From 1f355c5620b7dee92754373e6b15fe6f465c7168 Mon Sep 17 00:00:00 2001
From: BlackMesa123
Date: Sat, 25 May 2024 23:13:03 +0200
Subject: [PATCH] Add KM_TAG_KNOX_OBJECT_PROTECTION_REQUIRED tag

Deprecated since Android 12, when provided with this tag the KeyMaster TA will check for the current trustboot/warranty bit status and refuse any operation if one of these isn't valid (https://github.com/XDABlackMesa123/KnoxPatch/issues/26#issuecomment-1552117599). Due to leftover code, we can apply this tag to bypass the KM_TAG_EXPORTABLE check in the TA. Note that EC and RSA generated keys aren't supported.

Signed-off-by: BlackMesa123
---
 jni/core/skeymaster_defs.h | 1 +
 jni/core/skeymaster_key_params.c | 2 ++
 jni/core/skeymaster_utils.c | 5 +++++
 3 files changed, 8 insertions(+)

diff --git a/jni/core/skeymaster_defs.h b/jni/core/skeymaster_defs.h
index 93967f3..c69abd9 100755
--- a/jni/core/skeymaster_defs.h
+++ b/jni/core/skeymaster_defs.h
@@ -172,6 +172,7 @@ typedef enum keymaster_tag_t {
 KM_TAG_INTEGRITY_FLAGS = 0x300013a7,
 KM_TAG_EXPORTABLE = 0x7000025a,
 KM_TAG_ORIGIN_2 = 0x100002be,
+ KM_TAG_KNOX_OBJECT_PROTECTION_REQUIRED = 0x700007d0, // KM_BOOL | 2000
 KM_TAG_USE_SECURE_PROCESSOR = 0x70000bb8 // KM_BOOL | 3000
 } keymaster_tag_t;
diff --git a/jni/core/skeymaster_key_params.c b/jni/core/skeymaster_key_params.c
index 3ee5a7d..4a28e3a 100755
--- a/jni/core/skeymaster_key_params.c
+++ b/jni/core/skeymaster_key_params.c
@@ -842,6 +842,8 @@ char *get_tag_string(keymaster_tag_t tag)
 return "KM_TAG_EXPORTABLE";
 case KM_TAG_ORIGIN_2:
 return "KM_TAG_ORIGIN_2";
+ case KM_TAG_KNOX_OBJECT_PROTECTION_REQUIRED:
+ return "KM_TAG_KNOX_OBJECT_PROTECTION_REQUIRED";
 case KM_TAG_USE_SECURE_PROCESSOR:
 return "KM_TAG_USE_SECURE_PROCESSOR";
 default:
diff --git a/jni/core/skeymaster_utils.c b/jni/core/skeymaster_utils.c
index 9856e06..8f22ed8 100755
--- a/jni/core/skeymaster_utils.c
+++ b/jni/core/skeymaster_utils.c
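Review bot: The new enum entry in the skeymaster_defs.h hunk only decodes its encoding (`// KM_BOOL | 2000`), so a reader of the header gets no hint that, per the commit message, presenting this tag makes the TA condition every later operation on the trustboot/warranty bit state and that it is deprecated since Android 12. The value itself is consistent with the neighbouring KM_BOOL tag (0x70000bb8 is KM_BOOL | 3000, so KM_BOOL | 2000 is 0x700007d0) and the matching get_tag_string case in the skeymaster_key_params.c hunk returns the same spelling, so no code change is needed there. Suggest extending the trailing comment: `KM_TAG_KNOX_OBJECT_PROTECTION_REQUIRED = 0x700007d0, // KM_BOOL | 2000; deprecated since Android 12, TA also checks trustboot/warranty bits on every use`.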
@@ -673,6 +673,11 @@ KM_Result init_key_request( goto cleanup; } + if (0 != req->is_exportable && 0 != add_bool_to_param_set(param_set, KM_TAG_KNOX_OBJECT_PROTECTION_REQUIRED)) { + LOGE("failed to add %s", "KM_TAG_KNOX_OBJECT_PROTECTION_REQUIRED"); + goto cleanup; + } + if (-1 != req->enc_ver && 0 != add_int_to_param_set(param_set, KM_TAG_EKEY_BLOB_ENC_VER, req->enc_ver)) { LOGE("failed to add %s", "KM_TAG_EKEY_BLOB_ENC_VER"); goto cleanup;
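Review bot: The new block attaches KM_TAG_KNOX_OBJECT_PROTECTION_REQUIRED whenever `req->is_exportable` is non-zero but records nothing about why the two are paired, and the commit message's caveats (the TA refuses any operation once the trustboot/warranty bits are not valid; generated EC/RSA keys are unsupported) are invisible at this line, so a later TA rejection of such a key would be hard to trace back here. There is also no key-type guard, so the tag is still added in the EC/RSA case the commit calls unsupported; if `req` carries the algorithm, failing fast at this point would be clearer than a late TA error, though I can't see from the hunk whether it does. Suggested comment above the new `if`: `/* Companion to KM_TAG_EXPORTABLE: with this (deprecated) tag present the TA does not enforce its export check, but it then also verifies trustboot/warranty state on every use of the key. Not supported for generated EC/RSA keys. */`. init_key_request begins and ends outside the hunk.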