Skip to content

Commit

Permalink
drop support for obsolete deny new USB setting
Browse files Browse the repository at this point in the history
This was replaced by our newer generation USB-C port and pogo pins. The
software USB enforcement was extended to USB gadget mode in addition to
USB peripherals and the feature is now mainly based on hardware level
enforcement for USB-C and pogo pins eliminating far more attack surface.

Checking the value of the new setting will require creating an SELinux
domain for Auditor to allow it to read the new property.
  • Loading branch information
thestinger committed Sep 27, 2024
1 parent 4d62bb9 commit 39a89da
Show file tree
Hide file tree
Showing 2 changed files with 3 additions and 16 deletions.
18 changes: 3 additions & 15 deletions app/src/main/java/app/attestation/auditor/AttestationProtocol.java
Original file line number Diff line number Diff line change
Expand Up @@ -204,7 +204,7 @@ class AttestationProtocol {
private static final int OS_ENFORCED_FLAGS_ADB_ENABLED = 1 << 3;
private static final int OS_ENFORCED_FLAGS_ADD_USERS_WHEN_LOCKED = 1 << 4;
private static final int OS_ENFORCED_FLAGS_ENROLLED_BIOMETRICS = 1 << 5;
private static final int OS_ENFORCED_FLAGS_DENY_NEW_USB = 1 << 6;
private static final int OS_ENFORCED_FLAGS_DENY_NEW_USB = 1 << 6; // obsolete since version 86
private static final int OS_ENFORCED_FLAGS_DEVICE_ADMIN_NON_SYSTEM = 1 << 7;
private static final int OS_ENFORCED_FLAGS_OEM_UNLOCK_ALLOWED = 1 << 8;
private static final int OS_ENFORCED_FLAGS_SYSTEM_USER = 1 << 9;
Expand All @@ -215,7 +215,6 @@ class AttestationProtocol {
OS_ENFORCED_FLAGS_ADB_ENABLED |
OS_ENFORCED_FLAGS_ADD_USERS_WHEN_LOCKED |
OS_ENFORCED_FLAGS_ENROLLED_BIOMETRICS |
OS_ENFORCED_FLAGS_DENY_NEW_USB |
OS_ENFORCED_FLAGS_DEVICE_ADMIN_NON_SYSTEM |
OS_ENFORCED_FLAGS_OEM_UNLOCK_ALLOWED |
OS_ENFORCED_FLAGS_SYSTEM_USER;
Expand Down Expand Up @@ -951,7 +950,7 @@ private static VerificationResult verify(final Context context, final byte[] fin
final boolean accessibility, final boolean deviceAdmin,
final boolean deviceAdminNonSystem, final boolean adbEnabled,
final boolean addUsersWhenLocked, final boolean enrolledBiometrics,
final boolean denyNewUsb, final boolean oemUnlockAllowed, final boolean systemUser)
final boolean oemUnlockAllowed, final boolean systemUser)
throws GeneralSecurityException, IOException {
final String fingerprintHex = BaseEncoding.base16().encode(fingerprint);
final byte[] currentFingerprint = getFingerprint(attestationCertificates[0]);
Expand Down Expand Up @@ -1122,8 +1121,6 @@ private static VerificationResult verify(final Context context, final byte[] fin
toYesNoString(context, adbEnabled)));
osEnforced.append(context.getString(R.string.add_users_when_locked,
toYesNoString(context, addUsersWhenLocked)));
osEnforced.append(context.getString(R.string.deny_new_usb,
toYesNoString(context, denyNewUsb)));
osEnforced.append(context.getString(R.string.oem_unlock_allowed,
toYesNoString(context, oemUnlockAllowed)));
osEnforced.append(context.getString(R.string.system_user,
Expand Down Expand Up @@ -1219,7 +1216,6 @@ static VerificationResult verifySerialized(final Context context, final byte[] a
final boolean adbEnabled = (osEnforcedFlags & OS_ENFORCED_FLAGS_ADB_ENABLED) != 0;
final boolean addUsersWhenLocked = (osEnforcedFlags & OS_ENFORCED_FLAGS_ADD_USERS_WHEN_LOCKED) != 0;
final boolean enrolledBiometrics = (osEnforcedFlags & OS_ENFORCED_FLAGS_ENROLLED_BIOMETRICS) != 0;
final boolean denyNewUsb = (osEnforcedFlags & OS_ENFORCED_FLAGS_DENY_NEW_USB) != 0;
final boolean oemUnlockAllowed = (osEnforcedFlags & OS_ENFORCED_FLAGS_OEM_UNLOCK_ALLOWED) != 0;
final boolean systemUser = (osEnforcedFlags & OS_ENFORCED_FLAGS_SYSTEM_USER) != 0;

Expand All @@ -1237,8 +1233,7 @@ static VerificationResult verifySerialized(final Context context, final byte[] a
final byte[] challenge = Arrays.copyOfRange(challengeMessage, 1 + RANDOM_TOKEN_LENGTH, 1 + RANDOM_TOKEN_LENGTH * 2);
return verify(context, fingerprint, challenge, deserializer.asReadOnlyBuffer(), signature,
certificates, userProfileSecure, accessibility, deviceAdmin, deviceAdminNonSystem,
adbEnabled, addUsersWhenLocked, enrolledBiometrics, denyNewUsb, oemUnlockAllowed,
systemUser);
adbEnabled, addUsersWhenLocked, enrolledBiometrics, oemUnlockAllowed, systemUser);
}

static class AttestationResult {
Expand Down Expand Up @@ -1433,10 +1428,6 @@ static AttestationResult generateSerialized(final Context context, final byte[]
final boolean addUsersWhenLocked = Settings.Global.getInt(context.getContentResolver(),
ADD_USERS_WHEN_LOCKED, 0) != 0;

final String denyNewUsbValue =
SystemProperties.get("persist.security.deny_new_usb", "disabled");
final boolean denyNewUsb = !denyNewUsbValue.equals("disabled");

final String oemUnlockAllowedValue = SystemProperties.get("sys.oem_unlock_allowed", "0");
final boolean oemUnlockAllowed = oemUnlockAllowedValue.equals("1");

Expand Down Expand Up @@ -1487,9 +1478,6 @@ static AttestationResult generateSerialized(final Context context, final byte[]
if (enrolledBiometrics) {
osEnforcedFlags |= OS_ENFORCED_FLAGS_ENROLLED_BIOMETRICS;
}
if (denyNewUsb) {
osEnforcedFlags |= OS_ENFORCED_FLAGS_DENY_NEW_USB;
}
if (oemUnlockAllowed) {
osEnforcedFlags |= OS_ENFORCED_FLAGS_OEM_UNLOCK_ALLOWED;
}
Expand Down
1 change: 0 additions & 1 deletion app/src/main/res/values/strings.xml
Original file line number Diff line number Diff line change
Expand Up @@ -84,7 +84,6 @@
<string name="device_admin_non_system">yes, with non-system apps</string>
<string name="adb_enabled">Android Debug Bridge enabled: %s\n</string>
<string name="add_users_when_locked">Add users from lock screen: %s\n</string>
<string name="deny_new_usb">Deny new USB peripherals when locked: %s\n</string>
<string name="oem_unlock_allowed">OEM unlocking allowed: %s\n</string>
<string name="system_user">Main user account: %s\n</string>

Expand Down

0 comments on commit 39a89da

Please sign in to comment.