From 9e80da9fe1738e7d28d79d3368f0cbf409bb4caa Mon Sep 17 00:00:00 2001 From: Danny Lin Date: Wed, 13 Jan 2021 20:27:20 -0800 Subject: [PATCH] Add all ROM patches --- ...ey-attestation-for-Google-Play-Servi.patch | 88 ++++++++++++++++++ ...ey-attestation-for-Google-Play-Servi.patch | 52 +++++++++++ ...ey-attestation-for-Google-Play-Servi.patch | 0 ...ey-attestation-for-Google-Play-Servi.patch | 89 +++++++++++++++++++ ...ey-attestation-for-Google-Play-Servi.patch | 88 ++++++++++++++++++ 5 files changed, 317 insertions(+) create mode 100644 patches/10/sys/0001-keystore-Block-key-attestation-for-Google-Play-Servi.patch create mode 100644 patches/11/fwb/0001-KeyStore-Block-key-attestation-for-Google-Play-Servi.patch rename patches/{ => 11/sys}/0001-keystore-Block-key-attestation-for-Google-Play-Servi.patch (100%) create mode 100644 patches/8/sys/0001-keystore-Block-key-attestation-for-Google-Play-Servi.patch create mode 100644 patches/9/sys/0001-keystore-Block-key-attestation-for-Google-Play-Servi.patch diff --git a/patches/10/sys/0001-keystore-Block-key-attestation-for-Google-Play-Servi.patch b/patches/10/sys/0001-keystore-Block-key-attestation-for-Google-Play-Servi.patch new file mode 100644 index 0000000..a954539 --- /dev/null +++ b/patches/10/sys/0001-keystore-Block-key-attestation-for-Google-Play-Servi.patch 
@@ -0,0 +1,88 @@ +From 9dd88a70668da3d7b0581489d55d0d1a2ced2f5c Mon Sep 17 00:00:00 2001 +From: Danny Lin +Date: Wed, 13 Jan 2021 02:05:05 -0800 +Subject: [PATCH] keystore: Block key attestation for Google Play Services + +In order to enforce SafetyNet security, Google Play Services is now +using hardware attestation for ctsProfile validation in all cases, even +when basic attestation is selected. The SafetyNet API response from GMS +will report that basic attestation was used, but under the hood, +hardware attestation is always used regardless of the reported state. +This results in SafetyNet failing to pass due to TrustZone reporting an +unlocked bootloader (and a partially invalidated root of trust) in the +key attestation result. + +We can still take advantage of the fact that this usage of hardware +attestation is opportunistic - that is, it falls back to basic +attestation if key attestation fails to run - and prevent GMS from using +key attestation at the framework level. This causes it to gracefully +fall back to basic attestation and pass SafetyNet with an unlocked +bootloader. + +Key attestation is still available for other apps, as there are valid +uses for it that do not involve SafetyNet. + +The "not implemented" error code from keymaster is used to simulate the +most realistic failure condition to evade detection, i.e. an old device +that lacks support for key attestation. 
+ +Change-Id: Iba5fe0791622839e1bad4730593a319ea03661f2 +--- + keystore/key_store_service.cpp | 9 +++++++-- + keystore/keystore_attestation_id.cpp | 6 ++++++ + 2 files changed, 13 insertions(+), 2 deletions(-) + +diff --git a/keystore/key_store_service.cpp b/keystore/key_store_service.cpp +index b6b7295..40550a7 100644 +--- a/keystore/key_store_service.cpp ++++ b/keystore/key_store_service.cpp +@@ -48,6 +48,7 @@ + #include + + #include ++#include + + namespace keystore { + +@@ -122,8 +123,12 @@ KeyStoreServiceReturnCode updateParamsForAttestation(uid_t callingUid, Authoriza + + auto asn1_attestation_id_result = security::gather_attestation_application_id(callingUid); + if (!asn1_attestation_id_result.isOk()) { +- ALOGE("failed to gather attestation_id"); +- return ErrorCode::ATTESTATION_APPLICATION_ID_MISSING; ++ if (asn1_attestation_id_result.status() == KM_ERROR_UNIMPLEMENTED) { ++ return KeyStoreServiceReturnCode(KM_ERROR_UNIMPLEMENTED); ++ } else { ++ ALOGE("failed to gather attestation_id"); ++ return ErrorCode::ATTESTATION_APPLICATION_ID_MISSING; ++ } + } + std::vector& asn1_attestation_id = asn1_attestation_id_result; + +diff --git a/keystore/keystore_attestation_id.cpp b/keystore/keystore_attestation_id.cpp +index b48639f..1f1f79b 100644 +--- a/keystore/keystore_attestation_id.cpp ++++ b/keystore/keystore_attestation_id.cpp +@@ -34,6 +34,8 @@ + #include + #include + ++#include ++ + #include /* for AID_SYSTEM */ + + #include +@@ -209,6 +211,10 @@ build_attestation_application_id(const KeyAttestationApplicationId& key_attestat + return BAD_VALUE; + } + std::string package_name(String8(*pinfo->package_name()).string()); ++ // Prevent Google Play Services from using key attestation for SafetyNet ++ if (package_name == "com.google.android.gms") { ++ return KM_ERROR_UNIMPLEMENTED; ++ } + std::unique_ptr attestation_package_info; + auto rc = build_attestation_package_info(*pinfo, &attestation_package_info); + if (rc != NO_ERROR) { +-- +2.29.2 + 
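Review bot: The new early return in build_attestation_application_id (`return KM_ERROR_UNIMPLEMENTED;`) pushes a keymaster_error_t through a function whose other visible failure path returns an android status_t (`BAD_VALUE`), and updateParamsForAttestation then compares `status()` against that keymaster constant; the two error domains overlap numerically (KM_ERROR_UNIMPLEMENTED is -100, which presumably also equals -ENETDOWN when read as a status_t), so the sentinel is only unambiguous because nothing else in gather_attestation_application_id is expected to return that value. I would record that at the comparison: `// KM_ERROR_UNIMPLEMENTED is smuggled through status_t by build_attestation_application_id; no other producer of this status may return -100.` Note also that ALOGE is deliberately skipped on this branch so the denial leaves no log trace, which matches the commit message's intent but deserves a one-line comment so a later maintainer does not "restore" the missing log. Both functions are shown only partially inside the embedded patch.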
diff --git a/patches/11/fwb/0001-KeyStore-Block-key-attestation-for-Google-Play-Servi.patch b/patches/11/fwb/0001-KeyStore-Block-key-attestation-for-Google-Play-Servi.patch new file mode 100644 index 0000000..787ea5a --- /dev/null +++ b/patches/11/fwb/0001-KeyStore-Block-key-attestation-for-Google-Play-Servi.patch 
@@ -0,0 +1,52 @@ +From 7f7a9b19c8293c09dfee12bec75ff17225c6710e Mon Sep 17 00:00:00 2001 +From: Danny Lin +Date: Tue, 12 Jan 2021 22:25:13 -0800 +Subject: [PATCH] KeyStore: Block key attestation for Google Play Services + +In order to enforce SafetyNet security, Google Play Services is now +using hardware attestation for ctsProfile validation in all cases, even +when basic attestation is selected. The SafetyNet API response from GMS +will report that basic attestation was used, but under the hood, +hardware attestation is always used regardless of the reported state. +This results in SafetyNet failing to pass due to TrustZone reporting an +unlocked bootloader (and a partially invalidated root of trust) in the +key attestation result. + +We can still take advantage of the fact that this usage of hardware +attestation is opportunistic - that is, it falls back to basic +attestation if key attestation fails to run - and prevent GMS from using +key attestation at the framework level. This causes it to gracefully +fall back to basic attestation and pass SafetyNet with an unlocked +bootloader. + +Key attestation is still available for other apps, as there are valid +uses for it that do not involve SafetyNet. + +The "not implemented" error code from keymaster is used to simulate the +most realistic failure condition to evade detection, i.e. an old device +that lacks support for key attestation. 
+ +Change-Id: I7282ab22b933434bb11037743d46b8a20dad063a +--- + keystore/java/android/security/KeyStore.java | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/keystore/java/android/security/KeyStore.java b/keystore/java/android/security/KeyStore.java +index 88b614dc7eef..0f766ef738bf 100644 +--- a/keystore/java/android/security/KeyStore.java ++++ b/keystore/java/android/security/KeyStore.java +@@ -1124,6 +1124,11 @@ public class KeyStore { + + public int attestKey( + String alias, KeymasterArguments params, KeymasterCertificateChain outChain) { ++ // Prevent Google Play Services from using key attestation for SafetyNet ++ if (mContext.getPackageName().equals("com.google.android.gms")) { ++ return KeymasterDefs.KM_ERROR_UNIMPLEMENTED; ++ } ++ + CertificateChainPromise promise = new CertificateChainPromise(); + try { + mBinder.asBinder().linkToDeath(promise, 0); +-- +2.29.2 + diff --git a/patches/0001-keystore-Block-key-attestation-for-Google-Play-Servi.patch b/patches/11/sys/0001-keystore-Block-key-attestation-for-Google-Play-Servi.patch similarity index 100% rename from patches/0001-keystore-Block-key-attestation-for-Google-Play-Servi.patch rename to patches/11/sys/0001-keystore-Block-key-attestation-for-Google-Play-Servi.patch diff --git a/patches/8/sys/0001-keystore-Block-key-attestation-for-Google-Play-Servi.patch b/patches/8/sys/0001-keystore-Block-key-attestation-for-Google-Play-Servi.patch new file mode 100644 index 0000000..7796e05 --- /dev/null +++ b/patches/8/sys/0001-keystore-Block-key-attestation-for-Google-Play-Servi.patch 
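Review bot: The package-name check added to KeyStore.attestKey runs inside the calling app's own process (android.security.KeyStore is a client wrapper around `mBinder`), so it is a convenience short-circuit rather than an enforcement point: a caller that talks to the keystore binder directly never sees it. The keystore-daemon counterpart for this release is presumably the patches/11/sys file renamed in this same commit, whose contents are not shown here, and that is the boundary a reviewer should rely on for the SafetyNet behaviour the message describes. I would say so at the check: `// Client-side short-circuit only; the keystore daemon enforces the same denial (see the matching sys patch).` `mContext` is also dereferenced without a null check, which is fine only if the constructor guarantees it is set; the hunk does not show that.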
@@ -0,0 +1,89 @@ +From f106ca40883616561fe866daadc11011bbecb806 Mon Sep 17 00:00:00 2001 +From: Danny Lin +Date: Wed, 13 Jan 2021 02:05:05 -0800 +Subject: [PATCH] keystore: Block key attestation for Google Play Services + +In order to enforce SafetyNet security, Google Play Services is now +using hardware attestation for ctsProfile validation in all cases, even +when basic attestation is selected. The SafetyNet API response from GMS +will report that basic attestation was used, but under the hood, +hardware attestation is always used regardless of the reported state. +This results in SafetyNet failing to pass due to TrustZone reporting an +unlocked bootloader (and a partially invalidated root of trust) in the +key attestation result. + +We can still take advantage of the fact that this usage of hardware +attestation is opportunistic - that is, it falls back to basic +attestation if key attestation fails to run - and prevent GMS from using +key attestation at the framework level. This causes it to gracefully +fall back to basic attestation and pass SafetyNet with an unlocked +bootloader. + +Key attestation is still available for other apps, as there are valid +uses for it that do not involve SafetyNet. + +The "not implemented" error code from keymaster is used to simulate the +most realistic failure condition to evade detection, i.e. an old device +that lacks support for key attestation. 
+ +Change-Id: Iba5fe0791622839e1bad4730593a319ea03661f2 +--- + keystore/key_store_service.cpp | 10 ++++++++-- + keystore/keystore_attestation_id.cpp | 6 ++++++ + 2 files changed, 14 insertions(+), 2 deletions(-) + +diff --git a/keystore/key_store_service.cpp b/keystore/key_store_service.cpp +index 39341ef..2554432 100644 +--- a/keystore/key_store_service.cpp ++++ b/keystore/key_store_service.cpp +@@ -39,6 +39,8 @@ + #include "keystore_utils.h" + #include + ++#include ++ + namespace keystore { + + using namespace android; +@@ -103,8 +105,12 @@ KeyStoreServiceReturnCode updateParamsForAttestation(uid_t callingUid, Authoriza + + auto asn1_attestation_id_result = security::gather_attestation_application_id(callingUid); + if (!asn1_attestation_id_result.isOk()) { +- ALOGE("failed to gather attestation_id"); +- return ErrorCode::ATTESTATION_APPLICATION_ID_MISSING; ++ if (asn1_attestation_id_result.status() == KM_ERROR_UNIMPLEMENTED) { ++ return KeyStoreServiceReturnCode(ErrorCode(KM_ERROR_UNIMPLEMENTED)); ++ } else { ++ ALOGE("failed to gather attestation_id"); ++ return ErrorCode::ATTESTATION_APPLICATION_ID_MISSING; ++ } + } + std::vector& asn1_attestation_id = asn1_attestation_id_result; + +diff --git a/keystore/keystore_attestation_id.cpp b/keystore/keystore_attestation_id.cpp +index 830482b..362bbc5 100644 +--- a/keystore/keystore_attestation_id.cpp ++++ b/keystore/keystore_attestation_id.cpp +@@ -34,6 +34,8 @@ + #include + #include + ++#include ++ + #include + #include + +@@ -165,6 +167,10 @@ build_attestation_application_id(const KeyAttestationApplicationId& key_attestat + return BAD_VALUE; + } + std::string package_name(String8(*pinfo->package_name()).string()); ++ // Prevent Google Play Services from using key attestation for SafetyNet ++ if (package_name == "com.google.android.gms") { ++ return KM_ERROR_UNIMPLEMENTED; ++ } + std::unique_ptr attestation_package_info; + auto rc = build_attestation_package_info(*pinfo, &attestation_package_info); + if (rc != 
NO_ERROR) { +-- +2.29.2 + diff --git a/patches/9/sys/0001-keystore-Block-key-attestation-for-Google-Play-Servi.patch b/patches/9/sys/0001-keystore-Block-key-attestation-for-Google-Play-Servi.patch new file mode 100644 index 0000000..5115939 --- /dev/null +++ b/patches/9/sys/0001-keystore-Block-key-attestation-for-Google-Play-Servi.patch 
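Review bot: The three system/security/keystore variants in this commit build the sentinel differently: this one returns `KeyStoreServiceReturnCode(ErrorCode(KM_ERROR_UNIMPLEMENTED))` while the 9 and 10 variants pass `KM_ERROR_UNIMPLEMENTED` to the constructor directly; presumably the constructor overloads differ between releases, but a one-line comment saying why this branch needs the explicit `ErrorCode` cast would keep a future rebase from "harmonising" it into a build break. The denial itself matches on package name only (`package_name == "com.google.android.gms"`), not on signing certificate, which is the safe direction for a denylist since an impostor package with that name merely loses attestation too, but that reasoning should be written next to the comparison, e.g. `// Name-only match is intentional: a spoofed package name only denies itself attestation.` The enclosing build_attestation_application_id body is only partially shown inside the embedded patch.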
@@ -0,0 +1,88 @@ +From 1e60fb921aa6cd03398acee1ce6ca758c0b39fd0 Mon Sep 17 00:00:00 2001 +From: Danny Lin +Date: Wed, 13 Jan 2021 02:05:05 -0800 +Subject: [PATCH] keystore: Block key attestation for Google Play Services + +In order to enforce SafetyNet security, Google Play Services is now +using hardware attestation for ctsProfile validation in all cases, even +when basic attestation is selected. The SafetyNet API response from GMS +will report that basic attestation was used, but under the hood, +hardware attestation is always used regardless of the reported state. +This results in SafetyNet failing to pass due to TrustZone reporting an +unlocked bootloader (and a partially invalidated root of trust) in the +key attestation result. + +We can still take advantage of the fact that this usage of hardware +attestation is opportunistic - that is, it falls back to basic +attestation if key attestation fails to run - and prevent GMS from using +key attestation at the framework level. This causes it to gracefully +fall back to basic attestation and pass SafetyNet with an unlocked +bootloader. + +Key attestation is still available for other apps, as there are valid +uses for it that do not involve SafetyNet. + +The "not implemented" error code from keymaster is used to simulate the +most realistic failure condition to evade detection, i.e. an old device +that lacks support for key attestation. 
+ +Change-Id: Iba5fe0791622839e1bad4730593a319ea03661f2 +--- + keystore/key_store_service.cpp | 9 +++++++-- + keystore/keystore_attestation_id.cpp | 6 ++++++ + 2 files changed, 13 insertions(+), 2 deletions(-) + +diff --git a/keystore/key_store_service.cpp b/keystore/key_store_service.cpp +index 6b26b57..352d708 100644 +--- a/keystore/key_store_service.cpp ++++ b/keystore/key_store_service.cpp +@@ -45,6 +45,7 @@ + #include + + #include ++#include + + namespace keystore { + +@@ -121,8 +122,12 @@ KeyStoreServiceReturnCode updateParamsForAttestation(uid_t callingUid, Authoriza + + auto asn1_attestation_id_result = security::gather_attestation_application_id(callingUid); + if (!asn1_attestation_id_result.isOk()) { +- ALOGE("failed to gather attestation_id"); +- return ErrorCode::ATTESTATION_APPLICATION_ID_MISSING; ++ if (asn1_attestation_id_result.status() == KM_ERROR_UNIMPLEMENTED) { ++ return KeyStoreServiceReturnCode(KM_ERROR_UNIMPLEMENTED); ++ } else { ++ ALOGE("failed to gather attestation_id"); ++ return ErrorCode::ATTESTATION_APPLICATION_ID_MISSING; ++ } + } + std::vector& asn1_attestation_id = asn1_attestation_id_result; + +diff --git a/keystore/keystore_attestation_id.cpp b/keystore/keystore_attestation_id.cpp +index 3d34ac5..16f3bf6 100644 +--- a/keystore/keystore_attestation_id.cpp ++++ b/keystore/keystore_attestation_id.cpp +@@ -34,6 +34,8 @@ + #include + #include + ++#include ++ + #include /* for AID_SYSTEM */ + + #include +@@ -181,6 +183,10 @@ build_attestation_application_id(const KeyAttestationApplicationId& key_attestat + return BAD_VALUE; + } + std::string package_name(String8(*pinfo->package_name()).string()); ++ // Prevent Google Play Services from using key attestation for SafetyNet ++ if (package_name == "com.google.android.gms") { ++ return KM_ERROR_UNIMPLEMENTED; ++ } + std::unique_ptr attestation_package_info; + auto rc = build_attestation_package_info(*pinfo, &attestation_package_info); + if (rc != NO_ERROR) { +-- +2.29.2 +
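Review bot: The check in build_attestation_application_id rejects the whole attestation request as soon as a package belonging to the calling UID is named com.google.android.gms, because it appears to sit inside the per-package walk (`pinfo`) and returns instead of skipping that entry; any other package installed under the same shared UID (GMS presumably shares one with other Google packages) therefore loses key attestation as well, which the message's "still available for other apps" does not cover. If that is acceptable it should be documented: `// Applies to the whole calling UID: any co-installed package sharing GMS's uid is denied as well.`; if not, the comparison would need to require a single-package UID or move to the caller. The loop header and the rest of the function lie outside the embedded hunk.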