60 lines
2.3 KiB
Diff
60 lines
2.3 KiB
Diff
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
|
From: Danny Lin <danny@kdrag0n.dev>
|
|
Date: Wed, 7 Oct 2020 00:24:54 -0700
|
|
Subject: [PATCH] init: Set properties to make SafetyNet pass
|
|
|
|
Google's SafetyNet integrity checks will check the values of these
|
|
properties when performing basic attestation. Setting fake values helps
|
|
us pass basic SafetyNet with no Magisk Hide or kernel patches necessary.
|
|
|
|
Note that these properties need to be set very early, before parsing the
|
|
kernel command-line, as they are read-only properties that the bootloader
|
|
sets using androidboot kernel arguments. The bootloader's real values
|
|
cause SafetyNet to fail with an unlocked bootloader and/or custom
|
|
software because the verified boot chain is broken in that case.
|
|
|
|
Change-Id: I66d23fd91d82906b00d5eb020668f01ae83ec31f
|
|
|
|
- Also don't set these in recovery
|
|
|
|
Change-Id: I57f6d48acddb29748778053edf354d7bd8994bd7
|
|
---
|
|
init/property_service.cpp | 17 +++++++++++++++++
|
|
1 file changed, 17 insertions(+)
|
|
|
|
diff --git a/init/property_service.cpp b/init/property_service.cpp
|
|
index f47c93596..6c404de62 100644
|
|
--- a/init/property_service.cpp
|
|
+++ b/init/property_service.cpp
|
|
@@ -101,6 +101,15 @@ struct PropertyAuditData {
|
|
const char* name;
|
|
};
|
|
|
|
+static void SetSafetyNetProps() {
|
|
+ InitPropertySet("ro.boot.flash.locked", "1");
|
|
+ InitPropertySet("ro.boot.verifiedbootstate", "green");
|
|
+ InitPropertySet("ro.boot.veritymode", "enforcing");
|
|
+ InitPropertySet("ro.boot.vbmeta.device_state", "locked");
|
|
+ InitPropertySet("ro.boot.warranty_bit", "0");
|
|
+ InitPropertySet("ro.warranty_bit", "0");
|
|
+}
|
|
+
|
|
void property_init() {
|
|
mkdir("/dev/__properties__", S_IRWXU | S_IXGRP | S_IXOTH);
|
|
CreateSerializedPropertyInfo();
|
|
@@ -110,6 +119,14 @@ void property_init() {
|
|
if (!property_info_area.LoadDefaultPath()) {
|
|
LOG(FATAL) << "Failed to load serialized property info file";
|
|
}
|
|
+
|
|
+ // Report a valid verified boot chain to make Google SafetyNet integrity
|
|
+ // checks pass. This needs to be done before parsing the kernel cmdline as
|
|
+ // these properties are read-only and will be set to invalid values with
|
|
+ // androidboot cmdline arguments.
|
|
+ if (!IsRecoveryMode()) {
|
|
+ SetSafetyNetProps();
|
|
+ }
|
|
}
|
|
static bool CheckMacPerms(const std::string& name, const char* target_context,
|
|
const char* source_context, const ucred& cr) {
|