Add KM_TAG_KNOX_OBJECT_PROTECTION_REQUIRED tag

Deprecated since Android 12, when provided with this tag the KeyMaster TA will check for the current trustboot/warranty bit status and refuse any operation if one of these isn't valid (salvogiangri/KnoxPatch#26 (comment)).
Due to leftover code, we can apply this tag to bypass the KM_TAG_EXPORTABLE check in the TA. Note that EC and RSA generated keys aren't supported.

Signed-off-by: BlackMesa123 <[email protected]>

jni/core/skeymaster_defs.h

@@ -172,6 +172,7 @@ typedef enum keymaster_tag_t {
     KM_TAG_INTEGRITY_FLAGS = 0x300013a7,
     KM_TAG_EXPORTABLE = 0x7000025a,
     KM_TAG_ORIGIN_2 = 0x100002be,
+    KM_TAG_KNOX_OBJECT_PROTECTION_REQUIRED = 0x700007d0,    // KM_BOOL | 2000
     KM_TAG_USE_SECURE_PROCESSOR = 0x70000bb8                // KM_BOOL | 3000
 } keymaster_tag_t;
 

jni/core/skeymaster_key_params.c

@@ -842,6 +842,8 @@ char *get_tag_string(keymaster_tag_t tag)
             return "KM_TAG_EXPORTABLE";
         case KM_TAG_ORIGIN_2:
             return "KM_TAG_ORIGIN_2";
+        case KM_TAG_KNOX_OBJECT_PROTECTION_REQUIRED:
+            return "KM_TAG_KNOX_OBJECT_PROTECTION_REQUIRED";
         case KM_TAG_USE_SECURE_PROCESSOR:
             return "KM_TAG_USE_SECURE_PROCESSOR";
         default:

jni/core/skeymaster_utils.c

@@ -673,6 +673,11 @@ KM_Result init_key_request(
         goto cleanup;
     }
 
+    if (0 != req->is_exportable && 0 != add_bool_to_param_set(param_set, KM_TAG_KNOX_OBJECT_PROTECTION_REQUIRED)) {
+        LOGE("failed to add %s", "KM_TAG_KNOX_OBJECT_PROTECTION_REQUIRED");
+        goto cleanup;
+    }
+
     if (-1 != req->enc_ver && 0 != add_int_to_param_set(param_set, KM_TAG_EKEY_BLOB_ENC_VER, req->enc_ver)) {
         LOGE("failed to add %s", "KM_TAG_EKEY_BLOB_ENC_VER");
         goto cleanup;