Display global security state extensions from new protocol fields

GrapheneOS · Jan 7, 2025 · 6f4087d · 6f4087d
1 parent 21fbd9e
commit 6f4087d
Show file tree

Hide file tree

Showing 2 changed files with 121 additions and 0 deletions.
diff --git a/app/src/main/java/app/attestation/auditor/AttestationProtocol.java b/app/src/main/java/app/attestation/auditor/AttestationProtocol.java
@@ -54,6 +54,7 @@
 import java.security.cert.CertificateFactory;
 import java.security.cert.X509Certificate;
 import java.security.spec.ECGenParameterSpec;
+import java.time.Duration;
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Date;
@@ -1136,6 +1137,104 @@ private static VerificationResult verify(final Context context, final byte[] fin
         osEnforced.append(context.getString(R.string.system_user,
                 toYesNoString(context, systemUser)));
 
+        final boolean appliesToPogoPins = verified.device() == R.string.device_pixel_tablet;
+        final int usbcPortSecurityModePrefix;
+        if (appliesToPogoPins) {
+            usbcPortSecurityModePrefix = R.string.usbc_port_and_pogo_pins;
+        } else {
+            usbcPortSecurityModePrefix = R.string.usbc_port_security_mode;
+        }
+
+        final int usbcPortSecurityModeOffRes;
+        if (appliesToPogoPins) {
+            usbcPortSecurityModeOffRes = R.string.usbc_port_and_pogo_pins_off_title;
+        } else {
+            usbcPortSecurityModeOffRes = R.string.usbc_port_security_mode_off;
+        }
+
+        final byte usbcPortSecurityMode = securityStateExt.portSecurityMode();
+        final int usbcPortSecurityModeValueRes;
+        if (usbcPortSecurityMode == SecurityStateExt.UNKNOWN_VALUE) {
+            usbcPortSecurityModeValueRes = R.string.unknown_value;
+        } else if (usbcPortSecurityMode == SecurityStateExt.INVALID_VALUE) {
+            usbcPortSecurityModeValueRes = R.string.invalid_value;
+        } else {
+            usbcPortSecurityModeValueRes = switch (usbcPortSecurityMode) {
+                case 0 -> usbcPortSecurityModeOffRes;
+                case 1 -> R.string.usbc_port_security_mode_charging_only;
+                case 2 -> R.string.usbc_port_security_mode_charging_only_when_locked;
+                case 3 -> R.string.usbc_port_security_mode_charging_only_when_locked_afu;
+                case 4 -> R.string.usbc_port_security_mode_on;
+                default -> throw new IllegalArgumentException();
+            };
+        }
+        osEnforced.append(context.getString(usbcPortSecurityModePrefix,
+                context.getString(usbcPortSecurityModeValueRes)));
+
+        final int autoRebootSeconds = securityStateExt.autoRebootSeconds();
+        final String autoRebootValueString;
+        if (autoRebootSeconds == SecurityStateExt.UNKNOWN_VALUE) {
+            autoRebootValueString = context.getString(R.string.unknown_value);
+        } else if (autoRebootSeconds == SecurityStateExt.INVALID_VALUE) {
+            autoRebootValueString = context.getString(R.string.invalid_value);
+        } else {
+            final Duration duration = Duration.ofSeconds(autoRebootSeconds);
+            StringBuilder autoRebootValueStrBuilder = new StringBuilder();
+
+            long hoursDuration = duration.toHours();
+            if (hoursDuration > 1) {
+                autoRebootValueStrBuilder.append(
+                        context.getString(R.string.auto_reboot_hours_plural_value, hoursDuration));
+            } else if (hoursDuration == 1) {
+                autoRebootValueStrBuilder.append(
+                        context.getString(R.string.auto_reboot_hours_singular_value));
+            }
+
+            int minutesPart = duration.toMinutesPart();
+            if (minutesPart > 1) {
+                if (autoRebootValueStrBuilder.length() != 0) {
+                    autoRebootValueStrBuilder.append(", ");
+                }
+                autoRebootValueStrBuilder.append(
+                        context.getString(R.string.auto_reboot_minutes_plural_value, minutesPart));
+            } else if (minutesPart == 1) {
+                if (autoRebootValueStrBuilder.length() != 0) {
+                    autoRebootValueStrBuilder.append(", ");
+                }
+                autoRebootValueStrBuilder.append(
+                        context.getString(R.string.auto_reboot_minutes_singular_value));
+            }
+
+            int secondsPart = duration.toSecondsPart();
+            if (secondsPart > 1) {
+                if (autoRebootValueStrBuilder.length() != 0) {
+                    autoRebootValueStrBuilder.append(", ");
+                }
+                autoRebootValueStrBuilder.append(
+                        context.getString(R.string.auto_reboot_seconds_plural_value, secondsPart));
+            } else if (secondsPart == 1) {
+                if (autoRebootValueStrBuilder.length() != 0) {
+                    autoRebootValueStrBuilder.append(", ");
+                }
+                autoRebootValueStrBuilder.append(
+                        context.getString(R.string.auto_reboot_seconds_singular_value));
+            }
+
+            autoRebootValueString = autoRebootValueStrBuilder.toString();
+        }
+        osEnforced.append(context.getString(R.string.auto_reboot_timeout, autoRebootValueString));
+
+        final byte userCount = securityStateExt.userCount();
+        final String userCountValueString;
+        if (userCount == SecurityStateExt.UNKNOWN_VALUE) {
+            userCountValueString = context.getString(R.string.unknown_value);
+        } else if (userCount == SecurityStateExt.INVALID_VALUE) {
+            userCountValueString = context.getString(R.string.invalid_value);
+        } else {
+            userCountValueString = String.valueOf(securityStateExt.userCount());
+        }
+        osEnforced.append(context.getString(R.string.user_count, userCountValueString));
+
         return new VerificationResult(hasPersistentKey, teeEnforced.toString(), osEnforced.toString(), history.toString());
     }
 

diff --git a/app/src/main/res/values/strings.xml b/app/src/main/res/values/strings.xml
@@ -86,6 +86,28 @@
     <string name="add_users_when_locked">Add users from lock screen: %s\n</string>
     <string name="oem_unlock_allowed">OEM unlocking allowed: %s\n</string>
     <string name="system_user">Main user account: %s\n</string>
+    <string name="auto_reboot_timeout">Auto reboot timeout: %s\n</string>
+    <string name="auto_reboot_seconds_plural_value">%d seconds</string>
+    <string name="auto_reboot_minutes_plural_value">%d minutes</string>
+    <string name="auto_reboot_hours_plural_value">%d hours</string>
+    <string name="auto_reboot_seconds_singular_value">1 second</string>
+    <string name="auto_reboot_minutes_singular_value">1 minute</string>
+    <string name="auto_reboot_hours_singular_value">1 hour</string>
+
+    <string name="usbc_port_security_mode">USB-C port: %s\n</string>
+    <string name="usbc_port_and_pogo_pins">USB-C port and pogo pins: %s\n</string>
+
+    <string name="usbc_port_security_mode_off">Off</string>
+    <string name="usbc_port_and_pogo_pins_off_title">USB-C port off, pogo pins used only for charging</string>
+    <string name="usbc_port_security_mode_charging_only">Charging-only</string>
+    <string name="usbc_port_security_mode_charging_only_when_locked">Charging-only when locked</string>
+    <string name="usbc_port_security_mode_charging_only_when_locked_afu">Charging-only when locked, except before first unlock</string>
+    <string name="usbc_port_security_mode_on">On</string>
+
+    <string name="user_count">User count: %s\n</string>
+
+    <string name="unknown_value">Unknown</string>
+    <string name="invalid_value">Invalid</string>
 
     <string name="history">\n<b>Attestation history:</b>\n\n</string>
     <string name="first_verified">First verified: %s\n</string>