Add all ROM patches

patches/10/sys/0001-keystore-Block-key-attestation-for-Google-Play-Servi.patch

@@ -0,0 +1,88 @@
+From 9dd88a70668da3d7b0581489d55d0d1a2ced2f5c Mon Sep 17 00:00:00 2001
+From: Danny Lin <danny@kdrag0n.dev>
+Date: Wed, 13 Jan 2021 02:05:05 -0800
+Subject: [PATCH] keystore: Block key attestation for Google Play Services
+
+In order to enforce SafetyNet security, Google Play Services is now
+using hardware attestation for ctsProfile validation in all cases, even
+when basic attestation is selected. The SafetyNet API response from GMS
+will report that basic attestation was used, but under the hood,
+hardware attestation is always used regardless of the reported state.
+This results in SafetyNet failing to pass due to TrustZone reporting an
+unlocked bootloader (and a partially invalidated root of trust) in the
+key attestation result.
+
+We can still take advantage of the fact that this usage of hardware
+attestation is opportunistic - that is, it falls back to basic
+attestation if key attestation fails to run - and prevent GMS from using
+key attestation at the framework level. This causes it to gracefully
+fall back to basic attestation and pass SafetyNet with an unlocked
+bootloader.
+
+Key attestation is still available for other apps, as there are valid
+uses for it that do not involve SafetyNet.
+
+The "not implemented" error code from keymaster is used to simulate the
+most realistic failure condition to evade detection, i.e. an old device
+that lacks support for key attestation.
+
+Change-Id: Iba5fe0791622839e1bad4730593a319ea03661f2
+---
+ keystore/key_store_service.cpp       | 9 +++++++--
+ keystore/keystore_attestation_id.cpp | 6 ++++++
+ 2 files changed, 13 insertions(+), 2 deletions(-)
+
+diff --git a/keystore/key_store_service.cpp b/keystore/key_store_service.cpp
+index b6b7295..40550a7 100644
+--- a/keystore/key_store_service.cpp
++++ b/keystore/key_store_service.cpp
+@@ -48,6 +48,7 @@
+ #include <keystore/keystore_return_types.h>
+ 
+ #include <hardware/hw_auth_token.h>
++#include <hardware/keymaster_defs.h>
+ 
+ namespace keystore {
+ 
+@@ -122,8 +123,12 @@ KeyStoreServiceReturnCode updateParamsForAttestation(uid_t callingUid, Authoriza
+ 
+     auto asn1_attestation_id_result = security::gather_attestation_application_id(callingUid);
+     if (!asn1_attestation_id_result.isOk()) {
+-        ALOGE("failed to gather attestation_id");
+-        return ErrorCode::ATTESTATION_APPLICATION_ID_MISSING;
++        if (asn1_attestation_id_result.status() == KM_ERROR_UNIMPLEMENTED) {
++            return KeyStoreServiceReturnCode(KM_ERROR_UNIMPLEMENTED);
++        } else {
++            ALOGE("failed to gather attestation_id");
++            return ErrorCode::ATTESTATION_APPLICATION_ID_MISSING;
++        }
+     }
+     std::vector<uint8_t>& asn1_attestation_id = asn1_attestation_id_result;
+ 
+diff --git a/keystore/keystore_attestation_id.cpp b/keystore/keystore_attestation_id.cpp
+index b48639f..1f1f79b 100644
+--- a/keystore/keystore_attestation_id.cpp
++++ b/keystore/keystore_attestation_id.cpp
+@@ -34,6 +34,8 @@
+ #include <keystore/KeyAttestationPackageInfo.h>
+ #include <keystore/Signature.h>
+ 
++#include <hardware/keymaster_defs.h>
++
+ #include <private/android_filesystem_config.h> /* for AID_SYSTEM */
+ 
+ #include <openssl/asn1t.h>
+@@ -209,6 +211,10 @@ build_attestation_application_id(const KeyAttestationApplicationId& key_attestat
+             return BAD_VALUE;
+         }
+         std::string package_name(String8(*pinfo->package_name()).string());
++        // Prevent Google Play Services from using key attestation for SafetyNet
++        if (package_name == "com.google.android.gms") {
++            return KM_ERROR_UNIMPLEMENTED;
++        }
+         std::unique_ptr<KM_ATTESTATION_PACKAGE_INFO> attestation_package_info;
+         auto rc = build_attestation_package_info(*pinfo, &attestation_package_info);
+         if (rc != NO_ERROR) {
+-- 
+2.29.2
+

patches/11/fwb/0001-KeyStore-Block-key-attestation-for-Google-Play-Servi.patch

@@ -0,0 +1,52 @@
+From 7f7a9b19c8293c09dfee12bec75ff17225c6710e Mon Sep 17 00:00:00 2001
+From: Danny Lin <danny@kdrag0n.dev>
+Date: Tue, 12 Jan 2021 22:25:13 -0800
+Subject: [PATCH] KeyStore: Block key attestation for Google Play Services
+
+In order to enforce SafetyNet security, Google Play Services is now
+using hardware attestation for ctsProfile validation in all cases, even
+when basic attestation is selected. The SafetyNet API response from GMS
+will report that basic attestation was used, but under the hood,
+hardware attestation is always used regardless of the reported state.
+This results in SafetyNet failing to pass due to TrustZone reporting an
+unlocked bootloader (and a partially invalidated root of trust) in the
+key attestation result.
+
+We can still take advantage of the fact that this usage of hardware
+attestation is opportunistic - that is, it falls back to basic
+attestation if key attestation fails to run - and prevent GMS from using
+key attestation at the framework level. This causes it to gracefully
+fall back to basic attestation and pass SafetyNet with an unlocked
+bootloader.
+
+Key attestation is still available for other apps, as there are valid
+uses for it that do not involve SafetyNet.
+
+The "not implemented" error code from keymaster is used to simulate the
+most realistic failure condition to evade detection, i.e. an old device
+that lacks support for key attestation.
+
+Change-Id: I7282ab22b933434bb11037743d46b8a20dad063a
+---
+ keystore/java/android/security/KeyStore.java | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/keystore/java/android/security/KeyStore.java b/keystore/java/android/security/KeyStore.java
+index 88b614dc7eef..0f766ef738bf 100644
+--- a/keystore/java/android/security/KeyStore.java
++++ b/keystore/java/android/security/KeyStore.java
+@@ -1124,6 +1124,11 @@ public class KeyStore {
+ 
+     public int attestKey(
+             String alias, KeymasterArguments params, KeymasterCertificateChain outChain) {
++        // Prevent Google Play Services from using key attestation for SafetyNet
++        if (mContext.getPackageName().equals("com.google.android.gms")) {
++            return KeymasterDefs.KM_ERROR_UNIMPLEMENTED;
++        }
++
+         CertificateChainPromise promise = new CertificateChainPromise();
+         try {
+             mBinder.asBinder().linkToDeath(promise, 0);
+-- 
+2.29.2
+

patches/8/sys/0001-keystore-Block-key-attestation-for-Google-Play-Servi.patch

@@ -0,0 +1,89 @@
+From f106ca40883616561fe866daadc11011bbecb806 Mon Sep 17 00:00:00 2001
+From: Danny Lin <danny@kdrag0n.dev>
+Date: Wed, 13 Jan 2021 02:05:05 -0800
+Subject: [PATCH] keystore: Block key attestation for Google Play Services
+
+In order to enforce SafetyNet security, Google Play Services is now
+using hardware attestation for ctsProfile validation in all cases, even
+when basic attestation is selected. The SafetyNet API response from GMS
+will report that basic attestation was used, but under the hood,
+hardware attestation is always used regardless of the reported state.
+This results in SafetyNet failing to pass due to TrustZone reporting an
+unlocked bootloader (and a partially invalidated root of trust) in the
+key attestation result.
+
+We can still take advantage of the fact that this usage of hardware
+attestation is opportunistic - that is, it falls back to basic
+attestation if key attestation fails to run - and prevent GMS from using
+key attestation at the framework level. This causes it to gracefully
+fall back to basic attestation and pass SafetyNet with an unlocked
+bootloader.
+
+Key attestation is still available for other apps, as there are valid
+uses for it that do not involve SafetyNet.
+
+The "not implemented" error code from keymaster is used to simulate the
+most realistic failure condition to evade detection, i.e. an old device
+that lacks support for key attestation.
+
+Change-Id: Iba5fe0791622839e1bad4730593a319ea03661f2
+---
+ keystore/key_store_service.cpp       | 10 ++++++++--
+ keystore/keystore_attestation_id.cpp |  6 ++++++
+ 2 files changed, 14 insertions(+), 2 deletions(-)
+
+diff --git a/keystore/key_store_service.cpp b/keystore/key_store_service.cpp
+index 39341ef..2554432 100644
+--- a/keystore/key_store_service.cpp
++++ b/keystore/key_store_service.cpp
+@@ -39,6 +39,8 @@
+ #include "keystore_utils.h"
+ #include <keystore/keystore_hidl_support.h>
+ 
++#include <hardware/keymaster_defs.h>
++
+ namespace keystore {
+ 
+ using namespace android;
+@@ -103,8 +105,12 @@ KeyStoreServiceReturnCode updateParamsForAttestation(uid_t callingUid, Authoriza
+ 
+     auto asn1_attestation_id_result = security::gather_attestation_application_id(callingUid);
+     if (!asn1_attestation_id_result.isOk()) {
+-        ALOGE("failed to gather attestation_id");
+-        return ErrorCode::ATTESTATION_APPLICATION_ID_MISSING;
++        if (asn1_attestation_id_result.status() == KM_ERROR_UNIMPLEMENTED) {
++            return KeyStoreServiceReturnCode(ErrorCode(KM_ERROR_UNIMPLEMENTED));
++        } else {
++            ALOGE("failed to gather attestation_id");
++            return ErrorCode::ATTESTATION_APPLICATION_ID_MISSING;
++        }
+     }
+     std::vector<uint8_t>& asn1_attestation_id = asn1_attestation_id_result;
+ 
+diff --git a/keystore/keystore_attestation_id.cpp b/keystore/keystore_attestation_id.cpp
+index 830482b..362bbc5 100644
+--- a/keystore/keystore_attestation_id.cpp
++++ b/keystore/keystore_attestation_id.cpp
+@@ -34,6 +34,8 @@
+ #include <keystore/KeyAttestationPackageInfo.h>
+ #include <keystore/Signature.h>
+ 
++#include <hardware/keymaster_defs.h>
++
+ #include <openssl/asn1t.h>
+ #include <openssl/sha.h>
+ 
+@@ -165,6 +167,10 @@ build_attestation_application_id(const KeyAttestationApplicationId& key_attestat
+             return BAD_VALUE;
+         }
+         std::string package_name(String8(*pinfo->package_name()).string());
++        // Prevent Google Play Services from using key attestation for SafetyNet
++        if (package_name == "com.google.android.gms") {
++            return KM_ERROR_UNIMPLEMENTED;
++        }
+         std::unique_ptr<KM_ATTESTATION_PACKAGE_INFO> attestation_package_info;
+         auto rc = build_attestation_package_info(*pinfo, &attestation_package_info);
+         if (rc != NO_ERROR) {
+-- 
+2.29.2
+

patches/9/sys/0001-keystore-Block-key-attestation-for-Google-Play-Servi.patch

@@ -0,0 +1,88 @@
+From 1e60fb921aa6cd03398acee1ce6ca758c0b39fd0 Mon Sep 17 00:00:00 2001
+From: Danny Lin <danny@kdrag0n.dev>
+Date: Wed, 13 Jan 2021 02:05:05 -0800
+Subject: [PATCH] keystore: Block key attestation for Google Play Services
+
+In order to enforce SafetyNet security, Google Play Services is now
+using hardware attestation for ctsProfile validation in all cases, even
+when basic attestation is selected. The SafetyNet API response from GMS
+will report that basic attestation was used, but under the hood,
+hardware attestation is always used regardless of the reported state.
+This results in SafetyNet failing to pass due to TrustZone reporting an
+unlocked bootloader (and a partially invalidated root of trust) in the
+key attestation result.
+
+We can still take advantage of the fact that this usage of hardware
+attestation is opportunistic - that is, it falls back to basic
+attestation if key attestation fails to run - and prevent GMS from using
+key attestation at the framework level. This causes it to gracefully
+fall back to basic attestation and pass SafetyNet with an unlocked
+bootloader.
+
+Key attestation is still available for other apps, as there are valid
+uses for it that do not involve SafetyNet.
+
+The "not implemented" error code from keymaster is used to simulate the
+most realistic failure condition to evade detection, i.e. an old device
+that lacks support for key attestation.
+
+Change-Id: Iba5fe0791622839e1bad4730593a319ea03661f2
+---
+ keystore/key_store_service.cpp       | 9 +++++++--
+ keystore/keystore_attestation_id.cpp | 6 ++++++
+ 2 files changed, 13 insertions(+), 2 deletions(-)
+
+diff --git a/keystore/key_store_service.cpp b/keystore/key_store_service.cpp
+index 6b26b57..352d708 100644
+--- a/keystore/key_store_service.cpp
++++ b/keystore/key_store_service.cpp
+@@ -45,6 +45,7 @@
+ #include <keystore/keystore_hidl_support.h>
+ 
+ #include <hardware/hw_auth_token.h>
++#include <hardware/keymaster_defs.h>
+ 
+ namespace keystore {
+ 
+@@ -121,8 +122,12 @@ KeyStoreServiceReturnCode updateParamsForAttestation(uid_t callingUid, Authoriza
+ 
+     auto asn1_attestation_id_result = security::gather_attestation_application_id(callingUid);
+     if (!asn1_attestation_id_result.isOk()) {
+-        ALOGE("failed to gather attestation_id");
+-        return ErrorCode::ATTESTATION_APPLICATION_ID_MISSING;
++        if (asn1_attestation_id_result.status() == KM_ERROR_UNIMPLEMENTED) {
++            return KeyStoreServiceReturnCode(KM_ERROR_UNIMPLEMENTED);
++        } else {
++            ALOGE("failed to gather attestation_id");
++            return ErrorCode::ATTESTATION_APPLICATION_ID_MISSING;
++        }
+     }
+     std::vector<uint8_t>& asn1_attestation_id = asn1_attestation_id_result;
+ 
+diff --git a/keystore/keystore_attestation_id.cpp b/keystore/keystore_attestation_id.cpp
+index 3d34ac5..16f3bf6 100644
+--- a/keystore/keystore_attestation_id.cpp
++++ b/keystore/keystore_attestation_id.cpp
+@@ -34,6 +34,8 @@
+ #include <keystore/KeyAttestationPackageInfo.h>
+ #include <keystore/Signature.h>
+ 
++#include <hardware/keymaster_defs.h>
++
+ #include <private/android_filesystem_config.h> /* for AID_SYSTEM */
+ 
+ #include <openssl/asn1t.h>
+@@ -181,6 +183,10 @@ build_attestation_application_id(const KeyAttestationApplicationId& key_attestat
+             return BAD_VALUE;
+         }
+         std::string package_name(String8(*pinfo->package_name()).string());
++        // Prevent Google Play Services from using key attestation for SafetyNet
++        if (package_name == "com.google.android.gms") {
++            return KM_ERROR_UNIMPLEMENTED;
++        }
+         std::unique_ptr<KM_ATTESTATION_PACKAGE_INFO> attestation_package_info;
+         auto rc = build_attestation_package_info(*pinfo, &attestation_package_info);
+         if (rc != NO_ERROR) {
+-- 
+2.29.2
+