_key(AvbOps* ops,
116                                          const uint8_t* public_key_data,
117                                          size_t public_key_length,
118                                          const uint8_t* public_key_metadata,
119                                          size_t public_key_metadata_length,
120                                          bool* out_key_is_trusted) override {
121     // Expect method not used.
122     return AVB_IO_RESULT_ERROR_NO_SUCH_PARTITION;
123   }
124 
read_rollback_index(AvbOps * ops,size_t rollback_index_slot,uint64_t * out_rollback_index)125   AvbIOResult read_rollback_index(AvbOps* ops,
126                                   size_t rollback_index_slot,
127                                   uint64_t* out_rollback_index) override {
128     if ((fail_read_pik_rollback_index_ &&
129          rollback_index_slot == AVB_ATX_PIK_VERSION_LOCATION) ||
130         (fail_read_psk_rollback_index_ &&
131          rollback_index_slot == AVB_ATX_PSK_VERSION_LOCATION)) {
132       return AVB_IO_RESULT_ERROR_IO;
133     }
134     return ops_.read_rollback_index(
135         ops, rollback_index_slot, out_rollback_index);
136   }
137 
write_rollback_index(AvbOps * ops,size_t rollback_index_slot,uint64_t rollback_index)138   AvbIOResult write_rollback_index(AvbOps* ops,
139                                    size_t rollback_index_slot,
140                                    uint64_t rollback_index) override {
141     // Expect method not used.
142     return AVB_IO_RESULT_ERROR_NO_SUCH_PARTITION;
143   }
144 
read_is_device_unlocked(AvbOps * ops,bool * out_is_device_unlocked)145   AvbIOResult read_is_device_unlocked(AvbOps* ops,
146                                       bool* out_is_device_unlocked) override {
147     // Expect method not used.
148     return AVB_IO_RESULT_ERROR_NO_SUCH_PARTITION;
149   }
150 
get_unique_guid_for_partition(AvbOps * ops,const char * partition,char * guid_buf,size_t guid_buf_size)151   AvbIOResult get_unique_guid_for_partition(AvbOps* ops,
152                                             const char* partition,
153                                             char* guid_buf,
154                                             size_t guid_buf_size) override {
155     // Expect method not used.
156     return AVB_IO_RESULT_ERROR_NO_SUCH_PARTITION;
157   }
158 
get_size_of_partition(AvbOps * ops,const char * partition,uint64_t * out_size)159   AvbIOResult get_size_of_partition(AvbOps* ops,
160                                     const char* partition,
161                                     uint64_t* out_size) override {
162     // Expect method not used.
163     return AVB_IO_RESULT_ERROR_NO_SUCH_PARTITION;
164   }
165 
read_permanent_attributes(AvbAtxPermanentAttributes * attributes)166   AvbIOResult read_permanent_attributes(
167       AvbAtxPermanentAttributes* attributes) override {
168     if (fail_read_permanent_attributes_) {
169       return AVB_IO_RESULT_ERROR_IO;
170     }
171     return ops_.read_permanent_attributes(attributes);
172   }
173 
read_permanent_attributes_hash(uint8_t hash[AVB_SHA256_DIGEST_SIZE])174   AvbIOResult read_permanent_attributes_hash(
175       uint8_t hash[AVB_SHA256_DIGEST_SIZE]) override {
176     if (fail_read_permanent_attributes_hash_) {
177       return AVB_IO_RESULT_ERROR_IO;
178     }
179     return ops_.read_permanent_attributes_hash(hash);
180   }
181 
182  protected:
Validate(bool * is_trusted)183   virtual AvbIOResult Validate(bool* is_trusted) {
184     return avb_atx_validate_vbmeta_public_key(
185         ops_.avb_ops(),
186         metadata_.product_signing_key_certificate.signed_data.public_key,
187         AVB_ATX_PUBLIC_KEY_SIZE,
188         reinterpret_cast<const uint8_t*>(&metadata_),
189         sizeof(metadata_),
190         is_trusted);
191   }
192 
SignPIKCertificate()193   void SignPIKCertificate() {
194     memset(metadata_.product_intermediate_key_certificate.signature,
195            0,
196            AVB_RSA4096_NUM_BYTES);
197     ScopedRSA key(kPRKPrivateKeyPath);
198     ASSERT_TRUE(
199         key.Sign(&metadata_.product_intermediate_key_certificate.signed_data,
200                  sizeof(AvbAtxCertificateSignedData),
201                  metadata_.product_intermediate_key_certificate.signature));
202   }
203 
SignPSKCertificate()204   void SignPSKCertificate() {
205     memset(metadata_.product_signing_key_certificate.signature,
206            0,
207            AVB_RSA4096_NUM_BYTES);
208     ScopedRSA key(kPIKPrivateKeyPath);
209     ASSERT_TRUE(key.Sign(&metadata_.product_signing_key_certificate.signed_data,
210                          sizeof(AvbAtxCertificateSignedData),
211                          metadata_.product_signing_key_certificate.signature));
212   }
213 
214   FakeAvbOps ops_;
215   AvbAtxPermanentAttributes attributes_;
216   AvbAtxPublicKeyMetadata metadata_;
217   bool fail_read_permanent_attributes_{false};
218   bool fail_read_permanent_attributes_hash_{false};
219   bool fail_read_pik_rollback_index_{false};
220   bool fail_read_psk_rollback_index_{false};
221 
222  private:
ReadDefaultData()223   void ReadDefaultData() {
224     std::string tmp;
225     ASSERT_TRUE(base::ReadFileToString(base::FilePath(kMetadataPath), &tmp));
226     ASSERT_EQ(tmp.size(), sizeof(AvbAtxPublicKeyMetadata));
227     memcpy(&metadata_, tmp.data(), tmp.size());
228     ASSERT_TRUE(
229         base::ReadFileToString(base::FilePath(kPermanentAttributesPath), &tmp));
230     ASSERT_EQ(tmp.size(), sizeof(AvbAtxPermanentAttributes));
231     memcpy(&attributes_, tmp.data(), tmp.size());
232   }
233 };
234 
TEST_F(AvbAtxValidateTest,Success)235 TEST_F(AvbAtxValidateTest, Success) {
236   bool is_trusted = false;
237   EXPECT_EQ(AVB_IO_RESULT_OK, Validate(&is_trusted));
238   EXPECT_TRUE(is_trusted);
239 }
240 
TEST_F(AvbAtxValidateTest,SuccessAfterNewSign)241 TEST_F(AvbAtxValidateTest, SuccessAfterNewSign) {
242   std::string old_pik_sig(
243       reinterpret_cast<char*>(
244           metadata_.product_intermediate_key_certificate.signature),
245       AVB_RSA4096_NUM_BYTES);
246   std::string old_psk_sig(
247       reinterpret_cast<char*>(
248           metadata_.product_signing_key_certificate.signature),
249       AVB_RSA4096_NUM_BYTES);
250   SignPIKCertificate();
251   SignPSKCertificate();
252   std::string new_pik_sig(
253       reinterpret_cast<char*>(
254           metadata_.product_intermediate_key_certificate.signature),
255       AVB_RSA4096_NUM_BYTES);
256   std::string new_psk_sig(
257       reinterpret_cast<char*>(
258           metadata_.product_signing_key_certificate.signature),
259       AVB_RSA4096_NUM_BYTES);
260   EXPECT_EQ(old_pik_sig, new_pik_sig);
261   EXPECT_EQ(old_psk_sig, new_psk_sig);
262   bool is_trusted = false;
263   EXPECT_EQ(AVB_IO_RESULT_OK, Validate(&is_trusted));
264   EXPECT_TRUE(is_trusted);
265 }
266 
TEST_F(AvbAtxValidateTest,FailReadPermamentAttributes)267 TEST_F(AvbAtxValidateTest, FailReadPermamentAttributes) {
268   fail_read_permanent_attributes_ = true;
269   bool is_trusted = true;
270   EXPECT_EQ(AVB_IO_RESULT_ERROR_IO, Validate(&is_trusted));
271   EXPECT_FALSE(is_trusted);
272 }
273 
TEST_F(AvbAtxValidateTest,FailReadPermamentAttributesHash)274 TEST_F(AvbAtxValidateTest, FailReadPermamentAttributesHash) {
275   fail_read_permanent_attributes_hash_ = true;
276   bool is_trusted = true;
277   EXPECT_EQ(AVB_IO_RESULT_ERROR_IO, Validate(&is_trusted));
278   EXPECT_FALSE(is_trusted);
279 }
280 
TEST_F(AvbAtxValidateTest,UnsupportedPermanentAttributesVersion)281 TEST_F(AvbAtxValidateTest, UnsupportedPermanentAttributesVersion) {
282   attributes_.version = 25;
283   ops_.set_permanent_attributes(attributes_);
284   bool is_trusted = true;
285   EXPECT_EQ(AVB_IO_RESULT_OK, Validate(&is_trusted));
286   EXPECT_FALSE(is_trusted);
287 }
288 
TEST_F(AvbAtxValidateTest,PermanentAttributesHashMismatch)289 TEST_F(AvbAtxValidateTest, PermanentAttributesHashMismatch) {
290   ops_.set_permanent_attributes_hash("bad_hash");
291   bool is_trusted = true;
292   EXPECT_EQ(AVB_IO_RESULT_OK, Validate(&is_trusted));
293   EXPECT_FALSE(is_trusted);
294 }
295 
296 // A fixture with parameterized metadata length.
297 class AvbAtxValidateTestWithMetadataLength
298     : public AvbAtxValidateTest,
299       public ::testing::WithParamInterface<size_t> {
300  protected:
Validate(bool * is_trusted)301   AvbIOResult Validate(bool* is_trusted) override {
302     return avb_atx_validate_vbmeta_public_key(
303         ops_.avb_ops(),
304         metadata_.product_signing_key_certificate.signed_data.public_key,
305         AVB_ATX_PUBLIC_KEY_SIZE,
306         reinterpret_cast<const uint8_t*>(&metadata_),
307         GetParam(),
308         is_trusted);
309   }
310 };
311 
TEST_P(AvbAtxValidateTestWithMetadataLength,InvalidMetadataLength)312 TEST_P(AvbAtxValidateTestWithMetadataLength, InvalidMetadataLength) {
313   bool is_trusted = true;
314   EXPECT_EQ(AVB_IO_RESULT_OK, Validate(&is_trusted));
315   EXPECT_FALSE(is_trusted);
316 }
317 
318 // Test a bunch of invalid metadata length values.
319 INSTANTIATE_TEST_CASE_P(P,
320                         AvbAtxValidateTestWithMetadataLength,
321                         ::testing::Values(0,
322                                           1,
323                                           sizeof(AvbAtxPublicKeyMetadata) - 1,
324                                           sizeof(AvbAtxPublicKeyMetadata) + 1,
325                                           -1));
326 
TEST_F(AvbAtxValidateTest,UnsupportedMetadataVersion)327 TEST_F(AvbAtxValidateTest, UnsupportedMetadataVersion) {
328   metadata_.version = 25;
329   bool is_trusted = true;
330   EXPECT_EQ(AVB_IO_RESULT_OK, Validate(&is_trusted));
331   EXPECT_FALSE(is_trusted);
332 }
333 
TEST_F(AvbAtxValidateTest,FailReadPIKRollbackIndex)334 TEST_F(AvbAtxValidateTest, FailReadPIKRollbackIndex) {
335   fail_read_pik_rollback_index_ = true;
336   bool is_trusted = true;
337   EXPECT_EQ(AVB_IO_RESULT_ERROR_IO, Validate(&is_trusted));
338   EXPECT_FALSE(is_trusted);
339 }
340 
TEST_F(AvbAtxValidateTest,UnsupportedPIKCertificateVersion)341 TEST_F(AvbAtxValidateTest, UnsupportedPIKCertificateVersion) {
342   metadata_.product_intermediate_key_certificate.signed_data.version = 25;
343   SignPIKCertificate();
344   bool is_trusted = true;
345   EXPECT_EQ(AVB_IO_RESULT_OK, Validate(&is_trusted));
346   EXPECT_FALSE(is_trusted);
347 }
348 
TEST_F(AvbAtxValidateTest,BadPIKCert_ModifiedSubjectPublicKey)349 TEST_F(AvbAtxValidateTest, BadPIKCert_ModifiedSubjectPublicKey) {
350   metadata_.product_intermediate_key_certificate.signed_data.public_key[0] ^= 1;
351   bool is_trusted = true;
352   EXPECT_EQ(AVB_IO_RESULT_OK, Validate(&is_trusted));
353   EXPECT_FALSE(is_trusted);
354 }
355 
TEST_F(AvbAtxValidateTest,BadPIKCert_ModifiedSubject)356 TEST_F(AvbAtxValidateTest, BadPIKCert_ModifiedSubject) {
357   metadata_.product_intermediate_key_certificate.signed_data.subject[0] ^= 1;
358   bool is_trusted = true;
359   EXPECT_EQ(AVB_IO_RESULT_OK, Validate(&is_trusted));
360   EXPECT_FALSE(is_trusted);
361 }
362 
TEST_F(AvbAtxValidateTest,BadPIKCert_ModifiedUsage)363 TEST_F(AvbAtxValidateTest, BadPIKCert_ModifiedUsage) {
364   metadata_.product_intermediate_key_certificate.signed_data.usage[0] ^= 1;
365   bool is_trusted = true;
366   EXPECT_EQ(AVB_IO_RESULT_OK, Validate(&is_trusted));
367   EXPECT_FALSE(is_trusted);
368 }
369 
TEST_F(AvbAtxValidateTest,BadPIKCert_ModifiedKeyVersion)370 TEST_F(AvbAtxValidateTest, BadPIKCert_ModifiedKeyVersion) {
371   metadata_.product_intermediate_key_certificate.signed_data.key_version ^= 1;
372   bool is_trusted = true;
373   EXPECT_EQ(AVB_IO_RESULT_OK, Validate(&is_trusted));
374   EXPECT_FALSE(is_trusted);
375 }
376 
TEST_F(AvbAtxValidateTest,BadPIKCert_BadSignature)377 TEST_F(AvbAtxValidateTest, BadPIKCert_BadSignature) {
378   metadata_.product_intermediate_key_certificate.signature[0] ^= 1;
379   bool is_trusted = true;
380   EXPECT_EQ(AVB_IO_RESULT_OK, Validate(&is_trusted));
381   EXPECT_FALSE(is_trusted);
382 }
383 
TEST_F(AvbAtxValidateTest,PIKCertSubjectIgnored)384 TEST_F(AvbAtxValidateTest, PIKCertSubjectIgnored) {
385   metadata_.product_intermediate_key_certificate.signed_data.subject[0] ^= 1;
386   SignPIKCertificate();
387   bool is_trusted = false;
388   EXPECT_EQ(AVB_IO_RESULT_OK, Validate(&is_trusted));
389   EXPECT_TRUE(is_trusted);
390 }
391 
TEST_F(AvbAtxValidateTest,PIKCertUnexpectedUsage)392 TEST_F(AvbAtxValidateTest, PIKCertUnexpectedUsage) {
393   metadata_.product_intermediate_key_certificate.signed_data.usage[0] ^= 1;
394   SignPIKCertificate();
395   bool is_trusted = true;
396   EXPECT_EQ(AVB_IO_RESULT_OK, Validate(&is_trusted));
397   EXPECT_FALSE(is_trusted);
398 }
399 
TEST_F(AvbAtxValidateTest,PIKRollback)400 TEST_F(AvbAtxValidateTest, PIKRollback) {
401   ops_.set_stored_rollback_indexes(
402       {{AVB_ATX_PIK_VERSION_LOCATION,
403         metadata_.product_intermediate_key_certificate.signed_data.key_version +
404             1},
405        {AVB_ATX_PSK_VERSION_LOCATION, 0}});
406   bool is_trusted = true;
407   EXPECT_EQ(AVB_IO_RESULT_OK, Validate(&is_trusted));
408   EXPECT_FALSE(is_trusted);
409 }
410 
TEST_F(AvbAtxValidateTest,FailReadPSKRollbackIndex)411 TEST_F(AvbAtxValidateTest, FailReadPSKRollbackIndex) {
412   fail_read_psk_rollback_index_ = true;
413   bool is_trusted = true;
414   EXPECT_EQ(AVB_IO_RESULT_ERROR_IO, Validate(&is_trusted));
415   EXPECT_FALSE(is_trusted);
416 }
417 
TEST_F(AvbAtxValidateTest,UnsupportedPSKCertificateVersion)418 TEST_F(AvbAtxValidateTest, UnsupportedPSKCertificateVersion) {
419   metadata_.product_signing_key_certificate.signed_data.version = 25;
420   SignPSKCertificate();
421   bool is_trusted = true;
422   EXPECT_EQ(AVB_IO_RESULT_OK, Validate(&is_trusted));
423   EXPECT_FALSE(is_trusted);
424 }
425 
TEST_F(AvbAtxValidateTest,BadPSKCert_ModifiedSubjectPublicKey)426 TEST_F(AvbAtxValidateTest, BadPSKCert_ModifiedSubjectPublicKey) {
427   metadata_.product_signing_key_certificate.signed_data.public_key[0] ^= 1;
428   bool is_trusted = true;
429   EXPECT_EQ(AVB_IO_RESULT_OK, Validate(&is_trusted));
430   EXPECT_FALSE(is_trusted);
431 }
432 
TEST_F(AvbAtxValidateTest,BadPSKCert_ModifiedSubject)433 TEST_F(AvbAtxValidateTest, BadPSKCert_ModifiedSubject) {
434   metadata_.product_signing_key_certificate.signed_data.subject[0] ^= 1;
435   bool is_trusted = true;
436   EXPECT_EQ(AVB_IO_RESULT_OK, Validate(&is_trusted));
437   EXPECT_FALSE(is_trusted);
438 }
439 
TEST_F(AvbAtxValidateTest,BadPSKCert_ModifiedUsage)440 TEST_F(AvbAtxValidateTest, BadPSKCert_ModifiedUsage) {
441   metadata_.product_signing_key_certificate.signed_data.usage[0] ^= 1;
442   bool is_trusted = true;
443   EXPECT_EQ(AVB_IO_RESULT_OK, Validate(&is_trusted));
444   EXPECT_FALSE(is_trusted);
445 }
446 
TEST_F(AvbAtxValidateTest,BadPSKCert_ModifiedKeyVersion)447 TEST_F(AvbAtxValidateTest, BadPSKCert_ModifiedKeyVersion) {
448   metadata_.product_signing_key_certificate.signed_data.key_version ^= 1;
449   bool is_trusted = true;
450   EXPECT_EQ(AVB_IO_RESULT_OK, Validate(&is_trusted));
451   EXPECT_FALSE(is_trusted);
452 }
453 
TEST_F(AvbAtxValidateTest,BadPSKCert_BadSignature)454 TEST_F(AvbAtxValidateTest, BadPSKCert_BadSignature) {
455   metadata_.product_signing_key_certificate.signature[0] ^= 1;
456   bool is_trusted = true;
457   EXPECT_EQ(AVB_IO_RESULT_OK, Validate(&is_trusted));
458   EXPECT_FALSE(is_trusted);
459 }
460 
TEST_F(AvbAtxValidateTest,PSKCertUnexpectedSubject)461 TEST_F(AvbAtxValidateTest, PSKCertUnexpectedSubject) {
462   metadata_.product_signing_key_certificate.signed_data.subject[0] ^= 1;
463   SignPSKCertificate();
464   bool is_trusted = true;
465   EXPECT_EQ(AVB_IO_RESULT_OK, Validate(&is_trusted));
466   EXPECT_FALSE(is_trusted);
467 }
468 
TEST_F(AvbAtxValidateTest,PSKCertUnexpectedUsage)469 TEST_F(AvbAtxValidateTest, PSKCertUnexpectedUsage) {
470   metadata_.product_signing_key_certificate.signed_data.usage[0] ^= 1;
471   SignPSKCertificate();
472   bool is_trusted = true;
473   EXPECT_EQ(AVB_IO_RESULT_OK, Validate(&is_trusted));
474   EXPECT_FALSE(is_trusted);
475 }
476 
TEST_F(AvbAtxValidateTest,PSKRollback)477 TEST_F(AvbAtxValidateTest, PSKRollback) {
478   ops_.set_stored_rollback_indexes(
479       {{AVB_ATX_PIK_VERSION_LOCATION, 0},
480        {AVB_ATX_PSK_VERSION_LOCATION,
481         metadata_.product_signing_key_certificate.signed_data.key_version +
482             1}});
483   bool is_trusted = true;
484   EXPECT_EQ(AVB_IO_RESULT_OK, Validate(&is_trusted));
485   EXPECT_FALSE(is_trusted);
486 }
487 
488 // A fixture with parameterized public key length.
489 class AvbAtxValidateTestWithPublicKeyLength
490     : public AvbAtxValidateTest,
491       public ::testing::WithParamInterface<size_t> {
492  protected:
Validate(bool * is_trusted)493   AvbIOResult Validate(bool* is_trusted) override {
494     return avb_atx_validate_vbmeta_public_key(
495         ops_.avb_ops(),
496         metadata_.product_signing_key_certificate.signed_data.public_key,
497         GetParam(),
498         reinterpret_cast<const uint8_t*>(&metadata_),
499         sizeof(metadata_),
500         is_trusted);
501   }
502 };
503 
TEST_P(AvbAtxValidateTestWithPublicKeyLength,InvalidPublicKeyLength)504 TEST_P(AvbAtxValidateTestWithPublicKeyLength, InvalidPublicKeyLength) {
505   bool is_trusted = true;
506   EXPECT_EQ(AVB_IO_RESULT_OK, Validate(&is_trusted));
507   EXPECT_FALSE(is_trusted);
508 }
509 
510 // Test a bunch of invalid public key length values.
511 INSTANTIATE_TEST_CASE_P(P,
512                         AvbAtxValidateTestWithPublicKeyLength,
513                         ::testing::Values(0,
514                                           1,
515                                           AVB_ATX_PUBLIC_KEY_SIZE - 1,
516                                           AVB_ATX_PUBLIC_KEY_SIZE + 1,
517                                           AVB_ATX_PUBLIC_KEY_SIZE - 512,
518                                           -1));
519 
TEST_F(AvbAtxValidateTest,PSKMismatch)520 TEST_F(AvbAtxValidateTest, PSKMismatch) {
521   uint8_t bad_key[AVB_ATX_PUBLIC_KEY_SIZE] = {};
522   bool is_trusted = true;
523   EXPECT_EQ(AVB_IO_RESULT_OK,
524             avb_atx_validate_vbmeta_public_key(
525                 ops_.avb_ops(),
526                 bad_key,
527                 AVB_ATX_PUBLIC_KEY_SIZE,
528                 reinterpret_cast<const uint8_t*>(&metadata_),
529                 sizeof(metadata_),
530                 &is_trusted));
531   EXPECT_FALSE(is_trusted);
532 }
533 
534 // A fixture for testing avb_slot_verify() with ATX.
535 class AvbAtxSlotVerifyTest : public BaseAvbToolTest, public FakeAvbOpsDelegate {
536  public:
537   ~AvbAtxSlotVerifyTest() override = default;
538 
SetUp()539   void SetUp() override {
540     BaseAvbToolTest::SetUp();
541     ReadAtxDefaultData();
542     ops_.set_partition_dir(testdir_);
543     ops_.set_delegate(this);
544     ops_.set_permanent_attributes(attributes_);
545     ops_.set_stored_rollback_indexes({{0, 0},
546                                       {1, 0},
547                                       {2, 0},
548                                       {3, 0},
549                                       {AVB_ATX_PIK_VERSION_LOCATION, 0},
550                                       {AVB_ATX_PSK_VERSION_LOCATION, 0}});
551     ops_.set_stored_is_device_unlocked(false);
552   }
553 
554   // FakeAvbOpsDelegate methods. All forward to FakeAvbOps default except for
555   // validate_vbmeta_public_key().
read_from_partition(const char * partition,int64_t offset,size_t num_bytes,void * buffer,size_t * out_num_read)556   AvbIOResult read_from_partition(const char* partition,
557                                   int64_t offset,
558                                   size_t num_bytes,
559                                   void* buffer,
560                                   size_t* out_num_read) override {
561     return ops_.read_from_partition(
562         partition, offset, num_bytes, buffer, out_num_read);
563   }
564 
write_to_partition(const char * partition,int64_t offset,size_t num_bytes,const void * buffer)565   AvbIOResult write_to_partition(const char* partition,
566                                  int64_t offset,
567                                  size_t num_bytes,
568                                  const void* buffer) override {
569     return ops_.write_to_partition(partition, offset, num_bytes, buffer);
570   }
571 
validate_vbmeta_public_key(AvbOps * ops,const uint8_t * public_key_data,size_t public_key_length,const uint8_t * public_key_metadata,size_t public_key_metadata_length,bool * out_key_is_trusted)572   AvbIOResult validate_vbmeta_public_key(AvbOps* ops,
573                                          const uint8_t* public_key_data,
574                                          size_t public_key_length,
575                                          const uint8_t* public_key_metadata,
576                                          size_t public_key_metadata_length,
577                                          bool* out_key_is_trusted) override {
578     // Send to ATX implementation.
579     ++num_atx_calls_;
580     return avb_atx_validate_vbmeta_public_key(ops_.avb_ops(),
581                                               public_key_data,
582                                               public_key_length,
583                                               public_key_metadata,
584                                               public_key_metadata_length,
585                                               out_key_is_trusted);
586   }
587 
read_rollback_index(AvbOps * ops,size_t rollback_index_slot,uint64_t * out_rollback_index)588   AvbIOResult read_rollback_index(AvbOps* ops,
589                                   size_t rollback_index_slot,
590                                   uint64_t* out_rollback_index) override {
591     return ops_.read_rollback_index(
592         ops, rollback_index_slot, out_rollback_index);
593   }
594 
write_rollback_index(AvbOps * ops,size_t rollback_index_slot,uint64_t rollback_index)595   AvbIOResult write_rollback_index(AvbOps* ops,
596                                    size_t rollback_index_slot,
597                                    uint64_t rollback_index) override {
598     return ops_.write_rollback_index(ops, rollback_index_slot, rollback_index);
599   }
600 
read_is_device_unlocked(AvbOps * ops,bool * out_is_device_unlocked)601   AvbIOResult read_is_device_unlocked(AvbOps* ops,
602                                       bool* out_is_device_unlocked) override {
603     return ops_.read_is_device_unlocked(ops, out_is_device_unlocked);
604   }
605 
get_unique_guid_for_partition(AvbOps * ops,const char * partition,char * guid_buf,size_t guid_buf_size)606   AvbIOResult get_unique_guid_for_partition(AvbOps* ops,
607                                             const char* partition,
608                                             char* guid_buf,
609                                             size_t guid_buf_size) override {
610     return ops_.get_unique_guid_for_partition(
611         ops, partition, guid_buf, guid_buf_size);
612   }
613 
get_size_of_partition(AvbOps * ops,const char * partition,uint64_t * out_size)614   AvbIOResult get_size_of_partition(AvbOps* ops,
615                                     const char* partition,
616                                     uint64_t* out_size) override {
617     return ops_.get_size_of_partition(ops, partition, out_size);
618   }
619 
read_permanent_attributes(AvbAtxPermanentAttributes * attributes)620   AvbIOResult read_permanent_attributes(
621       AvbAtxPermanentAttributes* attributes) override {
622     return ops_.read_permanent_attributes(attributes);
623   }
624 
read_permanent_attributes_hash(uint8_t hash[AVB_SHA256_DIGEST_SIZE])625   AvbIOResult read_permanent_attributes_hash(
626       uint8_t hash[AVB_SHA256_DIGEST_SIZE]) override {
627     return ops_.read_permanent_attributes_hash(hash);
628   }
629 
630  protected:
631   FakeAvbOps ops_;
632   AvbAtxPermanentAttributes attributes_;
633   int num_atx_calls_ = 0;
634 
635  private:
ReadAtxDefaultData()636   void ReadAtxDefaultData() {
637     std::string tmp;
638     ASSERT_TRUE(
639         base::ReadFileToString(base::FilePath(kPermanentAttributesPath), &tmp));
640     ASSERT_EQ(tmp.size(), sizeof(AvbAtxPermanentAttributes));
641     memcpy(&attributes_, tmp.data(), tmp.size());
642   }
643 };
644 
TEST_F(AvbAtxSlotVerifyTest,SlotVerifyWithAtx)645 TEST_F(AvbAtxSlotVerifyTest, SlotVerifyWithAtx) {
646   std::string metadata_option = "--public_key_metadata=";
647   metadata_option += kMetadataPath;
648   GenerateVBMetaImage("vbmeta_a.img",
649                       "SHA512_RSA4096",
650                       0,
651                       base::FilePath("test/data/testkey_atx_psk.pem"),
652                       metadata_option);
653 
654   ops_.set_expected_public_key(
655       PublicKeyAVB(base::FilePath("test/data/testkey_atx_psk.pem")));
656 
657   AvbSlotVerifyData* slot_data = NULL;
658   const char* requested_partitions[] = {"boot", NULL};
659   EXPECT_EQ(AVB_SLOT_VERIFY_RESULT_OK,
660             avb_slot_verify(ops_.avb_ops(),
661                             requested_partitions,
662                             "_a",
663                             AVB_SLOT_VERIFY_FLAGS_NONE,
664                             AVB_HASHTREE_ERROR_MODE_RESTART_AND_INVALIDATE,
665                             &slot_data));
666   EXPECT_NE(nullptr, slot_data);
667   avb_slot_verify_data_free(slot_data);
668   EXPECT_EQ(1, num_atx_calls_);
669 }
670 
671 }  // namespace avb
672