diff --git a/patches_platform/frameworks_base/0016-keystore-Block-key-attestation-for-SafetyNet.patch b/patches_platform/frameworks_base/0016-keystore-Block-key-attestation-for-SafetyNet.patch deleted file mode 100644 index c0ecee3..0000000 --- a/patches_platform/frameworks_base/0016-keystore-Block-key-attestation-for-SafetyNet.patch +++ /dev/null @@ -1,93 +0,0 @@ -From dc4bd0f140c6946e01e0a3c31bfc71c884138981 Mon Sep 17 00:00:00 2001 -From: Danny Lin -Date: Mon, 11 Oct 2021 20:00:44 -0700 -Subject: [PATCH 16/22] keystore: Block key attestation for SafetyNet - -SafetyNet (part of Google Play Services) opportunistically uses -hardware-backed key attestation via KeyStore as a strong integrity -check. This causes SafetyNet to fail on custom ROMs because the verified -boot key and bootloader unlock state can be detected from attestation -certificates. - -As a workaround, we can take advantage of the fact that SafetyNet's -usage of key attestation is opportunistic (i.e. falls back to basic -integrity checks if it fails) and prevent it from getting the -attestation certificate chain from KeyStore. This is done by checking -the stack for DroidGuard, which is the codename for SafetyNet, and -pretending that the device doesn't support key attestation. - -Key attestation has only been blocked for SafetyNet specifically, as -Google Play Services and other apps have many valid reasons to use it. -For example, it appears to be involved in Google's mobile security key -ferature. - -Change-Id: I5146439d47f42dc6231cb45c4dab9f61540056f6 ---- - .../internal/gmscompat/AttestationHooks.java | 15 +++++++++++++++ - .../security/keystore2/AndroidKeyStoreSpi.java | 3 +++ - 2 files changed, 18 insertions(+) - -diff --git a/core/java/com/android/internal/gmscompat/AttestationHooks.java b/core/java/com/android/internal/gmscompat/AttestationHooks.java -index 55db97dc28a1..f2c85c82821f 100644 ---- a/core/java/com/android/internal/gmscompat/AttestationHooks.java -+++ b/core/java/com/android/internal/gmscompat/AttestationHooks.java -@@ -22,12 +22,14 @@ import android.os.SystemProperties; - import android.util.Log; - - import java.lang.reflect.Field; -+import java.util.Arrays; - - /** @hide */ - public final class AttestationHooks { - private static final String TAG = "GmsCompat/Attestation"; - - private static final String PACKAGE_GMS = "com.google.android.gms"; -+ private static volatile boolean sIsGms = false; - - private AttestationHooks() { } - -@@ -54,7 +56,20 @@ public final class AttestationHooks { - - public static void initApplicationBeforeOnCreate(Application app) { - if (PACKAGE_GMS.equals(app.getPackageName())) { -+ sIsGms = true; - spoofBuildGms(); - } - } -+ -+ private static boolean isCallerSafetyNet() { -+ return Arrays.stream(Thread.currentThread().getStackTrace()) -+ .anyMatch(elem -> elem.getClassName().contains("DroidGuard")); -+ } -+ -+ public static void onEngineGetCertificateChain() { -+ // Check stack for SafetyNet -+ if (sIsGms && isCallerSafetyNet()) { -+ throw new UnsupportedOperationException(); -+ } -+ } - } -diff --git a/keystore/java/android/security/keystore2/AndroidKeyStoreSpi.java b/keystore/java/android/security/keystore2/AndroidKeyStoreSpi.java -index 33411e1ec5b9..133a4094d434 100644 ---- a/keystore/java/android/security/keystore2/AndroidKeyStoreSpi.java -+++ b/keystore/java/android/security/keystore2/AndroidKeyStoreSpi.java -@@ -42,6 +42,7 @@ import android.system.keystore2.ResponseCode; - import android.util.Log; - - import com.android.internal.annotations.VisibleForTesting; -+import com.android.internal.gmscompat.AttestationHooks; - - import java.io.ByteArrayInputStream; - import java.io.IOException; -@@ -164,6 +165,8 @@ public class AndroidKeyStoreSpi extends KeyStoreSpi { - - @Override - public Certificate[] engineGetCertificateChain(String alias) { -+ AttestationHooks.onEngineGetCertificateChain(); -+ - KeyEntryResponse response = getKeyMetadata(alias); - - if (response == null || response.metadata.certificate == null) { --- -2.34.1 -