Evolution-X-Tensor/device_google_caimito
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Disable MTE on certain system processes that have it enabled by default

Browse source 
A bunch of stuff in build/make/target/product/memtag-common.mk is specified has having MTE by default, in order to ensure that OEMs that have MTE-capable devices get a default level of MTE on security sensitive processes.

For now, on these devices, ensure that devices that enable MTE through the developer toggle (or the bootloader cmdline) only have the zygote with MTE.

Bug: 327060622
Change-Id: Ibb6d4fba7915c8556ebe9a303d38f7c642ad8fe9
Test: I do not have a device to test with - but follow the instructions at b/327060622
This commit is contained in:
Mitch Phillips 2024-02-27 09:29:46 +00:00
parent e4c0d822f3
commit e3f2c1238c
2 changed files with 23 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

11
device-ripcurrent24.mk
View file

@ -241,3 +241,14 @@ PRODUCT_VENDOR_PROPERTIES += \
# PKVM Memory Reclaim # PKVM Memory Reclaim
PRODUCT_VENDOR_PROPERTIES += \ PRODUCT_VENDOR_PROPERTIES += \
hypervisor.memory_reclaim.supported=1 hypervisor.memory_reclaim.supported=1
# Indicate that the bootloader supports the MTE developer option switch
# (MISC_MEMTAG_MODE_MEMTAG_ONCE), with the exception of _fullmte products that
# force enable MTE.
ifeq (,$(filter %_fullmte,$(TARGET_PRODUCT)))
PRODUCT_PRODUCT_PROPERTIES += ro.arm64.memtag.bootctl_supported=1
PRODUCT_PRODUCT_PROPERTIES += persist.arm64.memtag.app.com.android.se=off
PRODUCT_PRODUCT_PROPERTIES += persist.arm64.memtag.app.com.google.android.bluetooth=off
PRODUCT_PRODUCT_PROPERTIES += persist.arm64.memtag.app.com.android.nfc=off
PRODUCT_PRODUCT_PROPERTIES += persist.arm64.memtag.system_server=off
endif

12
device-ripcurrentpro.mk
View file

@ -241,3 +241,15 @@ PRODUCT_VENDOR_PROPERTIES += \
# PKVM Memory Reclaim # PKVM Memory Reclaim
PRODUCT_VENDOR_PROPERTIES += \ PRODUCT_VENDOR_PROPERTIES += \
hypervisor.memory_reclaim.supported=1 hypervisor.memory_reclaim.supported=1
# Indicate that the bootloader supports the MTE developer option switch
# (MISC_MEMTAG_MODE_MEMTAG_ONCE), with the exception of _fullmte products that
# force enable MTE.
ifeq (,$(filter %_fullmte,$(TARGET_PRODUCT)))
PRODUCT_PRODUCT_PROPERTIES += ro.arm64.memtag.bootctl_supported=1
PRODUCT_PRODUCT_PROPERTIES += persist.arm64.memtag.app.com.android.se=off
PRODUCT_PRODUCT_PROPERTIES += persist.arm64.memtag.app.com.google.android.bluetooth=off
PRODUCT_PRODUCT_PROPERTIES += persist.arm64.memtag.app.com.android.nfc=off
PRODUCT_PRODUCT_PROPERTIES += persist.arm64.memtag.system_server=off
endif