From 4abd4bb24d0eae3945fbd8d8efc0419ad4644049 Mon Sep 17 00:00:00 2001
From: Danny Lin <danny@kdrag0n.dev>
Date: Wed, 7 Oct 2020 00:24:54 -0700
Subject: [PATCH] init: Set properties to make SafetyNet pass

Google's SafetyNet integrity checks will check the values of these
properties when performing basic attestation. Setting fake values helps
us pass basic SafetyNet with no Magisk Hide or kernel patches necessary.

Note that these properties need to be set very early, before parsing the
kernel command-line, as they are read-only properties that the bootloader
sets using androidboot kernel arguments. The bootloader's real values
cause SafetyNet to fail with an unlocked bootloader and/or custom
software because the verified boot chain is broken in that case.

Change-Id: I66d23fd91d82906b00d5eb020668f01ae83ec31f
---
 init/property_service.cpp | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/init/property_service.cpp b/init/property_service.cpp
index 65e9cda1cc..e47ba30a67 100644
--- a/init/property_service.cpp
+++ b/init/property_service.cpp
@@ -98,6 +98,7 @@ static int init_socket = -1;
 static PropertyInfoAreaFile property_info_area;
 
 void CreateSerializedPropertyInfo();
+static void SetSafetyNetProps();
 
 struct PropertyAuditData {
     const ucred* cr;
@@ -130,6 +131,12 @@ void property_init() {
     if (!property_info_area.LoadDefaultPath()) {
         LOG(FATAL) << "Failed to load serialized property info file";
     }
+
+    // Report a valid verified boot chain to make Google SafetyNet integrity
+    // checks pass. This needs to be done before parsing the kernel cmdline as
+    // these properties are read-only and will be set to invalid values with
+    // androidboot cmdline arguments.
+    SetSafetyNetProps();
 }
 
 bool CanReadProperty(const std::string& source_context, const std::string& name) {
@@ -544,6 +551,13 @@ uint32_t InitPropertySet(const std::string& name, const std::string& value) {
     return result;
 }
 
+static void SetSafetyNetProps() {
+    InitPropertySet("ro.boot.flash.locked", "1");
+    InitPropertySet("ro.boot.verifiedbootstate", "green");
+    InitPropertySet("ro.boot.veritymode", "enforcing");
+    InitPropertySet("ro.boot.vbmeta.device_state", "locked");
+}
+
 uint32_t (*property_set)(const std::string& name, const std::string& value) = InitPropertySet;
 
 static void handle_property_set_fd() {
-- 
GitLab