From 44b7b14b23cd9e5ab07bd2310133d4d1b07b6060 Mon Sep 17 00:00:00 2001
From: Jonathan Klee
Date: Wed, 5 Jan 2022 09:58:10 +0000
Subject: [PATCH 1/2] Update .gitlab-ci.yml file
---
 .gitlab-ci.yml | 7 +++++++
 1 file changed, 7 insertions(+)
 create mode 100644 .gitlab-ci.yml
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
new file mode 100644
index 0000000000..a2711862ab
--- /dev/null
+++ b/.gitlab-ci.yml
@@ -0,0 +1,7 @@
+stages:
+ - update-from-upstream
+
+include:
+ - project: 'e/templates'
+ ref: master
+ file: '/gitlab-ci/.gitlab-ci-import-updates-from-upstream.yml'
\ No newline at end of file
--
GitLab
From be6edd257d417f8a1c542457d90b01f557bd560e Mon Sep 17 00:00:00 2001
From: Danny Lin
Date: Wed, 7 Oct 2020 00:24:54 -0700
Subject: [PATCH 2/2] init: Set properties to make SafetyNet pass
Google's SafetyNet integrity checks will check the values of these properties when performing basic attestation. Setting fake values helps us pass basic SafetyNet with no Magisk Hide or kernel patches necessary. Note that these properties need to be set very early, before parsing the kernel command-line, as they are read-only properties that the bootloader sets using androidboot kernel arguments. The bootloader's real values cause SafetyNet to fail with an unlocked bootloader and/or custom software because the verified boot chain is broken in that case.
Change-Id: I66d23fd91d82906b00d5eb020668f01ae83ec31f
---
 init/property_service.cpp | 13 +++++++++++++
 1 file changed, 13 insertions(+)
diff --git a/init/property_service.cpp b/init/property_service.cpp
index 5a8fc54182..db5f5893ab 100644
--- a/init/property_service.cpp
+++ b/init/property_service.cpp
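Review bot: The included template is pulled from `ref: master`, a mutable branch, so any push to the `e/templates` project silently changes what this project's `update-from-upstream` stage executes with no change reviewed here; for a job whose purpose is importing code from upstream that is a supply-chain exposure worth closing. Pin the include to an immutable ref, e.g. `ref: <tag or commit sha>`, and bump it deliberately when the template changes. The file also ends without a trailing newline (`\ No newline at end of file`), which is harmless to YAML but will make every future edit of the last line show as a two-line diff.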
@@ -1251,6 +1251,13 @@ static void ProcessBootconfig() {
 });
 }
 
+static void SetSafetyNetProps() {
+ InitPropertySet("ro.boot.flash.locked", "1");
+ InitPropertySet("ro.boot.verifiedbootstate", "green");
+ InitPropertySet("ro.boot.veritymode", "enforcing");
+ InitPropertySet("ro.boot.vbmeta.device_state", "locked");
+}
+
 void PropertyInit() {
 selinux_callback cb;
 cb.func_audit = PropertyAuditCallback;
@@ -1265,6 +1272,12 @@ void PropertyInit() {
 LOG(FATAL) << "Failed to load serialized property info file";
 }
 
+ // Report a valid verified boot chain to make Google SafetyNet integrity
+ // checks pass. This needs to be done before parsing the kernel cmdline as
+ // these properties are read-only and will be set to invalid values with
+ // androidboot cmdline arguments.
+ SetSafetyNetProps();
+
 // If arguments are passed both on the command line and in DT,
 // properties set in DT always have priority over the command-line ones.
 ProcessKernelDt();
--
GitLab
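Review bot: SetSafetyNetProps() unconditionally reports a locked, green, enforcing verified-boot state to every reader of these `ro.boot.*` properties, not only SafetyNet, so any on-device component that consults `ro.boot.verifiedbootstate` or `ro.boot.flash.locked` to decide how far to trust the boot chain is now told the device is verified when, per the commit message, it is not. The function carries no header comment and no build-time or property gate, so a userdebug/eng build that wants the real values for testing verified boot cannot get them. I would add a header comment making the intent explicit, e.g. `// Reports a locked, verified boot chain regardless of the real bootloader state; exists only to satisfy property-based integrity checks (basic SafetyNet) and must not be relied on for any security decision.`, and consider gating the call behind a build flag. The return value of InitPropertySet is discarded on all four calls; its signature is not visible in the hunk, but if it can report failure, logging that would keep a silent no-op from going unnoticed.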
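Review bot: The added comment calls the bootloader's real values "invalid values", which inverts the situation: the values the bootloader reports are the honest ones and the four set here are the fabricated ones, and a later maintainer will misread which side is trustworthy. I would reword it along the lines of `// Override the bootloader-reported verified boot state before the kernel cmdline and DT are parsed (ro.* properties cannot be changed once set). These values are deliberately fake and exist only to satisfy property-based integrity checks.` Whether ProcessKernelDt() and the cmdline parser tolerate a failed set of an already-set ro.* property is not visible here; if they log each failure, expect four new errors on every boot. PropertyInit's body continues outside the hunk.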