Home | History | Annotate | Download | only in test 
      1 /*
      2  * Copyright (C) 2017 The Android Open Source Project
      3  *
      4  * Licensed under the Apache License, Version 2.0 (the "License");
      5  * you may not use this file except in compliance with the License.
      6  * You may obtain a copy of the License at
      7  *
      8  *      http://www.apache.org/licenses/LICENSE-2.0
      9  *
     10  * Unless required by applicable law or agreed to in writing, software
     11  * distributed under the License is distributed on an "AS IS" BASIS,
     12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
     13  * See the License for the specific language governing permissions and
     14  * limitations under the License.
     15  */
     16 
     17 #include <android-base/endian.h>
     18 
     19 #include <MockAvb.client.h>
     20 #include <OemLock.h>
     21 
     22 #include <avb.h>
     23 
     24 #include <gtest/gtest.h>
     25 
     26 using ::testing::_;
     27 using ::testing::DoAll;
     28 using ::testing::ElementsAreArray;
     29 using ::testing::Eq;
     30 using ::testing::Return;
     31 using ::testing::SetArgPointee;
     32 
     33 using ::android::hardware::hidl_string;
     34 using ::android::hardware::hidl_vec;
     35 using ::android::hardware::oemlock::OemLock;
     36 using ::android::hardware::oemlock::OemLockStatus;
     37 using ::android::hardware::oemlock::OemLockSecureStatus;
     38 
     39 using ::nugget::app::avb::MockAvb;
     40 using ::nugget::app::avb::CarrierUnlock;
     41 using ::nugget::app::avb::CarrierUnlockRequest;
     42 using ::nugget::app::avb::GetLockRequest;
     43 using ::nugget::app::avb::GetLockResponse;
     44 using ::nugget::app::avb::LockIndex;
     45 using ::nugget::app::avb::SetDeviceLockRequest;
     46 
     47 namespace {
     48 
     49 /**
     50  * The signature from the server is a concatenation of a few values. This is a
     51  * helper to do the concatenation.
     52  */
     53 hidl_vec<uint8_t> makeSignature(uint64_t version, uint64_t nonce,
     54                                 const std::vector<uint8_t>& token) {
     55     const uint64_t token_offset = sizeof(uint64_t) * 2;
     56     hidl_vec<uint8_t> signature(token_offset + token.size());
     57 
     58     // Little-endian in the first 8 bytes
     59     const uint64_t version_le = htole64(version);
     60     memcpy(signature.data(), &version_le, sizeof(uint64_t));
     61 
     62     // Little-endian in the second 8 bytes
     63     const uint64_t nonce_le = htole64(nonce);
     64     memcpy(signature.data() + sizeof(uint64_t), &nonce_le, sizeof(uint64_t));
     65 
     66     // Remaining data is the token
     67     memcpy(signature.data() + token_offset, token.data(), token.size());
     68     return signature;
     69 }
     70 
     71 } // namespace
     72 
     73 // getName
     74 
     75 TEST(OemLockHalTest, getNameReports01) {
     76     MockAvb mockService;
     77 
     78     // This doesn't need to go to the AVB app
     79 
     80     OemLock hal{mockService};
     81     hal.getName([](OemLockStatus status, const hidl_string& name) {
     82         ASSERT_THAT(status, Eq(OemLockStatus::OK));
     83         EXPECT_THAT(name, Eq("01"));
     84     });
     85 }
     86 
     87 // setOemUnlockAllowedByCarrier
     88 
     89 MATCHER_P(CarrierUnlockEq, msg, "") {
     90     const auto& argToken = arg.token();
     91     const auto& msgToken = msg.token();
     92     return argToken.version() == msgToken.version()
     93         && argToken.nonce() == msgToken.nonce()
     94         && argToken.signature() == msgToken.signature();
     95 }
     96 
     97 TEST(OemLockHalTest, setOemUnlockAllowedByCarrierSendsUnlockSignatureToAvb) {
     98     constexpr uint64_t version = 93;
     99     constexpr uint64_t nonce = 3486438654;
    100     const std::vector<uint8_t> token {
    101         1, 2, 3, 4, 5, 6, 7, 8, 9, 0,
    102         0, 2, 4, 6, 8, 1, 3, 5, 7, 9,
    103     };
    104 
    105     MockAvb mockService;
    106 
    107     auto unlock = std::make_unique<CarrierUnlock>();
    108     unlock->set_version(version);
    109     unlock->set_nonce(nonce);
    110     unlock->set_signature(token.data(), token.size());
    111     CarrierUnlockRequest request;
    112     request.set_allocated_token(unlock.release());
    113     EXPECT_CALL(mockService, CarrierUnlock(CarrierUnlockEq(request), _))
    114             .WillOnce(Return(APP_SUCCESS));
    115 
    116     OemLock hal{mockService};
    117     ASSERT_THAT(hal.setOemUnlockAllowedByCarrier(true, makeSignature(version, nonce, token)),
    118                 Eq(OemLockSecureStatus::OK));
    119 }
    120 
    121 TEST(OemLockHalTest, setOemUnlockAllowedByCarrierInvalidSignatureIfUnauthorizedByApp) {
    122     MockAvb mockService;
    123 
    124     EXPECT_CALL(mockService, CarrierUnlock(_, _)).WillOnce(Return(APP_ERROR_AVB_AUTHORIZATION));
    125 
    126     OemLock hal{mockService};
    127     ASSERT_THAT(hal.setOemUnlockAllowedByCarrier(true, makeSignature(1, 2, {3, 4, 5})),
    128                 Eq(OemLockSecureStatus::INVALID_SIGNATURE));
    129 }
    130 
    131 TEST(OemLockHalTest, setOemUnlockAllowedByCarrierFailsOnAvbError) {
    132     MockAvb mockService;
    133 
    134     EXPECT_CALL(mockService, CarrierUnlock(_, _)).WillOnce(Return(APP_ERROR_INTERNAL));
    135 
    136     OemLock hal{mockService};
    137     ASSERT_THAT(hal.setOemUnlockAllowedByCarrier(true, makeSignature(1, 2, {3, 4, 5})),
    138                 Eq(OemLockSecureStatus::FAILED));
    139 }
    140 
    141 TEST(OemLockHalTest, setOemUnlockAllowedByCarrierShortSignatureIsInvalid) {
    142     MockAvb mockService;
    143     OemLock hal{mockService};
    144     ASSERT_THAT(hal.setOemUnlockAllowedByCarrier(true, hidl_vec<uint8_t>{}),
    145                 Eq(OemLockSecureStatus::INVALID_SIGNATURE));
    146 }
    147 
    148 TEST(OemLockHalTest, setOemUnlockAllowedByCarrierFailsToDisallow) {
    149     MockAvb mockService;
    150     OemLock hal{mockService};
    151     ASSERT_THAT(hal.setOemUnlockAllowedByCarrier(false, hidl_vec<uint8_t>{}),
    152                 Eq(OemLockSecureStatus::FAILED));
    153 }
    154 
    155 // isOemUnlockAllowedByCarrier
    156 
    157 MATCHER_P(GetLockEq, msg, "") {
    158     return arg.lock() == msg.lock();
    159 }
    160 
    161 TEST(OemLockHalTest, isOemUnlockAllowedByCarrierChecksCarrierLock) {
    162     MockAvb mockService;
    163 
    164     GetLockRequest request;
    165     request.set_lock(LockIndex::CARRIER);
    166     EXPECT_CALL(mockService, GetLock(GetLockEq(request), _)).WillOnce(Return(APP_ERROR_RPC));
    167 
    168     OemLock hal{mockService};
    169     hal.isOemUnlockAllowedByCarrier([](OemLockStatus status, bool allowed) {
    170         ASSERT_THAT(status, Eq(OemLockStatus::FAILED));
    171         (void) allowed;
    172     });
    173 }
    174 
    175 TEST(OemLockHalTest, isOemUnlockAllowedByCarrierWhenAllowed) {
    176     MockAvb mockService;
    177 
    178     GetLockResponse response;
    179     response.set_locked(0);
    180     EXPECT_CALL(mockService, GetLock(_, _))
    181             .WillOnce(DoAll(SetArgPointee<1>(response), Return(APP_SUCCESS)));
    182 
    183     OemLock hal{mockService};
    184     hal.isOemUnlockAllowedByCarrier([](OemLockStatus status, bool allowed) {
    185         ASSERT_THAT(status, Eq(OemLockStatus::OK));
    186         ASSERT_TRUE(allowed);
    187     });
    188 }
    189 
    190 TEST(OemLockHalTest, isOemUnlockAllowedByCarrierWhenNotAllowed) {
    191     MockAvb mockService;
    192 
    193     GetLockResponse response;
    194     response.set_locked(1);
    195     EXPECT_CALL(mockService, GetLock(_, _))
    196             .WillOnce(DoAll(SetArgPointee<1>(response), Return(APP_SUCCESS)));
    197 
    198     OemLock hal{mockService};
    199     hal.isOemUnlockAllowedByCarrier([](OemLockStatus status, bool allowed) {
    200         ASSERT_THAT(status, Eq(OemLockStatus::OK));
    201         ASSERT_FALSE(allowed);
    202     });
    203 }
    204 
    205 TEST(OemLockHalTest, isOemUnlockAllowedByCarrierFailsonAvbError) {
    206     MockAvb mockService;
    207 
    208     EXPECT_CALL(mockService, GetLock(_, _)).WillOnce(Return(APP_ERROR_INTERNAL));
    209 
    210     OemLock hal{mockService};
    211     hal.isOemUnlockAllowedByCarrier([](OemLockStatus status, bool allowed) {
    212         ASSERT_THAT(status, Eq(OemLockStatus::FAILED));
    213         (void) allowed;
    214     });
    215 }
    216 
    217 // setOemUnlockAllowedByDevice
    218 
    219 MATCHER_P(SetDeviceLockEq, msg, "") {
    220     return arg.locked() == msg.locked();
    221 }
    222 
    223 TEST(OemLockHalTest, setOemUnlockAllowedByDevice) {
    224     MockAvb mockService;
    225 
    226     SetDeviceLockRequest request;
    227     request.set_locked(0);
    228     EXPECT_CALL(mockService, SetDeviceLock(SetDeviceLockEq(request), _))
    229             .WillOnce(Return(APP_SUCCESS));
    230 
    231     OemLock hal{mockService};
    232     ASSERT_THAT(hal.setOemUnlockAllowedByDevice(true), Eq(OemLockStatus::OK));
    233 }
    234 
    235 TEST(OemLockHalTest, setOemUnlockNotAllowedByDevice) {
    236     MockAvb mockService;
    237 
    238     SetDeviceLockRequest request;
    239     request.set_locked(1);
    240     EXPECT_CALL(mockService, SetDeviceLock(SetDeviceLockEq(request), _))
    241             .WillOnce(Return(APP_SUCCESS));
    242 
    243     OemLock hal{mockService};
    244     ASSERT_THAT(hal.setOemUnlockAllowedByDevice(false), Eq(OemLockStatus::OK));
    245 }
    246 
    247 TEST(OemLockHalTest, setOemUnlockAllowedByDeviceFailsOnAppError) {
    248     MockAvb mockService;
    249 
    250     EXPECT_CALL(mockService, SetDeviceLock(_, _)).WillOnce(Return(APP_ERROR_INTERNAL));
    251 
    252     OemLock hal{mockService};
    253     ASSERT_THAT(hal.setOemUnlockAllowedByDevice(true), Eq(OemLockStatus::FAILED));
    254 }
    255 
    256 // isOemUnlockAllowedByDevice
    257 
    258 TEST(OemLockHalTest, isOemUnlockAllowedByDeviceChecksDeviceLock) {
    259     MockAvb mockService;
    260 
    261     GetLockRequest request;
    262     request.set_lock(LockIndex::DEVICE);
    263     EXPECT_CALL(mockService, GetLock(GetLockEq(request), _)).WillOnce(Return(APP_ERROR_RPC));
    264 
    265     OemLock hal{mockService};
    266     hal.isOemUnlockAllowedByDevice([](OemLockStatus status, bool allowed) {
    267         ASSERT_THAT(status, Eq(OemLockStatus::FAILED));
    268         (void) allowed;
    269     });
    270 }
    271 
    272 TEST(OemLockHalTest, isOemUnlockAllowedByDeviceWhenAllowed) {
    273     MockAvb mockService;
    274 
    275     GetLockResponse response;
    276     response.set_locked(0);
    277     EXPECT_CALL(mockService, GetLock(_, _))
    278             .WillOnce(DoAll(SetArgPointee<1>(response), Return(APP_SUCCESS)));
    279 
    280     OemLock hal{mockService};
    281     hal.isOemUnlockAllowedByDevice([](OemLockStatus status, bool allowed) {
    282         ASSERT_THAT(status, Eq(OemLockStatus::OK));
    283         ASSERT_TRUE(allowed);
    284     });
    285 }
    286 
    287 TEST(OemLockHalTest, isOemUnlockAllowedByDeviceWhenNotAllowed) {
    288     MockAvb mockService;
    289 
    290     GetLockResponse response;
    291     response.set_locked(1);
    292     EXPECT_CALL(mockService, GetLock(_, _))
    293             .WillOnce(DoAll(SetArgPointee<1>(response), Return(APP_SUCCESS)));
    294 
    295     OemLock hal{mockService};
    296     hal.isOemUnlockAllowedByDevice([](OemLockStatus status, bool allowed) {
    297         ASSERT_THAT(status, Eq(OemLockStatus::OK));
    298         ASSERT_FALSE(allowed);
    299     });
    300 }
    301 
    302 TEST(OemLockHalTest, isOemUnlockAllowedByDeviceFailsonAvbError) {
    303     MockAvb mockService;
    304 
    305     EXPECT_CALL(mockService, GetLock(_, _)).WillOnce(Return(APP_ERROR_INTERNAL));
    306 
    307     OemLock hal{mockService};
    308     hal.isOemUnlockAllowedByDevice([](OemLockStatus status, bool allowed) {
    309         ASSERT_THAT(status, Eq(OemLockStatus::FAILED));
    310         (void) allowed;
    311     });
    312 }
    313 
    314 // carrierUnlockFromSignature
    315 
    316 TEST(OemLockHalTest, carrierUnlockFromSignatureParsesFields) {
    317     constexpr uint64_t version = 0x1234567890abcdef;
    318     constexpr uint64_t nonce = 0x24680ace13579bdf;
    319     const std::vector<uint8_t> token {
    320         1, 2, 3, 4, 5, 6, 7, 8, 9, 0,
    321         0, 2, 4, 6, 8, 1, 3, 5, 7, 9,
    322     };
    323 
    324     const auto signature = makeSignature(version, nonce, token);
    325 
    326     CarrierUnlock unlock;
    327     ASSERT_TRUE(OemLock::carrierUnlockFromSignature(signature, &unlock));
    328     EXPECT_THAT(unlock.version(), Eq(version));
    329     EXPECT_THAT(unlock.nonce(), Eq(nonce));
    330     EXPECT_THAT(unlock.signature().size(), Eq(token.size()));
    331     EXPECT_THAT(unlock.signature(), ElementsAreArray(token));
    332 }
    333 
    334 TEST(OemLockHalTest, carrierUnlockFromSignatureCrashesOnNullptr) {
    335     hidl_vec<uint8_t> signature(sizeof(uint64_t) * 2);
    336     ASSERT_DEATH(OemLock::carrierUnlockFromSignature(signature, nullptr), "");
    337 }
    338 
    339 TEST(OemLockHalTest, carrierUnlockFromSignatureFailsOnShortSignature) {
    340     hidl_vec<uint8_t> signature((sizeof(uint64_t) * 2) - 1);
    341     CarrierUnlock unlock;
    342     ASSERT_FALSE(OemLock::carrierUnlockFromSignature(signature, &unlock));
    343 }
    344