diff options
| -rw-r--r-- | init/property_service.cpp | 33 |
1 files changed, 33 insertions, 0 deletions
diff --git a/init/property_service.cpp b/init/property_service.cpp index 3f71af71b..0765b3bc9 100644 --- a/init/property_service.cpp +++ b/init/property_service.cpp @@ -1336,6 +1336,7 @@ static void ProcessKernelDt() { } constexpr auto ANDROIDBOOT_PREFIX = "androidboot."sv; +constexpr auto ANDROIDBOOT_MODE = "androidboot.mode"sv; static void ProcessKernelCmdline() { ImportKernelCmdline([&](const std::string& key, const std::string& value) { @@ -1354,6 +1355,35 @@ static void ProcessBootconfig() { }); } +static void SetSafetyNetProps() { + // Check whether this is a normal boot, and whether the bootloader is actually locked + auto isNormalBoot = true; // no prop = normal boot + // This runs before keys are set as props, so we need to process them ourselves. + ImportKernelCmdline([&](const std::string& key, const std::string& value) { + if (key == ANDROIDBOOT_MODE && value != "normal") { + isNormalBoot = false; + } + }); + ImportBootconfig([&](const std::string& key, const std::string& value) { + if (key == ANDROIDBOOT_MODE && value != "normal") { + isNormalBoot = false; + } + }); + + // Bail out if this is recovery, fastbootd, or anything other than a normal boot. + // fastbootd, in particular, needs the real values so it can allow flashing on + // unlocked bootloaders. + if (!isNormalBoot) { + return; + } + + // Spoof properties + InitPropertySet("ro.boot.flash.locked", "1"); + InitPropertySet("ro.boot.verifiedbootstate", "green"); + InitPropertySet("ro.boot.veritymode", "enforcing"); + InitPropertySet("ro.boot.vbmeta.device_state", "locked"); +} + void PropertyInit() { selinux_callback cb; cb.func_audit = PropertyAuditCallback; @@ -1368,6 +1398,9 @@ void PropertyInit() { LOG(FATAL) << "Failed to load serialized property info file"; } + // Report valid verified boot chain to help pass Google SafetyNet integrity checks + SetSafetyNetProps(); + // If arguments are passed both on the command line and in DT, // properties set in DT always have priority over the command-line ones. ProcessKernelDt(); |