From 39a89da404eda2310fac980e3075158752ee97a8 Mon Sep 17 00:00:00 2001
From: Daniel Micay
Date: Fri, 27 Sep 2024 04:37:20 -0400
Subject: [PATCH] drop support for obsolete deny new USB setting

This was replaced by our newer generation USB-C port and pogo pins. The software USB enforcement was extended to USB gadget mode in addition to USB peripherals and the feature is now mainly based on hardware level enforcement for USB-C and pogo pins eliminating far more attack surface. Checking the value of the new setting will require creating an SELinux domain for Auditor to allow it to read the new property.
---
 .../auditor/AttestationProtocol.java | 18 +++---------------
 app/src/main/res/values/strings.xml | 1 -
 2 files changed, 3 insertions(+), 16 deletions(-)
diff --git a/app/src/main/java/app/attestation/auditor/AttestationProtocol.java b/app/src/main/java/app/attestation/auditor/AttestationProtocol.java
index 293e7d57..1753fc08 100644
--- a/app/src/main/java/app/attestation/auditor/AttestationProtocol.java
+++ b/app/src/main/java/app/attestation/auditor/AttestationProtocol.java
@@ -204,7 +204,7 @@ class AttestationProtocol {
 private static final int OS_ENFORCED_FLAGS_ADB_ENABLED = 1 << 3;
 private static final int OS_ENFORCED_FLAGS_ADD_USERS_WHEN_LOCKED = 1 << 4;
 private static final int OS_ENFORCED_FLAGS_ENROLLED_BIOMETRICS = 1 << 5;
- private static final int OS_ENFORCED_FLAGS_DENY_NEW_USB = 1 << 6;
+ private static final int OS_ENFORCED_FLAGS_DENY_NEW_USB = 1 << 6; // obsolete since version 86
 private static final int OS_ENFORCED_FLAGS_DEVICE_ADMIN_NON_SYSTEM = 1 << 7;
 private static final int OS_ENFORCED_FLAGS_OEM_UNLOCK_ALLOWED = 1 << 8;
 private static final int OS_ENFORCED_FLAGS_SYSTEM_USER = 1 << 9;
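Review bot: The new trailing comment on `OS_ENFORCED_FLAGS_DENY_NEW_USB` reads only `// obsolete since version 86`, which leaves the next reader to guess whether "version" is the Auditee app version or a wire-format version, and whether the constant survives deliberately so that bit 6 is never reassigned. Since nothing else in this patch references the constant any more, the comment should carry that reason, e.g. `// obsolete since app version 86; kept so bit 6 is never reused for a new meaning` (adjust "app version" if the number refers to something else). Whether older Auditee builds are still expected to set this bit cannot be told from this hunk; a pointer to wherever that compatibility is handled would help.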
@@ -215,7 +215,6 @@ class AttestationProtocol {
 OS_ENFORCED_FLAGS_ADB_ENABLED |
 OS_ENFORCED_FLAGS_ADD_USERS_WHEN_LOCKED |
 OS_ENFORCED_FLAGS_ENROLLED_BIOMETRICS |
- OS_ENFORCED_FLAGS_DENY_NEW_USB |
 OS_ENFORCED_FLAGS_DEVICE_ADMIN_NON_SYSTEM |
 OS_ENFORCED_FLAGS_OEM_UNLOCK_ALLOWED |
 OS_ENFORCED_FLAGS_SYSTEM_USER;
@@ -951,7 +950,7 @@ private static VerificationResult verify(final Context context, final byte[] fin
 final boolean accessibility, final boolean deviceAdmin, final boolean deviceAdminNonSystem, final boolean adbEnabled, final boolean addUsersWhenLocked, final boolean enrolledBiometrics,
- final boolean denyNewUsb, final boolean oemUnlockAllowed, final boolean systemUser)
+ final boolean oemUnlockAllowed, final boolean systemUser)
 throws GeneralSecurityException, IOException {
 final String fingerprintHex = BaseEncoding.base16().encode(fingerprint);
 final byte[] currentFingerprint = getFingerprint(attestationCertificates[0]);
@@ -1122,8 +1121,6 @@ private static VerificationResult verify(final Context context, final byte[] fin
 toYesNoString(context, adbEnabled)));
 osEnforced.append(context.getString(R.string.add_users_when_locked,
 toYesNoString(context, addUsersWhenLocked)));
- osEnforced.append(context.getString(R.string.deny_new_usb,
- toYesNoString(context, denyNewUsb)));
 osEnforced.append(context.getString(R.string.oem_unlock_allowed,
 toYesNoString(context, oemUnlockAllowed)));
 osEnforced.append(context.getString(R.string.system_user,
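Review bot: Dropping `OS_ENFORCED_FLAGS_DENY_NEW_USB` from the `OS_ENFORCED_FLAGS_ALL` mask changes which serialized flag words count as well-formed, and an Auditee running a build older than the version named in the constant's comment will still set bit 6. Whether that now yields a warning, a rejected attestation or is silently ignored depends on how `verifySerialized` treats bits outside the mask, which is not in this hunk; if old peers are meant to be tolerated, leaving the bit in the mask (accepted but never read) is the safer choice, and if the newer version is meant to be required, that minimum should be enforced and documented wherever the version is checked. The mask expression this hunk edits starts before the hunk.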
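Review bot: Removing `denyNewUsb` from the middle of a run of same-typed `final boolean` parameters of `verify` leaves a purely positional interface in which a caller that passes two of the remaining booleans in the wrong order still compiles; the updated call in `verifySerialized` later in this patch is the only thing keeping them aligned. A small holder for the named OS-enforced booleans (a static nested final class is enough), or passing `osEnforcedFlags` and decoding it inside `verify`, would let the compiler catch such a swap. `verify` begins before this hunk; only its parameter list is visible here.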
@@ -1219,7 +1216,6 @@ static VerificationResult verifySerialized(final Context context, final byte[] a
 final boolean adbEnabled = (osEnforcedFlags & OS_ENFORCED_FLAGS_ADB_ENABLED) != 0;
 final boolean addUsersWhenLocked = (osEnforcedFlags & OS_ENFORCED_FLAGS_ADD_USERS_WHEN_LOCKED) != 0;
 final boolean enrolledBiometrics = (osEnforcedFlags & OS_ENFORCED_FLAGS_ENROLLED_BIOMETRICS) != 0;
- final boolean denyNewUsb = (osEnforcedFlags & OS_ENFORCED_FLAGS_DENY_NEW_USB) != 0;
 final boolean oemUnlockAllowed = (osEnforcedFlags & OS_ENFORCED_FLAGS_OEM_UNLOCK_ALLOWED) != 0;
 final boolean systemUser = (osEnforcedFlags & OS_ENFORCED_FLAGS_SYSTEM_USER) != 0;
@@ -1237,8 +1233,7 @@ static VerificationResult verifySerialized(final Context context, final byte[] a
 final byte[] challenge = Arrays.copyOfRange(challengeMessage, 1 + RANDOM_TOKEN_LENGTH, 1 + RANDOM_TOKEN_LENGTH * 2);
 return verify(context, fingerprint, challenge, deserializer.asReadOnlyBuffer(), signature, certificates, userProfileSecure, accessibility, deviceAdmin, deviceAdminNonSystem,
- adbEnabled, addUsersWhenLocked, enrolledBiometrics, denyNewUsb, oemUnlockAllowed,
- systemUser);
+ adbEnabled, addUsersWhenLocked, enrolledBiometrics, oemUnlockAllowed, systemUser);
 }
 static class AttestationResult {
@@ -1433,10 +1428,6 @@ static AttestationResult generateSerialized(final Context context, final byte[]
 final boolean addUsersWhenLocked = Settings.Global.getInt(context.getContentResolver(), ADD_USERS_WHEN_LOCKED, 0) != 0;
- final String denyNewUsbValue =
- SystemProperties.get("persist.security.deny_new_usb", "disabled");
- final boolean denyNewUsb = !denyNewUsbValue.equals("disabled");
-
 final String oemUnlockAllowedValue = SystemProperties.get("sys.oem_unlock_allowed", "0");
 final boolean oemUnlockAllowed = oemUnlockAllowedValue.equals("1");
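Review bot: With `generateSerialized` no longer setting bit 6 (the `@@ -1433` hunk), an Auditor build that predates this change will decode the flag as clear and render its still-present "Deny new USB peripherals when locked" line as "no" for a fully up-to-date Auditee, which reads as a weaker posture than the device actually has. If older Auditor builds are expected to keep verifying newer Auditees, that deserves a release note or, if the serialized format carries a version the verifier checks (not visible in this hunk), a bump that makes the mismatch explicit rather than cosmetic. `generateSerialized` starts before the hunk and continues past it.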
@@ -1487,9 +1478,6 @@ static AttestationResult generateSerialized(final Context context, final byte[]
 if (enrolledBiometrics) {
 osEnforcedFlags |= OS_ENFORCED_FLAGS_ENROLLED_BIOMETRICS;
 }
- if (denyNewUsb) {
- osEnforcedFlags |= OS_ENFORCED_FLAGS_DENY_NEW_USB;
- }
 if (oemUnlockAllowed) {
 osEnforcedFlags |= OS_ENFORCED_FLAGS_OEM_UNLOCK_ALLOWED;
 }
diff --git a/app/src/main/res/values/strings.xml b/app/src/main/res/values/strings.xml
index 9f6b2f49..a7aa8435 100644
--- a/app/src/main/res/values/strings.xml
+++ b/app/src/main/res/values/strings.xml
@@ -84,7 +84,6 @@ yes, with non-system apps
 Android Debug Bridge enabled: %s\n
 Add users from lock screen: %s\n
- Deny new USB peripherals when locked: %s\n
 OEM unlocking allowed: %s\n
 Main user account: %s\n