Diffstat (limited to 'init/property_service.cpp')
-rw-r--r--init/property_service.cpp37
1 files changed, 37 insertions, 0 deletions
diff --git a/init/property_service.cpp b/init/property_service.cpp
index b3e7bc97e..392d35c5b 100644
--- a/init/property_service.cpp
+++ b/init/property_service.cpp
@@ -73,6 +73,7 @@
#include "subcontext.h"
#include "system/core/init/property_service.pb.h"
#include "util.h"
+#include "vendor_init.h"
using namespace std::literals;
@@ -1235,6 +1236,9 @@ void PropertyLoadBootDefaults() {
}
}
+ // Update with vendor-specific property runtime overrides
+ vendor_load_properties();
+
property_initialize_ro_product_props();
property_initialize_build_id();
property_derive_build_props();
@@ -1367,6 +1371,7 @@ static void ProcessKernelDt() {
}
constexpr auto ANDROIDBOOT_PREFIX = "androidboot."sv;
+constexpr auto ANDROIDBOOT_MODE = "androidboot.mode"sv;
static void ProcessKernelCmdline() {
ImportKernelCmdline([&](const std::string& key, const std::string& value) {
@@ -1385,6 +1390,35 @@ static void ProcessBootconfig() {
});
}
+static void SetSafetyNetProps() {
+ // Check whether this is a normal boot, and whether the bootloader is actually locked
+ auto isNormalBoot = true; // no prop = normal boot
+ // This runs before keys are set as props, so we need to process them ourselves.
+ ImportKernelCmdline([&](const std::string& key, const std::string& value) {
+ if (key == ANDROIDBOOT_MODE && value != "normal") {
+ isNormalBoot = false;
+ }
+ });
+ ImportBootconfig([&](const std::string& key, const std::string& value) {
+ if (key == ANDROIDBOOT_MODE && value != "normal") {
+ isNormalBoot = false;
+ }
+ });
+
+ // Bail out if this is recovery, fastbootd, or anything other than a normal boot.
+ // fastbootd, in particular, needs the real values so it can allow flashing on
+ // unlocked bootloaders.
+ if (!isNormalBoot) {
+ return;
+ }
+
+ // Spoof properties
+ InitPropertySet("ro.boot.flash.locked", "1");
+ InitPropertySet("ro.boot.verifiedbootstate", "green");
+ InitPropertySet("ro.boot.veritymode", "enforcing");
+ InitPropertySet("ro.boot.vbmeta.device_state", "locked");
+}
+
void PropertyInit() {
selinux_callback cb;
cb.func_audit = PropertyAuditCallback;
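Review bot: The opening comment of SetSafetyNetProps says it checks "whether the bootloader is actually locked", but nothing in the function reads the lock state. Whenever `androidboot.mode` is absent or "normal", it writes fixed locked/green/enforcing values into the four `ro.boot.*` properties. From then on those properties no longer describe the real verified-boot state, so any on-device component, log or diagnostic that reads them is told the chain is verified whether or not it is. The comment should say so, e.g. `// Check whether this is a normal boot; the real bootloader lock state is never read here`. The two lambdas passed to ImportKernelCmdline and ImportBootconfig are identical and could be one named lambda passed to both. PropertyInit, which begins at the end of this hunk, continues outside it.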
@@ -1399,6 +1433,9 @@ void PropertyInit() {
LOG(FATAL) << "Failed to load serialized property info file";
}
+ // Report valid verified boot chain to help pass Google SafetyNet integrity checks
+ SetSafetyNetProps();
+
// If arguments are passed both on the command line and in DT,
// properties set in DT always have priority over the command-line ones.
ProcessKernelDt();
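Review bot: The comment above the new `SetSafetyNetProps();` call does not record that the call's position matters. It runs before ProcessKernelDt() and, judging by the existing comment below it, before the command-line import. `ro.*` properties are presumably write-once, so the bootloader-reported values for these four keys would then be rejected, likely with a logged error for each key. I would put that in the comment, e.g. `// Must stay ahead of ProcessKernelDt(): ro.boot.* is write-once, so bootloader-reported values for these keys are dropped after this call`. PropertyInit's body starts before this hunk and continues past it.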