diff options
| author | 2023-03-14 12:37:39 +0000 | |
|---|---|---|
| committer | 2023-03-14 12:37:39 +0000 | |
| commit | 5513e8be197c9f86a01e2000af544708c990f787 (patch) | |
| tree | ce07577fcaee608e225bb1ce668e6eca462908e8 | |
| parent | d935ef616f3df219e3f9ab84cf514a11463a6c60 (diff) | |
| parent | 8e1e309bf80090b56c92ca38d07d874bf12b944d (diff) | |
Merge "Keystore: Attestation fix for AOSP and GSI builds" am: d37d9aadbf am: 8e1e309bf8
Original change: https://android-review.googlesource.com/c/platform/frameworks/base/+/2449489
Change-Id: I648944543218f661c2d273c9a0dee62facb8885e
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
| -rw-r--r-- | core/api/test-current.txt | 2 | ||||
| -rwxr-xr-x | core/java/android/os/Build.java | 48 | ||||
| -rw-r--r-- | keystore/java/android/security/keystore2/AndroidKeyStoreKeyPairGeneratorSpi.java | 10 |
3 files changed, 49 insertions, 11 deletions
diff --git a/core/api/test-current.txt b/core/api/test-current.txt index d74f61384393..45bde8790a6a 100644 --- a/core/api/test-current.txt +++ b/core/api/test-current.txt @@ -1699,7 +1699,9 @@ package android.os { method public static boolean is64BitAbi(String); method public static boolean isDebuggable(); field @Nullable public static final String BRAND_FOR_ATTESTATION; + field @Nullable public static final String DEVICE_FOR_ATTESTATION; field public static final boolean IS_EMULATOR; + field @Nullable public static final String MANUFACTURER_FOR_ATTESTATION; field @Nullable public static final String MODEL_FOR_ATTESTATION; field @Nullable public static final String PRODUCT_FOR_ATTESTATION; } diff --git a/core/java/android/os/Build.java b/core/java/android/os/Build.java index 832f23cdb3e2..735a0689be5e 100755 --- a/core/java/android/os/Build.java +++ b/core/java/android/os/Build.java @@ -64,17 +64,27 @@ public class Build { /** * The product name for attestation. In non-default builds (like the AOSP build) the value of * the 'PRODUCT' system property may be different to the one provisioned to KeyMint, - * and Keymint attestation would still attest to the product name, it's running on. + * and Keymint attestation would still attest to the product name which was provisioned. * @hide */ @Nullable @TestApi - public static final String PRODUCT_FOR_ATTESTATION = - getString("ro.product.name_for_attestation"); + public static final String PRODUCT_FOR_ATTESTATION = getVendorDeviceIdProperty("name"); /** The name of the industrial design. */ public static final String DEVICE = getString("ro.product.device"); + /** + * The device name for attestation. In non-default builds (like the AOSP build) the value of + * the 'DEVICE' system property may be different to the one provisioned to KeyMint, + * and Keymint attestation would still attest to the device name which was provisioned. + * @hide + */ + @Nullable + @TestApi + public static final String DEVICE_FOR_ATTESTATION = + getVendorDeviceIdProperty("device"); + /** The name of the underlying board, like "goldfish". */ public static final String BOARD = getString("ro.product.board"); @@ -97,19 +107,29 @@ public class Build { /** The manufacturer of the product/hardware. */ public static final String MANUFACTURER = getString("ro.product.manufacturer"); + /** + * The manufacturer name for attestation. In non-default builds (like the AOSP build) the value + * of the 'MANUFACTURER' system property may be different to the one provisioned to KeyMint, + * and Keymint attestation would still attest to the manufacturer which was provisioned. + * @hide + */ + @Nullable + @TestApi + public static final String MANUFACTURER_FOR_ATTESTATION = + getVendorDeviceIdProperty("manufacturer"); + /** The consumer-visible brand with which the product/hardware will be associated, if any. */ public static final String BRAND = getString("ro.product.brand"); /** * The product brand for attestation. In non-default builds (like the AOSP build) the value of * the 'BRAND' system property may be different to the one provisioned to KeyMint, - * and Keymint attestation would still attest to the product brand, it's running on. + * and Keymint attestation would still attest to the product brand which was provisioned. * @hide */ @Nullable @TestApi - public static final String BRAND_FOR_ATTESTATION = - getString("ro.product.brand_for_attestation"); + public static final String BRAND_FOR_ATTESTATION = getVendorDeviceIdProperty("brand"); /** The end-user-visible name for the end product. */ public static final String MODEL = getString("ro.product.model"); @@ -117,13 +137,12 @@ public class Build { /** * The product model for attestation. In non-default builds (like the AOSP build) the value of * the 'MODEL' system property may be different to the one provisioned to KeyMint, - * and Keymint attestation would still attest to the product model, it's running on. + * and Keymint attestation would still attest to the product model which was provisioned. * @hide */ @Nullable @TestApi - public static final String MODEL_FOR_ATTESTATION = - getString("ro.product.model_for_attestation"); + public static final String MODEL_FOR_ATTESTATION = getVendorDeviceIdProperty("model"); /** The manufacturer of the device's primary system-on-chip. */ @NonNull @@ -1530,6 +1549,17 @@ public class Build { private static String getString(String property) { return SystemProperties.get(property, UNKNOWN); } + /** + * Return attestation specific proerties. + * @param property model, name, brand, device or manufacturer. + * @return property value or UNKNOWN + */ + private static String getVendorDeviceIdProperty(String property) { + String attestProp = getString( + TextUtils.formatSimple("ro.product.%s_for_attestation", property)); + return attestProp.equals(UNKNOWN) + ? getString(TextUtils.formatSimple("ro.product.vendor.%s", property)) : UNKNOWN; + } private static String[] getStringList(String property, String separator) { String value = SystemProperties.get(property); diff --git a/keystore/java/android/security/keystore2/AndroidKeyStoreKeyPairGeneratorSpi.java b/keystore/java/android/security/keystore2/AndroidKeyStoreKeyPairGeneratorSpi.java index c1f6c29ca86e..c3b0f9bc16d3 100644 --- a/keystore/java/android/security/keystore2/AndroidKeyStoreKeyPairGeneratorSpi.java +++ b/keystore/java/android/security/keystore2/AndroidKeyStoreKeyPairGeneratorSpi.java @@ -808,9 +808,12 @@ public abstract class AndroidKeyStoreKeyPairGeneratorSpi extends KeyPairGenerato KeymasterDefs.KM_TAG_ATTESTATION_ID_BRAND, platformReportedBrand.getBytes(StandardCharsets.UTF_8) )); + final String platformReportedDevice = + isPropertyEmptyOrUnknown(Build.DEVICE_FOR_ATTESTATION) + ? Build.DEVICE : Build.DEVICE_FOR_ATTESTATION; params.add(KeyStore2ParameterUtils.makeBytes( KeymasterDefs.KM_TAG_ATTESTATION_ID_DEVICE, - Build.DEVICE.getBytes(StandardCharsets.UTF_8) + platformReportedDevice.getBytes(StandardCharsets.UTF_8) )); final String platformReportedProduct = isPropertyEmptyOrUnknown(Build.PRODUCT_FOR_ATTESTATION) @@ -819,9 +822,12 @@ public abstract class AndroidKeyStoreKeyPairGeneratorSpi extends KeyPairGenerato KeymasterDefs.KM_TAG_ATTESTATION_ID_PRODUCT, platformReportedProduct.getBytes(StandardCharsets.UTF_8) )); + final String platformReportedManufacturer = + isPropertyEmptyOrUnknown(Build.MANUFACTURER_FOR_ATTESTATION) + ? Build.MANUFACTURER : Build.MANUFACTURER_FOR_ATTESTATION; params.add(KeyStore2ParameterUtils.makeBytes( KeymasterDefs.KM_TAG_ATTESTATION_ID_MANUFACTURER, - Build.MANUFACTURER.getBytes(StandardCharsets.UTF_8) + platformReportedManufacturer.getBytes(StandardCharsets.UTF_8) )); final String platformReportedModel = isPropertyEmptyOrUnknown(Build.MODEL_FOR_ATTESTATION) |