Add "bootCertificateChainSignature" to Drm plugin getPropertyByteArray()

This allows Widevine RKP HAL to query BCC signature via DRM interface during BCC extraction for remote provisioning phase 3. The query returns the "additional_signature" field from OEMCrypto_GetBootCertificateChain(). Test: Manual BCC extraction on Pixel 9 Bug: 355160637 Change-Id: I1a310a80c0cfef82ee3697f06c1293d5c1c3896a
2024-09-09 11:43:00 -07:00
parent 4ef3e2cee8
commit d92d3a884d
5 changed files with 42 additions and 0 deletions
--- a/libwvdrmengine/cdm/core/include/wv_cdm_constants.h
+++ b/libwvdrmengine/cdm/core/include/wv_cdm_constants.h
@@ -124,6 +124,8 @@ static const std::string QUERY_KEY_PRODUCTION_READY = "ProductionReady";
 // Internal query key.  Should not be exposed to Android apps.
 static const std::string QUERY_KEY_DEBUG_BOOT_CERTIFICATE_CHAIN =
    "DebugBootCertificateChain";
+static const std::string QUERY_KEY_DEBUG_BOOT_CERTIFICATE_CHAIN_SIGNATURE =
+    "DebugBootCertificateChainSignature";
 static const std::string QUERY_KEY_DEVICE_INFORMATION = "DeviceInformation";

 static const std::string QUERY_VALUE_TRUE = "True";
--- a/libwvdrmengine/cdm/core/src/cdm_engine.cpp
+++ b/libwvdrmengine/cdm/core/src/cdm_engine.cpp
@@ -903,6 +903,26 @@ CdmResponseType CdmEngine::QueryStatus(RequestedSecurityLevel security_level,
    LOGE("Failed to extract BCC: status = %d", status.ToInt());
    return status;
  }
+  if (query_token == QUERY_KEY_DEBUG_BOOT_CERTIFICATE_CHAIN_SIGNATURE) {
+    std::string bcc_unused;
+    std::string signature;
+    const CdmResponseType status = crypto_session->GetBootCertificateChain(
+        security_level, &bcc_unused, &signature);
+    if (status == NO_ERROR) {
+      LOGV("BCC signature length: %zu", signature.size());
+      *query_response = std::move(signature);
+      return CdmResponseType(NO_ERROR);
+    }
+    if (status == NOT_IMPLEMENTED_ERROR ||
+        status == PROVISIONING_TYPE_IS_NOT_BOOT_CERTIFICATE_CHAIN_ERROR) {
+      LOGD("BCC signature not available: %s", status.ToString().c_str());
+      *query_response = QUERY_VALUE_NONE;
+      return CdmResponseType(NO_ERROR);
+    }
+    LOGE("Failed to extract BCC signature: status = %s",
+         status.ToString().c_str());
+    return status;
+  }
  if (query_token == QUERY_KEY_DEVICE_INFORMATION) {
    std::string device_info;
    const CdmResponseType status =
--- a/libwvdrmengine/cdm/test/request_license_test.cpp
+++ b/libwvdrmengine/cdm/test/request_license_test.cpp
@@ -5388,6 +5388,12 @@ TEST_F(WvCdmRequestLicenseTest, QueryStatus) {
    // actual value.
    EXPECT_FALSE(value.empty()) << "BCC is empty";
    EXPECT_NE(value, wvcdm::QUERY_VALUE_NONE) << "BCC is none";
+    // BCC signature is optional. Do not validate the actual value.
+    EXPECT_EQ(
+        wvcdm::NO_ERROR,
+        decryptor_->QueryStatus(
+            kLevelDefault,
+            wvcdm::QUERY_KEY_DEBUG_BOOT_CERTIFICATE_CHAIN_SIGNATURE, &value));
  } else {
    EXPECT_EQ(value, wvcdm::QUERY_VALUE_NONE);
  }