

drop support for obsolete deny new USB setting
This was replaced by our newer generation USB-C port and pogo pins. The
software USB enforcement was extended to USB gadget mode in addition to
USB peripherals and the feature is now mainly based on hardware level
enforcement for USB-C and pogo pins eliminating far more attack surface.

Checking the value of the new setting will require creating an SELinux
domain for Auditor to allow it to read the new property.
thestinger committed Sep 27, 2024
1 parent 2deed10 commit e4bfe4e
Showing 3 changed files with 149 additions and 41 deletions.
41 changes: 18 additions & 23 deletions src/main/java/app/attestation/server/AttestationProtocol.java
Expand Up @@ -135,7 +135,7 @@ class AttestationProtocol {
private static final int OS_ENFORCED_FLAGS_ADB_ENABLED = 1 << 3;
private static final int OS_ENFORCED_FLAGS_ADD_USERS_WHEN_LOCKED = 1 << 4;
private static final int OS_ENFORCED_FLAGS_ENROLLED_BIOMETRICS = 1 << 5;
private static final int OS_ENFORCED_FLAGS_DENY_NEW_USB = 1 << 6;
private static final int OS_ENFORCED_FLAGS_DENY_NEW_USB = 1 << 6; // obsolete since version 76
private static final int OS_ENFORCED_FLAGS_DEVICE_ADMIN_NON_SYSTEM = 1 << 7;
private static final int OS_ENFORCED_FLAGS_OEM_UNLOCK_ALLOWED = 1 << 8;
private static final int OS_ENFORCED_FLAGS_SYSTEM_USER = 1 << 9;
Expand Down Expand Up @@ -1261,7 +1261,7 @@ private static void verify(final byte[] fingerprint,
final boolean accessibility, final boolean deviceAdmin,
final boolean deviceAdminNonSystem, final boolean adbEnabled,
final boolean addUsersWhenLocked, final boolean enrolledBiometrics,
final boolean denyNewUsb, final boolean oemUnlockAllowed, final boolean systemUser)
final boolean oemUnlockAllowed, final boolean systemUser)
throws GeneralSecurityException, IOException, SQLiteException {
final String fingerprintHex = BaseEncoding.base16().encode(fingerprint);
final byte[] currentFingerprint = getFingerprint(attestationCertificates[0]);
Expand Down Expand Up @@ -1379,7 +1379,7 @@ private static void verify(final byte[] fingerprint,
pinnedOsPatchLevel = ?, pinnedVendorPatchLevel = ?,
pinnedBootPatchLevel = ?, pinnedAppVersion = ?, pinnedSecurityLevel = ?,
userProfileSecure = ?, enrolledBiometrics = ?, accessibility = ?,
deviceAdmin = ?, adbEnabled = ?, addUsersWhenLocked = ?, denyNewUsb = ?,
deviceAdmin = ?, adbEnabled = ?, addUsersWhenLocked = ?,
oemUnlockAllowed = ?, systemUser = ?, verifiedTimeLast = ?
WHERE fingerprint = ?""");
try {
Expand All @@ -1400,11 +1400,10 @@ private static void verify(final byte[] fingerprint,
update.bind(11, deviceAdmin ? (deviceAdminNonSystem ? 2 : 1) : 0);
update.bind(12, adbEnabled ? 1 : 0);
update.bind(13, addUsersWhenLocked ? 1 : 0);
update.bind(14, denyNewUsb ? 1 : 0);
update.bind(15, oemUnlockAllowed ? 1 : 0);
update.bind(16, systemUser ? 1 : 0);
update.bind(17, now);
update.bind(18, fingerprint);
update.bind(14, oemUnlockAllowed ? 1 : 0);
update.bind(15, systemUser ? 1 : 0);
update.bind(16, now);
update.bind(17, fingerprint);
update.step();
} finally {
update.dispose();
Expand All @@ -1418,9 +1417,9 @@ INSERT INTO Devices (fingerprint, pinnedCertificates, attestKey,
pinnedOsPatchLevel, pinnedVendorPatchLevel, pinnedBootPatchLevel,
pinnedAppVersion, pinnedAppVariant, pinnedSecurityLevel, userProfileSecure,
enrolledBiometrics, accessibility, deviceAdmin, adbEnabled,
addUsersWhenLocked, denyNewUsb, oemUnlockAllowed, systemUser,
addUsersWhenLocked, oemUnlockAllowed, systemUser,
verifiedTimeFirst, verifiedTimeLast, userId)
VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)""");
VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)""");
try {
insert.bind(1, fingerprint);
insert.bind(2, encodeChain(DEFLATE_DICTIONARY_2, attestationCertificates));
Expand All @@ -1444,12 +1443,11 @@ INSERT INTO Devices (fingerprint, pinnedCertificates, attestKey,
insert.bind(16, deviceAdmin ? (deviceAdminNonSystem ? 2 : 1) : 0);
insert.bind(17, adbEnabled ? 1 : 0);
insert.bind(18, addUsersWhenLocked ? 1 : 0);
insert.bind(19, denyNewUsb ? 1 : 0);
insert.bind(20, oemUnlockAllowed ? 1 : 0);
insert.bind(21, systemUser ? 1 : 0);
insert.bind(19, oemUnlockAllowed ? 1 : 0);
insert.bind(20, systemUser ? 1 : 0);
insert.bind(21, now);
insert.bind(22, now);
insert.bind(23, now);
insert.bind(24, userId);
insert.bind(23, userId);
insert.step();
} finally {
insert.dispose();
Expand All @@ -1460,8 +1458,8 @@ INSERT INTO Devices (fingerprint, pinnedCertificates, attestKey,
INSERT INTO Attestations (fingerprint, time, strong, osVersion, osPatchLevel,
vendorPatchLevel, bootPatchLevel, verifiedBootHash, appVersion,
userProfileSecure, enrolledBiometrics, accessibility, deviceAdmin, adbEnabled,
addUsersWhenLocked, denyNewUsb, oemUnlockAllowed, systemUser)
VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)""");
addUsersWhenLocked, oemUnlockAllowed, systemUser)
VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)""");
try {
insert.bind(1, fingerprint);
insert.bind(2, now);
Expand All @@ -1482,9 +1480,8 @@ INSERT INTO Attestations (fingerprint, time, strong, osVersion, osPatchLevel,
insert.bind(13, deviceAdmin ? (deviceAdminNonSystem ? 2 : 1) : 0);
insert.bind(14, adbEnabled ? 1 : 0);
insert.bind(15, addUsersWhenLocked ? 1 : 0);
insert.bind(16, denyNewUsb ? 1 : 0);
insert.bind(17, oemUnlockAllowed ? 1 : 0);
insert.bind(18, systemUser ? 1 : 0);
insert.bind(16, oemUnlockAllowed ? 1 : 0);
insert.bind(17, systemUser ? 1 : 0);

insert.step();
} finally {
Expand Down Expand Up @@ -1582,7 +1579,6 @@ static void verifySerialized(final byte[] attestationResult,
final boolean adbEnabled = (osEnforcedFlags & OS_ENFORCED_FLAGS_ADB_ENABLED) != 0;
final boolean addUsersWhenLocked = (osEnforcedFlags & OS_ENFORCED_FLAGS_ADD_USERS_WHEN_LOCKED) != 0;
final boolean enrolledBiometrics = (osEnforcedFlags & OS_ENFORCED_FLAGS_ENROLLED_BIOMETRICS) != 0;
final boolean denyNewUsb = (osEnforcedFlags & OS_ENFORCED_FLAGS_DENY_NEW_USB) != 0;
final boolean oemUnlockAllowed = (osEnforcedFlags & OS_ENFORCED_FLAGS_OEM_UNLOCK_ALLOWED) != 0;
final boolean systemUser = (osEnforcedFlags & OS_ENFORCED_FLAGS_SYSTEM_USER) != 0;

Expand All @@ -1599,7 +1595,6 @@ static void verifySerialized(final byte[] attestationResult,

verify(fingerprint, pendingChallenges, userId, paired, deserializer.asReadOnlyBuffer(), signature,
certificates, userProfileSecure, accessibility, deviceAdmin, deviceAdminNonSystem,
adbEnabled, addUsersWhenLocked, enrolledBiometrics, denyNewUsb, oemUnlockAllowed,
systemUser);
adbEnabled, addUsersWhenLocked, enrolledBiometrics, oemUnlockAllowed, systemUser);
}
}
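Review bot: The retained constant `OS_ENFORCED_FLAGS_DENY_NEW_USB` at the top of the section is no longer read anywhere in verifySerialized, and its new comment does not say why bit 6 must stay reserved; presumably Auditor builds older than version 76 still set that bit, so a future flag assigned `1 << 6` would be misinterpreted for those clients. Suggest `private static final int OS_ENFORCED_FLAGS_DENY_NEW_USB = 1 << 6; // obsolete since version 76, bit stays reserved: older clients may still set it`. The bind indices in the UPDATE and the two INSERTs inside verify were renumbered by hand; a short comment tying each bind to its column list, or a local index counter, would make the next column removal less error-prone. Both verify and verifySerialized begin outside the hunks shown.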
147 changes: 131 additions & 16 deletions src/main/java/app/attestation/server/AttestationServer.java
Expand Up @@ -190,7 +190,6 @@ accessibility INTEGER NOT NULL CHECK (accessibility in (0, 1)),
deviceAdmin INTEGER NOT NULL CHECK (deviceAdmin in (0, 1, 2)),
adbEnabled INTEGER NOT NULL CHECK (adbEnabled in (0, 1)),
addUsersWhenLocked INTEGER NOT NULL CHECK (addUsersWhenLocked in (0, 1)),
denyNewUsb INTEGER NOT NULL CHECK (denyNewUsb in (0, 1)),
oemUnlockAllowed INTEGER NOT NULL CHECK (oemUnlockAllowed in (0, 1)),
systemUser INTEGER NOT NULL CHECK (systemUser in (0, 1)),
verifiedTimeFirst INTEGER NOT NULL,
Expand Down Expand Up @@ -219,7 +218,6 @@ accessibility INTEGER NOT NULL CHECK (accessibility in (0, 1)),
deviceAdmin INTEGER NOT NULL CHECK (deviceAdmin in (0, 1, 2)),
adbEnabled INTEGER NOT NULL CHECK (adbEnabled in (0, 1)),
addUsersWhenLocked INTEGER NOT NULL CHECK (addUsersWhenLocked in (0, 1)),
denyNewUsb INTEGER NOT NULL CHECK (denyNewUsb in (0, 1)),
oemUnlockAllowed INTEGER NOT NULL CHECK (oemUnlockAllowed in (0, 1)),
systemUser INTEGER NOT NULL CHECK (systemUser in (0, 1))
) STRICT""");
Expand Down Expand Up @@ -312,7 +310,7 @@ public static void main(final String[] args) throws Exception {
final SQLiteStatement selectCreated = attestationConn.prepare(
"SELECT 1 FROM sqlite_master WHERE type='table' AND name='Configuration'");
if (!selectCreated.step()) {
attestationConn.exec("PRAGMA user_version = 11");
attestationConn.exec("PRAGMA user_version = 12");
}
selectCreated.dispose();

Expand All @@ -327,6 +325,125 @@ public static void main(final String[] args) throws Exception {
System.exit(1);
}

// add pinnedAppVariant column to Devices table with default 0 value
if (userVersion < 12) {
attestationConn.exec("PRAGMA foreign_keys = OFF");
attestationConn.exec("BEGIN IMMEDIATE TRANSACTION");

attestationConn.exec("ALTER TABLE Devices RENAME TO OldDevices");
attestationConn.exec("ALTER TABLE Attestations RENAME TO OldAttestations");

createAttestationTables(attestationConn);

attestationConn.exec("""
INSERT INTO Devices (
fingerprint,
pinnedCertificates,
attestKey,
pinnedVerifiedBootKey,
verifiedBootHash,
pinnedOsVersion,
pinnedOsPatchLevel,
pinnedVendorPatchLevel,
pinnedBootPatchLevel,
pinnedAppVersion,
pinnedAppVariant,
pinnedSecurityLevel,
userProfileSecure,
enrolledBiometrics,
accessibility,
deviceAdmin,
adbEnabled,
addUsersWhenLocked,
oemUnlockAllowed,
systemUser,
verifiedTimeFirst,
verifiedTimeLast,
expiredTimeLast,
failureTimeLast,
userId,
deletionTime)
SELECT
fingerprint,
pinnedCertificates,
attestKey,
pinnedVerifiedBootKey,
verifiedBootHash,
pinnedOsVersion,
pinnedOsPatchLevel,
pinnedVendorPatchLevel,
pinnedBootPatchLevel,
pinnedAppVersion,
pinnedAppVariant,
pinnedSecurityLevel,
userProfileSecure,
enrolledBiometrics,
accessibility,
deviceAdmin,
adbEnabled,
addUsersWhenLocked,
oemUnlockAllowed,
systemUser,
verifiedTimeFirst,
verifiedTimeLast,
expiredTimeLast,
failureTimeLast,
userId,
deletionTime
FROM OldDevices""");

attestationConn.exec("""
INSERT INTO Attestations (
id,
fingerprint,
time,
strong,
osVersion,
osPatchLevel,
vendorPatchLevel,
bootPatchLevel,
verifiedBootHash,
appVersion,
userProfileSecure,
enrolledBiometrics,
accessibility,
deviceAdmin,
adbEnabled,
addUsersWhenLocked,
oemUnlockAllowed,
systemUser
) SELECT
id,
fingerprint,
time,
strong,
osVersion,
osPatchLevel,
vendorPatchLevel,
bootPatchLevel,
verifiedBootHash,
appVersion,
userProfileSecure,
enrolledBiometrics,
accessibility,
deviceAdmin,
adbEnabled,
addUsersWhenLocked,
oemUnlockAllowed,
systemUser
FROM OldAttestations""");

attestationConn.exec("DROP TABLE OldDevices");
attestationConn.exec("DROP TABLE OldAttestations");

createAttestationIndices(attestationConn);
attestationConn.exec("PRAGMA user_version = 12");
attestationConn.exec("COMMIT TRANSACTION");
userVersion = 12;
attestationConn.exec("PRAGMA foreign_keys = ON");
logger.info("Migrated to schema version: " + userVersion);
}

logger.info("Finished database setup for " + ATTESTATION_DATABASE);
} finally {
attestationConn.dispose();
Expand Down Expand Up @@ -1079,7 +1196,7 @@ SELECT fingerprint, pinnedCertificates, attestKey, hex(pinnedVerifiedBootKey),
pinnedOsVersion, pinnedOsPatchLevel, pinnedVendorPatchLevel, pinnedBootPatchLevel,
pinnedAppVersion, pinnedAppVariant, pinnedSecurityLevel, userProfileSecure,
enrolledBiometrics, accessibility, deviceAdmin, adbEnabled, addUsersWhenLocked,
denyNewUsb, oemUnlockAllowed, systemUser, verifiedTimeFirst, verifiedTimeLast,
oemUnlockAllowed, systemUser, verifiedTimeFirst, verifiedTimeLast,
(SELECT min(id) FROM Attestations WHERE Attestations.fingerprint = Devices.fingerprint),
(SELECT max(id) FROM Attestations WHERE Attestations.fingerprint = Devices.fingerprint)
FROM Devices WHERE userId is ? AND deletionTime IS NULL
Expand Down Expand Up @@ -1144,13 +1261,12 @@ SELECT fingerprint, pinnedCertificates, attestKey, hex(pinnedVerifiedBootKey),
device.add("deviceAdmin", select.columnInt(15));
device.add("adbEnabled", select.columnInt(16));
device.add("addUsersWhenLocked", select.columnInt(17));
device.add("denyNewUsb", select.columnInt(18));
device.add("oemUnlockAllowed", select.columnInt(19));
device.add("systemUser", select.columnInt(20));
device.add("verifiedTimeFirst", select.columnLong(21));
device.add("verifiedTimeLast", select.columnLong(22));
device.add("minId", select.columnLong(23));
device.add("maxId", select.columnLong(24));
device.add("oemUnlockAllowed", select.columnInt(18));
device.add("systemUser", select.columnInt(19));
device.add("verifiedTimeFirst", select.columnLong(20));
device.add("verifiedTimeLast", select.columnLong(21));
device.add("minId", select.columnLong(22));
device.add("maxId", select.columnLong(23));
devices.add(device);
}
} finally {
Expand Down Expand Up @@ -1207,8 +1323,8 @@ private static void writeAttestationHistoryJson(final HttpExchange exchange, fin
vendorPatchLevel, bootPatchLevel, Attestations.verifiedBootHash, appVersion,
Attestations.userProfileSecure, Attestations.enrolledBiometrics,
Attestations.accessibility, Attestations.deviceAdmin, Attestations.adbEnabled,
Attestations.addUsersWhenLocked, Attestations.denyNewUsb,
Attestations.oemUnlockAllowed, Attestations.systemUser
Attestations.addUsersWhenLocked, Attestations.oemUnlockAllowed,
Attestations.systemUser
FROM Attestations INNER JOIN Devices ON
Attestations.fingerprint = Devices.fingerprint
WHERE Devices.fingerprint = ? AND userid = ?
Expand Down Expand Up @@ -1241,9 +1357,8 @@ private static void writeAttestationHistoryJson(final HttpExchange exchange, fin
attestation.add("deviceAdmin", history.columnInt(12));
attestation.add("adbEnabled", history.columnInt(13));
attestation.add("addUsersWhenLocked", history.columnInt(14));
attestation.add("denyNewUsb", history.columnInt(15));
attestation.add("oemUnlockAllowed", history.columnInt(16));
attestation.add("systemUser", history.columnInt(17));
attestation.add("oemUnlockAllowed", history.columnInt(15));
attestation.add("systemUser", history.columnInt(16));
attestations.add(attestation);
rowCount += 1;
}
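Review bot: The comment introducing the new `if (userVersion < 12)` migration, `// add pinnedAppVariant column to Devices table with default 0 value`, describes the previous migration rather than this one, which rebuilds Devices and Attestations without the denyNewUsb column; suggest `// drop the obsolete denyNewUsb column by rebuilding Devices and Attestations (schema version 12)`. The rebuild runs with `PRAGMA foreign_keys = OFF` and renames the live tables before copying, so if Attestations declares a foreign key to Devices (the pragma toggling suggests it does), running `PRAGMA foreign_key_check` before `COMMIT TRANSACTION` would confirm the copied rows still satisfy that relationship before the old tables are dropped, as SQLite's documented table-rebuild procedure recommends. The enclosing main method starts outside the hunk.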
2 changes: 0 additions & 2 deletions static/monitoring.js
Expand Up @@ -175,7 +175,6 @@ function fetchHistory(parent, nextOffset) {
appendLine(parent, "Device administrator(s) enabled: " + deviceAdminStrings.get(attestation.deviceAdmin));
appendLine(parent, "Android Debug Bridge enabled: " + toYesNoString(attestation.adbEnabled));
appendLine(parent, "Add users from lock screen: " + toYesNoString(attestation.addUsersWhenLocked));
appendLine(parent, "Disallow new USB peripherals when locked: " + toYesNoString(attestation.denyNewUsb));
appendLine(parent, "OEM unlocking allowed: " + toYesNoString(attestation.oemUnlockAllowed));
appendLine(parent, "Main user account: " + toYesNoString(attestation.systemUser));
}
Expand Down Expand Up @@ -300,7 +299,6 @@ function fetchDevices() {
appendLine(info, "Device administrator(s) enabled: " + deviceAdminStrings.get(device.deviceAdmin));
appendLine(info, "Android Debug Bridge enabled: " + toYesNoString(device.adbEnabled));
appendLine(info, "Add users from lock screen: " + toYesNoString(device.addUsersWhenLocked));
appendLine(info, "Disallow new USB peripherals when locked: " + toYesNoString(device.denyNewUsb));
appendLine(info, "OEM unlocking allowed: " + toYesNoString(device.oemUnlockAllowed));
appendLine(info, "Main user account: " + toYesNoString(device.systemUser));

