diff --git a/libwvdrmengine/cdm/core/include/cdm_engine.h b/libwvdrmengine/cdm/core/include/cdm_engine.h index a3c8e767..9e00f191 100644 --- a/libwvdrmengine/cdm/core/include/cdm_engine.h +++ b/libwvdrmengine/cdm/core/include/cdm_engine.h @@ -327,12 +327,6 @@ class CdmEngine { return CryptoSession::SetDebugIgnoreKeyboxCount(count); } - // This tells the OEMCrypto adapter to allow the device to continue with a - // test keybox. Otherwise, the keybox is reported as invalid. - static CdmResponseType SetAllowTestKeybox(bool allow) { - return CryptoSession::SetAllowTestKeybox(allow); - } - static CdmResponseType ParseDecryptHashString(const std::string& hash_string, CdmSessionId* id, uint32_t* frame_number, diff --git a/libwvdrmengine/cdm/core/include/crypto_session.h b/libwvdrmengine/cdm/core/include/crypto_session.h index 5d78f882..e74e736a 100644 --- a/libwvdrmengine/cdm/core/include/crypto_session.h +++ b/libwvdrmengine/cdm/core/include/crypto_session.h @@ -331,10 +331,6 @@ class CryptoSession { // report that it needs provisioning instead. static CdmResponseType SetDebugIgnoreKeyboxCount(uint32_t count); - // This tells the OEMCrypto adapter to allow the device to continue with a - // test keybox. Otherwise, the keybox is reported as invalid. - static CdmResponseType SetAllowTestKeybox(bool allow); - // Returns a system-wide singleton instance of SystemFallbackPolicy // to be used for communicating OTA keybox provisioning state between // apps. Returns a null pointer if OTA provisioning is not supported, diff --git a/libwvdrmengine/cdm/core/include/oemcrypto_adapter.h b/libwvdrmengine/cdm/core/include/oemcrypto_adapter.h index afcf32bd..79af2264 100644 --- a/libwvdrmengine/cdm/core/include/oemcrypto_adapter.h +++ b/libwvdrmengine/cdm/core/include/oemcrypto_adapter.h @@ -20,10 +20,6 @@ OEMCryptoResult OEMCrypto_InitializeAndCheckKeybox( // report that it needs provisioning instead. OEMCryptoResult OEMCrypto_SetDebugIgnoreKeyboxCount(uint32_t count); -// This tells the OEMCrypto adapter to allow the device to continue with a -// test keybox. Otherwise, the keybox is reported as invalid. -OEMCryptoResult OEMCrypto_SetAllowTestKeybox(bool allow); - // This attempts to open a session at the desired security level. // If one level is not available, the other will be used instead. OEMCryptoResult OEMCrypto_OpenSession(OEMCrypto_SESSION* session, diff --git a/libwvdrmengine/cdm/core/src/crypto_session.cpp b/libwvdrmengine/cdm/core/src/crypto_session.cpp index b9fe6703..b748e757 100644 --- a/libwvdrmengine/cdm/core/src/crypto_session.cpp +++ b/libwvdrmengine/cdm/core/src/crypto_session.cpp @@ -3280,11 +3280,6 @@ CdmResponseType CryptoSession::SetDebugIgnoreKeyboxCount(uint32_t count) { return MapOEMCryptoResult(status, UNKNOWN_ERROR, "SetDebugIgnoreKeyboxCount"); } -CdmResponseType CryptoSession::SetAllowTestKeybox(bool allow) { - OEMCryptoResult status = OEMCrypto_SetAllowTestKeybox(allow); - return MapOEMCryptoResult(status, UNKNOWN_ERROR, "SetAllowTestKeybox"); -} - okp::SystemFallbackPolicy* CryptoSession::GetOkpFallbackPolicy() { const auto getter = [&]() -> okp::SystemFallbackPolicy* { // If not set, then OTA keybox provisioning is not supported or diff --git a/libwvdrmengine/cdm/core/src/oemcrypto_adapter_dynamic.cpp b/libwvdrmengine/cdm/core/src/oemcrypto_adapter_dynamic.cpp index 5a955bba..08f52835 100644 --- a/libwvdrmengine/cdm/core/src/oemcrypto_adapter_dynamic.cpp +++ b/libwvdrmengine/cdm/core/src/oemcrypto_adapter_dynamic.cpp @@ -626,17 +626,6 @@ std::string GetIgnoreCountFile() { return path; } -std::string GetAllowTestKeyboxFile() { - std::string path; - if (!wvcdm::Properties::GetDeviceFilesBasePath(wvcdm::kSecurityLevelL1, - &path)) { - LOGW("GetAllowTestKeyboxFile: Unable to get base path"); - path = "/data/"; - } - path += "debug_allow_test_keybox.txt"; - return path; -} - uint32_t GetDebugIgnoreKeyboxCount() { const std::string filename = GetIgnoreCountFile(); wvutil::FileSystem file_system; @@ -689,49 +678,6 @@ OEMCryptoResult SetDebugIgnoreKeyboxCount(uint32_t count) { return OEMCrypto_SUCCESS; } -bool GetAllowTestKeybox() { - const std::string filename = GetAllowTestKeyboxFile(); - wvutil::FileSystem file_system; - if (!file_system.Exists(filename)) { - return 0; - } - auto file = file_system.Open(filename, file_system.kReadOnly); - if (!file) { - LOGE("Error opening %s", filename.c_str()); - return 0; - } - ssize_t size = file_system.FileSize(filename); - std::string contents(size, ' '); - ssize_t size_read = file->Read(const_cast(contents.data()), size); - if (size != size_read) { - LOGE("Short allow_test_keybox = %zu", size_read); - return 0; - } - // skip whitespace or any extra garbage. - return (std::string::npos != contents.find("true")); -} - -OEMCryptoResult SetAllowTestKeybox(bool allow) { - const std::string filename = GetAllowTestKeyboxFile(); - wvutil::FileSystem file_system; - auto file = - file_system.Open(filename, file_system.kCreate | file_system.kTruncate); - if (!file) { - LOGE("Could not create file %s", filename.c_str()); - return OEMCrypto_ERROR_UNKNOWN_FAILURE; - } - const std::string contents = allow ? "true\n" : "false\n"; - const size_t size = contents.size(); - ssize_t size_written = file->Write(contents.data(), size); - if (static_cast(size) != size_written) { - LOGE("Wrote %zd bytes of %s, not %zd, to file %s", size_written, - contents.c_str(), size, filename.c_str()); - return OEMCrypto_ERROR_UNKNOWN_FAILURE; - } - LOGD("Wrote %s to %s", contents.c_str(), filename.c_str()); - return OEMCrypto_SUCCESS; -} - typedef enum OEMCryptoSessionType { SESSION_TYPE_OEMCRYPTO = 0, SESSION_TYPE_ENTITLED_KEY = 1, @@ -1314,18 +1260,6 @@ class Adapter { return result; } - // Check the system ID of the keybox. This should only be called if the device - // uses provisioning 2.0. - bool UsingTestKeybox() { - uint8_t key_data[256]; - size_t key_data_len = sizeof(key_data); - OEMCryptoResult sts = OEMCrypto_GetKeyData(key_data, &key_data_len); - if (sts != OEMCrypto_SUCCESS) return true; - uint32_t* data = reinterpret_cast(key_data); - uint32_t system_id = htonl(data[1]); - return system_id == 7912; - } - // Check the L1 keybox or cert. If it is valid, return success. If not, try to // install one. If one is not available, but OTA provisioning is supported, // return OEMCrypto_ERROR_NEEDS_KEYBOX_PROVISIONING. If none of these work, @@ -1361,19 +1295,6 @@ class Adapter { // Check if the keybox or oem certificate is valid, if so, we are finished // with initialization. Record some metrics and return success. const OEMCryptoResult rot_valid = level1_.IsKeyboxOrOEMCertValid(); - // For production systems, we do wish to use a test keybox. We do not force - // a fallback to L3 at this point, because this can be overridden by test - // code that requires a test keybox. - if ((rot_valid == OEMCrypto_SUCCESS) && - (provisioning_method == OEMCrypto_Keybox) && UsingTestKeybox()) { - if (GetAllowTestKeybox()) { - LOGW("Allowing device with test keybox installed."); - } else { - LOGW("Device has test keybox installed."); - return OEMCrypto_ERROR_KEYBOX_INVALID; - } - } - if (rot_valid == OEMCrypto_SUCCESS) { // The keybox or certificate is valid -- that means initialization is done // and we only have save some metrics and return. @@ -1824,9 +1745,6 @@ OEMCryptoResult OEMCrypto_GetOEMPublicCertificate( OEMCryptoResult OEMCrypto_SetDebugIgnoreKeyboxCount(uint32_t count) { return SetDebugIgnoreKeyboxCount(count); } -OEMCryptoResult OEMCrypto_SetAllowTestKeybox(bool allow) { - return SetAllowTestKeybox(allow); -} OEMCrypto_WatermarkingSupport OEMCrypto_GetWatermarkingSupport( wvcdm::RequestedSecurityLevel level) { diff --git a/libwvdrmengine/cdm/core/test/test_base.cpp b/libwvdrmengine/cdm/core/test/test_base.cpp index d6fde02a..1c478342 100644 --- a/libwvdrmengine/cdm/core/test/test_base.cpp +++ b/libwvdrmengine/cdm/core/test/test_base.cpp @@ -205,7 +205,6 @@ TestCryptoSession::TestCryptoSession(metrics::CryptoMetrics* crypto_metrics, void TestCryptoSession::MaybeInstallTestKeybox() { if (IsTestKeyboxNeeded()) { - CryptoSession::SetAllowTestKeybox(true); ReinitializeForTest(); WvCdmTestBase::InstallTestRootOfTrust(); } diff --git a/libwvdrmengine/cdm/include/wv_content_decryption_module.h b/libwvdrmengine/cdm/include/wv_content_decryption_module.h index 1fda7669..5eb9f055 100644 --- a/libwvdrmengine/cdm/include/wv_content_decryption_module.h +++ b/libwvdrmengine/cdm/include/wv_content_decryption_module.h @@ -232,10 +232,6 @@ class WvContentDecryptionModule : public android::RefBase, public TimerHandler { // device to request a keybox OTA reprovisioning. virtual CdmResponseType SetDebugIgnoreKeyboxCount(uint32_t count); - // Allow the device to continue with a test keybox. Otherwise, it will fall - // back to L3. - virtual CdmResponseType SetAllowTestKeybox(bool allow); - virtual CdmResponseType SetDecryptHash(const std::string& hash_data, CdmSessionId* session_id); virtual CdmResponseType GetDecryptHashError(const CdmSessionId& session_id, diff --git a/libwvdrmengine/cdm/src/wv_content_decryption_module.cpp b/libwvdrmengine/cdm/src/wv_content_decryption_module.cpp index 1315d39c..3c313476 100644 --- a/libwvdrmengine/cdm/src/wv_content_decryption_module.cpp +++ b/libwvdrmengine/cdm/src/wv_content_decryption_module.cpp @@ -668,10 +668,6 @@ CdmResponseType WvContentDecryptionModule::SetDebugIgnoreKeyboxCount( return CdmEngine::SetDebugIgnoreKeyboxCount(count); } -CdmResponseType WvContentDecryptionModule::SetAllowTestKeybox(bool allow) { - return CdmEngine::SetAllowTestKeybox(allow); -} - CdmResponseType WvContentDecryptionModule::SetDecryptHash( const std::string& hash_data, CdmSessionId* id) { if (id == nullptr) {