86 lines
3.4 KiB
Diff
86 lines
3.4 KiB
Diff
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
|
From: Danny Lin <danny@kdrag0n.dev>
|
|
Date: Wed, 7 Oct 2020 00:24:54 -0700
|
|
Subject: [PATCH] init: Set properties to make SafetyNet pass
|
|
|
|
Google's SafetyNet integrity checks will check the values of these
|
|
properties when performing basic attestation. Setting fake values helps
|
|
us pass basic SafetyNet with no Magisk Hide or kernel patches necessary.
|
|
|
|
Note that these properties need to be set very early, before parsing the
|
|
kernel command-line, as they are read-only properties that the bootloader
|
|
sets using androidboot kernel arguments. The bootloader's real values
|
|
cause SafetyNet to fail with an unlocked bootloader and/or custom
|
|
software because the verified boot chain is broken in that case.
|
|
|
|
Change-Id: I66d23fd91d82906b00d5eb020668f01ae83ec31f
|
|
|
|
fastboot: Revert to Android 11 method of checking lock status
|
|
|
|
Now that we're setting system-wide properties for SafetyNet, which
|
|
includes ro.boot.verifiedbootstate=green, fastbootd always detects the
|
|
bootloader as being locked. Revert to the Android 11 method of reading
|
|
directly from the kernel cmdline to work arround the issue.
|
|
|
|
- Also don't set these in recovery
|
|
|
|
Change-Id: I57f6d48acddb29748778053edf354d7bd8994bd7
|
|
---
|
|
fastboot/device/utility.cpp | 7 ++++++-
|
|
init/property_service.cpp | 17 +++++++++++++++++
|
|
2 files changed, 23 insertions(+), 1 deletion(-)
|
|
|
|
diff --git a/fastboot/device/utility.cpp b/fastboot/device/utility.cpp
|
|
index 2d9b71213..a14eea376 100644
|
|
--- a/fastboot/device/utility.cpp
|
|
+++ b/fastboot/device/utility.cpp
|
|
@@ -196,7 +196,12 @@ std::vector<std::string> ListPartitions(FastbootDevice* device) {
|
|
}
|
|
|
|
bool GetDeviceLockStatus() {
|
|
- return android::base::GetProperty("ro.boot.verifiedbootstate", "") == "green";
|
|
+ std::string cmdline;
|
|
+ // Return lock status true if unable to read kernel command line.
|
|
+ if (!android::base::ReadFileToString("/proc/cmdline", &cmdline)) {
|
|
+ return true;
|
|
+ }
|
|
+ return cmdline.find("androidboot.verifiedbootstate=orange") == std::string::npos;
|
|
}
|
|
|
|
bool UpdateAllPartitionMetadata(FastbootDevice* device, const std::string& super_name,
|
|
diff --git a/init/property_service.cpp b/init/property_service.cpp
|
|
index 7fd64b389..06709cb7c 100644
|
|
--- a/init/property_service.cpp
|
|
+++ b/init/property_service.cpp
|
|
@@ -1286,6 +1286,15 @@ static void ProcessBootconfig() {
|
|
});
|
|
}
|
|
|
|
+static void SetSafetyNetProps() {
|
|
+ InitPropertySet("ro.boot.flash.locked", "1");
|
|
+ InitPropertySet("ro.boot.verifiedbootstate", "green");
|
|
+ InitPropertySet("ro.boot.veritymode", "enforcing");
|
|
+ InitPropertySet("ro.boot.vbmeta.device_state", "locked");
|
|
+ InitPropertySet("ro.boot.warranty_bit", "0");
|
|
+ InitPropertySet("ro.warranty_bit", "0");
|
|
+}
|
|
+
|
|
void PropertyInit() {
|
|
selinux_callback cb;
|
|
cb.func_audit = PropertyAuditCallback;
|
|
@@ -1300,6 +1309,14 @@ void PropertyInit() {
|
|
LOG(FATAL) << "Failed to load serialized property info file";
|
|
}
|
|
|
|
+ // Report a valid verified boot chain to make Google SafetyNet integrity
|
|
+ // checks pass. This needs to be done before parsing the kernel cmdline as
|
|
+ // these properties are read-only and will be set to invalid values with
|
|
+ // androidboot cmdline arguments.
|
|
+ if (!IsRecoveryMode()) {
|
|
+ SetSafetyNetProps();
|
|
+ }
|
|
+
|
|
// If arguments are passed both on the command line and in DT,
|
|
// properties set in DT always have priority over the command-line ones.
|
|
ProcessKernelDt();
|