异常日志1:
# ./VtsHalKeymasterV4_0TargetTest --gtest_filter=PerInstance/EncryptionOperationsTest.TripleDesEcbRoundTripSuccess/0_default
Note: Google Test filter = PerInstance/EncryptionOperationsTest.TripleDesEcbRoundTripSuccess/0_default
[==========] Running 1 test from 1 test suite.
[----------] Global test environment set-up.
[----------] 1 test from PerInstance/EncryptionOperationsTest
[ RUN ] PerInstance/EncryptionOperationsTest.TripleDesEcbRoundTripSuccess/0_default
hardware/interfaces/keymaster/4.0/vts/functional/keymaster_hidl_hal_test.cpp:3719: Failure
Expected equality of these values:
ErrorCode::OK
Which is: OK
GenerateKey(auths)
Which is: UNSUPPORTED_ALGORITHM
[ FAILED ] PerInstance/EncryptionOperationsTest.TripleDesEcbRoundTripSuccess/0_default, where GetParam() = "default" (268 ms)
[----------] 1 test from PerInstance/EncryptionOperationsTest (268 ms total)
[----------] Global test environment tear-down
[==========] 1 test from 1 test suite ran. (269 ms total)
[ PASSED ] 0 tests.
[ FAILED ] 1 test, listed below:
[ FAILED ] PerInstance/EncryptionOperationsTest.TripleDesEcbRoundTripSuccess/0_default, where GetParam() = "default"
1 FAILED TEST
对应VTS测试代码:
/*
* EncryptionOperationsTest.TripleDesEcbRoundTripSuccess
*
* Verifies that 3DES is basically functional.
*/
TEST_P(EncryptionOperationsTest, TripleDesEcbRoundTripSuccess) {
auto auths = AuthorizationSetBuilder()
.TripleDesEncryptionKey(168)
.BlockMode(BlockMode::ECB)
.Authorization(TAG_NO_AUTH_REQUIRED)
.Padding(PaddingMode::NONE);
ASSERT_EQ(ErrorCode::OK, GenerateKey(auths));
// Two-block message.
string message = "1234567890123456";
auto inParams = AuthorizationSetBuilder().BlockMode(BlockMode::ECB).Padding(PaddingMode::NONE);
string ciphertext1 = EncryptMessage(message, inParams);
EXPECT_EQ(message.size(), ciphertext1.size());
string ciphertext2 = EncryptMessage(string(message), inParams);
EXPECT_EQ(message.size(), ciphertext2.size());
// ECB is deterministic.
EXPECT_EQ(ciphertext1, ciphertext2);
string plaintext = DecryptMessage(ciphertext1, inParams);
EXPECT_EQ(message, plaintext);
}
异常1分析:
optee keymaster3 中TA_generate_key未针对KM_ALGORITHM_TRIPLE_DES算法做实现,所以在第一个switch-case分支这里就报错了,optee-km3源码如下:
keymaster_error_t TA_generate_key(const keymaster_algorithm_t algorithm,
const uint32_t key_size,
uint8_t *key_material,
const keymaster_digest_t digest,
const uint64_t rsa_public_exponent)
{
TEE_ObjectHandle obj_h = TEE_HANDLE_NULL;
TEE_Result res = TEE_SUCCESS;
uint32_t padding = 0;
uint32_t *attributes = NULL;
uint32_t attr_count = 0;
uint32_t attr_size = 0;
uint32_t type = 0;
uint32_t a = 0;
uint32_t b = 0;
uint32_t curve = UNDEFINED;
uint8_t buffer[KM_MAX_ATTR_SIZE] = { 0 };
uint8_t *buf_pe = NULL;
uint64_t be_pe = 0;
TEE_Attribute *attrs_in = NULL;
uint32_t attrs_in_count = 0;
switch (algorithm) {
case KM_ALGORITHM_AES:
attributes = attributes_aes_hmac;
attr_count = KM_ATTR_COUNT_AES_HMAC;
type = TEE_TYPE_AES;
break;
case KM_ALGORITHM_HMAC:
attributes = attributes_aes_hmac;
attr_count = KM_ATTR_COUNT_AES_HMAC;
......break;
case KM_ALGORITHM_RSA:
attributes = attributes_rsa;
attr_count = KM_ATTR_COUNT_RSA;
type = TEE_TYPE_RSA_KEYPAIR;
attrs_in = TEE_Malloc(sizeof(TEE_Attribute),
TEE_MALLOC_FILL_ZERO);
......break;
case KM_ALGORITHM_EC:
attributes = attributes_ec;
attr_count = KM_ATTR_COUNT_EC;
type = TEE_TYPE_ECDSA_KEYPAIR;
attrs_in = TEE_Malloc(sizeof(TEE_Attribute),
TEE_MALLOC_FILL_ZERO);
......break;
default:
return KM_ERROR_UNSUPPORTED_ALGORITHM;
}
res = TEE_AllocateTransientObject(type, key_size, &obj_h);
if (res != TEE_SUCCESS) {
EMSG("Failed to allocate transient object, res=%x", res);
goto gk_out;
}
.............
gk_out:
if (obj_h != TEE_HANDLE_NULL)
TEE_FreeTransientObject(obj_h);
free_attrs(attrs_in, attrs_in_count);
return res;
}
代码中只处理了如下4中算法:
case KM_ALGORITHM_AES:
case KM_ALGORITHM_HMAC:
case KM_ALGORITHM_RSA:
case KM_ALGORITHM_EC:
KM_ALGORITHM_TRIPLE_DES = 33被归为缺省处理了。所以TA直接返回了不支持,VTS测试报错。
OPTEE CORE API文档中,TEE_GenerateKey:
这个接口涉及4个入参,针对TEE_TYPE_DES3算法,官方的说法是No parameter is necessary,所以只需要保证前面两个参数正常即可。
对比文档,并参考其他算法的实现方式,最终的改动是在TA_generate_key中增加了如下case:
case KM_ALGORITHM_TRIPLE_DES:
attributes = attributes_aes_hmac;
attr_count = KM_ATTR_COUNT_AES_HMAC;
type = TEE_TYPE_DES3;
break;
这段处理增加之后,异常1不复存在。也就是说GenerateKey过了。但其实结果并没有验证,从接下来的测试可见一斑。
VTS测试下来,出现了异常2.
异常2:
# ./VtsHalKeymasterV4_0TargetTest --gtest_filter=PerInstance/EncryptionOperationsTest.TripleDesEcbRoundTripSuccess/0_default
Note: Google Test filter = PerInstance/EncryptionOperationsTest.TripleDesEcbRoundTripSuccess/0_default
[==========] Running 1 test from 1 test suite.
[----------] Global test environment set-up.
[----------] 1 test from PerInstance/EncryptionOperationsTest
[ RUN ] PerInstance/EncryptionOperationsTest.TripleDesEcbRoundTripSuccess/0_default
hardware/interfaces/keymaster/4.0/vts/functional/KeymasterHidlTest.cpp:462: Failure
Expected equality of these values:
ErrorCode::OK
Which is: OK
Begin(operation, key_blob, in_params, &begin_out_params, &op_handle_)
Which is: INCOMPATIBLE_DIGEST
Google Test trace:
hardware/interfaces/keymaster/4.0/vts/functional/KeymasterHidlTest.cpp:456: ProcessMessage
hardware/interfaces/keymaster/4.0/vts/functional/KeymasterHidlTest.cpp:605: EncryptMessage
hardware/interfaces/keymaster/4.0/vts/functional/KeymasterHidlTest.cpp:611: EncryptMessage
hardware/interfaces/keymaster/4.0/vts/functional/KeymasterHidlTest.cpp:616: EncryptMessage
hardware/interfaces/keymaster/4.0/vts/functional/KeymasterHidlTest.cpp:470: Failure
Expected equality of these values:
ErrorCode::OK
Which is: OK
Update(op_handle_, update_params, message, &update_out_params, &output, &consumed)
Which is: INVALID_OPERATION_HANDLE
......
[ FAILED ] PerInstance/EncryptionOperationsTest.TripleDesEcbRoundTripSuccess/0_default, where GetParam() = "default" (4607 ms)
[----------] 1 test from PerInstance/EncryptionOperationsTest (4607 ms total)
[----------] Global test environment tear-down
[==========] 1 test from 1 test suite ran. (4609 ms total)
[ PASSED ] 0 tests.
[ FAILED ] 1 test, listed below:
[ FAILED ] PerInstance/EncryptionOperationsTest.TripleDesEcbRoundTripSuccess/0_default, where GetParam() = "default"
1 FAILED TEST
KeymasterHidlTest.cpp:462对应的测试代码为:EXPECT_EQ(ErrorCode::OK, Begin(operation, key_blob, in_params, &begin_out_params, &op_handle_));
这意味着前面生成出来的key,在begin操作中异常了。
TA中输出的关键异常log:
D/TA: TA_restore_key:799 after decrypt key_material size = 296
D/TA: dumpData:121 [000] 0b 00 00 00 00 00 00 00 02 00 00 10 00 00 00 00
D/TA: TA_restore_key:802 -->TA_populate_key_attrs
D/TA: TA_populate_key_attrs:599 padding = 4 type = 0xb
D/TA: TA_populate_key_attrs:623 HMAC attrs_count = 1 algorithm = 128
key的前面4个字节对应的是算法类型,应该为TEE_TYPE_DES3 0xA0000013,实际restore出来为0b 00 00 00。
回头找key生成过程中的异常,通过添加log,发现TA_generate_key生成的key_material是正常的(至少前面4个字节正常)。
但在TA_generateKey==>TA_generate_key之后,调用TA_serialize_param_set(key_material + key_buffer_size, ¶ms_t);这句的时候,key_materail就发生了变化。
原因:
key_buffer_size = TA_get_key_size(key_algorithm);中没有对KM_ALGORITHM_TRIPLE_DES处理,导致算出来的buffer size不对,直接返回了0,key_material前面的key被覆盖了。
修改点:
uint32_t TA_get_key_size(const keymaster_algorithm_t algorithm)
{
switch (algorithm) {
case KM_ALGORITHM_TRIPLE_DES:
/* attr_count * (size of tag + size of attribute +
* attribute data size) + size of algorithm + size of key size
*/
return KM_ATTR_COUNT_AES_HMAC *
(2 * sizeof(uint32_t) + KM_DES3_ATTR_SIZE)
+ sizeof(algorithm) + sizeof(uint32_t);
break;
............
default:
return 0;
}
}
异常3:
0374 D/TA: TA_restore_key:810 -->TA_populate_key_attrs
0375 D/TA: TA_populate_key_attrs:607 padding = 4 type = 0xa0000013
0383 D/TA: TA_check_hmac_key:549 type = a0000013
0384 D/TA: TA_check_hmac_key:582 default value: 0xa0000013, return -13
0385 E/TA: TA_restore_key:821 HMAC key checking failed res = -13
0386 E/TA: TA_restore_key:849 populate attrs is finished with err -13
0387 D/TA: TA_begin:1327 -->TA_serialize_rsp_err res = fffffff3
TA_populate_key_attrs中输入type打印正常,是DES3算法,但解析出去却变成了HMAC。
这里也缺少了针对DES3的处理。
解决方法:
keymaster_error_t TA_populate_key_attrs(uint8_t *key_material,
tee_key_attributes *att)
{
uint32_t padding = 0;
uint32_t tag;
int res = KM_ERROR_UNKNOWN_ERROR;
TEE_MemMove(&att->type, key_material, sizeof(att->type));
padding += sizeof(att->type);
DMSG("padding = %u *type = 0x%x", padding, att->type);
switch (att->type) {
case TEE_TYPE_DES3:
att->attrs_count = KM_ATTR_COUNT_AES_HMAC;
att->alg = KM_ALGORITHM_TRIPLE_DES;
break;
......default: /* HMAC */
att->attrs_count = KM_ATTR_COUNT_AES_HMAC;
att->alg = KM_ALGORITHM_HMAC;
DMSG("HMAC attrs_count = %u algorithm = %d",
att->attrs_count, att->alg);
}
......return KM_ERROR_OK;
out_err:
free_attrs(att->attrs, att->attrs_count);
TEE_MemFill((void*)att, 0, sizeof(*att));
return res;
}
继续测试。
异常:
394 D/TA: TA_begin:1261 -->TA_check_params
420 D/TA: TA_begin:1298 -->TA_create_operation, algorithm = 33
421 D/TA: TA_begin:1299 -->TA_create_operation, digest = -1
422 D/TA: TA_begin:1300 -->TA_create_operation, mode = 1
423 D/TA: TA_begin:1301 -->TA_create_operation, padding = 1
424 D/TA: TA_begin:1302 -->TA_create_operation, purpose = 0
425 D/TA: TA_begin:1303 -->TA_create_operation, mac_length = -1
426 E/TA: TA_create_operation:1060 Unsupported algorithm
427 D/TA: TA_begin:1327 -->TA_serialize_rsp_err res = fffffffc
看来是TA_create_operation中没有针对DES3算法的处理。
修改点:
@@ -834,7 +884,21 @@ keymaster_error_t TA_create_operation(TEE_OperationHandle *operation,
*operation = TEE_HANDLE_NULL;
+ DMSG("algorithm = %d, op_mode = %d, padding = %d, digest = %d", algorithm, op_mode, padding, digest);
switch (algorithm) {
+ case KM_ALGORITHM_TRIPLE_DES:
+ switch (op_mode) {
+ case KM_MODE_ECB:
+ algo = TEE_ALG_DES3_ECB_NOPAD;
+ break;
+ case KM_MODE_CBC:
+ algo = TEE_ALG_DES3_CBC_NOPAD;
+ break;
+ default:
+ algo = TEE_ALG_DES3_CMAC;
+ break;
+ }
+ break;
case (KM_ALGORITHM_AES):
switch (op_mode) {
case KM_MODE_ECB:
@@ -1025,6 +1089,12 @@ keymaster_error_t TA_create_operation(TEE_OperationHandle *operation,
}
DMSG("algorithm = %d op_mode = %d", algorithm, op_mode);
switch (algorithm) {
+ case KM_ALGORITHM_TRIPLE_DES:
+ DMSG("-->TEE_CipherInit");
+ TEE_CipherInit(*operation,
+ nonce.data,
+ nonce.data_length);
+ break;
case (KM_ALGORITHM_AES):
if (op_mode == KM_MODE_GCM) {
DMSG("-->TEE_AEInit");
更新版本。继续解决。
新的异常:
# ./VtsHalKeymasterV4_0TargetTest --gtest_filter=PerInstance/EncryptionOperationsTest.TripleDesEcbRoundTripSuccess/0_default
Note: Google Test filter = PerInstance/EncryptionOperationsTest.TripleDesEcbRoundTripSuccess/0_default
[==========] Running 1 test from 1 test suite.
[----------] Global test environment set-up.
[----------] 1 test from PerInstance/EncryptionOperationsTest
[ RUN ] PerInstance/EncryptionOperationsTest.TripleDesEcbRoundTripSuccess/0_default
hardware/interfaces/keymaster/4.0/vts/functional/KeymasterHidlTest.cpp:477: Failure
Expected equality of these values:
ErrorCode::OK
Which is: OK
Finish(op_handle_, finish_params, message.substr(consumed), unused, &finish_out_params, &output)
Which is: INVALID_OPERATION_HANDLE
Google Test trace:
hardware/interfaces/keymaster/4.0/vts/functional/KeymasterHidlTest.cpp:456: ProcessMessage
hardware/interfaces/keymaster/4.0/vts/functional/KeymasterHidlTest.cpp:605: EncryptMessage
hardware/interfaces/keymaster/4.0/vts/functional/KeymasterHidlTest.cpp:611: EncryptMessage
hardware/interfaces/keymaster/4.0/vts/functional/KeymasterHidlTest.cpp:616: EncryptMessage
hardware/interfaces/keymaster/4.0/vts/functional/keymaster_hidl_hal_test.cpp:3724: Failure
Expected equality of these values:
message.size()
Which is: 16
ciphertext1.size()
Which is: 0
hardware/interfaces/keymaster/4.0/vts/functional/KeymasterHidlTest.cpp:477: Failure
Expected equality of these values:
ErrorCode::OK
Which is: OK
Finish(op_handle_, finish_params, message.substr(consumed), unused, &finish_out_params, &output)
Which is: INVALID_OPERATION_HANDLE
Google Test trace:
hardware/interfaces/keymaster/4.0/vts/functional/KeymasterHidlTest.cpp:456: ProcessMessage
hardware/interfaces/keymaster/4.0/vts/functional/KeymasterHidlTest.cpp:605: EncryptMessage
hardware/interfaces/keymaster/4.0/vts/functional/KeymasterHidlTest.cpp:611: EncryptMessage
hardware/interfaces/keymaster/4.0/vts/functional/KeymasterHidlTest.cpp:616: EncryptMessage
hardware/interfaces/keymaster/4.0/vts/functional/keymaster_hidl_hal_test.cpp:3727: Failure
Expected equality of these values:
message.size()
Which is: 16
ciphertext2.size()
Which is: 0
hardware/interfaces/keymaster/4.0/vts/functional/KeymasterHidlTest.cpp:477: Failure
Expected equality of these values:
ErrorCode::OK
Which is: OK
Finish(op_handle_, finish_params, message.substr(consumed), unused, &finish_out_params, &output)
Which is: INVALID_OPERATION_HANDLE
Google Test trace:
hardware/interfaces/keymaster/4.0/vts/functional/KeymasterHidlTest.cpp:456: ProcessMessage
hardware/interfaces/keymaster/4.0/vts/functional/KeymasterHidlTest.cpp:674: DecryptMessage
hardware/interfaces/keymaster/4.0/vts/functional/KeymasterHidlTest.cpp:683: DecryptMessage
hardware/interfaces/keymaster/4.0/vts/functional/keymaster_hidl_hal_test.cpp:3733: Failure
Expected equality of these values:
message
Which is: "1234567890123456"
plaintext
Which is: ""
[ FAILED ] PerInstance/EncryptionOperationsTest.TripleDesEcbRoundTripSuccess/0_default, where GetParam() = "default" (13538 ms)
[----------] 1 test from PerInstance/EncryptionOperationsTest (13538 ms total)
[----------] Global test environment tear-down
[==========] 1 test from 1 test suite ran. (13538 ms total)
[ PASSED ] 0 tests.
[ FAILED ] 1 test, listed below:
[ FAILED ] PerInstance/EncryptionOperationsTest.TripleDesEcbRoundTripSuccess/0_default, where GetParam() = "default"
1 FAILED TEST
对应VTS代码:
EXPECT_EQ(ErrorCode::OK, Finish(op_handle_, finish_params, message.substr(consumed), unused,
&finish_out_params, &output));
走到Finish操作啦。
标签:optee,PerInstance,default,TEE,KM,keymaster,key,test,TA From: https://www.cnblogs.com/xiululu/p/17126651.html