From c8ae322f05338f46a9ddbfbb375cd3a45e48df49 Mon Sep 17 00:00:00 2001
From: althafvly
Date: Wed, 12 Jun 2024 21:03:16 +0530
Subject: [PATCH] ih8sn: Remove security patch
---
 ...ey-attestation-for-Google-Play-Servi.patch | 61 -------------------
 patches/patch.sh | 1 -
 2 files changed, 62 deletions(-)
 delete mode 100644 patches/0001-keystore-Block-key-attestation-for-Google-Play-Servi.patch
diff --git a/patches/0001-keystore-Block-key-attestation-for-Google-Play-Servi.patch b/patches/0001-keystore-Block-key-attestation-for-Google-Play-Servi.patch
deleted file mode 100644
index 07547e3..0000000
--- a/patches/0001-keystore-Block-key-attestation-for-Google-Play-Servi.patch
+++ /dev/null
@@ -1,61 +0,0 @@
-From 3c82d84a311d2046f4cf755c8051efc91e039832 Mon Sep 17 00:00:00 2001
-From: althafvly
-Date: Fri, 14 Apr 2023 23:30:40 +0530
-Subject: [PATCH] keystore: Block key attestation for Google Play Services
-
-In order to enforce SafetyNet security, Google Play Services is now
-using hardware attestation for ctsProfile validation in all cases, even
-when basic attestation is selected. The SafetyNet API response from GMS
-will report that basic attestation was used, but under the hood,
-hardware attestation is always used regardless of the reported state.
-This results in SafetyNet failing to pass due to TrustZone reporting an
-unlocked bootloader (and a partially invalidated root of trust) in the
-key attestation result.
-
-We can still take advantage of the fact that this usage of hardware
-attestation is opportunistic - that is, it falls back to basic
-attestation if key attestation fails to run - and prevent GMS from using
-key attestation at the framework level. This causes it to gracefully
-fall back to basic attestation and pass SafetyNet with an unlocked
-bootloader.
-
-Key attestation is still available for other apps, as there are valid
-uses for it that do not involve SafetyNet.
-
-The "not implemented" error code from keymaster is used to simulate the
-most realistic failure condition to evade detection, i.e. an old device
-that lacks support for key attestation.
-
-Co-authored-by: Danny Lin
-Change-Id: I0dc569a109f229454271d760e70f9e5618afc481
----
- keystore/keystore_attestation_id.cpp | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/keystore/keystore_attestation_id.cpp b/keystore/keystore_attestation_id.cpp
-index ccd3808..6fe0d75 100644
---- a/keystore/keystore_attestation_id.cpp
-+++ b/keystore/keystore_attestation_id.cpp
-@@ -35,6 +35,8 @@
- #include
- #include
-
-+#include
-+
- #include /* for AID_SYSTEM */
-
- #include
-@@ -210,6 +212,10 @@ build_attestation_application_id(const KeyAttestationApplicationId& key_attestat
- return BAD_VALUE;
- }
- std::string package_name(String8(*pinfo->package_name()).string());
-+ // Prevent Google Play Services from using key attestation for SafetyNet
-+ if (package_name == "com.google.android.gms") {
-+ return KM_ERROR_UNIMPLEMENTED;
-+ }
- std::unique_ptr attestation_package_info;
- auto rc = build_attestation_package_info(*pinfo, &attestation_package_info);
- if (rc != NO_ERROR) {
---
-2.34.1
-
diff --git a/patches/patch.sh b/patches/patch.sh
index 28f8ca6..50d1062 100755
--- a/patches/patch.sh
+++ b/patches/patch.sh
@@ -38,6 +38,5 @@ apply_patch() {
 echo -e "${GREEN}.................${NOCOLOR}"
 }
-apply_patch system/security 0001-keystore-Block-key-attestation-for-Google-Play-Servi.patch
 apply_patch frameworks/base 0001-base-Block-key-attestation-for-SafetyNet.patch