Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Support for added security state downstream #455

Open
wants to merge 10 commits into
base: main
Choose a base branch
from
Open

Support for added security state downstream #455

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
10 commits
Select commit Hold shift + click to select a range
449bae8
Refactor brace placements for empty record classes in AttestationProt…
quh4gko8 Jan 7, 2025
32dadbc
Method to check for having pogo pins in record classes with device name
quh4gko8 Jan 7, 2025
339fe4e
Store auto reboot timeout field in seconds for attestation protocol v6+
quh4gko8 Jan 6, 2025
66a2fc3
Record class for extended security state for attestation protocol v6+
quh4gko8 Jan 7, 2025
46cd504
Deserialize downstream extra security state from protocol v6+
quh4gko8 Jan 7, 2025
0735aad
Update database to include attestation protocol v6+ field changes
quh4gko8 Jan 7, 2025
1255885
Save added protocol v6 fields for extended security state in database
quh4gko8 Jan 7, 2025
81eac20
Migrate database to new version with protocol v6+ fields
quh4gko8 Jan 7, 2025
8e4303b
Display extended security state extensions from attestation protocol v6+
quh4gko8 Jan 7, 2025
1ec9b9c
Increment protocol version
quh4gko8 Jan 6, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
73 changes: 57 additions & 16 deletions src/main/java/app/attestation/server/AttestationProtocol.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -78,15 +78,15 @@ class AttestationProtocol {
// byte[] compressedChain { [short encodedCertificateLength, byte[] encodedCertificate] }
// byte[] fingerprint (length: FINGERPRINT_LENGTH)
// int osEnforcedFlags
// short autoRebootMinutes (-1 for unknown)
// int autoRebootSeconds (-1 for unknown)
// byte portSecurityMode (-1 for unknown)
// byte userCount (-1 for unknown)
// }
// byte[] signature (rest of message)
//
// Protocol version changes:
//
// 6: autoRebootMinutes added
// 6: autoRebootSeconds added
// 6: portSecurityMode added
// 6: userCount added
//
Expand Down Expand Up @@ -128,7 +128,7 @@ class AttestationProtocol {
// the outer signature and the rest of the chain for pinning the expected chain. It enforces
// downgrade protection for the OS version/patch (bootloader/TEE enforced) and app version (OS
// enforced) by keeping them updated.
static final byte PROTOCOL_VERSION = 5;
static final byte PROTOCOL_VERSION = 6;
private static final byte PROTOCOL_VERSION_MINIMUM = 5;
// can become longer in the future, but this is the minimum length
private static final byte CHALLENGE_MESSAGE_LENGTH = 1 + RANDOM_TOKEN_LENGTH * 2;
Expand Down Expand Up @@ -219,7 +219,12 @@ class AttestationProtocol {
public record DeviceInfo(String name, int attestationVersion, int keymasterVersion,
// API for detecting this was replaced in keymaster v3 but the new one isn't used yet
boolean rollbackResistant,
boolean enforceStrongBox, String osName) {}
boolean enforceStrongBox, String osName) {

boolean hasPogoPins() {
return DEVICE_PIXEL_TABLET.equals(name);
}
}

private static final ImmutableSet<String> extraPatchLevelMissing = ImmutableSet.of(
DEVICE_SM_G970F,
Expand Down Expand Up @@ -474,7 +479,12 @@ private static byte[] getFingerprint(final Certificate certificate)

private record Verified(String device, String verifiedBootKey, byte[] verifiedBootHash,
String osName, int osVersion, int osPatchLevel, int vendorPatchLevel, int bootPatchLevel,
int appVersion, int appVariant, int securityLevel, boolean attestKey) {}
int appVersion, int appVariant, int securityLevel, boolean attestKey) {

boolean hasPogoPins() {
return DEVICE_PIXEL_TABLET.equals(device);
}
}

private static X509Certificate generateCertificate(final InputStream in)
throws CertificateException {
Expand Down Expand Up @@ -807,14 +817,22 @@ private static String toYesNoString(final boolean value) {
return value ? "yes" : "no";
}

record SecurityStateExt(int autoRebootSeconds, byte portSecurityMode, byte userCount) {
static int UNKNOWN_VALUE = -1;
static int INVALID_VALUE = -2;
static SecurityStateExt UNKNOWN = new SecurityStateExt(
(short) UNKNOWN_VALUE, (byte) UNKNOWN_VALUE, (byte) UNKNOWN_VALUE);
}

private static void verify(final byte[] fingerprint,
final Cache<ByteBuffer, Boolean> pendingChallenges, final long userId,
final boolean paired, final ByteBuffer signedMessage, final byte[] signature,
final Certificate[] attestationCertificates, final boolean userProfileSecure,
final boolean accessibility, final boolean deviceAdmin,
final boolean deviceAdminNonSystem, final boolean adbEnabled,
final boolean addUsersWhenLocked, final boolean enrolledBiometrics,
final boolean oemUnlockAllowed, final boolean systemUser)
final boolean oemUnlockAllowed, final boolean systemUser,
final SecurityStateExt securityStateExt)
throws GeneralSecurityException, IOException, SQLiteException {
final String fingerprintHex = BaseEncoding.base16().encode(fingerprint);
final byte[] currentFingerprint = getFingerprint(attestationCertificates[0]);
Expand Down Expand Up @@ -952,6 +970,9 @@ private static void verify(final byte[] fingerprint,
addUsersWhenLocked = ?,
oemUnlockAllowed = ?,
systemUser = ?,
autoRebootSeconds = ?,
portSecurityMode = ?,
userCount = ?,
verifiedTimeLast = ?
WHERE fingerprint = ?""");
try {
Expand All @@ -974,8 +995,11 @@ private static void verify(final byte[] fingerprint,
update.bind(13, addUsersWhenLocked ? 1 : 0);
update.bind(14, oemUnlockAllowed ? 1 : 0);
update.bind(15, systemUser ? 1 : 0);
update.bind(16, now);
update.bind(17, fingerprint);
update.bind(16, securityStateExt.autoRebootSeconds);
update.bind(17, securityStateExt.portSecurityMode);
update.bind(18, securityStateExt.userCount);
update.bind(19, now);
update.bind(20, fingerprint);
update.step();
} finally {
update.dispose();
Expand Down Expand Up @@ -1005,10 +1029,13 @@ INSERT INTO Devices (
addUsersWhenLocked,
oemUnlockAllowed,
systemUser,
autoRebootSeconds,
portSecurityMode,
userCount,
verifiedTimeFirst,
verifiedTimeLast,
userId
) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)""");
) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)""");
try {
insert.bind(1, fingerprint);
insert.bind(2, encodeChain(DEFLATE_DICTIONARY_4, attestationCertificates));
Expand All @@ -1034,9 +1061,12 @@ INSERT INTO Devices (
insert.bind(18, addUsersWhenLocked ? 1 : 0);
insert.bind(19, oemUnlockAllowed ? 1 : 0);
insert.bind(20, systemUser ? 1 : 0);
insert.bind(21, now);
insert.bind(22, now);
insert.bind(23, userId);
insert.bind(21, securityStateExt.autoRebootSeconds);
insert.bind(22, securityStateExt.portSecurityMode);
insert.bind(23, securityStateExt.userCount);
insert.bind(24, now);
insert.bind(25, now);
insert.bind(26, userId);
insert.step();
} finally {
insert.dispose();
Expand All @@ -1061,8 +1091,11 @@ INSERT INTO Attestations (
adbEnabled,
addUsersWhenLocked,
oemUnlockAllowed,
systemUser
) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)""");
systemUser,
autoRebootSeconds,
portSecurityMode,
userCount
) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)""");
try {
insert.bind(1, fingerprint);
insert.bind(2, now);
Expand All @@ -1085,6 +1118,9 @@ INSERT INTO Attestations (
insert.bind(15, addUsersWhenLocked ? 1 : 0);
insert.bind(16, oemUnlockAllowed ? 1 : 0);
insert.bind(17, systemUser ? 1 : 0);
insert.bind(18, securityStateExt.autoRebootSeconds);
insert.bind(19, securityStateExt.portSecurityMode);
insert.bind(20, securityStateExt.userCount);

insert.step();
} finally {
Expand Down Expand Up @@ -1189,10 +1225,14 @@ static void verifySerialized(final byte[] attestationResult,
throw new GeneralSecurityException("invalid device administrator state");
}

SecurityStateExt securityStateExt;
if (version >= 6) {
final short autoRebootMinutes = deserializer.getShort();
final int autoRebootSeconds = deserializer.getInt();
final byte portSecurityMode = deserializer.get();
final byte userCount = deserializer.get();
securityStateExt = new SecurityStateExt(autoRebootSeconds, portSecurityMode, userCount);
} else {
securityStateExt = SecurityStateExt.UNKNOWN;
}

final int signatureLength = deserializer.remaining();
Expand All @@ -1204,6 +1244,7 @@ static void verifySerialized(final byte[] attestationResult,

verify(fingerprint, pendingChallenges, userId, paired, deserializer.asReadOnlyBuffer(), signature,
certificates, userProfileSecure, accessibility, deviceAdmin, deviceAdminNonSystem,
adbEnabled, addUsersWhenLocked, enrolledBiometrics, oemUnlockAllowed, systemUser);
adbEnabled, addUsersWhenLocked, enrolledBiometrics, oemUnlockAllowed, systemUser,
securityStateExt);
}
}
165 changes: 159 additions & 6 deletions src/main/java/app/attestation/server/AttestationServer.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -234,6 +234,9 @@ adbEnabled INTEGER NOT NULL CHECK (adbEnabled in (0, 1)),
addUsersWhenLocked INTEGER NOT NULL CHECK (addUsersWhenLocked in (0, 1)),
oemUnlockAllowed INTEGER NOT NULL CHECK (oemUnlockAllowed in (0, 1)),
systemUser INTEGER NOT NULL CHECK (systemUser in (0, 1)),
autoRebootSeconds INTEGER NOT NULL CHECK (autoRebootSeconds in (-2, -1) OR autoRebootSeconds >= 0),
portSecurityMode INTEGER NOT NULL CHECK (portSecurityMode in (-2, -1) OR portSecurityMode >= 0),
userCount INTEGER NOT NULL CHECK (userCount in (-2, -1) OR userCount >= 1),
verifiedTimeFirst INTEGER NOT NULL,
verifiedTimeLast INTEGER NOT NULL,
expiredTimeLast INTEGER,
Expand Down Expand Up @@ -261,7 +264,10 @@ deviceAdmin INTEGER NOT NULL CHECK (deviceAdmin in (0, 1, 2)),
adbEnabled INTEGER NOT NULL CHECK (adbEnabled in (0, 1)),
addUsersWhenLocked INTEGER NOT NULL CHECK (addUsersWhenLocked in (0, 1)),
oemUnlockAllowed INTEGER NOT NULL CHECK (oemUnlockAllowed in (0, 1)),
systemUser INTEGER NOT NULL CHECK (systemUser in (0, 1))
systemUser INTEGER NOT NULL CHECK (systemUser in (0, 1)),
autoRebootSeconds INTEGER NOT NULL CHECK (autoRebootSeconds in (-2, -1) OR autoRebootSeconds >= 0),
portSecurityMode INTEGER NOT NULL CHECK (portSecurityMode in (-2, -1) OR portSecurityMode >= 0),
userCount INTEGER NOT NULL CHECK (userCount in (-2, -1) OR userCount >= 1)
) STRICT""";

private static final String CREATE_ATTESTATION_INDICES = """
Expand Down Expand Up @@ -575,6 +581,140 @@ INSERT INTO Attestations (
logger.info("Migrated to schema version: " + userVersion);
}

// add failureAlertTime column to Devices
targetUserVersion = 15;
if (userVersion < targetUserVersion) {
conn.exec("PRAGMA foreign_keys = OFF");
conn.exec("BEGIN IMMEDIATE TRANSACTION");

conn.exec("ALTER TABLE Devices RENAME TO OldDevices");
conn.exec("ALTER TABLE Attestations RENAME TO OldAttestations");

conn.exec(CREATE_ATTESTATION_TABLES);

conn.exec("""
INSERT INTO Devices (
fingerprint,
pinnedCertificates,
attestKey,
pinnedVerifiedBootKey,
verifiedBootHash,
pinnedOsVersion,
pinnedOsPatchLevel,
pinnedVendorPatchLevel,
pinnedBootPatchLevel,
pinnedAppVersion,
pinnedAppVariant,
pinnedSecurityLevel,
userProfileSecure,
enrolledBiometrics,
accessibility,
deviceAdmin,
adbEnabled,
addUsersWhenLocked,
oemUnlockAllowed,
systemUser,
autoRebootSeconds,
portSecurityMode,
userCount,
verifiedTimeFirst,
verifiedTimeLast,
expiredTimeLast,
failureTimeLast,
failureAlertTime,
userId,
deletionTime)
SELECT
fingerprint,
pinnedCertificates,
attestKey,
pinnedVerifiedBootKey,
verifiedBootHash,
pinnedOsVersion,
pinnedOsPatchLevel,
pinnedVendorPatchLevel,
pinnedBootPatchLevel,
pinnedAppVersion,
pinnedAppVariant,
pinnedSecurityLevel,
userProfileSecure,
enrolledBiometrics,
accessibility,
deviceAdmin,
adbEnabled,
addUsersWhenLocked,
oemUnlockAllowed,
systemUser,
-1,
-1,
-1,
verifiedTimeFirst,
verifiedTimeLast,
expiredTimeLast,
failureTimeLast,
failureAlertTime,
userId,
deletionTime
FROM OldDevices""");

conn.exec("""
INSERT INTO Attestations (
id,
fingerprint,
time,
strong,
osVersion,
osPatchLevel,
vendorPatchLevel,
bootPatchLevel,
verifiedBootHash,
appVersion,
userProfileSecure,
enrolledBiometrics,
accessibility,
deviceAdmin,
adbEnabled,
addUsersWhenLocked,
oemUnlockAllowed,
systemUser,
autoRebootSeconds,
portSecurityMode,
userCount
) SELECT
id,
fingerprint,
time,
strong,
osVersion,
osPatchLevel,
vendorPatchLevel,
bootPatchLevel,
verifiedBootHash,
appVersion,
userProfileSecure,
enrolledBiometrics,
accessibility,
deviceAdmin,
adbEnabled,
addUsersWhenLocked,
oemUnlockAllowed,
systemUser,
-1,
-1,
-1
FROM OldAttestations""");

conn.exec("DROP TABLE OldDevices");
conn.exec("DROP TABLE OldAttestations");

conn.exec(CREATE_ATTESTATION_INDICES);
conn.exec("PRAGMA user_version = " + targetUserVersion);
conn.exec("COMMIT TRANSACTION");
userVersion = targetUserVersion;
conn.exec("PRAGMA foreign_keys = ON");
logger.info("Migrated to schema version: " + userVersion);
}

logger.info("Finished database setup for " + ATTESTATION_DATABASE);
} finally {
conn.dispose();
Expand Down Expand Up @@ -1392,6 +1532,9 @@ private static void writeDevicesJson(final HttpExchange exchange, final long use
addUsersWhenLocked,
oemUnlockAllowed,
systemUser,
autoRebootSeconds,
portSecurityMode,
userCount,
verifiedTimeFirst,
verifiedTimeLast,
(SELECT min(id) FROM Attestations WHERE Attestations.fingerprint = Devices.fingerprint),
Expand Down Expand Up @@ -1460,10 +1603,14 @@ private static void writeDevicesJson(final HttpExchange exchange, final long use
device.add("addUsersWhenLocked", select.columnInt(17));
device.add("oemUnlockAllowed", select.columnInt(18));
device.add("systemUser", select.columnInt(19));
device.add("verifiedTimeFirst", select.columnLong(20));
device.add("verifiedTimeLast", select.columnLong(21));
device.add("minId", select.columnLong(22));
device.add("maxId", select.columnLong(23));
device.add("autoRebootSeconds", select.columnInt(20));
device.add("portSecurityMode", select.columnInt(21));
device.add("userCount", select.columnInt(22));
device.add("verifiedTimeFirst", select.columnLong(23));
device.add("verifiedTimeLast", select.columnLong(24));
device.add("minId", select.columnLong(25));
device.add("maxId", select.columnLong(26));
device.add("hasPogoPins", info.hasPogoPins() ? 1 : 0);
devices.add(device);
}
} finally {
Expand Down Expand Up @@ -1533,7 +1680,10 @@ private static void writeAttestationHistoryJson(final HttpExchange exchange, fin
Attestations.adbEnabled,
Attestations.addUsersWhenLocked,
Attestations.oemUnlockAllowed,
Attestations.systemUser
Attestations.systemUser,
Attestations.autoRebootSeconds,
Attestations.portSecurityMode,
Attestations.userCount
FROM Attestations INNER JOIN Devices ON
Attestations.fingerprint = Devices.fingerprint
WHERE Devices.fingerprint = ? AND userid = ?
Expand Down Expand Up @@ -1568,6 +1718,9 @@ private static void writeAttestationHistoryJson(final HttpExchange exchange, fin
attestation.add("addUsersWhenLocked", history.columnInt(14));
attestation.add("oemUnlockAllowed", history.columnInt(15));
attestation.add("systemUser", history.columnInt(16));
attestation.add("autoRebootSeconds", history.columnInt(17));
attestation.add("portSecurityMode", history.columnInt(18));
attestation.add("userCount", history.columnInt(19));
attestations.add(attestation);
rowCount += 1;
}
Expand Down
Loading
Loading