Basic Keystore availability test

Loop up the Keystore service from the test payload to make sure it can
be found and communicated with.

Bug: 190578423
Test: atest MicrodroidHostTestCases
Change-Id: I1dd863202b7de5405658ee5e922b955e3cba6741

microdroid/Android.bp

@@ -77,6 +77,8 @@ android_system_image {
         "cgroups.json",
         "public.libraries.android.txt",
 
+        "android.system.keystore2-V1-ndk_platform",
+
         // TODO(b/185767624): remove hidl after full keymint support
         "hwservicemanager",
 

microdroid/sepolicy/system/private/keystore_keys.te

@@ -20,3 +20,6 @@ type locksettings_key, keystore2_key_type;
 # A keystore2 namespace for resume on reboot.
 type resume_on_reboot_key, keystore2_key_type;
 
+# A keystore2 namespace for VM payloads.
+type vm_payload_key, keystore2_key_type;
+

microdroid/sepolicy/system/private/microdroid_launcher.te

@@ -24,3 +24,18 @@ allow microdroid_launcher devpts:chr_file rw_file_perms;
 
 # Allow to set debug prop
 set_prop(microdroid_launcher, debug_prop)
+
+# Talk to binder services (for keystore)
+binder_use(microdroid_launcher);
+
+# Allow payloads to use keystore
+use_keystore(microdroid_launcher);
+
+# Allow payloads to use and manage their keys
+allow microdroid_launcher vm_payload_key:keystore2_key {
+    delete
+    get_info
+    manage_blob
+    rebind
+    use
+};

tests/hostside/java/android/virt/test/MicrodroidTestCase.java

@@ -104,6 +104,9 @@ public class MicrodroidTestCase extends BaseHostJUnit4Test {
                 runOnMicrodroid(microdroidLauncher, testLib, "arg1", "arg2"),
                 is("Hello Microdroid " + testLib + " arg1 arg2"));
 
+        // Check that keystore was found by the payload
+        assertThat(runOnMicrodroid("getprop", "debug.microdroid.test_keystore"), is("PASS"));
+
         // Shutdown microdroid
         runOnAndroid(VIRT_APEX + "bin/vm", "stop", cid);
     }

tests/testapk/Android.bp

@@ -6,7 +6,7 @@ android_app {
     name: "MicrodroidTestApp",
     srcs: ["src/java/**/*.java"],
     jni_libs: ["MicrodroidTestNativeLib"],
-    sdk_version: "current",
+    platform_apis: true,
     use_embedded_native_libs: true,
 }
 
@@ -14,7 +14,10 @@ android_app {
 cc_library_shared {
     name: "MicrodroidTestNativeLib",
     srcs: ["src/native/*.cpp"],
-    sdk_version: "current",
+    shared_libs: [
+        "android.system.keystore2-V1-ndk_platform",
+        "libbinder_ndk",
+    ],
 }
 
 genrule {

tests/testapk/src/native/testbinary.cpp

@@ -13,9 +13,36 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
+#include <aidl/android/system/keystore2/IKeystoreService.h>
+#include <android/binder_auto_utils.h>
+#include <android/binder_manager.h>
 #include <stdio.h>
 #include <sys/system_properties.h>
 
+using aidl::android::hardware::security::keymint::SecurityLevel;
+
+using aidl::android::system::keystore2::IKeystoreSecurityLevel;
+using aidl::android::system::keystore2::IKeystoreService;
+
+namespace {
+
+bool test_keystore() {
+    ndk::SpAIBinder binder(
+            AServiceManager_getService("android.system.keystore2.IKeystoreService/default"));
+    auto service = IKeystoreService::fromBinder(binder);
+    if (service == nullptr) {
+        return false;
+    }
+    std::shared_ptr<IKeystoreSecurityLevel> securityLevel;
+    auto status = service->getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT, &securityLevel);
+    if (!status.isOk()) {
+        return false;
+    }
+    return true;
+}
+
+} // Anonymous namespace
+
 extern "C" int android_native_main(int argc, char* argv[]) {
     printf("Hello Microdroid ");
     for (int i = 0; i < argc; i++) {
@@ -28,5 +55,6 @@ extern "C" int android_native_main(int argc, char* argv[]) {
     printf("\n");
 
     __system_property_set("debug.microdroid.app.run", "true");
+    __system_property_set("debug.microdroid.test_keystore", test_keystore() ? "PASS" : "FAIL");
     return 0;
 }