mirror of
https://github.com/kdrag0n/safetynet-fix.git
synced 2024-10-06 06:39:49 +00:00
patches: Remove frameworks/base patch
This will cause trouble on Windows due to case-insensitive filesystems.
This commit is contained in:
parent
502d10f8fe
commit
ff67d50b38
@ -1,52 +0,0 @@
|
|||||||
From 7f7a9b19c8293c09dfee12bec75ff17225c6710e Mon Sep 17 00:00:00 2001
|
|
||||||
From: Danny Lin <danny@kdrag0n.dev>
|
|
||||||
Date: Tue, 12 Jan 2021 22:25:13 -0800
|
|
||||||
Subject: [PATCH] KeyStore: Block key attestation for Google Play Services
|
|
||||||
|
|
||||||
In order to enforce SafetyNet security, Google Play Services is now
|
|
||||||
using hardware attestation for ctsProfile validation in all cases, even
|
|
||||||
when basic attestation is selected. The SafetyNet API response from GMS
|
|
||||||
will report that basic attestation was used, but under the hood,
|
|
||||||
hardware attestation is always used regardless of the reported state.
|
|
||||||
This results in SafetyNet failing to pass due to TrustZone reporting an
|
|
||||||
unlocked bootloader (and a partially invalidated root of trust) in the
|
|
||||||
key attestation result.
|
|
||||||
|
|
||||||
We can still take advantage of the fact that this usage of hardware
|
|
||||||
attestation is opportunistic - that is, it falls back to basic
|
|
||||||
attestation if key attestation fails to run - and prevent GMS from using
|
|
||||||
key attestation at the framework level. This causes it to gracefully
|
|
||||||
fall back to basic attestation and pass SafetyNet with an unlocked
|
|
||||||
bootloader.
|
|
||||||
|
|
||||||
Key attestation is still available for other apps, as there are valid
|
|
||||||
uses for it that do not involve SafetyNet.
|
|
||||||
|
|
||||||
The "not implemented" error code from keymaster is used to simulate the
|
|
||||||
most realistic failure condition to evade detection, i.e. an old device
|
|
||||||
that lacks support for key attestation.
|
|
||||||
|
|
||||||
Change-Id: I7282ab22b933434bb11037743d46b8a20dad063a
|
|
||||||
---
|
|
||||||
keystore/java/android/security/KeyStore.java | 5 +++++
|
|
||||||
1 file changed, 5 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/keystore/java/android/security/KeyStore.java b/keystore/java/android/security/KeyStore.java
|
|
||||||
index 88b614dc7eef..0f766ef738bf 100644
|
|
||||||
--- a/keystore/java/android/security/KeyStore.java
|
|
||||||
+++ b/keystore/java/android/security/KeyStore.java
|
|
||||||
@@ -1124,6 +1124,11 @@ public class KeyStore {
|
|
||||||
|
|
||||||
public int attestKey(
|
|
||||||
String alias, KeymasterArguments params, KeymasterCertificateChain outChain) {
|
|
||||||
+ // Prevent Google Play Services from using key attestation for SafetyNet
|
|
||||||
+ if (mContext.getPackageName().equals("com.google.android.gms")) {
|
|
||||||
+ return KeymasterDefs.KM_ERROR_UNIMPLEMENTED;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
CertificateChainPromise promise = new CertificateChainPromise();
|
|
||||||
try {
|
|
||||||
mBinder.asBinder().linkToDeath(promise, 0);
|
|
||||||
--
|
|
||||||
2.29.2
|
|
||||||
|
|
Loading…
Reference in New Issue
Block a user