From 6661661714865a6f70cebbce142dd0ba22f00a4c Mon Sep 17 00:00:00 2001
From: Andrew Scull
Date: Thu, 17 Jun 2021 16:41:03 +0000
Subject: [PATCH] Basic Keystore availability test
Loop up the Keystore service from the test payload to make sure it can be found and communicated with.
Bug: 190578423
Test: atest MicrodroidHostTestCases
Change-Id: I1dd863202b7de5405658ee5e922b955e3cba6741
---
microdroid/Android.bp | 2 ++
.../sepolicy/system/private/keystore_keys.te | 3 ++
.../system/private/microdroid_launcher.te | 15 ++++++++++
.../android/virt/test/MicrodroidTestCase.java | 3 ++
tests/testapk/Android.bp | 7 +++--
tests/testapk/src/native/testbinary.cpp | 28 +++++++++++++++++++
6 files changed, 56 insertions(+), 2 deletions(-)
diff --git a/microdroid/Android.bp b/microdroid/Android.bp
index 6424988f..55d1eaef 100644
--- a/microdroid/Android.bp
+++ b/microdroid/Android.bp
@@ -77,6 +77,8 @@ android_system_image {
"cgroups.json",
"public.libraries.android.txt",
+ "android.system.keystore2-V1-ndk_platform",
+
// TODO(b/185767624): remove hidl after full keymint support
"hwservicemanager",
diff --git a/microdroid/sepolicy/system/private/keystore_keys.te b/microdroid/sepolicy/system/private/keystore_keys.te
index 2f976085..03625dc7 100644
--- a/microdroid/sepolicy/system/private/keystore_keys.te
+++ b/microdroid/sepolicy/system/private/keystore_keys.te
@@ -20,3 +20,6 @@ type locksettings_key, keystore2_key_type;
# A keystore2 namespace for resume on reboot.
type resume_on_reboot_key, keystore2_key_type;
+# A keystore2 namespace for VM payloads.
+type vm_payload_key, keystore2_key_type;
+
diff --git a/microdroid/sepolicy/system/private/microdroid_launcher.te b/microdroid/sepolicy/system/private/microdroid_launcher.te
index 5a313b65..6bcd4f1d 100644
--- a/microdroid/sepolicy/system/private/microdroid_launcher.te
+++ b/microdroid/sepolicy/system/private/microdroid_launcher.te
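Review bot: In microdroid/sepolicy/system/private/keystore_keys.te the new `vm_payload_key` type is declared, but nothing in this patch maps a keystore2 namespace id to it: the diffstat lists six files and none of them is `keystore2_key_contexts`. If that mapping is not already present elsewhere in the Microdroid policy, no key can be placed under this label and the `allow` rule added in microdroid_launcher.te has nothing to act on. Either add the contexts entry in the same change or say in the comment where it lives, for example `# A keystore2 namespace for VM payloads; id assigned in keystore2_key_contexts.`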
@@ -24,3 +24,18 @@ allow microdroid_launcher devpts:chr_file rw_file_perms;
# Allow to set debug prop
set_prop(microdroid_launcher, debug_prop)
+
+# Talk to binder services (for keystore)
+binder_use(microdroid_launcher);
+
+# Allow payloads to use keystore
+use_keystore(microdroid_launcher);
+
+# Allow payloads to use and manage their keys
+allow microdroid_launcher vm_payload_key:keystore2_key {
+ delete
+ get_info
+ manage_blob
+ rebind
+ use
+};
diff --git a/tests/hostside/java/android/virt/test/MicrodroidTestCase.java b/tests/hostside/java/android/virt/test/MicrodroidTestCase.java
index 4aa8eb59..f9794f78 100644
--- a/tests/hostside/java/android/virt/test/MicrodroidTestCase.java
+++ b/tests/hostside/java/android/virt/test/MicrodroidTestCase.java
@@ -104,6 +104,9 @@ public class MicrodroidTestCase extends BaseHostJUnit4Test {
runOnMicrodroid(microdroidLauncher, testLib, "arg1", "arg2"),
is("Hello Microdroid " + testLib + " arg1 arg2"));
+ // Check that keystore was found by the payload
+ assertThat(runOnMicrodroid("getprop", "debug.microdroid.test_keystore"), is("PASS"));
+
// Shutdown microdroid
runOnAndroid(VIRT_APEX + "bin/vm", "stop", cid);
}
diff --git a/tests/testapk/Android.bp b/tests/testapk/Android.bp
index 35f2f081..1122b259 100644
--- a/tests/testapk/Android.bp
+++ b/tests/testapk/Android.bp
@@ -6,7 +6,7 @@ android_app {
name: "MicrodroidTestApp",
srcs: ["src/java/**/*.java"],
jni_libs: ["MicrodroidTestNativeLib"],
- sdk_version: "current",
+ platform_apis: true,
use_embedded_native_libs: true,
}
@@ -14,7 +14,10 @@ android_app {
cc_library_shared {
name: "MicrodroidTestNativeLib",
srcs: ["src/native/*.cpp"],
- sdk_version: "current",
+ shared_libs: [
+ "android.system.keystore2-V1-ndk_platform",
+ "libbinder_ndk",
+ ],
}
genrule {
diff --git a/tests/testapk/src/native/testbinary.cpp b/tests/testapk/src/native/testbinary.cpp
index c3eefc4c..682ab2aa 100644
--- a/tests/testapk/src/native/testbinary.cpp
+++ b/tests/testapk/src/native/testbinary.cpp
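Review bot: The `allow microdroid_launcher vm_payload_key:keystore2_key { ... }` block in microdroid_launcher.te grants five key permissions that nothing in this commit exercises; the added test only looks up the service and calls `getSecurityLevel`, which as far as this diff shows touches none of `delete`, `get_info`, `manage_blob`, `rebind` or `use`. The rule is attached to the launcher domain, so every payload started through it appears to share the single `vm_payload_key` namespace. If payloads are not meant to reach each other's keys, that assumption should be stated above the rule, for example `# All payloads run as microdroid_launcher and share this one namespace.` Consider landing only `binder_use` and `use_keystore` here and adding the key permissions together with a test that creates and uses a key.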
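Review bot: Both hunks in tests/testapk/Android.bp drop `sdk_version: "current"` without recording why, so the test app and `MicrodroidTestNativeLib` now build against platform-private APIs and link `android.system.keystore2-V1-ndk_platform` directly. From here on the test payload no longer demonstrates that a payload built against the public SDK/NDK can reach Keystore. A comment next to `platform_apis: true`, such as `// Needs the platform-only keystore2 AIDL NDK backend; revisit once payloads have a stable API.`, would keep the exception visible to whoever later tightens the payload build rules.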
@@ -13,9 +13,36 @@
* See the License for the specific language governing permissions and
* limitations under the License.
*/
+#include
+#include
+#include
#include
#include
+using aidl::android::hardware::security::keymint::SecurityLevel;
+
+using aidl::android::system::keystore2::IKeystoreSecurityLevel;
+using aidl::android::system::keystore2::IKeystoreService;
+
+namespace {
+
+bool test_keystore() {
+ ndk::SpAIBinder binder(
+ AServiceManager_getService("android.system.keystore2.IKeystoreService/default"));
+ auto service = IKeystoreService::fromBinder(binder);
+ if (service == nullptr) {
+ return false;
+ }
+ std::shared_ptr securityLevel;
+ auto status = service->getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT, &securityLevel);
+ if (!status.isOk()) {
+ return false;
+ }
+ return true;
+}
+
+} // Anonymous namespace
+
extern "C" int android_native_main(int argc, char* argv[]) {
printf("Hello Microdroid ");
for (int i = 0; i < argc; i++) {
@@ -28,5 +55,6 @@ extern "C" int android_native_main(int argc, char* argv[]) {
printf("\n");
__system_property_set("debug.microdroid.app.run", "true");
+ __system_property_set("debug.microdroid.test_keystore", test_keystore() ? "PASS" : "FAIL");
return 0;
}
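Review bot: `test_keystore()` in the first testbinary.cpp hunk reports success as soon as `status.isOk()` holds, without checking that `securityLevel` was actually populated, and every failure path collapses into a bare `false`. A service that was never registered, a binder call refused by policy and an error returned by `getSecurityLevel` all reach the host as the same `FAIL`, so an SELinux denial cannot be told apart from a Keystore that did not start. Tighten the last check to `return status.isOk() && securityLevel != nullptr;` and print `status.getDescription()` before the early `return false;` so the cause shows up in the payload output. A short comment above the function saying that it checks reachability only, and performs no key operation, would also stop readers assuming the new `vm_payload_key` rules are covered.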