Cleanup
- Removes unused files/patches - Removes many guards; these likely don't work anyway due to patchsets having dependencies - No functional change Signed-off-by: Tavi <tavi@divested.dev>
parent
af25d96aee
commit
afe1135384
449 changed files with 193 additions and 22661 deletions
|
@ -1,72 +0,0 @@
|
|||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Tad <tad@spotco.us>
|
||||
Date: Tue, 6 Apr 2021 05:04:32 -0400
|
||||
Subject: [PATCH] Allow setting OTA public keys from environment variable
|
||||
|
||||
Change-Id: Ib2a00de63b0c7a8790640462d13a84daf2076fa7
|
||||
---
|
||||
core/product_config.mk | 5 +++++
|
||||
target/product/security/Android.mk | 21 +++++++++++++++++----
|
||||
2 files changed, 22 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/core/product_config.mk b/core/product_config.mk
|
||||
index 37146d3a9..7dc8113f5 100644
|
||||
--- a/core/product_config.mk
|
||||
+++ b/core/product_config.mk
|
||||
@@ -395,6 +395,11 @@ PRODUCT_OTA_PUBLIC_KEYS := $(sort $(PRODUCT_OTA_PUBLIC_KEYS))
|
||||
PRODUCT_EXTRA_OTA_KEYS := $(sort $(PRODUCT_EXTRA_OTA_KEYS))
|
||||
PRODUCT_EXTRA_RECOVERY_KEYS := $(sort $(PRODUCT_EXTRA_RECOVERY_KEYS))
|
||||
|
||||
+ifneq ($(OTA_KEY_OVERRIDE_DIR),)
|
||||
+ PRODUCT_OTA_PUBLIC_KEYS := $(OTA_KEY_OVERRIDE_DIR)/releasekey.x509.pem
|
||||
+ PRODUCT_EXTRA_RECOVERY_KEYS := $(OTA_KEY_OVERRIDE_DIR)/extra
|
||||
+endif
|
||||
+
|
||||
# Resolve and setup per-module dex-preopt configs.
|
||||
DEXPREOPT_DISABLED_MODULES :=
|
||||
# If a module has multiple setups, the first takes precedence.
|
||||
diff --git a/target/product/security/Android.mk b/target/product/security/Android.mk
|
||||
index ad25a9261..c2dca4dc4 100644
|
||||
--- a/target/product/security/Android.mk
|
||||
+++ b/target/product/security/Android.mk
|
||||
@@ -70,11 +70,17 @@ include $(BUILD_SYSTEM)/base_rules.mk
|
||||
|
||||
extra_ota_keys := $(addsuffix .x509.pem,$(PRODUCT_EXTRA_OTA_KEYS))
|
||||
|
||||
-$(LOCAL_BUILT_MODULE): PRIVATE_CERT := $(DEFAULT_SYSTEM_DEV_CERTIFICATE).x509.pem
|
||||
+OTA_PUBLIC_KEYS := $(DEFAULT_SYSTEM_DEV_CERTIFICATE).x509.pem
|
||||
+
|
||||
+ifneq ($(OTA_KEY_OVERRIDE_DIR),)
|
||||
+ OTA_PUBLIC_KEYS := $(OTA_KEY_OVERRIDE_DIR)/releasekey.x509.pem
|
||||
+endif
|
||||
+
|
||||
+$(LOCAL_BUILT_MODULE): PRIVATE_CERT := $(OTA_PUBLIC_KEYS)
|
||||
$(LOCAL_BUILT_MODULE): PRIVATE_EXTRA_OTA_KEYS := $(extra_ota_keys)
|
||||
$(LOCAL_BUILT_MODULE): \
|
||||
$(SOONG_ZIP) \
|
||||
- $(DEFAULT_SYSTEM_DEV_CERTIFICATE).x509.pem \
|
||||
+ $(OTA_PUBLIC_KEYS) \
|
||||
$(extra_ota_keys)
|
||||
$(SOONG_ZIP) -o $@ -j -symlinks=false \
|
||||
$(addprefix -f ,$(PRIVATE_CERT) $(PRIVATE_EXTRA_OTA_KEYS))
|
||||
@@ -95,11 +101,18 @@ include $(BUILD_SYSTEM)/base_rules.mk
|
||||
|
||||
extra_recovery_keys := $(addsuffix .x509.pem,$(PRODUCT_EXTRA_RECOVERY_KEYS))
|
||||
|
||||
-$(LOCAL_BUILT_MODULE): PRIVATE_CERT := $(DEFAULT_SYSTEM_DEV_CERTIFICATE).x509.pem
|
||||
+OTA_PUBLIC_KEYS := $(DEFAULT_SYSTEM_DEV_CERTIFICATE).x509.pem
|
||||
+
|
||||
+ifneq ($(OTA_KEY_OVERRIDE_DIR),)
|
||||
+ OTA_PUBLIC_KEYS := $(OTA_KEY_OVERRIDE_DIR)/releasekey.x509.pem
|
||||
+ extra_recovery_keys := $(OTA_KEY_OVERRIDE_DIR)/extra.x509.pem
|
||||
+endif
|
||||
+
|
||||
+$(LOCAL_BUILT_MODULE): PRIVATE_CERT := $(OTA_PUBLIC_KEYS)
|
||||
$(LOCAL_BUILT_MODULE): PRIVATE_EXTRA_RECOVERY_KEYS := $(extra_recovery_keys)
|
||||
$(LOCAL_BUILT_MODULE): \
|
||||
$(SOONG_ZIP) \
|
||||
- $(DEFAULT_SYSTEM_DEV_CERTIFICATE).x509.pem \
|
||||
+ $(OTA_PUBLIC_KEYS) \
|
||||
$(extra_recovery_keys)
|
||||
$(SOONG_ZIP) -o $@ -j -symlinks=false \
|
||||
$(addprefix -f ,$(PRIVATE_CERT) $(PRIVATE_EXTRA_RECOVERY_KEYS))
|
|
@ -1,36 +0,0 @@
|
|||
From 7d0c4f3aa7c7640afc0496a9c901eeb49c65b47d Mon Sep 17 00:00:00 2001
|
||||
From: Dmitry Muhomor <muhomor.dmitry@gmail.com>
|
||||
Date: Tue, 31 Jan 2023 19:32:46 +0200
|
||||
Subject: [PATCH] require fs-verity when installing system package updates
|
||||
|
||||
---
|
||||
.../android/server/pm/InstallPackageHelper.java | 16 ++++++++++++++++
|
||||
1 file changed, 16 insertions(+)
|
||||
|
||||
diff --git a/services/core/java/com/android/server/pm/InstallPackageHelper.java b/services/core/java/com/android/server/pm/InstallPackageHelper.java
|
||||
index e929e4762126..2bfbd199d7f5 100644
|
||||
--- a/services/core/java/com/android/server/pm/InstallPackageHelper.java
|
||||
+++ b/services/core/java/com/android/server/pm/InstallPackageHelper.java
|
||||
@@ -1513,6 +1513,22 @@ && cannotInstallWithBadPermissionGroups(parsedPackage)) {
|
||||
"Failed to set up verity: " + e);
|
||||
}
|
||||
|
||||
+ boolean checkVerity = true;
|
||||
+ if (Build.IS_DEBUGGABLE) {
|
||||
+ if (SystemProperties.getBoolean("persist.disable_install_time_fsverity_check", false)) {
|
||||
+ checkVerity = false;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ if (checkVerity && PackageVerityExt.getSystemPackage(parsedPackage) != null) {
|
||||
+ try {
|
||||
+ PackageVerityExt.checkFsVerity(parsedPackage);
|
||||
+ } catch (PackageManagerException e) {
|
||||
+ throw new PrepareFailure(INSTALL_FAILED_INTERNAL_ERROR,
|
||||
+ "fs-verity not set up for system package update " + e);
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
final PackageFreezer freezer =
|
||||
freezePackageForInstall(pkgName, installFlags, "installPackageLI");
|
||||
boolean shouldCloseFreezerBeforeReturn = true;
|
|
@ -1,510 +0,0 @@
|
|||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Danny Lin <danny@kdrag0n.dev>
|
||||
Date: Mon, 11 Oct 2021 19:59:51 -0700
|
||||
Subject: [PATCH 1/8] Alter model name to avoid SafetyNet HW attestation
|
||||
enforcement
|
||||
|
||||
As of September 2, Google is enforcing SafetyNet's previously
|
||||
opportunistic hardware-backed attestation based on device information.
|
||||
Append a space to the device model name in order to avoid such
|
||||
enforcement.
|
||||
|
||||
Also contains:
|
||||
Spoof build fingerprint for Google Play Services
|
||||
|
||||
SafetyNet's CTS profile attestation checks whether Build.FINGERPRINT
|
||||
matches that of the device's stock OS, which has passed CTS testing.
|
||||
Spoof the fingerprint for Google Play Services to help pass SafetyNet.
|
||||
|
||||
We used to set the real system build fingerprint to the stock one, but
|
||||
Android relies on each build having a unique fingerprint in order to
|
||||
clear the correct caches and update persistent state for system changes.
|
||||
On devices that no longer receive updates from the OEM, the build
|
||||
fingerprint never changes and Android doesn't account for updates
|
||||
correctly, which causes issues when updating without wiping data.
|
||||
Only spoofing the fingerprint for Google Play Services fixes this issue.
|
||||
|
||||
Corresponding vendor commit:
|
||||
"Only use stock build fingerprint for Google Play Services"
|
||||
|
||||
NB: This code is under the gmscompat package, but it does not depend on
|
||||
any code from gmscompat.
|
||||
|
||||
Change-Id: I26a2498eb2e2163933303b03f6d516e5fb30fe51
|
||||
|
||||
* We don't need to spoof the fingerprint here since we do it globally, but we
|
||||
use the Build field spoofing code it added for model
|
||||
|
||||
Change-Id: Ib7779e0aae40cab3730a56785e9231896917ab0a
|
||||
---
|
||||
core/java/android/app/Instrumentation.java | 4 ++
|
||||
.../internal/gmscompat/AttestationHooks.java | 59 +++++++++++++++++++
|
||||
2 files changed, 63 insertions(+)
|
||||
create mode 100644 core/java/com/android/internal/gmscompat/AttestationHooks.java
|
||||
|
||||
diff --git a/core/java/android/app/Instrumentation.java b/core/java/android/app/Instrumentation.java
|
||||
index 556058b567f9..44449588bbab 100644
|
||||
--- a/core/java/android/app/Instrumentation.java
|
||||
+++ b/core/java/android/app/Instrumentation.java
|
||||
@@ -57,6 +57,8 @@ import android.view.WindowManagerGlobal;
|
||||
|
||||
import com.android.internal.content.ReferrerIntent;
|
||||
|
||||
+import com.android.internal.gmscompat.AttestationHooks;
|
||||
+
|
||||
import java.io.File;
|
||||
import java.lang.annotation.Retention;
|
||||
import java.lang.annotation.RetentionPolicy;
|
||||
@@ -1242,6 +1244,7 @@ public class Instrumentation {
|
||||
Application app = getFactory(context.getPackageName())
|
||||
.instantiateApplication(cl, className);
|
||||
app.attach(context);
|
||||
+ AttestationHooks.initApplicationBeforeOnCreate(app);
|
||||
return app;
|
||||
}
|
||||
|
||||
@@ -1259,6 +1262,7 @@ public class Instrumentation {
|
||||
ClassNotFoundException {
|
||||
Application app = (Application)clazz.newInstance();
|
||||
app.attach(context);
|
||||
+ AttestationHooks.initApplicationBeforeOnCreate(app);
|
||||
return app;
|
||||
}
|
||||
|
||||
diff --git a/core/java/com/android/internal/gmscompat/AttestationHooks.java b/core/java/com/android/internal/gmscompat/AttestationHooks.java
|
||||
new file mode 100644
|
||||
index 000000000000..621156eb84b9
|
||||
--- /dev/null
|
||||
+++ b/core/java/com/android/internal/gmscompat/AttestationHooks.java
|
||||
@@ -0,0 +1,59 @@
|
||||
+/*
|
||||
+ * Copyright (C) 2021 The Android Open Source Project
|
||||
+ *
|
||||
+ * Licensed under the Apache License, Version 2.0 (the "License");
|
||||
+ * you may not use this file except in compliance with the License.
|
||||
+ * You may obtain a copy of the License at
|
||||
+ *
|
||||
+ * http://www.apache.org/licenses/LICENSE-2.0
|
||||
+ *
|
||||
+ * Unless required by applicable law or agreed to in writing, software
|
||||
+ * distributed under the License is distributed on an "AS IS" BASIS,
|
||||
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
+ * See the License for the specific language governing permissions and
|
||||
+ * limitations under the License.
|
||||
+ */
|
||||
+
|
||||
+package com.android.internal.gmscompat;
|
||||
+
|
||||
+import android.app.Application;
|
||||
+import android.os.Build;
|
||||
+import android.os.SystemProperties;
|
||||
+import android.util.Log;
|
||||
+
|
||||
+import java.lang.reflect.Field;
|
||||
+
|
||||
+/** @hide */
|
||||
+public final class AttestationHooks {
|
||||
+ private static final String TAG = "GmsCompat/Attestation";
|
||||
+ private static final String PACKAGE_GMS = "com.google.android.gms";
|
||||
+
|
||||
+ private AttestationHooks() { }
|
||||
+
|
||||
+ private static void setBuildField(String key, String value) {
|
||||
+ try {
|
||||
+ // Unlock
|
||||
+ Field field = Build.class.getDeclaredField(key);
|
||||
+ field.setAccessible(true);
|
||||
+
|
||||
+ // Edit
|
||||
+ field.set(null, value);
|
||||
+
|
||||
+ // Lock
|
||||
+ field.setAccessible(false);
|
||||
+ } catch (NoSuchFieldException | IllegalAccessException e) {
|
||||
+ Log.e(TAG, "Failed to spoof Build." + key, e);
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ private static void spoofBuildGms() {
|
||||
+ // Alter model name to avoid hardware attestation enforcement
|
||||
+ setBuildField("MODEL", Build.MODEL + " ");
|
||||
+ }
|
||||
+
|
||||
+ public static void initApplicationBeforeOnCreate(Application app) {
|
||||
+ if (PACKAGE_GMS.equals(app.getPackageName())) {
|
||||
+ spoofBuildGms();
|
||||
+ }
|
||||
+ }
|
||||
+}
|
||||
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Danny Lin <danny@kdrag0n.dev>
|
||||
Date: Mon, 11 Oct 2021 20:00:44 -0700
|
||||
Subject: [PATCH 2/8] keystore: Block key attestation for SafetyNet
|
||||
|
||||
SafetyNet (part of Google Play Services) opportunistically uses
|
||||
hardware-backed key attestation via KeyStore as a strong integrity
|
||||
check. This causes SafetyNet to fail on custom ROMs because the verified
|
||||
boot key and bootloader unlock state can be detected from attestation
|
||||
certificates.
|
||||
|
||||
As a workaround, we can take advantage of the fact that SafetyNet's
|
||||
usage of key attestation is opportunistic (i.e. falls back to basic
|
||||
integrity checks if it fails) and prevent it from getting the
|
||||
attestation certificate chain from KeyStore. This is done by checking
|
||||
the stack for DroidGuard, which is the codename for SafetyNet, and
|
||||
pretending that the device doesn't support key attestation.
|
||||
|
||||
Key attestation has only been blocked for SafetyNet specifically, as
|
||||
Google Play Services and other apps have many valid reasons to use it.
|
||||
For example, it appears to be involved in Google's mobile security key
|
||||
ferature.
|
||||
|
||||
Change-Id: I5146439d47f42dc6231cb45c4dab9f61540056f6
|
||||
---
|
||||
.../internal/gmscompat/AttestationHooks.java | 16 ++++++++++++++++
|
||||
.../security/keystore2/AndroidKeyStoreSpi.java | 3 +++
|
||||
2 files changed, 19 insertions(+)
|
||||
|
||||
diff --git a/core/java/com/android/internal/gmscompat/AttestationHooks.java b/core/java/com/android/internal/gmscompat/AttestationHooks.java
|
||||
index 621156eb84b9..fe12dfe02a9f 100644
|
||||
--- a/core/java/com/android/internal/gmscompat/AttestationHooks.java
|
||||
+++ b/core/java/com/android/internal/gmscompat/AttestationHooks.java
|
||||
@@ -22,12 +22,15 @@ import android.os.SystemProperties;
|
||||
import android.util.Log;
|
||||
|
||||
import java.lang.reflect.Field;
|
||||
+import java.util.Arrays;
|
||||
|
||||
/** @hide */
|
||||
public final class AttestationHooks {
|
||||
private static final String TAG = "GmsCompat/Attestation";
|
||||
private static final String PACKAGE_GMS = "com.google.android.gms";
|
||||
|
||||
+ private static volatile boolean sIsGms = false;
|
||||
+
|
||||
private AttestationHooks() { }
|
||||
|
||||
private static void setBuildField(String key, String value) {
|
||||
@@ -53,7 +56,20 @@ public final class AttestationHooks {
|
||||
|
||||
public static void initApplicationBeforeOnCreate(Application app) {
|
||||
if (PACKAGE_GMS.equals(app.getPackageName())) {
|
||||
+ sIsGms = true;
|
||||
spoofBuildGms();
|
||||
}
|
||||
}
|
||||
+
|
||||
+ private static boolean isCallerSafetyNet() {
|
||||
+ return Arrays.stream(Thread.currentThread().getStackTrace())
|
||||
+ .anyMatch(elem -> elem.getClassName().contains("DroidGuard"));
|
||||
+ }
|
||||
+
|
||||
+ public static void onEngineGetCertificateChain() {
|
||||
+ // Check stack for SafetyNet
|
||||
+ if (sIsGms && isCallerSafetyNet()) {
|
||||
+ throw new UnsupportedOperationException();
|
||||
+ }
|
||||
+ }
|
||||
}
|
||||
diff --git a/keystore/java/android/security/keystore2/AndroidKeyStoreSpi.java b/keystore/java/android/security/keystore2/AndroidKeyStoreSpi.java
|
||||
index 33411e1ec5b9..133a4094d434 100644
|
||||
--- a/keystore/java/android/security/keystore2/AndroidKeyStoreSpi.java
|
||||
+++ b/keystore/java/android/security/keystore2/AndroidKeyStoreSpi.java
|
||||
@@ -42,6 +42,7 @@ import android.system.keystore2.ResponseCode;
|
||||
import android.util.Log;
|
||||
|
||||
import com.android.internal.annotations.VisibleForTesting;
|
||||
+import com.android.internal.gmscompat.AttestationHooks;
|
||||
|
||||
import java.io.ByteArrayInputStream;
|
||||
import java.io.IOException;
|
||||
@@ -164,6 +165,8 @@ public class AndroidKeyStoreSpi extends KeyStoreSpi {
|
||||
|
||||
@Override
|
||||
public Certificate[] engineGetCertificateChain(String alias) {
|
||||
+ AttestationHooks.onEngineGetCertificateChain();
|
||||
+
|
||||
KeyEntryResponse response = getKeyMetadata(alias);
|
||||
|
||||
if (response == null || response.metadata.certificate == null) {
|
||||
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Anirudh Gupta <anirudhgupta109@aosip.dev>
|
||||
Date: Wed, 4 Jan 2023 18:20:56 +0000
|
||||
Subject: [PATCH 3/8] AttestationHooks: Set shipping level to 32 for devices
|
||||
>=33
|
||||
|
||||
If ro.product.first_api_level is 33, it's forced to use HW attestation.
|
||||
Setting it to 32 allows for software attestation and passing CTS.
|
||||
|
||||
Change-Id: Ie47fd00b009c93580ec8c950d223c60ed63a0d2f
|
||||
---
|
||||
.../internal/gmscompat/AttestationHooks.java | 19 +++++++++++++++++++
|
||||
1 file changed, 19 insertions(+)
|
||||
|
||||
diff --git a/core/java/com/android/internal/gmscompat/AttestationHooks.java b/core/java/com/android/internal/gmscompat/AttestationHooks.java
|
||||
index fe12dfe02a9f..f512adc3985b 100644
|
||||
--- a/core/java/com/android/internal/gmscompat/AttestationHooks.java
|
||||
+++ b/core/java/com/android/internal/gmscompat/AttestationHooks.java
|
||||
@@ -49,9 +49,28 @@ public final class AttestationHooks {
|
||||
}
|
||||
}
|
||||
|
||||
+ private static void setVersionField(String key, Integer value) {
|
||||
+ try {
|
||||
+ // Unlock
|
||||
+ Field field = Build.VERSION.class.getDeclaredField(key);
|
||||
+ field.setAccessible(true);
|
||||
+
|
||||
+ // Edit
|
||||
+ field.set(null, value);
|
||||
+
|
||||
+ // Lock
|
||||
+ field.setAccessible(false);
|
||||
+ } catch (NoSuchFieldException | IllegalAccessException e) {
|
||||
+ Log.e(TAG, "Failed to spoof Build.VERSION." + key, e);
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
private static void spoofBuildGms() {
|
||||
// Alter model name to avoid hardware attestation enforcement
|
||||
setBuildField("MODEL", Build.MODEL + " ");
|
||||
+ if (Build.VERSION.DEVICE_INITIAL_SDK_INT >= Build.VERSION_CODES.TIRAMISU) {
|
||||
+ setVersionField("DEVICE_INITIAL_SDK_INT", Build.VERSION_CODES.S_V2);
|
||||
+ }
|
||||
}
|
||||
|
||||
public static void initApplicationBeforeOnCreate(Application app) {
|
||||
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Danny Lin <danny@kdrag0n.dev>
|
||||
Date: Mon, 1 Nov 2021 20:06:48 -0700
|
||||
Subject: [PATCH 4/8] Limit SafetyNet workarounds to unstable GMS process
|
||||
|
||||
The unstable process is where SafetyNet attestation actually runs, so
|
||||
we only need to spoof the model in that process. Leaving other processes
|
||||
fixes various issues caused by model detection and flag provisioning,
|
||||
including screen-off Voice Match in Google Assistant, broken At a Glance
|
||||
weather and settings on Android 12, and more.
|
||||
|
||||
Change-Id: Idcf663907a6c3d0408dbd45b1ac53c9eb4200df8
|
||||
---
|
||||
.../java/com/android/internal/gmscompat/AttestationHooks.java | 4 +++-
|
||||
1 file changed, 3 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/core/java/com/android/internal/gmscompat/AttestationHooks.java b/core/java/com/android/internal/gmscompat/AttestationHooks.java
|
||||
index f512adc3985b..c1021dd2eb22 100644
|
||||
--- a/core/java/com/android/internal/gmscompat/AttestationHooks.java
|
||||
+++ b/core/java/com/android/internal/gmscompat/AttestationHooks.java
|
||||
@@ -28,6 +28,7 @@ import java.util.Arrays;
|
||||
public final class AttestationHooks {
|
||||
private static final String TAG = "GmsCompat/Attestation";
|
||||
private static final String PACKAGE_GMS = "com.google.android.gms";
|
||||
+ private static final String PROCESS_UNSTABLE = "com.google.android.gms.unstable";
|
||||
|
||||
private static volatile boolean sIsGms = false;
|
||||
|
||||
@@ -74,7 +75,8 @@ public final class AttestationHooks {
|
||||
}
|
||||
|
||||
public static void initApplicationBeforeOnCreate(Application app) {
|
||||
- if (PACKAGE_GMS.equals(app.getPackageName())) {
|
||||
+ if (PACKAGE_GMS.equals(app.getPackageName()) &&
|
||||
+ PROCESS_UNSTABLE.equals(Application.getProcessName())) {
|
||||
sIsGms = true;
|
||||
spoofBuildGms();
|
||||
}
|
||||
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Dyneteve <dyneteve@hentaios.com>
|
||||
Date: Tue, 23 Aug 2022 18:57:05 +0200
|
||||
Subject: [PATCH 5/8] gmscompat: Apply the SafetyNet workaround to Play Store
|
||||
aswell
|
||||
|
||||
Play Store is used for the new Play Integrity API, extend the hack
|
||||
to it aswell
|
||||
|
||||
Test: Device Integrity and Basic Integrity passes.
|
||||
|
||||
Change-Id: Id607cdff0b902f285a6c1b769c0a4ee4202842b1
|
||||
---
|
||||
.../android/internal/gmscompat/AttestationHooks.java | 12 ++++++++++++
|
||||
1 file changed, 12 insertions(+)
|
||||
|
||||
diff --git a/core/java/com/android/internal/gmscompat/AttestationHooks.java b/core/java/com/android/internal/gmscompat/AttestationHooks.java
|
||||
index c1021dd2eb22..6a4aab000fe0 100644
|
||||
--- a/core/java/com/android/internal/gmscompat/AttestationHooks.java
|
||||
+++ b/core/java/com/android/internal/gmscompat/AttestationHooks.java
|
||||
@@ -28,9 +28,11 @@ import java.util.Arrays;
|
||||
public final class AttestationHooks {
|
||||
private static final String TAG = "GmsCompat/Attestation";
|
||||
private static final String PACKAGE_GMS = "com.google.android.gms";
|
||||
+ private static final String PACKAGE_FINSKY = "com.android.vending";
|
||||
private static final String PROCESS_UNSTABLE = "com.google.android.gms.unstable";
|
||||
|
||||
private static volatile boolean sIsGms = false;
|
||||
+ private static volatile boolean sIsFinsky = false;
|
||||
|
||||
private AttestationHooks() { }
|
||||
|
||||
@@ -80,6 +82,11 @@ public final class AttestationHooks {
|
||||
sIsGms = true;
|
||||
spoofBuildGms();
|
||||
}
|
||||
+
|
||||
+ if (PACKAGE_FINSKY.equals(app.getPackageName())) {
|
||||
+ sIsFinsky = true;
|
||||
+ spoofBuildGms();
|
||||
+ }
|
||||
}
|
||||
|
||||
private static boolean isCallerSafetyNet() {
|
||||
@@ -92,5 +99,10 @@ public final class AttestationHooks {
|
||||
if (sIsGms && isCallerSafetyNet()) {
|
||||
throw new UnsupportedOperationException();
|
||||
}
|
||||
+
|
||||
+ // Check stack for PlayIntegrity
|
||||
+ if (sIsFinsky) {
|
||||
+ throw new UnsupportedOperationException();
|
||||
+ }
|
||||
}
|
||||
}
|
||||
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Dyneteve <dyneteve@hentaios.com>
|
||||
Date: Thu, 8 Sep 2022 14:39:52 +0200
|
||||
Subject: [PATCH 6/8] gmscompat: Use Nexus 6P fingerprint for CTS/Integrity
|
||||
|
||||
Google seems to have patched the KM block to Play Store in record time,
|
||||
but is still not enforced for anything under android N.
|
||||
|
||||
Since we moved to angler FP we don't need to spoof model to Play Store
|
||||
anymore, however the KM block is still needed.
|
||||
|
||||
Test: Run Play Intregrity Attestation
|
||||
|
||||
Change-Id: Ic2401a6e40ddfc4318a1d0faa87e42eb118ac3d1
|
||||
---
|
||||
.../java/com/android/internal/gmscompat/AttestationHooks.java | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/core/java/com/android/internal/gmscompat/AttestationHooks.java b/core/java/com/android/internal/gmscompat/AttestationHooks.java
|
||||
index 6a4aab000fe0..6bd12a1c1e03 100644
|
||||
--- a/core/java/com/android/internal/gmscompat/AttestationHooks.java
|
||||
+++ b/core/java/com/android/internal/gmscompat/AttestationHooks.java
|
||||
@@ -69,7 +69,8 @@ public final class AttestationHooks {
|
||||
}
|
||||
|
||||
private static void spoofBuildGms() {
|
||||
- // Alter model name to avoid hardware attestation enforcement
|
||||
+ // Alter model name and fingerprint to avoid hardware attestation enforcement
|
||||
+ setBuildField("FINGERPRINT", "google/angler/angler:6.0/MDB08L/2343525:user/release-keys");
|
||||
setBuildField("MODEL", Build.MODEL + " ");
|
||||
if (Build.VERSION.DEVICE_INITIAL_SDK_INT >= Build.VERSION_CODES.TIRAMISU) {
|
||||
setVersionField("DEVICE_INITIAL_SDK_INT", Build.VERSION_CODES.S_V2);
|
||||
@@ -85,7 +86,6 @@ public final class AttestationHooks {
|
||||
|
||||
if (PACKAGE_FINSKY.equals(app.getPackageName())) {
|
||||
sIsFinsky = true;
|
||||
- spoofBuildGms();
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Dyneteve <dyneteve@hentaios.com>
|
||||
Date: Wed, 8 Feb 2023 15:21:01 +0000
|
||||
Subject: [PATCH 7/8] gmscompat: Make CTS/Play Integrity pass again
|
||||
|
||||
The logic behind CTS and Play Integrity has been updated today it now
|
||||
checks the product and model names against the fingerprint and if
|
||||
they do not match the CTS profile will fail.
|
||||
|
||||
Also while we are at it use a newer FP from Pixel XL and add logging
|
||||
for key attestation blocking for debugging.
|
||||
|
||||
Test: Boot, check for CTS and Play Integrity
|
||||
|
||||
Change-Id: I089d5ef935bba40338e10c795ea7d181103ffd15
|
||||
---
|
||||
.../internal/gmscompat/AttestationHooks.java | 22 ++++++++-----------
|
||||
1 file changed, 9 insertions(+), 13 deletions(-)
|
||||
|
||||
diff --git a/core/java/com/android/internal/gmscompat/AttestationHooks.java b/core/java/com/android/internal/gmscompat/AttestationHooks.java
|
||||
index 6bd12a1c1e03..b10cb04cb4f3 100644
|
||||
--- a/core/java/com/android/internal/gmscompat/AttestationHooks.java
|
||||
+++ b/core/java/com/android/internal/gmscompat/AttestationHooks.java
|
||||
@@ -70,11 +70,11 @@ public final class AttestationHooks {
|
||||
|
||||
private static void spoofBuildGms() {
|
||||
// Alter model name and fingerprint to avoid hardware attestation enforcement
|
||||
- setBuildField("FINGERPRINT", "google/angler/angler:6.0/MDB08L/2343525:user/release-keys");
|
||||
- setBuildField("MODEL", Build.MODEL + " ");
|
||||
- if (Build.VERSION.DEVICE_INITIAL_SDK_INT >= Build.VERSION_CODES.TIRAMISU) {
|
||||
- setVersionField("DEVICE_INITIAL_SDK_INT", Build.VERSION_CODES.S_V2);
|
||||
- }
|
||||
+ setBuildField("FINGERPRINT", "google/marlin/marlin:7.1.2/NJH47F/4146041:user/release-keys");
|
||||
+ setBuildField("PRODUCT", "marlin");
|
||||
+ setBuildField("DEVICE", "marlin");
|
||||
+ setBuildField("MODEL", "Pixel XL");
|
||||
+ setVersionField("DEVICE_INITIAL_SDK_INT", Build.VERSION_CODES.N_MR1);
|
||||
}
|
||||
|
||||
public static void initApplicationBeforeOnCreate(Application app) {
|
||||
@@ -90,18 +90,14 @@ public final class AttestationHooks {
|
||||
}
|
||||
|
||||
private static boolean isCallerSafetyNet() {
|
||||
- return Arrays.stream(Thread.currentThread().getStackTrace())
|
||||
+ return sIsGms && Arrays.stream(Thread.currentThread().getStackTrace())
|
||||
.anyMatch(elem -> elem.getClassName().contains("DroidGuard"));
|
||||
}
|
||||
|
||||
public static void onEngineGetCertificateChain() {
|
||||
- // Check stack for SafetyNet
|
||||
- if (sIsGms && isCallerSafetyNet()) {
|
||||
- throw new UnsupportedOperationException();
|
||||
- }
|
||||
-
|
||||
- // Check stack for PlayIntegrity
|
||||
- if (sIsFinsky) {
|
||||
+ // Check stack for SafetyNet or Play Integrity
|
||||
+ if (isCallerSafetyNet() || sIsFinsky) {
|
||||
+ Log.i(TAG, "Blocked key attestation sIsGms=" + sIsGms + " sIsFinsky=" + sIsFinsky);
|
||||
throw new UnsupportedOperationException();
|
||||
}
|
||||
}
|
||||
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Davide Garberi <dade.garberi@gmail.com>
|
||||
Date: Wed, 8 Nov 2023 21:36:02 +0100
|
||||
Subject: [PATCH 8/8] gmscompat: Use new info
|
||||
|
||||
Change-Id: I3cb0c55d28249b73ecc53be83bed030304c782d9
|
||||
---
|
||||
.../android/internal/gmscompat/AttestationHooks.java | 10 +++++-----
|
||||
1 file changed, 5 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/core/java/com/android/internal/gmscompat/AttestationHooks.java b/core/java/com/android/internal/gmscompat/AttestationHooks.java
|
||||
index b10cb04cb4f3..04a536d8073d 100644
|
||||
--- a/core/java/com/android/internal/gmscompat/AttestationHooks.java
|
||||
+++ b/core/java/com/android/internal/gmscompat/AttestationHooks.java
|
||||
@@ -70,11 +70,11 @@ public final class AttestationHooks {
|
||||
|
||||
private static void spoofBuildGms() {
|
||||
// Alter model name and fingerprint to avoid hardware attestation enforcement
|
||||
- setBuildField("FINGERPRINT", "google/marlin/marlin:7.1.2/NJH47F/4146041:user/release-keys");
|
||||
- setBuildField("PRODUCT", "marlin");
|
||||
- setBuildField("DEVICE", "marlin");
|
||||
- setBuildField("MODEL", "Pixel XL");
|
||||
- setVersionField("DEVICE_INITIAL_SDK_INT", Build.VERSION_CODES.N_MR1);
|
||||
+ setBuildField("DEVICE", "bullhead");
|
||||
+ setBuildField("FINGERPRINT", "google/bullhead/bullhead:8.0.0/OPR6.170623.013/4283548:user/release-keys");
|
||||
+ setBuildField("MODEL", "Nexus 5X");
|
||||
+ setBuildField("PRODUCT", "bullhead");
|
||||
+ setVersionField("DEVICE_INITIAL_SDK_INT", Build.VERSION_CODES.N);
|
||||
}
|
||||
|
||||
public static void initApplicationBeforeOnCreate(Application app) {
|
|
@ -1,185 +0,0 @@
|
|||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Torsten Grote <t@grobox.de>
|
||||
Date: Thu, 18 Jun 2020 13:15:16 -0300
|
||||
Subject: [PATCH] Show privacy warning on in-call screen
|
||||
|
||||
Includes:
|
||||
Author: Chirayu Desai <chirayudesai1@gmail.com>
|
||||
Date: Tue Jul 28 02:23:37 2020 +0530
|
||||
|
||||
Move the incall warning back to the center
|
||||
|
||||
* Instead of left/started aligned.
|
||||
|
||||
Change-Id: Ic9b18c110481df7042ca1daa36182e0999fe948f
|
||||
---
|
||||
.../res/drawable/ic_baseline_warning.xml | 9 +++++
|
||||
.../dialer/theme/common/res/values/colors.xml | 1 +
|
||||
.../res/layout/fragment_incoming_call.xml | 7 +++-
|
||||
.../contactgrid/res/layout/incall_header.xml | 39 +++++++++++++++++++
|
||||
.../impl/res/layout/frag_incall_voice.xml | 7 ++++
|
||||
.../android/incallui/res/values/strings.xml | 3 ++
|
||||
.../incallui/theme/res/values/styles.xml | 4 +-
|
||||
7 files changed, 67 insertions(+), 3 deletions(-)
|
||||
create mode 100644 java/com/android/dialer/common/res/drawable/ic_baseline_warning.xml
|
||||
create mode 100644 java/com/android/incallui/contactgrid/res/layout/incall_header.xml
|
||||
|
||||
diff --git a/java/com/android/dialer/common/res/drawable/ic_baseline_warning.xml b/java/com/android/dialer/common/res/drawable/ic_baseline_warning.xml
|
||||
new file mode 100644
|
||||
index 000000000..c2baa9bdb
|
||||
--- /dev/null
|
||||
+++ b/java/com/android/dialer/common/res/drawable/ic_baseline_warning.xml
|
||||
@@ -0,0 +1,9 @@
|
||||
+<?xml version="1.0" encoding="utf-8"?>
|
||||
+<vector xmlns:android="http://schemas.android.com/apk/res/android"
|
||||
+ android:height="16dp"
|
||||
+ android:width="16dp"
|
||||
+ android:viewportWidth="24"
|
||||
+ android:viewportHeight="24">
|
||||
+ <path android:fillColor="?attr/colorControlNormal"
|
||||
+ android:pathData="M13,14H11V10H13M13,18H11V16H13M1,21H23L12,2L1,21Z"/>
|
||||
+</vector>
|
||||
\ No newline at end of file
|
||||
diff --git a/java/com/android/dialer/theme/common/res/values/colors.xml b/java/com/android/dialer/theme/common/res/values/colors.xml
|
||||
index 08255f32f..8995aa868 100644
|
||||
--- a/java/com/android/dialer/theme/common/res/values/colors.xml
|
||||
+++ b/java/com/android/dialer/theme/common/res/values/colors.xml
|
||||
@@ -22,6 +22,7 @@
|
||||
<color name="dialer_link_color">#2A56C6</color>
|
||||
<color name="dialer_snackbar_action_text_color">@*android:color/system_accent1_600</color>
|
||||
<color name="dialer_call_icon_color">@android:color/white</color>
|
||||
+ <color name="incall_header_background">#f3b514</color>
|
||||
|
||||
<!-- Colors for the notification actions -->
|
||||
<color name="notification_action_accept">#097138</color>
|
||||
diff --git a/java/com/android/incallui/answer/impl/res/layout/fragment_incoming_call.xml b/java/com/android/incallui/answer/impl/res/layout/fragment_incoming_call.xml
|
||||
index 0927b4d89..99a742225 100644
|
||||
--- a/java/com/android/incallui/answer/impl/res/layout/fragment_incoming_call.xml
|
||||
+++ b/java/com/android/incallui/answer/impl/res/layout/fragment_incoming_call.xml
|
||||
@@ -78,18 +78,23 @@
|
||||
android:id="@+id/incall_contact_grid"
|
||||
android:layout_width="match_parent"
|
||||
android:layout_height="match_parent"
|
||||
- android:layout_marginTop="24dp"
|
||||
android:clipChildren="false"
|
||||
android:clipToPadding="false"
|
||||
android:focusable="true"
|
||||
android:gravity="top|center_horizontal"
|
||||
android:orientation="vertical">
|
||||
|
||||
+ <include
|
||||
+ layout="@layout/incall_header"
|
||||
+ android:layout_width="match_parent"
|
||||
+ android:layout_height="wrap_content"/>
|
||||
+
|
||||
<include
|
||||
android:id="@id/contactgrid_top_row"
|
||||
layout="@layout/incall_contactgrid_top_row"
|
||||
android:layout_width="wrap_content"
|
||||
android:layout_height="wrap_content"
|
||||
+ android:layout_marginTop="24dp"
|
||||
android:layout_marginBottom="8dp"
|
||||
android:layout_marginStart="24dp"
|
||||
android:layout_marginEnd="24dp"/>
|
||||
diff --git a/java/com/android/incallui/contactgrid/res/layout/incall_header.xml b/java/com/android/incallui/contactgrid/res/layout/incall_header.xml
|
||||
new file mode 100644
|
||||
index 000000000..7e8e90e5d
|
||||
--- /dev/null
|
||||
+++ b/java/com/android/incallui/contactgrid/res/layout/incall_header.xml
|
||||
@@ -0,0 +1,39 @@
|
||||
+<?xml version="1.0" encoding="utf-8"?>
|
||||
+<!--
|
||||
+ ~ Copyright (C) 2020 The Calyx Institute
|
||||
+ ~
|
||||
+ ~ Licensed under the Apache License, Version 2.0 (the "License");
|
||||
+ ~ you may not use this file except in compliance with the License.
|
||||
+ ~ You may obtain a copy of the License at
|
||||
+ ~
|
||||
+ ~ http://www.apache.org/licenses/LICENSE-2.0
|
||||
+ ~
|
||||
+ ~ Unless required by applicable law or agreed to in writing, software
|
||||
+ ~ distributed under the License is distributed on an "AS IS" BASIS,
|
||||
+ ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
+ ~ See the License for the specific language governing permissions and
|
||||
+ ~ limitations under the License
|
||||
+ -->
|
||||
+<LinearLayout
|
||||
+ xmlns:android="http://schemas.android.com/apk/res/android"
|
||||
+ android:layout_width="match_parent"
|
||||
+ android:layout_height="wrap_content"
|
||||
+ android:background="@color/incall_header_background"
|
||||
+ android:gravity="center"
|
||||
+ android:orientation="vertical"
|
||||
+ android:padding="8dp"
|
||||
+ android:fitsSystemWindows="true">
|
||||
+
|
||||
+ <TextView
|
||||
+ android:id="@+id/incall_privacy_title"
|
||||
+ android:layout_width="wrap_content"
|
||||
+ android:layout_height="wrap_content"
|
||||
+ android:textColor="?android:attr/textColorPrimaryInverse"
|
||||
+ android:drawableStart="@drawable/ic_baseline_warning"
|
||||
+ android:drawablePadding="8dp"
|
||||
+ android:drawableTint="?android:attr/textColorPrimaryInverse"
|
||||
+ android:gravity="center"
|
||||
+ android:padding="4dp"
|
||||
+ android:text="@string/incall_screen_privacy_data_collection"/>
|
||||
+
|
||||
+</LinearLayout>
|
||||
diff --git a/java/com/android/incallui/incall/impl/res/layout/frag_incall_voice.xml b/java/com/android/incallui/incall/impl/res/layout/frag_incall_voice.xml
|
||||
index 45870f307..b61f6be65 100644
|
||||
--- a/java/com/android/incallui/incall/impl/res/layout/frag_incall_voice.xml
|
||||
+++ b/java/com/android/incallui/incall/impl/res/layout/frag_incall_voice.xml
|
||||
@@ -29,11 +29,18 @@
|
||||
android:clipToPadding="false"
|
||||
android:fitsSystemWindows="true">
|
||||
|
||||
+ <include
|
||||
+ layout="@layout/incall_header"
|
||||
+ android:id="@+id/incall_header"
|
||||
+ android:layout_width="match_parent"
|
||||
+ android:layout_height="wrap_content"/>
|
||||
+
|
||||
<LinearLayout
|
||||
android:id="@id/incall_contact_grid"
|
||||
android:layout_width="match_parent"
|
||||
android:layout_height="wrap_content"
|
||||
android:layout_marginTop="12dp"
|
||||
+ android:layout_below="@+id/incall_header"
|
||||
android:gravity="center_horizontal"
|
||||
android:orientation="vertical">
|
||||
|
||||
diff --git a/java/com/android/incallui/res/values/strings.xml b/java/com/android/incallui/res/values/strings.xml
|
||||
index 687ae142b..c7e81b197 100644
|
||||
--- a/java/com/android/incallui/res/values/strings.xml
|
||||
+++ b/java/com/android/incallui/res/values/strings.xml
|
||||
@@ -174,4 +174,7 @@
|
||||
<!-- Text for button to accept RTT request. [CHAR LIMIT=20] -->
|
||||
<string name="rtt_button_accept_request">Join RTT</string>
|
||||
|
||||
+ <!-- Text for call not private banner. -->
|
||||
+ <string name="incall_screen_privacy_data_collection">The location and audio of this call are not private.</string>
|
||||
+
|
||||
</resources>
|
||||
diff --git a/java/com/android/incallui/theme/res/values/styles.xml b/java/com/android/incallui/theme/res/values/styles.xml
|
||||
index a0d5caf10..e2f789cd4 100644
|
||||
--- a/java/com/android/incallui/theme/res/values/styles.xml
|
||||
+++ b/java/com/android/incallui/theme/res/values/styles.xml
|
||||
@@ -19,7 +19,7 @@
|
||||
<style name="Theme.InCallScreen" parent="@style/Dialer.Dark.ThemeBase.NoActionBar">
|
||||
<item name="android:textColorPrimary">@android:color/white</item>
|
||||
<item name="android:textColorSecondary">#DDFFFFFF</item>
|
||||
- <item name="android:statusBarColor">@android:color/transparent</item>
|
||||
+ <item name="android:statusBarColor">@color/incall_header_background</item>
|
||||
<item name="android:navigationBarColor">@android:color/transparent</item>
|
||||
<item name="android:windowDrawsSystemBarBackgrounds">true</item>
|
||||
<item name="android:colorPrimaryDark">@color/dialer_theme_color_dark</item>
|
||||
@@ -59,7 +59,7 @@
|
||||
<item name="android:windowBackground">@android:color/transparent</item>
|
||||
<item name="android:windowActivityTransitions">false</item>
|
||||
|
||||
- <item name="android:statusBarColor">@android:color/transparent</item>
|
||||
+ <item name="android:statusBarColor">@color/incall_header_background</item>
|
||||
<item name="android:navigationBarColor">@android:color/transparent</item>
|
||||
<item name="android:windowDrawsSystemBarBackgrounds">true</item>
|
||||
|
|
@ -1,85 +0,0 @@
|
|||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Danny Lin <danny@kdrag0n.dev>
|
||||
Date: Wed, 7 Oct 2020 00:24:54 -0700
|
||||
Subject: [PATCH] init: Set properties to make SafetyNet pass
|
||||
|
||||
Google's SafetyNet integrity checks will check the values of these
|
||||
properties when performing basic attestation. Setting fake values helps
|
||||
us pass basic SafetyNet with no Magisk Hide or kernel patches necessary.
|
||||
|
||||
Note that these properties need to be set very early, before parsing the
|
||||
kernel command-line, as they are read-only properties that the bootloader
|
||||
sets using androidboot kernel arguments. The bootloader's real values
|
||||
cause SafetyNet to fail with an unlocked bootloader and/or custom
|
||||
software because the verified boot chain is broken in that case.
|
||||
|
||||
Change-Id: I66d23fd91d82906b00d5eb020668f01ae83ec31f
|
||||
|
||||
fastboot: Revert to Android 11 method of checking lock status
|
||||
|
||||
Now that we're setting system-wide properties for SafetyNet, which
|
||||
includes ro.boot.verifiedbootstate=green, fastbootd always detects the
|
||||
bootloader as being locked. Revert to the Android 11 method of reading
|
||||
directly from the kernel cmdline to work arround the issue.
|
||||
|
||||
- Also don't set these in recovery
|
||||
|
||||
Change-Id: I57f6d48acddb29748778053edf354d7bd8994bd7
|
||||
---
|
||||
fastboot/device/utility.cpp | 7 ++++++-
|
||||
init/property_service.cpp | 17 +++++++++++++++++
|
||||
2 files changed, 23 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/fastboot/device/utility.cpp b/fastboot/device/utility.cpp
|
||||
index 2d9b71213..a14eea376 100644
|
||||
--- a/fastboot/device/utility.cpp
|
||||
+++ b/fastboot/device/utility.cpp
|
||||
@@ -196,7 +196,12 @@ std::vector<std::string> ListPartitions(FastbootDevice* device) {
|
||||
}
|
||||
|
||||
bool GetDeviceLockStatus() {
|
||||
- return android::base::GetProperty("ro.boot.verifiedbootstate", "") == "green";
|
||||
+ std::string cmdline;
|
||||
+ // Return lock status true if unable to read kernel command line.
|
||||
+ if (!android::base::ReadFileToString("/proc/cmdline", &cmdline)) {
|
||||
+ return true;
|
||||
+ }
|
||||
+ return cmdline.find("androidboot.verifiedbootstate=orange") == std::string::npos;
|
||||
}
|
||||
|
||||
bool UpdateAllPartitionMetadata(FastbootDevice* device, const std::string& super_name,
|
||||
diff --git a/init/property_service.cpp b/init/property_service.cpp
|
||||
index 7fd64b389..06709cb7c 100644
|
||||
--- a/init/property_service.cpp
|
||||
+++ b/init/property_service.cpp
|
||||
@@ -1286,6 +1286,15 @@ static void ProcessBootconfig() {
|
||||
});
|
||||
}
|
||||
|
||||
+static void SetSafetyNetProps() {
|
||||
+ InitPropertySet("ro.boot.flash.locked", "1");
|
||||
+ InitPropertySet("ro.boot.verifiedbootstate", "green");
|
||||
+ InitPropertySet("ro.boot.veritymode", "enforcing");
|
||||
+ InitPropertySet("ro.boot.vbmeta.device_state", "locked");
|
||||
+ InitPropertySet("ro.boot.warranty_bit", "0");
|
||||
+ InitPropertySet("ro.warranty_bit", "0");
|
||||
+}
|
||||
+
|
||||
void PropertyInit() {
|
||||
selinux_callback cb;
|
||||
cb.func_audit = PropertyAuditCallback;
|
||||
@@ -1300,6 +1309,14 @@ void PropertyInit() {
|
||||
LOG(FATAL) << "Failed to load serialized property info file";
|
||||
}
|
||||
|
||||
+ // Report a valid verified boot chain to make Google SafetyNet integrity
|
||||
+ // checks pass. This needs to be done before parsing the kernel cmdline as
|
||||
+ // these properties are read-only and will be set to invalid values with
|
||||
+ // androidboot cmdline arguments.
|
||||
+ if (!IsRecoveryMode()) {
|
||||
+ SetSafetyNetProps();
|
||||
+ }
|
||||
+
|
||||
// If arguments are passed both on the command line and in DT,
|
||||
// properties set in DT always have priority over the command-line ones.
|
||||
ProcessKernelDt();
|