From e3f2c1238c79a7d7ac3d98f42006cfa386b566f6 Mon Sep 17 00:00:00 2001
From: Mitch Phillips
Date: Tue, 27 Feb 2024 09:29:46 +0000
Subject: [PATCH] Disable MTE on certain system processes that have it enabled by default

A bunch of stuff in build/make/target/product/memtag-common.mk is specified has having MTE by default, in order to ensure that OEMs that have MTE-capable devices get a default level of MTE on security sensitive processes. For now, on these devices, ensure that devices that enable MTE through the developer toggle (or the bootloader cmdline) only have the zygote with MTE.

Bug: 327060622
Change-Id: Ibb6d4fba7915c8556ebe9a303d38f7c642ad8fe9
Test: I do not have a device to test with - but follow the instructions at b/327060622
---
 device-ripcurrent24.mk | 11 +++++++++++
 device-ripcurrentpro.mk | 12 ++++++++++++
 2 files changed, 23 insertions(+)

diff --git a/device-ripcurrent24.mk b/device-ripcurrent24.mk
index 37d67c53..f6970e68 100644
--- a/device-ripcurrent24.mk
+++ b/device-ripcurrent24.mk
@@ -241,3 +241,14 @@ PRODUCT_VENDOR_PROPERTIES += \
 # PKVM Memory Reclaim
 PRODUCT_VENDOR_PROPERTIES += \
 hypervisor.memory_reclaim.supported=1
+
+# Indicate that the bootloader supports the MTE developer option switch
+# (MISC_MEMTAG_MODE_MEMTAG_ONCE), with the exception of _fullmte products that
+# force enable MTE.
+ifeq (,$(filter %_fullmte,$(TARGET_PRODUCT)))
+PRODUCT_PRODUCT_PROPERTIES += ro.arm64.memtag.bootctl_supported=1
+PRODUCT_PRODUCT_PROPERTIES += persist.arm64.memtag.app.com.android.se=off
+PRODUCT_PRODUCT_PROPERTIES += persist.arm64.memtag.app.com.google.android.bluetooth=off
+PRODUCT_PRODUCT_PROPERTIES += persist.arm64.memtag.app.com.android.nfc=off
+PRODUCT_PRODUCT_PROPERTIES += persist.arm64.memtag.system_server=off
+endif
diff --git a/device-ripcurrentpro.mk b/device-ripcurrentpro.mk
index 26a9120d..4c927241 100644
--- a/device-ripcurrentpro.mk
+++ b/device-ripcurrentpro.mk
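Review bot: The comment added above the `ifeq` explains only the `ro.arm64.memtag.bootctl_supported=1` line; the four `persist.arm64.memtag.*=off` lines that follow turn MTE off for system_server and the SE, Bluetooth and NFC processes, and the reason (keeping only the zygote MTE-enabled when the developer toggle or bootloader cmdline turns MTE on) is stated only in the commit message. I would put a second comment ahead of those lines, e.g. `# When MTE is enabled via the developer toggle, keep it on the zygote only: opt out the processes that memtag-common.mk enables by default (b/327060622).`, so a later reader does not take the opt-outs for an accidental hardening regression. Whether this list covers every process that memtag-common.mk enables by default cannot be checked from the patch, which is another reason to name that file in the comment. The same block is pasted verbatim into device-ripcurrentpro.mk in the second hunk (which also adds a trailing blank line this one does not); a single shared .mk included from both device files would keep the two lists from drifting.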
@@ -241,3 +241,15 @@ PRODUCT_VENDOR_PROPERTIES += \
 # PKVM Memory Reclaim
 PRODUCT_VENDOR_PROPERTIES += \
 hypervisor.memory_reclaim.supported=1
+
+# Indicate that the bootloader supports the MTE developer option switch
+# (MISC_MEMTAG_MODE_MEMTAG_ONCE), with the exception of _fullmte products that
+# force enable MTE.
+ifeq (,$(filter %_fullmte,$(TARGET_PRODUCT)))
+PRODUCT_PRODUCT_PROPERTIES += ro.arm64.memtag.bootctl_supported=1
+PRODUCT_PRODUCT_PROPERTIES += persist.arm64.memtag.app.com.android.se=off
+PRODUCT_PRODUCT_PROPERTIES += persist.arm64.memtag.app.com.google.android.bluetooth=off
+PRODUCT_PRODUCT_PROPERTIES += persist.arm64.memtag.app.com.android.nfc=off
+PRODUCT_PRODUCT_PROPERTIES += persist.arm64.memtag.system_server=off
+endif
+