From e5f09807d872bc261225a3470a7dd38d2b5cfc30 Mon Sep 17 00:00:00 2001 From: Danny Lin Date: Tue, 12 Oct 2021 11:57:50 +0530 Subject: [PATCH] Revert "proc: cmdline: Patch SafetyNet flags" On Android 12, userspace enforces vbmeta signature verification based on the bootloader lock state, which is read from verifiedbootstate. This means that spoofing verifiedbootstate=green causes init to bail out during early boot if vbmeta doesn't pass verification: [ 9.229305] init: [libfs_avb]ERROR_VERIFICATION / PUBLIC_KEY_REJECTED isn't allowed [ 9.237357] init: Failed to open AvbHandle: No such file or directory [ 9.244103] init: Failed to setup verity for '/system': No such file or directory [ 9.252018] init: Failed to mount /system: No such file or directory [ 9.258648] init: Failed to mount required partitions early ... [ 9.264738] Kernel panic - not syncing: Attempted to kill init! exitcode=0x00007f00 Given that this workaround is no longer sufficient for passing SafetyNet anyway due to the opportunistic use of hardware-backed attestation, revert it to fix issues booting on Android 12. Stock + custom kernel: FAIL due to hardware attestation Stock + root: PASS with Universal SafetyNet Fix + MagiskHide (which sets the same props) Custom ROM with SafetyNet workarounds: PASS without custom kernel This workaround alone doesn't really help anyone pass. Signed-off-by: Danny Lin Signed-off-by: K A R T H I K
---
fs/proc/cmdline.c | 37 +------------------------------------
1 file changed, 1 insertion(+), 36 deletions(-)
diff --git a/fs/proc/cmdline.c b/fs/proc/cmdline.c
index f272eeea1efb..403cbb12a6e9 100644
--- a/fs/proc/cmdline.c
+++ b/fs/proc/cmdline.c
@@ -3,14 +3,10 @@
 #include
 #include
 #include
-#include
-
-static char new_command_line[COMMAND_LINE_SIZE];
 
 static int cmdline_proc_show(struct seq_file *m, void *v)
 {
- seq_puts(m, new_command_line);
- seq_putc(m, '\n');
+ seq_printf(m, "%s\n", saved_command_line);
 return 0;
 }
 
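Review bot: cmdline_proc_show() is restored without any comment recording why /proc/cmdline has to hand userspace the bootloader's command line unmodified, so the reason for this revert lives only in the commit message. Going by that message, Android 12 init derives its vbmeta enforcement from `androidboot.verifiedbootstate`, and a rewritten value made it reject the partitions and panic at early boot. I would put a short note above the `seq_printf(m, "%s\n", saved_command_line);` line, for example `/* Report the bootloader's command line verbatim: init's AVB setup reads androidboot.verifiedbootstate from it. */`. That also documents that the verified-boot state shown here is the real one, which is what any on-device integrity check reading this file should see.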
@@ -26,39 +22,8 @@ static const struct file_operations cmdline_proc_fops = {
 .release = single_release,
 };
 
-static void patch_flag(char *cmd, const char *flag, const char *val)
-{
- size_t flag_len, val_len;
- char *start, *end;
-
- start = strstr(cmd, flag);
- if (!start)
- return;
-
- flag_len = strlen(flag);
- val_len = strlen(val);
- end = start + flag_len + strcspn(start + flag_len, " ");
- memmove(start + flag_len + val_len, end, strlen(end) + 1);
- memcpy(start + flag_len, val, val_len);
-}
-
-static void patch_safetynet_flags(char *cmd)
-{
- patch_flag(cmd, "androidboot.verifiedbootstate=", "green");
- patch_flag(cmd, "androidboot.veritymode=", "enforcing");
- patch_flag(cmd, "androidboot.vbmeta.device_state=", "locked");
-}
-
 static int __init proc_cmdline_init(void)
 {
- strcpy(new_command_line, saved_command_line);
-
- /*
- * Patch various flags from command line seen by userspace in order to
- * pass SafetyNet checks.
- */
- patch_safetynet_flags(new_command_line);
-
 proc_create("cmdline", 0, NULL, &cmdline_proc_fops);
 return 0;
 }