From: Tomasz Swierczek Date: Tue, 13 Feb 2024 08:51:33 +0000 (+0100) Subject: Add old_tee compile-time option X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=2ee79dc32678cf219573a8d6b91672e90c98ceff;p=platform%2Fcore%2Ftest%2Fsecurity-tests.git Add old_tee compile-time option This setting can be used in pair with tz_backend compile-time flag to disable some algorithms not supported on older TEE backends. Currently unsupported: RSA & DSA 4096 Change-Id: I5a0e04ca604a034a07a68717f547ccacb59b17d3 --- diff --git a/packaging/security-tests.spec b/packaging/security-tests.spec index 2ea4cccb..e41bfff1 100644 --- a/packaging/security-tests.spec +++ b/packaging/security-tests.spec @@ -45,6 +45,7 @@ Requires: toybox-symlinks-ping %global ckm_test_dir %{?TZ_SYS_SHARE:%TZ_SYS_SHARE/ckm-test/}%{!?TZ_SYS_SHARE:/usr/share/ckm-test/} %global ckm_rw_data_dir %{?TZ_SYS_DATA:%TZ_SYS_DATA/ckm/}%{!?TZ_SYS_DATA:/opt/data/ckm/} %global tz_backend_enabled %{?tz_backend:%tz_backend}%{!?tz_backend:OFF} +%global use_old_tee %{?old_tee:%old_tee}%{!?old_tee:OFF} %global tz_ec_import_enabled %{?tz_ec_import:%tz_ec_import}%{!?tz_ec_import:OFF} %global sm_test_dir %{?TZ_SYS_SHARE:%TZ_SYS_SHARE/security-manager-test}%{!?TZ_SYS_SHARE:/usr/share/security-manager-test} @@ -64,7 +65,10 @@ cmake . -DCMAKE_INSTALL_PREFIX=%{_prefix} \ %if %{tz_backend_enabled} == ON -DTZ_BACKEND="ON" \ %if %{tz_ec_import_enabled} == ON - -DTZ_EC_IMPORT="ON" \ + -DTZ_EC_IMPORT="ON" \ +%endif +%if %{use_old_tee} == ON + -DTZ_LEGACY_BACKEND="ON" \ %endif %endif -DDPL_LOG="ON" \ diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt index 2a9368fd..c82c2248 100644 --- a/src/CMakeLists.txt +++ b/src/CMakeLists.txt 
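Review bot: `old_tee` is only read inside the `%if %{tz_backend_enabled} == ON` block of the second hunk, so a build that passes `old_tee ON` without `tz_backend ON` silently runs the full test set with no hint that the flag was dropped. A comment above the new `%global use_old_tee` line would document this, for example `# old_tee: honoured only together with tz_backend; drops RSA/DSA 4096 tests for older TEE backends`. The switch also carries three names (`old_tee`, `use_old_tee`, `TZ_LEGACY_BACKEND`), whereas the neighbouring flag keeps one stem (`tz_backend`, `tz_backend_enabled`, `TZ_BACKEND`); a single stem would be easier to grep.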
@@ -34,11 +34,15 @@ ADD_DEFINITIONS(${SYS_FRAMEWORK_TEST_OTHER_CFLAGS}) OPTION("TZ_BACKEND" OFF) OPTION("TZ_EC_IMPORT" OFF) +OPTION("TZ_LEGACY_BACKEND" OFF) IF(TZ_BACKEND) ADD_DEFINITIONS("-DTZ_BACKEND") IF(TZ_EC_IMPORT) ADD_DEFINITIONS("-DTZ_EC_IMPORT") ENDIF(TZ_EC_IMPORT) + IF(TZ_LEGACY_BACKEND) + ADD_DEFINITIONS("-DTZ_LEGACY_BACKEND") + ENDIF(TZ_LEGACY_BACKEND) ENDIF(TZ_BACKEND) include(framework/config.cmake) diff --git a/src/ckm/unprivileged/encryption-decryption.cpp b/src/ckm/unprivileged/encryption-decryption.cpp index d87e46a6..a4a9e499 100644 --- a/src/ckm/unprivileged/encryption-decryption.cpp +++ b/src/ckm/unprivileged/encryption-decryption.cpp @@ -209,8 +209,9 @@ public: generateSymmetricKeys(256); generateRsaKeys(1024); generateRsaKeys(2048); +#ifndef TZ_LEGACY_BACKEND // no support for RSA 4k keys in old TEE implementations generateRsaKeys(4096); - +#endif PLAIN_DATA = create_raw_buffer(createRandomBufferCAPI(BUF_LEN)); #ifdef TZ_BACKEND ckmc_backend_info_h info; @@ -366,7 +367,9 @@ void testAllAlgorithms(const std::function& test) test( { CKMC_ALGO_RSA_OAEP, 1024 }); test( { CKMC_ALGO_RSA_OAEP, 2048 }); +#ifndef TZ_LEGACY_BACKEND // no support for RSA 4k keys in old TEE implementations test( { CKMC_ALGO_RSA_OAEP, 4096 }); +#endif } void testNoIvEnc(const Algo& algo) @@ -1181,7 +1184,9 @@ RUNNER_TEST_MULTIPLE(TED_0200_encrypt_decrypt_different_keys, SyncEnv, AsyncEnv, testEncryptDecryptDifferentKeys({CKMC_ALGO_RSA_OAEP, 1024}, false); testEncryptDecryptDifferentKeys({CKMC_ALGO_RSA_OAEP, 2048}, false); +#ifndef TZ_LEGACY_BACKEND // no support for RSA 4k keys in old TEE implementations testEncryptDecryptDifferentKeys({CKMC_ALGO_RSA_OAEP, 4096}, false); +#endif } RUNNER_TEST_MULTIPLE(TED_0300_encrypt_decrypt, SyncEnv, AsyncEnv, CipherEnv) 
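Review bot: `OPTION("TZ_LEGACY_BACKEND" OFF)` puts `OFF` in the help-text position of `option(<variable> "<help_text>" [value])`, so the option ends up with no description and is off only because that is CMake's default. The two existing options above it have the same shape, but the new one is the least self-explanatory of the three. Writing it as `OPTION(TZ_LEGACY_BACKEND "Skip RSA/DSA 4096 tests not supported by older TEE backends" OFF)` documents it in the cache. Because the new `IF(TZ_LEGACY_BACKEND)` is nested in `IF(TZ_BACKEND)`, setting it alone is silently ignored; a `MESSAGE(WARNING "TZ_LEGACY_BACKEND has no effect without TZ_BACKEND")` on that path would make the misconfiguration visible.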
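Review bot: With `generateRsaKeys(4096)` compiled out in the first encryption-decryption.cpp hunk (at -209), a legacy build no longer issues any 4096-bit request, so nothing records what an older TEE backend does when asked for such a key. For a key-manager test suite that failure mode is worth pinning: an `#else` branch that requests the 4096-bit key and asserts the documented error would catch a backend that crashes or handles the request in some unintended way. The same applies to the guarded calls in the hunks at -366, -1181 and -1471, and to the setup code in key-wrapping.cpp and sign-verify.cpp. The expected error value is not visible in this diff and would have to come from the CKM API. The enclosing setup function starts and ends outside the hunk.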
@@ -1471,21 +1476,27 @@ RUNNER_TEST_MULTIPLE(TED_1300_rsa_label, SyncEnv, AsyncEnv) RUNNER_IGNORED_MSG("RSA-OAEP labels are not supported in openssl"); encryptionWithCustomData({CKMC_ALGO_RSA_OAEP, 1024}, CKMC_PARAM_ED_LABEL); encryptionWithCustomData({CKMC_ALGO_RSA_OAEP, 2048}, CKMC_PARAM_ED_LABEL); +#ifndef TZ_LEGACY_BACKEND // no support for RSA 4k keys in old TEE implementations encryptionWithCustomData({CKMC_ALGO_RSA_OAEP, 4096}, CKMC_PARAM_ED_LABEL); +#endif } RUNNER_TEST_MULTIPLE(TED_1330_rsa_longest_data, SyncEnv, AsyncEnv) { testRsaLongestData({CKMC_ALGO_RSA_OAEP, 1024}, 86); testRsaLongestData({CKMC_ALGO_RSA_OAEP, 2048}, 214); +#ifndef TZ_LEGACY_BACKEND // no support for RSA 4k keys in old TEE implementations testRsaLongestData({CKMC_ALGO_RSA_OAEP, 4096}, 470); +#endif } RUNNER_TEST_MULTIPLE(TED_1350_rsa_data_too_long, SyncEnv, AsyncEnv) { testRsaDataTooLong({CKMC_ALGO_RSA_OAEP, 1024}, 87); testRsaDataTooLong({CKMC_ALGO_RSA_OAEP, 2048}, 215); +#ifndef TZ_LEGACY_BACKEND // no support for RSA 4k keys in old TEE implementations testRsaDataTooLong({CKMC_ALGO_RSA_OAEP, 4096}, 471); +#endif } RUNNER_TEST_MULTIPLE(TED_1360_rsa_different_hashes, SyncEnv, AsyncEnv) diff --git a/src/ckm/unprivileged/key-wrapping.cpp b/src/ckm/unprivileged/key-wrapping.cpp index f22489c0..c1b7c5f2 100644 --- a/src/ckm/unprivileged/key-wrapping.cpp +++ b/src/ckm/unprivileged/key-wrapping.cpp @@ -107,14 +107,14 @@ public: RSA_KEY_2048_PUB_ALIAS.c_str(), UNEXPORTABLE, EXPORTABLE); - +#ifndef TZ_LEGACY_BACKEND // no support for RSA 4k keys in old TEE implementations assert_positive(ckmc_create_key_pair_rsa, 4096, RSA_KEY_4096_PRV_ALIAS.c_str(), RSA_KEY_4096_PUB_ALIAS.c_str(), UNEXPORTABLE, EXPORTABLE); - +#endif assert_positive(ckmc_create_key_aes, 128, AES_KEY_128_ALIAS.c_str(), UNEXPORTABLE); assert_positive(ckmc_create_key_aes, 192, AES_KEY_192_ALIAS.c_str(), UNEXPORTABLE); assert_positive(ckmc_create_key_aes, 256, AES_KEY_256_ALIAS.c_str(), UNEXPORTABLE); 
@@ -145,8 +145,10 @@ public: ckmc_remove_key(RSA_KEY_1024_PUB_ALIAS.c_str()); ckmc_remove_key(RSA_KEY_2048_PRV_ALIAS.c_str()); ckmc_remove_key(RSA_KEY_2048_PUB_ALIAS.c_str()); +#ifndef TZ_LEGACY_BACKEND // no support for RSA 4k keys in old TEE implementations ckmc_remove_key(RSA_KEY_4096_PRV_ALIAS.c_str()); ckmc_remove_key(RSA_KEY_4096_PUB_ALIAS.c_str()); +#endif ckmc_remove_key(AES_KEY_128_ALIAS.c_str()); ckmc_remove_key(AES_KEY_192_ALIAS.c_str()); ckmc_remove_key(AES_KEY_256_ALIAS.c_str()); @@ -1173,11 +1175,13 @@ RUNNER_TEST(TKW_VALID_ARGS_RSA_OAEP_2048){ testImportValidArgs(RSA_OAEP_ALGO, 32, RSA_KEY_2048_PUB_ALIAS, RSA_KEY_2048_PRV_ALIAS); } +#ifndef TZ_LEGACY_BACKEND // no support for RSA 4k keys in old TEE implementations RUNNER_TEST(TKW_VALID_ARGS_RSA_OAEP_4096){ testImportValidArgs(RSA_OAEP_ALGO, 16, RSA_KEY_4096_PUB_ALIAS, RSA_KEY_4096_PRV_ALIAS); testImportValidArgs(RSA_OAEP_ALGO, 24, RSA_KEY_4096_PUB_ALIAS, RSA_KEY_4096_PRV_ALIAS); testImportValidArgs(RSA_OAEP_ALGO, 32, RSA_KEY_4096_PUB_ALIAS, RSA_KEY_4096_PRV_ALIAS); } +#endif RUNNER_TEST(TKW_RSAOAEP_INVALID_BUFF_LENGTH){ testImportInvalidBuffLen(RSA_OAEP_ALGO, 8, RSA_KEY_1024_PUB_ALIAS, RSA_KEY_1024_PRV_ALIAS); @@ -1186,9 +1190,11 @@ RUNNER_TEST(TKW_RSAOAEP_INVALID_BUFF_LENGTH){ testImportInvalidBuffLen(RSA_OAEP_ALGO, 8, RSA_KEY_2048_PUB_ALIAS, RSA_KEY_2048_PRV_ALIAS); testImportInvalidBuffLen(RSA_OAEP_ALGO, 12, RSA_KEY_2048_PUB_ALIAS, RSA_KEY_2048_PRV_ALIAS); testImportInvalidBuffLen(RSA_OAEP_ALGO, 82, RSA_KEY_2048_PUB_ALIAS, RSA_KEY_2048_PRV_ALIAS); +#ifndef TZ_LEGACY_BACKEND // no support for RSA 4k keys in old TEE implementations testImportInvalidBuffLen(RSA_OAEP_ALGO, 8, RSA_KEY_4096_PUB_ALIAS, RSA_KEY_4096_PRV_ALIAS); testImportInvalidBuffLen(RSA_OAEP_ALGO, 12, RSA_KEY_4096_PUB_ALIAS, RSA_KEY_4096_PRV_ALIAS); testImportInvalidBuffLen(RSA_OAEP_ALGO, 82, RSA_KEY_4096_PUB_ALIAS, RSA_KEY_4096_PRV_ALIAS); +#endif } RUNNER_TEST(TKW_RSAOAEP_EXPORT_INVALID_HASH){ 
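Review bot: In the hunk at -1173 the whole `RUNNER_TEST(TKW_VALID_ARGS_RSA_OAEP_4096)` definition is compiled out, so on a legacy build the test vanishes from the report instead of showing up as skipped, and the lost coverage is easy to overlook. TKW_IMPORT_EXPORT_RSA_LABEL in this file already uses `RUNNER_IGNORED_MSG` for an unsupported feature; the same pattern would fit here: keep the test registered and start its body with `#ifdef TZ_LEGACY_BACKEND` / `RUNNER_IGNORED_MSG("RSA 4096 keys are not supported by legacy TEE backends");` / `#endif`. This assumes `RUNNER_IGNORED_MSG` stops the test at that point, which the diff does not show. The TSV_0150, TSV_0160, TSV_0270 and TSV_0280 tests in sign-verify.cpp are removed the same way.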
@@ -1219,9 +1225,11 @@ RUNNER_TEST(TKW_WRONG_TYPE_WRAPPING_KEY){ testImportInvalidBuffLen(RSA_OAEP_ALGO, 16, RSA_KEY_2048_PUB_ALIAS, RSA_KEY_2048_PUB_ALIAS); testImportInvalidBuffLen(RSA_OAEP_ALGO, 24, RSA_KEY_2048_PUB_ALIAS, RSA_KEY_2048_PUB_ALIAS); testImportInvalidBuffLen(RSA_OAEP_ALGO, 32, RSA_KEY_2048_PUB_ALIAS, RSA_KEY_2048_PUB_ALIAS); +#ifndef TZ_LEGACY_BACKEND // no support for RSA 4k keys in old TEE implementations testImportInvalidBuffLen(RSA_OAEP_ALGO, 16, RSA_KEY_4096_PUB_ALIAS, RSA_KEY_4096_PUB_ALIAS); testImportInvalidBuffLen(RSA_OAEP_ALGO, 24, RSA_KEY_4096_PUB_ALIAS, RSA_KEY_4096_PUB_ALIAS); testImportInvalidBuffLen(RSA_OAEP_ALGO, 32, RSA_KEY_4096_PUB_ALIAS, RSA_KEY_4096_PUB_ALIAS); +#endif } RUNNER_TEST(TKW_DIF_POLICIES_EXPORTABLE_IMPORTED){ @@ -1499,7 +1507,9 @@ RUNNER_TEST(TKW_IMPORT_EXPORT_RSA_LABEL){ RUNNER_IGNORED_MSG("RSA-OAEP labels are not supported in openssl"); testImportExportCustomParameters(RSA_OAEP_ALGO, RSA_KEY_1024_PUB_ALIAS, nullptr, RSA_KEY_1024_PRV_ALIAS, nullptr, DEFAULT_IV, CKMC_PARAM_ED_LABEL, AAD64); testImportExportCustomParameters(RSA_OAEP_ALGO, RSA_KEY_2048_PUB_ALIAS, nullptr, RSA_KEY_2048_PRV_ALIAS, nullptr, DEFAULT_IV, CKMC_PARAM_ED_LABEL, AAD64); +#ifndef TZ_LEGACY_BACKEND // no support for RSA 4k keys in old TEE implementations testImportExportCustomParameters(RSA_OAEP_ALGO, RSA_KEY_4096_PUB_ALIAS, nullptr, RSA_KEY_4096_PRV_ALIAS, nullptr, DEFAULT_IV, CKMC_PARAM_ED_LABEL, AAD64); +#endif } RUNNER_TEST(TKW_IMPORT_EXPORT_RSA_HASH){ @@ -1518,7 +1528,9 @@ RUNNER_TEST(TKW_IMPORT_EXPORT_RSA_HASH){ }; test(RSA_KEY_1024_PUB_ALIAS, RSA_KEY_1024_PRV_ALIAS); test(RSA_KEY_2048_PUB_ALIAS, RSA_KEY_2048_PRV_ALIAS); +#ifndef TZ_LEGACY_BACKEND // no support for RSA 4k keys in old TEE implementations test(RSA_KEY_4096_PUB_ALIAS, RSA_KEY_4096_PRV_ALIAS); +#endif } RUNNER_TEST(TKW_RSA_WRAPPED_KEY){ 
@@ -1731,17 +1743,20 @@ RUNNER_TEST(TKW_IMPORT_EXPORT_RSA_OAEP){ testImportExportValidArgs(RSA_OAEP_ALGO, 16, RSA_KEY_2048_PUB_ALIAS, nullptr, RSA_KEY_2048_PRV_ALIAS, nullptr, UNEXPORTABLE, nullptr); testImportExportValidArgs(RSA_OAEP_ALGO, 24, RSA_KEY_2048_PUB_ALIAS, nullptr, RSA_KEY_2048_PRV_ALIAS, nullptr, UNEXPORTABLE, nullptr); testImportExportValidArgs(RSA_OAEP_ALGO, 32, RSA_KEY_2048_PUB_ALIAS, nullptr, RSA_KEY_2048_PRV_ALIAS, nullptr, UNEXPORTABLE, nullptr); +#ifndef TZ_LEGACY_BACKEND // no support for RSA 4k keys in old TEE implementations testImportExportValidArgs(RSA_OAEP_ALGO, 16, RSA_KEY_4096_PUB_ALIAS, nullptr, RSA_KEY_4096_PRV_ALIAS, nullptr, UNEXPORTABLE, nullptr); testImportExportValidArgs(RSA_OAEP_ALGO, 24, RSA_KEY_4096_PUB_ALIAS, nullptr, RSA_KEY_4096_PRV_ALIAS, nullptr, UNEXPORTABLE, nullptr); testImportExportValidArgs(RSA_OAEP_ALGO, 32, RSA_KEY_4096_PUB_ALIAS, nullptr, RSA_KEY_4096_PRV_ALIAS, nullptr, UNEXPORTABLE, nullptr); - +#endif testImportExportValidArgs(RSA_OAEP_ALGO, 16, RSA_KEY_1024_PUB_ALIAS, nullptr, RSA_KEY_1024_PRV_ALIAS, nullptr, UNEXPORTABLE_PASS, KEY_PASSWORD); testImportExportValidArgs(RSA_OAEP_ALGO, 24, RSA_KEY_1024_PUB_ALIAS, nullptr, RSA_KEY_1024_PRV_ALIAS, nullptr, UNEXPORTABLE_PASS, KEY_PASSWORD); testImportExportValidArgs(RSA_OAEP_ALGO, 32, RSA_KEY_1024_PUB_ALIAS, nullptr, RSA_KEY_1024_PRV_ALIAS, nullptr, UNEXPORTABLE_PASS, KEY_PASSWORD); testImportExportValidArgs(RSA_OAEP_ALGO, 16, RSA_KEY_2048_PUB_ALIAS, nullptr, RSA_KEY_2048_PRV_ALIAS, nullptr, UNEXPORTABLE_PASS, KEY_PASSWORD); testImportExportValidArgs(RSA_OAEP_ALGO, 24, RSA_KEY_2048_PUB_ALIAS, nullptr, RSA_KEY_2048_PRV_ALIAS, nullptr, UNEXPORTABLE_PASS, KEY_PASSWORD); testImportExportValidArgs(RSA_OAEP_ALGO, 32, RSA_KEY_2048_PUB_ALIAS, nullptr, RSA_KEY_2048_PRV_ALIAS, nullptr, UNEXPORTABLE_PASS, KEY_PASSWORD); +#ifndef TZ_LEGACY_BACKEND // no support for RSA 4k keys in old TEE implementations testImportExportValidArgs(RSA_OAEP_ALGO, 16, RSA_KEY_4096_PUB_ALIAS, 
nullptr, RSA_KEY_4096_PRV_ALIAS, nullptr, UNEXPORTABLE_PASS, KEY_PASSWORD); testImportExportValidArgs(RSA_OAEP_ALGO, 24, RSA_KEY_4096_PUB_ALIAS, nullptr, RSA_KEY_4096_PRV_ALIAS, nullptr, UNEXPORTABLE_PASS, KEY_PASSWORD); testImportExportValidArgs(RSA_OAEP_ALGO, 32, RSA_KEY_4096_PUB_ALIAS, nullptr, RSA_KEY_4096_PRV_ALIAS, nullptr, UNEXPORTABLE_PASS, KEY_PASSWORD); +#endif } diff --git a/src/ckm/unprivileged/sign-verify.cpp b/src/ckm/unprivileged/sign-verify.cpp index 088e1322..58fb5180 100644 --- a/src/ckm/unprivileged/sign-verify.cpp +++ b/src/ckm/unprivileged/sign-verify.cpp @@ -121,7 +121,9 @@ public: m_manager = Manager::create(); generateKeys(RSA, 1024); generateKeys(RSA, 2048); +#ifndef TZ_LEGACY_BACKEND // no support for RSA 4k keys in old TEE implementations generateKeys(RSA, 4096); +#endif generateKeys(DSA, 1024); #ifndef TZ_BACKEND /* @@ -130,7 +132,9 @@ public: */ generateKeys(DSA, 2048); generateKeys(DSA, 3072); +#ifndef TZ_LEGACY_BACKEND // no support for DSA 4k keys in old TEE implementations generateKeys(DSA, 4096); +#endif #endif generateKeys(ECDSA, EC_PRIME192V1); generateKeys(ECDSA, EC_PRIME256V1); @@ -398,6 +402,7 @@ RUNNER_TEST(TSV_0140_sign_verify_rsa_2048_pw) testSignVerify(RSA, 2048, PASSWORD_PROTECTED); } +#ifndef TZ_LEGACY_BACKEND // no support for RSA 4k keys in old TEE implementations RUNNER_TEST(TSV_0150_sign_verify_rsa_4096) { testSignVerify(RSA, 4096, PRIMARY); @@ -407,7 +412,7 @@ RUNNER_TEST(TSV_0160_sign_verify_rsa_4096_pw) { testSignVerify(RSA, 4096, PASSWORD_PROTECTED); } - +#endif // DSA RUNNER_TEST(TSV_0210_sign_verify_dsa_1024) @@ -440,6 +445,7 @@ RUNNER_TEST(TSV_0260_sign_verify_dsa_3072_pw) testSignVerify(DSA, 3072, PASSWORD_PROTECTED); } +#ifndef TZ_LEGACY_BACKEND // no support for DSA 4k keys in old TEE implementations RUNNER_TEST(TSV_0270_sign_verify_dsa_4096) { testSignVerify(DSA, 4096, PRIMARY); 
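Review bot: The `#ifndef TZ_LEGACY_BACKEND` added around `generateKeys(DSA, 4096)` in the sign-verify.cpp hunk at -130 sits inside the existing `#ifndef TZ_BACKEND` region, while src/CMakeLists.txt defines `TZ_LEGACY_BACKEND` only when `TZ_BACKEND` is set. Wherever the inner condition is evaluated it is therefore always true, and the guard has no effect. The outer `TZ_BACKEND` guard already keeps DSA 4096 key generation out of every TEE build, so dropping the inner `#ifndef`/`#endif` pair would keep the setup easier to read. The guard around TSV_0270 and TSV_0280 in the hunk at -440 may be redundant for the same reason, depending on whether those tests already sit in a `TZ_BACKEND`-excluded region, which is not visible here.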
@@ -449,7 +455,7 @@ RUNNER_TEST(TSV_0280_sign_verify_dsa_4096_pw) { testSignVerify(DSA, 4096, PASSWORD_PROTECTED); } - +#endif // ECDSA RUNNER_TEST(TSV_0310_sign_verify_ecdsa_PRIME192V1)