init: Check for fastbootd before spoofing safetynet props

The real prop values must be retained in recovery/fastbootd in order for fastbootd to allow/deny flashing correctly based on the bootloader lock state. This is accomplished by checking androidboot keys in the kernel cmdline and bootconfig (necessary on Pixel 6), and not spoofing anything if the boot isn't a normal full-blown Android boot. @jhenrique09 - Adapt to PE Change-Id: I8795b16a90eea4e5a03f64a7a56478f01144256b Signed-off-by: Dmitrii <bankersenator@gmail.com>
2020-10-07 00:24:54 -07:00 · 2020-10-07 00:24:54 -07:00 · c82d044828
commit c82d044828
parent 9e3b852283
1 changed files with 32 additions and 6 deletions
--- a/init/property_service.cpp
+++ b/init/property_service.cpp
@ -875,6 +875,8 @@ static void load_override_properties() {
    }
 }

+constexpr auto ANDROIDBOOT_MODE = "androidboot.mode"sv;
+
 static const char *snet_prop_key[] = {
    "ro.boot.vbmeta.device_state",
    "ro.boot.verifiedbootstate",
@ -930,17 +932,41 @@ static const char *snet_prop_value[] = {
 static void workaround_snet_properties() {
    std::string build_type = android::base::GetProperty("ro.build.type", "");

+    // Check whether this is a normal boot, and whether the bootloader is actually locked
+    auto isNormalBoot = true; // no prop = normal boot
+    // This runs before keys are set as props, so we need to process them ourselves.
+    ImportKernelCmdline([&](const std::string& key, const std::string& value) {
+        if (key == ANDROIDBOOT_MODE && value != "normal") {
+            isNormalBoot = false;
+        }
+    });
+    ImportBootconfig([&](const std::string& key, const std::string& value) {
+        if (key == ANDROIDBOOT_MODE && value != "normal") {
+            isNormalBoot = false;
+        }
+    });
+
+    // Bail out if this is recovery, fastbootd, or anything other than a normal boot.
+    // fastbootd, in particular, needs the real values so it can allow flashing on
+    // unlocked bootloaders.
+    if (!isNormalBoot) {
+        return;
+    }
+
+    // Exit if eng build
+    if (build_type == "eng") {
+        return;
+    }
+
    // Weaken property override security to set safetynet props
    weaken_prop_override_security = true;

    std::string error;

-    // Hide all sensitive props if not eng build
-    if (build_type != "eng") {
-        LOG(INFO) << "snet: Hiding sensitive props";
-        for (int i = 0; snet_prop_key[i]; ++i) {
-            PropertySetNoSocket(snet_prop_key[i], snet_prop_value[i], &error);
-        }
+    // Hide all sensitive props 
+    LOG(INFO) << "snet: Hiding sensitive props";
+    for (int i = 0; snet_prop_key[i]; ++i) {
+        PropertySetNoSocket(snet_prop_key[i], snet_prop_value[i], &error);
    }

    // Extra pops