We detect a TA crash by not being able to reconnect to its channel. We
were previously connecting to the TA at the beginning of each fuzz
iteration, but this results in only detecting a crash on the following
iteration. By moving this connection to the end of the fuzz iteration,
we can detect a crash corresponding to the correct fuzz iteration and
libFuzzer will produce the correct crashing input.
Test: /data/fuzz/arm64/trusty_keymaster_fuzzer/trusty_keymaster_fuzzer
Bug: 185407818
Change-Id: I6808c72611fcabab5b314218f8b588dd7d944188
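
The attribution problem described in the commit message above, as an added C++ simulation that is not code from the Trusty tree. FakeTa, its 0xFF crash trigger, BlamedIteration and SampleInputs are hypothetical stand-ins for the TA channel and the fuzz loop.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

using Input = std::vector<uint8_t>;

// Constructed stand-in for a TA behind a channel (hypothetical, not Trusty code).
struct FakeTa {
    bool alive = true;
    bool Connect() const { return alive; }  // connecting fails once the TA has died
    // Hypothetical bug: a message starting with 0xFF kills the TA. The send
    // still "succeeds", so the crash only shows up at the next connect.
    void Send(const Input& msg) {
        if (!msg.empty() && msg[0] == 0xFF) alive = false;
    }
};

enum class Check { kStartOfIteration, kEndOfIteration };

// Feeds the inputs in order, one per fuzz iteration, and returns the index of
// the iteration in which the harness noticed the crash, or -1 if it never did.
int BlamedIteration(const std::vector<Input>& inputs, Check when) {
    FakeTa ta;
    for (size_t i = 0; i < inputs.size(); ++i) {
        if (when == Check::kStartOfIteration && !ta.Connect()) return static_cast<int>(i);
        ta.Send(inputs[i]);
        if (when == Check::kEndOfIteration && !ta.Connect()) return static_cast<int>(i);
    }
    return -1;
}

// Constructed corpus: only the input at index 1 triggers the crash.
std::vector<Input> SampleInputs() { return {{0x01}, {0xFF, 0x00}, {0x02}}; }

int main() {
    const auto inputs = SampleInputs();
    std::printf("start-of-iteration check blames input %d\n",
                BlamedIteration(inputs, Check::kStartOfIteration));
    std::printf("end-of-iteration check blames input %d\n",
                BlamedIteration(inputs, Check::kEndOfIteration));
    return 0;
}
```

With the start-of-iteration check, a crash caused by the final input of a run is never noticed at all, because no later iteration performs the connect.
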
Otherwise, these error logs don't end up in bugreports, making it very
difficult to debug.
When using locally, users will have to check logcat instead of stderr.
Bug: 183919392
Bug: 115420908
Test: m
Change-Id: I3b829347971d05968b851e11ce784829d12ef098

The parameter is intended to make the API backwards compatible with
legacy ION devices. It will be ignored for devices that support DMA-BUF
heaps.
Test: build
Bug: 154310076
Change-Id: Ic5b49269283caa7d05d9468f8ed7f02e1b3c1f1e
Merged-In: Ic5b49269283caa7d05d9468f8ed7f02e1b3c1f1e

Added SPDX-license-identifier-Apache-2.0 to:
libstats/pull_lazy/Android.bp
libstats/socket_lazy/Android.bp
trusty/utils/acvp/Android.bp
Bug: 68860345
Bug: 151177513
Bug: 151953481
Test: m all
Exempt-From-Owner-Approval: janitorial work
Change-Id: I33005150521238b61d1a8c923749b17d36bba693

We need to do this to make sure that target TA is connected to coverage
service.
Bug: 171750250
Test: trusty_test_fuzzer
Change-Id: I207b8c674a0c5630dd6baf966d3dfb243a855be0

The non-test fuzz targets should run automatically in Haiku.
None of these should be built for Host, and all but the
trusty_test_fuzzer should be built for Target.
Test: built locally (make haiku) and checked that non-test trusty fuzz
targets are included as expected.
Change-Id: Ic67b1e1ddea8ed61b83deef66acdeb0891489195

ConfirmationUI messages are a higher-level abstraction than TIPC
messages (which is what TIPC fuzzer fuzzes).
Bug: 174402999
Test: trusty_confirmationui_msg_fuzzer
Change-Id: I1e1e2c7070b87b78d6236993330df65202840ce6

The keymaster TA has 30841 distinct coverage counters, so 0x4000 counter
slots is not enough to handle this TA. Increase maximum number of
coverage counters to 0x8000.
Test: adb shell trusty_keymaster_fuzzer
Bug: 175918322
Change-Id: I879d18538edb4933a4205c8f73b7939ddbf69e37

Add an initial corpus for the keymaster fuzzer derived from running the
keystore2 unittests.
Test: adb shell "cd /data/fuzz/arm64/trusty_keymaster_fuzzer/ && ./trusty_keymaster_fuzzer corpus"
Bug: 175918322
Change-Id: I839bb9bacee1800cf2da25aedbb4ce3eccf16cba

libtrusty can be depended on by multiple things in a fuzzer's
dependencies tree. It's no longer convenient to link to statically.
Leave tests statically linked. Test infra doesn't seem to handle shared
test libs correctly.
Bug: 171750250
Test: trusty_test_fuzzer libtrusty_coverage_test
Change-Id: Ic7d003151e43fb5bab63354fd42ea9667332743f

In order to validate the BoringSSL implementation in Trusty using ACVP,
we need a modulewrapper tool that forwards requests to Trusty and back
to the ACVP tool. Adds this tool, which interfaces with the Trusty ACVP
testing service.
Test: make trusty_acvp_modulewrapper
Test: adb shell "acvptool -wrapper trusty_acvp_modulewrapper -json vectors/ACVP-AES-CBC"
Bug: 173805789
Change-Id: I3028e44c00f8e315dfd94ea34c004bbd25fab788

Fix a typo in one of the short command line options
for the Trusty application loader. The typo caused
the tool to incorrectly accept the -s short option
and ignore it, but not accept the -D option which
is the short version of --dev.
Bug: 115420908
Test: m
Change-Id: I9d03f8dd20adedbd820621ae8f9b4d13137041ed

The header SecureDPU.h is moved out from the device specific folder as
it can be shared for different devices.
Bug: 176508588
Test: Pass TUI VTS test on the emulator.
Change-Id: I7695b49c4f7a247b570ced61145471efef3d0a3d

Trusty Keymaster will currently disconnect the client on an invalid
message. This includes the newly introduced GET_VERSION2 message.
While in the future we could change this behavior, this is a backcompat
path and so we can't assume a changed Trusty. Reconnect on failed
GET_VERSION2 before attempting version negotiation.
Bug: 177843218
Test: Set PIN on device using older Trusty
Change-Id: Ie60e4aaafa43e375797e6288b97834cac42413f4

* changes:
  trusty: Add simple fuzzer for keymaster TA
  trusty: Increase limit on coverage counters
  trusty: Write out sancov file when fuzzer exits
  trusty: Switch to dmabuf for coverage shared memory

Adds a simple libfuzzer-based coverage guided fuzzer for keymaster.
Current coverage is low, so we'll need to improve this with an initial
corpus or a more sophisticated protocol aware fuzzer.
Bug: 175918322
Test: make trusty_keymaster_fuzzer
Test: adb shell /data/fuzz/arm64/trusty_keymaster_fuzzer/trusty_keymaster_fuzzer
Change-Id: Iad1713e1a73cc5a6a3ec742cc433d1337aca9bc3

Keymaster has more than 4096 counters, so we need to allocate a larger
section for the libfuzzer extra counters. Increases the size of the
extra counters section to 16384.
Bug: 171750250
Test: atest libtrusty_coverage_test
Change-Id: Iaee2c74b6d0c7ae8a2e5a30525759f89f825a091

Add emission of sancov file when CoverageRecord is destroyed. This
will occur when a fuzzer driver exits cleanly, i.e. -runs=0 with an
existing corpus.
Test: make trusty_gatekeeper_fuzzer
Test: adb shell ./trusty_gatekeeper_fuzzer -runs=0 corpus
Bug: 175221942
Change-Id: I6bd1c8b2f2091e894c35f7a4874b54577a91c8fc

Trusty shared memory now uses dmabuf instead of memfd. Switch the
coverage buffer allocation to use libdmabufheap.
Test: atest libtrusty_coverage_test
Bug: None
Change-Id: I067dd0774d19b42380ce5cb8ceb3541fa77ef9f0