hide sony bootloader unlock status in QSEE api call
This patch forces the bootloader unlock status returned from TrustZone
in the Sony proprietary API to always be "locked".
It does not fix the kernel command line args that are set by the verified
bootloader with unlock-related options and thus does not interfere
with the other Android default verified boot policy.
Instead it only fixes handling in the original Sony DRM blobs, which
can be beneficial particularly if the Sony device (DRM) key has been
restored after unlock.

Without this patch, the following log can be observed:
  libdevice_security_static: get_rooting_status.cpp:80    rooting_status 2
With this patch, the following is logged instead:
  libdevice_security_static: get_rooting_status.cpp:80    rooting_status 1

This patch has been tested in today's build of LOS 17.1 in both TA
partition states, i.e. lost and restored device key.

Please note also that the same API returns the decrypted device key at
offset 0x20 (16 bytes) if it has been restored in the 66667 TA unit.
If the device key has been lost and not restored, 16 zero bytes
are returned at offset 0x20 instead.
That means that this way userspace proprietary libs may actually use
the device key without directly reading it from the TA unit, if the
still-locked flag check is passed (just a theory without reverse
engineering proof).

Change-Id: I4cea5b666377d71fb63d985839d095aa4240fb44
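The response layout the commit message and the patch describe (result word at offset 0, 16 key bytes at 0x20, status byte at 0x30, marker text at 0x31, request identified by the words 0x07 and 0x04), as an added C decoder that also performs the length check the patched kernel handler does not make. This is example code written for this page, not code from the kernel patch, from LineageOS or from Sony's proprietary libraries; the buffer names, the enum and struct names, the "all zero means no key" test, the minimum response length and the constructed sample buffer are assumptions of the example, not facts taken from the blobs.

```c
/*
 * Decoder for the tzxflattest QSEE response as described on this page.
 * Added example; not code from the kernel patch, LineageOS or Sony.
 *
 * Assumed layout (offsets from the commit message and the hunks, names
 * are this example's own):
 *   request : two 32-bit words 0x07, 0x04 identify the status call
 *   response: word 0      result code, 0 == success
 *             bytes 0x20  16-byte decrypted device key, or 16 zero bytes
 *             byte  0x30  bootloader status (0..5, enum below)
 *             bytes 0x31  text beginning with "HWC_Yoshino_Com_"
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define TZX_REQ_WORDS   2
#define TZX_KEY_OFF     0x20
#define TZX_KEY_LEN     16
#define TZX_STATUS_OFF  0x30
#define TZX_MARKER_OFF  0x31
static const char tzx_marker[] = "HWC_Yoshino_Com_";
#define TZX_MARKER_LEN  (sizeof(tzx_marker) - 1)          /* 16   */
#define TZX_RESP_MIN    (TZX_MARKER_OFF + TZX_MARKER_LEN) /* 0x41 */

enum tzx_bl_status {            /* values quoted in the patch comment */
	TZX_NOT_ALLOWED = 0, TZX_LOCKED = 1, TZX_UNLOCKED = 2,
	TZX_ALLOWED_WHEN_SL_UNLOCKED = 3, TZX_ALLOWED_SINCE_SL_UNLOCKED = 4,
	TZX_UNSUPPORTED = 5,
};

struct tzx_info {
	uint8_t bl_status;
	int key_present;             /* 1 if the key bytes are not all zero (assumption) */
	uint8_t key[TZX_KEY_LEN];
};

/* Same request test the patch applies: first two words are 0x07, 0x04. */
int tzx_is_status_request(const uint32_t *req, size_t req_len)
{
	if (req == NULL || req_len < TZX_REQ_WORDS * sizeof(uint32_t))
		return 0;
	return req[0] == 0x07 && req[1] == 0x04;
}

/* Returns 0 and fills *out on success; negative codes name the failure. */
int tzx_parse_response(const uint8_t *rb, size_t rb_len, struct tzx_info *out)
{
	uint32_t result;
	int i;

	if (rb == NULL || out == NULL)
		return -1;
	if (rb_len < TZX_RESP_MIN)
		return -2;              /* the patch reads up to 0x40 without this check */
	memcpy(&result, rb, sizeof(result));
	if (result != 0)
		return -3;
	if (memcmp(rb + TZX_MARKER_OFF, tzx_marker, TZX_MARKER_LEN) != 0)
		return -4;

	memset(out, 0, sizeof(*out));
	out->bl_status = rb[TZX_STATUS_OFF];
	memcpy(out->key, rb + TZX_KEY_OFF, TZX_KEY_LEN);
	for (i = 0; i < TZX_KEY_LEN; i++)
		if (out->key[i] != 0)
			out->key_present = 1;
	return 0;
}

/* What the patch does, bounds-checked: force the status byte to "locked"
 * when the marker matches. Returns 1 if the byte was changed. */
int tzx_force_locked(uint8_t *rb, size_t rb_len)
{
	struct tzx_info info;

	if (tzx_parse_response(rb, rb_len, &info) != 0)
		return 0;
	if (info.bl_status == TZX_LOCKED)
		return 0;
	rb[TZX_STATUS_OFF] = TZX_LOCKED;
	return 1;
}

/* Constructed sample response for offline use; not captured from a device. */
void tzx_build_sample(uint8_t *rb, size_t rb_len, uint8_t status, int with_key)
{
	uint32_t ok = 0;
	int i;

	memset(rb, 0, rb_len);
	memcpy(rb, &ok, sizeof(ok));
	if (with_key)
		for (i = 0; i < TZX_KEY_LEN; i++)
			rb[TZX_KEY_OFF + i] = (uint8_t)(0xA0 + i);
	rb[TZX_STATUS_OFF] = status;
	memcpy(rb + TZX_MARKER_OFF, tzx_marker, TZX_MARKER_LEN);
}
```

tzx_build_sample fabricates a response so the decoder can be exercised without a device; the marker compare uses memcmp with an explicit length after the rb_len check, so a short or truncated response is rejected instead of being read past its end.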
j4nn committed Sep 7, 2020
1 parent 0287a68 commit cae5d25
Showing 1 changed file with 31 additions and 0 deletions.
31 changes: 31 additions & 0 deletions drivers/misc/qseecom.c
Expand Up @@ -3398,6 +3398,8 @@ static int __qseecom_send_cmd(struct qseecom_dev_handle *data,
void *cmd_buf = NULL;
size_t cmd_len;
struct sglist_info *table = data->sglistinfo_ptr;
uint32_t *sb = NULL;
uint32_t *rb = NULL;

reqd_len_sb_in = req->cmd_req_len + req->resp_len;
/* find app_id & img_name from list */
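Review bot: the two new locals `sb` and `rb` are the only uncommented declarations in this function and their names do not say what they hold; add a one-line comment at the declaration (for example `/* kernel-virtual views of the tzxflattest request/response buffers */`) so a reader of the later hunks does not have to search back for where they are set.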
Expand Down Expand Up @@ -3425,6 +3427,19 @@ static int __qseecom_send_cmd(struct qseecom_dev_handle *data,
return -ENOENT;
}

if (!memcmp(data->client.app_name, "tzxflattest", strlen("tzxflattest")))
{
sb = (void *)__qseecom_uvirt_to_kvirt(data,
(uintptr_t)req->cmd_req_buf);
rb = (void *)__qseecom_uvirt_to_kvirt(data,
(uintptr_t)req->resp_buf);
if (sb != NULL)
if (sb[0] != 0x07 || sb[1] != 0x04)
sb = NULL;
if (sb == NULL)
rb = NULL;
}

if (qseecom.qsee_version < QSEE_VERSION_40) {
send_data_req.app_id = data->client.app_id;
send_data_req.req_ptr = (uint32_t)(__qseecom_uvirt_to_kphys(
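Review bot: `sb[0]` and `sb[1]` are read without checking that `req->cmd_req_len` is at least 8 bytes; `__qseecom_uvirt_to_kvirt()` only confirms the start address lies in the shared buffer, so a tzxflattest client that sends a shorter request makes the kernel read past its request. Add `if (sb != NULL && req->cmd_req_len < 2 * sizeof(uint32_t)) sb = NULL;` before the word compare. Also, `memcmp(..., strlen("tzxflattest"))` is a prefix match, so any app name starting with `tzxflattest` is intercepted; use `strcmp` if an exact match is intended. Style: the `{` after the `if` belongs on the same line in kernel code.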
Expand Down Expand Up @@ -3525,6 +3540,22 @@ static int __qseecom_send_cmd(struct qseecom_dev_handle *data,
pr_err("cache operation failed %d\n", ret2);
return ret2;
}

if (sb != NULL && rb != NULL) {
if (rb[0] == 0) {
if (strncmp((uint8_t *)rb + 0x31,
"HWC_Yoshino_Com_", 16) == 0)
{
((uint8_t *)rb)[0x30] = 1;
// 0=not_allowed, 1=locked, 2=unlocked,
// 3=allowed_when_sl_is_unlocked,
// 4=allowed_since_sl_is_unlocked,
// 5=unsupported_bl_status->generic error
// (no info in security test screen "none")
}
}
}

return ret;
}
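Review bot: the write to `rb[0x30]` and the 16-byte compare starting at `rb + 0x31` are done without checking `req->resp_len >= 0x41`, so a client that allocates a smaller response buffer gets a kernel read and write past the end of the memory it mapped; guard with `req->resp_len >= 0x31 + 16` before touching the buffer. The `strncmp((uint8_t *)rb + 0x31, ...)` call also passes an unsigned pointer where `const char *` is expected, which the kernel build flags as a pointer-sign warning; cast to `(const char *)` or use `memcmp`. Finally, the `//` comments describing the status values should be a `/* ... */` block, or better an enum next to the declarations so the magic `1` written here has a name.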
