From ac78d7f24008b7c4cd3acea3a67b54a8b45522eb Mon Sep 17 00:00:00 2001
From: Daniel Micay
Date: Fri, 27 Sep 2024 04:37:20 -0400
Subject: [PATCH] drop support for obsolete deny new USB setting

This was replaced by our newer generation USB-C port and pogo pins. The software USB enforcement was extended to USB gadget mode in addition to USB peripherals and the feature is now mainly based on hardware level enforcement for USB-C and pogo pins eliminating far more attack surface. Checking the value of the new setting will require creating an SELinux policy for Auditor to allow it to read the new property.
---
 .../auditor/AttestationProtocol.java | 18 +++---------------
 app/src/main/res/values/strings.xml | 1 -
 2 files changed, 3 insertions(+), 16 deletions(-)
diff --git a/app/src/main/java/app/attestation/auditor/AttestationProtocol.java b/app/src/main/java/app/attestation/auditor/AttestationProtocol.java
index 293e7d57..0a62079d 100644
--- a/app/src/main/java/app/attestation/auditor/AttestationProtocol.java
+++ b/app/src/main/java/app/attestation/auditor/AttestationProtocol.java
@@ -204,7 +204,7 @@ class AttestationProtocol {
 private static final int OS_ENFORCED_FLAGS_ADB_ENABLED = 1 << 3;
 private static final int OS_ENFORCED_FLAGS_ADD_USERS_WHEN_LOCKED = 1 << 4;
 private static final int OS_ENFORCED_FLAGS_ENROLLED_BIOMETRICS = 1 << 5;
- private static final int OS_ENFORCED_FLAGS_DENY_NEW_USB = 1 << 6;
+ private static final int OS_ENFORCED_FLAGS_DENY_NEW_USB = 1 << 6; // obsolete
 private static final int OS_ENFORCED_FLAGS_DEVICE_ADMIN_NON_SYSTEM = 1 << 7;
 private static final int OS_ENFORCED_FLAGS_OEM_UNLOCK_ALLOWED = 1 << 8;
 private static final int OS_ENFORCED_FLAGS_SYSTEM_USER = 1 << 9;
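Review bot: The `// obsolete` comment on `OS_ENFORCED_FLAGS_DENY_NEW_USB` should say why the constant is kept now that nothing in this file reads it: the bit is part of the serialized osEnforcedFlags format, attestations produced by Auditee builds before this change still set it (the code removed in the hunk at -1487 did so), and bit 6 must not be reused for a new flag. Suggest `// obsolete: bit 6 stays reserved; older clients still set it and the verifier now ignores it`. The next hunk (-215) also drops the bit from the combined flags constant whose name is outside the hunk; if that constant is used to reject attestations carrying unrecognized bits, a device running an older Auditee would now fail verification outright rather than just lose one line in the report. I cannot see how that constant is used from here, so please either confirm the rejection is intended or keep the bit in the mask.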
@@ -215,7 +215,6 @@ class AttestationProtocol {
 OS_ENFORCED_FLAGS_ADB_ENABLED |
 OS_ENFORCED_FLAGS_ADD_USERS_WHEN_LOCKED |
 OS_ENFORCED_FLAGS_ENROLLED_BIOMETRICS |
- OS_ENFORCED_FLAGS_DENY_NEW_USB |
 OS_ENFORCED_FLAGS_DEVICE_ADMIN_NON_SYSTEM |
 OS_ENFORCED_FLAGS_OEM_UNLOCK_ALLOWED |
 OS_ENFORCED_FLAGS_SYSTEM_USER;
@@ -951,7 +950,7 @@ private static VerificationResult verify(final Context context, final byte[] fin
 final boolean accessibility, final boolean deviceAdmin, final boolean deviceAdminNonSystem, final boolean adbEnabled, final boolean addUsersWhenLocked, final boolean enrolledBiometrics,
- final boolean denyNewUsb, final boolean oemUnlockAllowed, final boolean systemUser)
+ final boolean oemUnlockAllowed, final boolean systemUser)
 throws GeneralSecurityException, IOException {
 final String fingerprintHex = BaseEncoding.base16().encode(fingerprint);
 final byte[] currentFingerprint = getFingerprint(attestationCertificates[0]);
@@ -1122,8 +1121,6 @@ private static VerificationResult verify(final Context context, final byte[] fin
 toYesNoString(context, adbEnabled)));
 osEnforced.append(context.getString(R.string.add_users_when_locked,
 toYesNoString(context, addUsersWhenLocked)));
- osEnforced.append(context.getString(R.string.deny_new_usb,
- toYesNoString(context, denyNewUsb)));
 osEnforced.append(context.getString(R.string.oem_unlock_allowed,
 toYesNoString(context, oemUnlockAllowed)));
 osEnforced.append(context.getString(R.string.system_user,
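Review bot: Removing `denyNewUsb` from the middle of verify()'s parameter list (hunk -951) leaves nine consecutive `final boolean` parameters, and the matching call in hunk -1237 is edited by hand in lockstep; the compiler checks arity but not order, so a transposition there (say oemUnlockAllowed and systemUser) would compile and silently swap which flag each report line shows. verify() has no Javadoc visible in the hunk; a `@param` list naming each flag in order, or grouping the OS-enforced booleans into a small holder type so the call site uses named fields, would make future removals like this one safer. verify()'s signature begins outside the hunk, so the parameters ahead of accessibility are not visible here.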
@@ -1219,7 +1216,6 @@ static VerificationResult verifySerialized(final Context context, final byte[] a
 final boolean adbEnabled = (osEnforcedFlags & OS_ENFORCED_FLAGS_ADB_ENABLED) != 0;
 final boolean addUsersWhenLocked = (osEnforcedFlags & OS_ENFORCED_FLAGS_ADD_USERS_WHEN_LOCKED) != 0;
 final boolean enrolledBiometrics = (osEnforcedFlags & OS_ENFORCED_FLAGS_ENROLLED_BIOMETRICS) != 0;
- final boolean denyNewUsb = (osEnforcedFlags & OS_ENFORCED_FLAGS_DENY_NEW_USB) != 0;
 final boolean oemUnlockAllowed = (osEnforcedFlags & OS_ENFORCED_FLAGS_OEM_UNLOCK_ALLOWED) != 0;
 final boolean systemUser = (osEnforcedFlags & OS_ENFORCED_FLAGS_SYSTEM_USER) != 0;
@@ -1237,8 +1233,7 @@ static VerificationResult verifySerialized(final Context context, final byte[] a
 final byte[] challenge = Arrays.copyOfRange(challengeMessage, 1 + RANDOM_TOKEN_LENGTH, 1 + RANDOM_TOKEN_LENGTH * 2);
 return verify(context, fingerprint, challenge, deserializer.asReadOnlyBuffer(), signature, certificates, userProfileSecure, accessibility, deviceAdmin, deviceAdminNonSystem,
- adbEnabled, addUsersWhenLocked, enrolledBiometrics, denyNewUsb, oemUnlockAllowed,
- systemUser);
+ adbEnabled, addUsersWhenLocked, enrolledBiometrics, oemUnlockAllowed, systemUser);
 }
 static class AttestationResult {
@@ -1433,10 +1428,6 @@ static AttestationResult generateSerialized(final Context context, final byte[]
 final boolean addUsersWhenLocked = Settings.Global.getInt(context.getContentResolver(), ADD_USERS_WHEN_LOCKED, 0) != 0;
- final String denyNewUsbValue =
- SystemProperties.get("persist.security.deny_new_usb", "disabled");
- final boolean denyNewUsb = !denyNewUsbValue.equals("disabled");
-
 final String oemUnlockAllowedValue = SystemProperties.get("sys.oem_unlock_allowed", "0");
 final boolean oemUnlockAllowed = oemUnlockAllowedValue.equals("1");
@@ -1487,9 +1478,6 @@ static AttestationResult generateSerialized(final Context context, final byte[]
 if (enrolledBiometrics) {
 osEnforcedFlags |= OS_ENFORCED_FLAGS_ENROLLED_BIOMETRICS;
 }
- if (denyNewUsb) {
- osEnforcedFlags |= OS_ENFORCED_FLAGS_DENY_NEW_USB;
- }
 if (oemUnlockAllowed) {
 osEnforcedFlags |= OS_ENFORCED_FLAGS_OEM_UNLOCK_ALLOWED;
 }
diff --git a/app/src/main/res/values/strings.xml b/app/src/main/res/values/strings.xml
index 9f6b2f49..a7aa8435 100644
--- a/app/src/main/res/values/strings.xml
+++ b/app/src/main/res/values/strings.xml
@@ -84,7 +84,6 @@ yes, with non-system apps
 Android Debug Bridge enabled: %s\n
 Add users from lock screen: %s\n
- Deny new USB peripherals when locked: %s\n
 OEM unlocking allowed: %s\n
 Main user account: %s\n