diff --git a/patches/0001-KeyStore-Block-key-attestation-for-Google-Play-Servi.patch b/patches/0001-KeyStore-Block-key-attestation-for-Google-Play-Servi.patch
deleted file mode 100644
index 787ea5a..0000000
--- a/patches/0001-KeyStore-Block-key-attestation-for-Google-Play-Servi.patch
+++ /dev/null
@@ -1,52 +0,0 @@
-From 7f7a9b19c8293c09dfee12bec75ff17225c6710e Mon Sep 17 00:00:00 2001
-From: Danny Lin
-Date: Tue, 12 Jan 2021 22:25:13 -0800
-Subject: [PATCH] KeyStore: Block key attestation for Google Play Services
-
-In order to enforce SafetyNet security, Google Play Services is now
-using hardware attestation for ctsProfile validation in all cases, even
-when basic attestation is selected. The SafetyNet API response from GMS
-will report that basic attestation was used, but under the hood,
-hardware attestation is always used regardless of the reported state.
-This results in SafetyNet failing to pass due to TrustZone reporting an
-unlocked bootloader (and a partially invalidated root of trust) in the
-key attestation result.
-
-We can still take advantage of the fact that this usage of hardware
-attestation is opportunistic - that is, it falls back to basic
-attestation if key attestation fails to run - and prevent GMS from using
-key attestation at the framework level. This causes it to gracefully
-fall back to basic attestation and pass SafetyNet with an unlocked
-bootloader.
-
-Key attestation is still available for other apps, as there are valid
-uses for it that do not involve SafetyNet.
-
-The "not implemented" error code from keymaster is used to simulate the
-most realistic failure condition to evade detection, i.e. an old device
-that lacks support for key attestation.
-
-Change-Id: I7282ab22b933434bb11037743d46b8a20dad063a
----
- keystore/java/android/security/KeyStore.java | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/keystore/java/android/security/KeyStore.java b/keystore/java/android/security/KeyStore.java
-index 88b614dc7eef..0f766ef738bf 100644
---- a/keystore/java/android/security/KeyStore.java
-+++ b/keystore/java/android/security/KeyStore.java
-@@ -1124,6 +1124,11 @@ public class KeyStore {
-
- public int attestKey(
- String alias, KeymasterArguments params, KeymasterCertificateChain outChain) {
-+ // Prevent Google Play Services from using key attestation for SafetyNet
-+ if (mContext.getPackageName().equals("com.google.android.gms")) {
-+ return KeymasterDefs.KM_ERROR_UNIMPLEMENTED;
-+ }
-+
- CertificateChainPromise promise = new CertificateChainPromise();
- try {
- mBinder.asBinder().linkToDeath(promise, 0);
---
-2.29.2
-