Add Android 11 patch files

2024-07-05 12:38:47 +00:00 · 2021-01-13 19:21:26 -08:00 · 2021-01-13 19:21:26 -08:00 · 279c1a918b
commit 279c1a918b
parent 4ba7ac5da3
3 changed files with 143 additions and 1 deletions
--- a/2
+++ b/2
@ -9,7 +9,7 @@ all: $(ZIP)
 zip: $(ZIP)

 %.zip: clean
-	zip -r9 $(ZIP) . -x $(MODNAME)-*.zip LICENSE .gitignore .gitattributes Makefile /.git* *.DS_Store* *placeholder
+	zip -r9 $(ZIP) . -x $(MODNAME)-*.zip LICENSE .gitignore .gitattributes Makefile /.git* *.DS_Store* *placeholder patches/ patches/*

 install: $(ZIP)
 	adb push $(ZIP) /sdcard/
--- a/patches/0001-KeyStore-Block-key-attestation-for-Google-Play-Servi.patch
+++ b/patches/0001-KeyStore-Block-key-attestation-for-Google-Play-Servi.patch
@ -0,0 +1,52 @@
+From 7f7a9b19c8293c09dfee12bec75ff17225c6710e Mon Sep 17 00:00:00 2001
+From: Danny Lin <danny@kdrag0n.dev>
+Date: Tue, 12 Jan 2021 22:25:13 -0800
+Subject: [PATCH] KeyStore: Block key attestation for Google Play Services
+
+In order to enforce SafetyNet security, Google Play Services is now
+using hardware attestation for ctsProfile validation in all cases, even
+when basic attestation is selected. The SafetyNet API response from GMS
+will report that basic attestation was used, but under the hood,
+hardware attestation is always used regardless of the reported state.
+This results in SafetyNet failing to pass due to TrustZone reporting an
+unlocked bootloader (and a partially invalidated root of trust) in the
+key attestation result.
+
+We can still take advantage of the fact that this usage of hardware
+attestation is opportunistic - that is, it falls back to basic
+attestation if key attestation fails to run - and prevent GMS from using
+key attestation at the framework level. This causes it to gracefully
+fall back to basic attestation and pass SafetyNet with an unlocked
+bootloader.
+
+Key attestation is still available for other apps, as there are valid
+uses for it that do not involve SafetyNet.
+
+The "not implemented" error code from keymaster is used to simulate the
+most realistic failure condition to evade detection, i.e. an old device
+that lacks support for key attestation.
+
+Change-Id: I7282ab22b933434bb11037743d46b8a20dad063a
+---
+ keystore/java/android/security/KeyStore.java | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/keystore/java/android/security/KeyStore.java b/keystore/java/android/security/KeyStore.java
+index 88b614dc7eef..0f766ef738bf 100644
+--- a/keystore/java/android/security/KeyStore.java
+++ b/keystore/java/android/security/KeyStore.java
+@@ -1124,6 +1124,11 @@ public class KeyStore {
+ 
+     public int attestKey(
+             String alias, KeymasterArguments params, KeymasterCertificateChain outChain) {
+        // Prevent Google Play Services from using key attestation for SafetyNet
+        if (mContext.getPackageName().equals("com.google.android.gms")) {
+            return KeymasterDefs.KM_ERROR_UNIMPLEMENTED;
+        }
+
+         CertificateChainPromise promise = new CertificateChainPromise();
+         try {
+             mBinder.asBinder().linkToDeath(promise, 0);
+-- 
+2.29.2
+
--- a/patches/0001-keystore-Block-key-attestation-for-Google-Play-Servi.patch
+++ b/patches/0001-keystore-Block-key-attestation-for-Google-Play-Servi.patch
@ -0,0 +1,90 @@
+From 15633a3d29bf727b83083f2c49d906c16527d389 Mon Sep 17 00:00:00 2001
+From: Danny Lin <danny@kdrag0n.dev>
+Date: Wed, 13 Jan 2021 02:05:05 -0800
+Subject: [PATCH] keystore: Block key attestation for Google Play Services
+
+In order to enforce SafetyNet security, Google Play Services is now
+using hardware attestation for ctsProfile validation in all cases, even
+when basic attestation is selected. The SafetyNet API response from GMS
+will report that basic attestation was used, but under the hood,
+hardware attestation is always used regardless of the reported state.
+This results in SafetyNet failing to pass due to TrustZone reporting an
+unlocked bootloader (and a partially invalidated root of trust) in the
+key attestation result.
+
+We can still take advantage of the fact that this usage of hardware
+attestation is opportunistic - that is, it falls back to basic
+attestation if key attestation fails to run - and prevent GMS from using
+key attestation at the framework level. This causes it to gracefully
+fall back to basic attestation and pass SafetyNet with an unlocked
+bootloader.
+
+Key attestation is still available for other apps, as there are valid
+uses for it that do not involve SafetyNet.
+
+The "not implemented" error code from keymaster is used to simulate the
+most realistic failure condition to evade detection, i.e. an old device
+that lacks support for key attestation.
+
+Change-Id: Iba5fe0791622839e1bad4730593a319ea03661f2
+---
+ keystore/key_store_service.cpp       | 11 ++++++++---
+ keystore/keystore_attestation_id.cpp |  6 ++++++
+ 2 files changed, 14 insertions(+), 3 deletions(-)
+
+diff --git a/keystore/key_store_service.cpp b/keystore/key_store_service.cpp
+index 1b38643..b1f1304 100644
+--- a/keystore/key_store_service.cpp
+++ b/keystore/key_store_service.cpp
+@@ -49,6 +49,7 @@
+ #include <keystore/keystore_return_types.h>
+ 
+ #include <hardware/hw_auth_token.h>
+#include <hardware/keymaster_defs.h>
+ 
+ namespace keystore {
+ 
+@@ -120,9 +121,13 @@ KeyStoreServiceReturnCode updateParamsForAttestation(uid_t callingUid, Authoriza
+ 
+     auto asn1_attestation_id_result = security::gather_attestation_application_id(callingUid);
+     if (!asn1_attestation_id_result.isOk()) {
+-        ALOGE("failed to gather attestation_id");
+-        // Couldn't get attestation ID; just use an empty one rather than failing.
+-        asn1_attestation_id_result = std::vector<uint8_t>();
+        if (asn1_attestation_id_result.status() == KM_ERROR_UNIMPLEMENTED) {
+            return KeyStoreServiceReturnCode(KM_ERROR_UNIMPLEMENTED);
+        } else {
+            ALOGE("failed to gather attestation_id");
+            // Couldn't get attestation ID; just use an empty one rather than failing.
+            asn1_attestation_id_result = std::vector<uint8_t>();
+        }
+     }
+     std::vector<uint8_t>& asn1_attestation_id = asn1_attestation_id_result;
+ 
+diff --git a/keystore/keystore_attestation_id.cpp b/keystore/keystore_attestation_id.cpp
+index 3d9e87e..448a909 100644
+--- a/keystore/keystore_attestation_id.cpp
+++ b/keystore/keystore_attestation_id.cpp
+@@ -35,6 +35,8 @@
+ #include <keystore/KeyAttestationPackageInfo.h>
+ #include <keystore/Signature.h>
+ 
+#include <hardware/keymaster_defs.h>
+
+ #include <private/android_filesystem_config.h> /* for AID_SYSTEM */
+ 
+ #include <openssl/asn1t.h>
+@@ -210,6 +212,10 @@ build_attestation_application_id(const KeyAttestationApplicationId& key_attestat
+             return BAD_VALUE;
+         }
+         std::string package_name(String8(*pinfo->package_name()).string());
+        // Prevent Google Play Services from using key attestation for SafetyNet
+        if (package_name == "com.google.android.gms") {
+            return KM_ERROR_UNIMPLEMENTED;
+        }
+         std::unique_ptr<KM_ATTESTATION_PACKAGE_INFO> attestation_package_info;
+         auto rc = build_attestation_package_info(*pinfo, &attestation_package_info);
+         if (rc != NO_ERROR) {
+-- 
+2.29.2
+