Do not hack certificate chain for Samsung certs #40
Conversation
Signed-off-by: Salvo Giangreco <[email protected]>
Can you elaborate on it? Also maybe we can check for the Google public key?
As part of the Knox suite, Samsung devices running One UI have additional keystore APIs which allow attesting keys which are generated using Samsung's own certificate (SAK), this is mostly used on Samsung Knox powered apps and can be seen in action here: salvogiangri/SamsungKeyAttestation, vvb2060/KeyAttestation#15.
Will that issue affect generating keypair mode? I am not sure how the Samsung API works actually. I think it won't generate a keypair for Knox at all? Also, I think we can just check for the Google public key and only continue if it matches, to prevent similar issues on other OEMs.
Considering I already have ALL apps added to target (for testing purposes mostly) on my S20 FE stock, what do we gain from not messing with Samsung apps certs? KnoxPatch allows the apps to open fine already?
Samsung KeyStore userspace APIs only differ from AOSP by the fact that they pass additional key tags to the KeyMaster/KeyMint TA (vvb2060/KeyAttestation#15 (comment)), which will then use the correct certificate/signing key accordingly or, if asked, add an additional extension for Knox-specific values such as warranty bit, trust boot, or PROCA.
I can check for the Google root public key instead, but it would be great for someone to confirm this won't affect devices with broken TEE.
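The check discussed above (only touching a chain whose trust anchor is the Google attestation root, and leaving Samsung SAK-signed chains alone) can be expressed as a small helper. This is an added example, not code from this PR or from the project: it assumes the chain was obtained from Android's `KeyStore.getCertificateChain(alias)` for a key generated with an attestation challenge, and the `EXPECTED_ROOT_SPKI_SHA256` constant is a placeholder for the SHA-256 of the real Google root's SubjectPublicKeyInfo, which this page does not contain.

```java
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;

/**
 * Added example (not the project's code): decide whether an attestation chain
 * roots to a pinned public key before applying any chain modification.
 */
public final class AttestationRootCheck {

    // PLACEHOLDER (assumption): SHA-256 over the DER SubjectPublicKeyInfo of the
    // Google hardware attestation root. The real digest is not on this page;
    // replace the zero bytes with the known value before use.
    private static final byte[] EXPECTED_ROOT_SPKI_SHA256 = new byte[32];

    private AttestationRootCheck() {}

    /**
     * Returns true only if every certificate is signed by the next one, the last
     * certificate is self-signed, and the root's public key matches the pin.
     * Any signature, validity or encoding failure yields false rather than an exception.
     */
    public static boolean chainRootsToExpectedKey(Certificate[] chain, byte[] expectedSpkiSha256) {
        if (chain == null || chain.length < 2) {
            return false; // a lone leaf proves nothing about who issued it
        }
        try {
            // Walk leaf -> root: each certificate must verify under its issuer's key.
            for (int i = 0; i < chain.length - 1; i++) {
                X509Certificate child = (X509Certificate) chain[i];
                X509Certificate issuer = (X509Certificate) chain[i + 1];
                child.verify(issuer.getPublicKey()); // throws on a bad signature
                issuer.checkValidity();              // expired/not-yet-valid issuer rejects the chain
            }
            // The trust anchor must be self-signed; otherwise the chain is truncated.
            X509Certificate root = (X509Certificate) chain[chain.length - 1];
            root.verify(root.getPublicKey());

            byte[] spki = root.getPublicKey().getEncoded();
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(spki);
            // Constant-time comparison of the pinned digest.
            return MessageDigest.isEqual(digest, expectedSpkiSha256);
        } catch (GeneralSecurityException | ClassCastException e) {
            return false;
        }
    }

    /** Convenience wrapper using the pinned Google root placeholder above. */
    public static boolean chainRootsToGoogle(Certificate[] chain) {
        return chainRootsToExpectedKey(chain, EXPECTED_ROOT_SPKI_SHA256);
    }
}
```

With this gate in place, a chain anchored at Samsung's SAK root simply fails the pin and is left untouched, which is the behaviour the PR title asks for; a chain anchored at the Google root passes and can be handled as before. Pinning the root's public key rather than the certificate bytes keeps the check stable across re-issued root certificates that carry the same key.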
As I said earlier, Samsung apps will check if the certificate chain is valid and signed via SAK other than checking for ROT/Integrity Status. KnoxPatch only bypasses the ICD status verification in the TA (which blocks the key generation) by always forcing to add the integrity status extension in the generated key (hook code)
I understand all this yet don't understand the use case for the commit. We need some sort of Samsung TV to see what it fixes in action? |