Support for multiple versions of DeviceInfo
We need to be able to generate different (specifically older) versions of
DeviceInfo to make IRPC v3 backwards compatible.
Bug: 260920864
Test: atest VtsHalRemotelyProvisionedComponentTargetTest
Test: atest RemoteProvisionerUnitTests
Change-Id: I8b921b172b3d45a17a02a7bc81dce54e7167b3d8
diff --git a/android_keymaster/android_keymaster.cpp b/android_keymaster/android_keymaster.cpp
index 561bdcf..743a8fd 100644
--- a/android_keymaster/android_keymaster.cpp
+++ b/android_keymaster/android_keymaster.cpp
@@ -460,7 +460,8 @@
}
response->keys_to_sign_mac = KeymasterBlob(pubKeysToSignMac->data(), pubKeysToSignMac->size());
- std::unique_ptr<cppbor::Map> device_info_map = rem_prov_ctx->CreateDeviceInfo();
+ std::unique_ptr<cppbor::Map> device_info_map =
+ rem_prov_ctx->CreateDeviceInfo(2 /* csrVersion */);
std::vector<uint8_t> device_info = device_info_map->encode();
response->device_info_blob = KeymasterBlob(device_info.data(), device_info.size());
auto protectedDataPayload = rem_prov_ctx->BuildProtectedDataPayload(
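Review bot: `device_info_map->encode()` on the line after the changed call dereferences the result of `CreateDeviceInfo(2 /* csrVersion */)` without a null check, and now that the method takes a version, an implementation could plausibly return null for a version it cannot produce (inferred; no implementation visible here does). A guard before the encode, such as `if (!device_info_map) { response->error = KM_ERROR_UNKNOWN_ERROR; return; }`, using whichever error code this function already reports for internal failures, would turn that into a reported failure instead of a crash in the provisioning path. The same unchecked dereference appears in the `BuildCsr` hunk as `std::move(*CreateDeviceInfo(csrVersion))`. The literal `2` would also read better as a named constant shared with the `csrVersion < 3` check in the context. The enclosing function starts and ends outside the hunk.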
diff --git a/contexts/pure_soft_remote_provisioning_context.cpp b/contexts/pure_soft_remote_provisioning_context.cpp
index feff175..c0eea3a 100644
--- a/contexts/pure_soft_remote_provisioning_context.cpp
+++ b/contexts/pure_soft_remote_provisioning_context.cpp
@@ -71,7 +71,8 @@
return result;
}
-std::unique_ptr<cppbor::Map> PureSoftRemoteProvisioningContext::CreateDeviceInfo() const {
+std::unique_ptr<cppbor::Map>
+PureSoftRemoteProvisioningContext::CreateDeviceInfo(uint32_t csrVersion) const {
auto result = std::make_unique<cppbor::Map>(cppbor::Map());
// The following placeholders show how the DeviceInfo map would be populated.
@@ -101,7 +102,10 @@
if (vendor_patchlevel_) {
result->add(cppbor::Tstr("vendor_patch_level"), cppbor::Uint(*vendor_patchlevel_));
}
- result->add(cppbor::Tstr("version"), cppbor::Uint(2));
+ // "version" field was removed from DeviceInfo in CSR v3.
+ if (csrVersion < 3) {
+ result->add(cppbor::Tstr("version"), cppbor::Uint(csrVersion));
+ }
result->add(cppbor::Tstr("fused"), cppbor::Uint(0));
// "software" security level is not supported, so lie and say we're a TEE
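Review bot: `csrVersion` is used unvalidated in `if (csrVersion < 3)`, so a caller passing 0 or 1 gets a map labelled `"version": 0` or `1` whose other fields are still the ones this function always emits, and any value above 3 is silently treated as v3. Before this change the field was fixed at 2, so the declared version always matched the contents. Because DeviceInfo ends up inside the signed CSR payload (see `BuildCsr`), a mismatch between declared version and contents is likely to be rejected by the verifier (inferred). Consider emitting the field only for `csrVersion == 2`, logging an error for any value other than 2 or 3, and adding a comment that names the supported values. The function body continues outside the hunk.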
@@ -203,13 +207,14 @@
cppcose::ErrMsgOr<cppbor::Array>
PureSoftRemoteProvisioningContext::BuildCsr(const std::vector<uint8_t>& challenge,
cppbor::Array keysToSign) const {
- auto deviceInfo = std::move(*CreateDeviceInfo());
+ uint32_t csrVersion = 3;
+ auto deviceInfo = std::move(*CreateDeviceInfo(csrVersion));
auto signedDataPayload =
cppbor::Array().add(std::move(deviceInfo)).add(challenge).add(std::move(keysToSign));
auto signedData = constructCoseSign1(devicePrivKey_, signedDataPayload.encode(), {} /* aad */);
return cppbor::Array()
- .add(3 /* version */)
+ .add(csrVersion)
.add(cppbor::Map() /* UdsCerts */)
.add(std::move(*bcc_.clone()->asArray()) /* DiceCertChain */)
.add(std::move(*signedData) /* SignedData */);
diff --git a/include/keymaster/contexts/pure_soft_remote_provisioning_context.h b/include/keymaster/contexts/pure_soft_remote_provisioning_context.h
index 630446c..7d7e51e 100644
--- a/include/keymaster/contexts/pure_soft_remote_provisioning_context.h
+++ b/include/keymaster/contexts/pure_soft_remote_provisioning_context.h
@@ -38,7 +38,7 @@
~PureSoftRemoteProvisioningContext() override = default;
std::vector<uint8_t> DeriveBytesFromHbk(const std::string& context,
size_t numBytes) const override;
- std::unique_ptr<cppbor::Map> CreateDeviceInfo() const override;
+ std::unique_ptr<cppbor::Map> CreateDeviceInfo(uint32_t csrVersion) const override;
cppcose::ErrMsgOr<std::vector<uint8_t>>
BuildProtectedDataPayload(bool isTestMode, //
const std::vector<uint8_t>& macKey, //
diff --git a/include/keymaster/remote_provisioning_context.h b/include/keymaster/remote_provisioning_context.h
index f6e3b72..cc65502 100644
--- a/include/keymaster/remote_provisioning_context.h
+++ b/include/keymaster/remote_provisioning_context.h
@@ -34,7 +34,7 @@
virtual ~RemoteProvisioningContext(){};
virtual std::vector<uint8_t> DeriveBytesFromHbk(const std::string& context,
size_t numBytes) const = 0;
- virtual std::unique_ptr<cppbor::Map> CreateDeviceInfo() const = 0;
+ virtual std::unique_ptr<cppbor::Map> CreateDeviceInfo(uint32_t csrVersion) const = 0;
virtual cppcose::ErrMsgOr<std::vector<uint8_t>>
BuildProtectedDataPayload(bool testMode, //
const std::vector<uint8_t>& macKey, //
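Review bot: The new `csrVersion` parameter on the pure virtual `CreateDeviceInfo` has no documentation, although this declaration is the contract every context implementation has to follow. I would add a comment above it such as `// csrVersion: version of the CSR this DeviceInfo is built for (2 or 3); the "version" entry is only emitted when csrVersion < 3.` Since the signature changed without a default argument, implementations outside this diff will stop compiling until they are updated, which is probably intended but worth saying in the commit description. The class declaration starts and ends outside the hunk.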