drop support for obsolete deny new USB setting
This was replaced by our newer generation USB-C port and pogo pins. The
software USB enforcement was extended to USB gadget mode in addition to
USB peripherals, and the feature is now based mainly on hardware-level
enforcement for USB-C and pogo pins, eliminating far more attack surface.

Checking the value of the new setting will require creating an SELinux
domain for Auditor to allow it to read the new property.
thestinger committed Sep 27, 2024
1 parent 4d62bb9 commit 444f5d4
Showing 2 changed files with 3 additions and 16 deletions.
18 changes: 3 additions & 15 deletions app/src/main/java/app/attestation/auditor/AttestationProtocol.java
Expand Up @@ -204,7 +204,7 @@ class AttestationProtocol {
private static final int OS_ENFORCED_FLAGS_ADB_ENABLED = 1 << 3;
private static final int OS_ENFORCED_FLAGS_ADD_USERS_WHEN_LOCKED = 1 << 4;
private static final int OS_ENFORCED_FLAGS_ENROLLED_BIOMETRICS = 1 << 5;
private static final int OS_ENFORCED_FLAGS_DENY_NEW_USB = 1 << 6;
private static final int OS_ENFORCED_FLAGS_DENY_NEW_USB = 1 << 6; // obsolete
private static final int OS_ENFORCED_FLAGS_DEVICE_ADMIN_NON_SYSTEM = 1 << 7;
private static final int OS_ENFORCED_FLAGS_OEM_UNLOCK_ALLOWED = 1 << 8;
private static final int OS_ENFORCED_FLAGS_SYSTEM_USER = 1 << 9;
Expand All @@ -215,7 +215,6 @@ class AttestationProtocol {
OS_ENFORCED_FLAGS_ADB_ENABLED |
OS_ENFORCED_FLAGS_ADD_USERS_WHEN_LOCKED |
OS_ENFORCED_FLAGS_ENROLLED_BIOMETRICS |
OS_ENFORCED_FLAGS_DENY_NEW_USB |
OS_ENFORCED_FLAGS_DEVICE_ADMIN_NON_SYSTEM |
OS_ENFORCED_FLAGS_OEM_UNLOCK_ALLOWED |
OS_ENFORCED_FLAGS_SYSTEM_USER;
Expand Down Expand Up @@ -951,7 +950,7 @@ private static VerificationResult verify(final Context context, final byte[] fin
final boolean accessibility, final boolean deviceAdmin,
final boolean deviceAdminNonSystem, final boolean adbEnabled,
final boolean addUsersWhenLocked, final boolean enrolledBiometrics,
final boolean denyNewUsb, final boolean oemUnlockAllowed, final boolean systemUser)
final boolean oemUnlockAllowed, final boolean systemUser)
throws GeneralSecurityException, IOException {
final String fingerprintHex = BaseEncoding.base16().encode(fingerprint);
final byte[] currentFingerprint = getFingerprint(attestationCertificates[0]);
Expand Down Expand Up @@ -1122,8 +1121,6 @@ private static VerificationResult verify(final Context context, final byte[] fin
toYesNoString(context, adbEnabled)));
osEnforced.append(context.getString(R.string.add_users_when_locked,
toYesNoString(context, addUsersWhenLocked)));
osEnforced.append(context.getString(R.string.deny_new_usb,
toYesNoString(context, denyNewUsb)));
osEnforced.append(context.getString(R.string.oem_unlock_allowed,
toYesNoString(context, oemUnlockAllowed)));
osEnforced.append(context.getString(R.string.system_user,
Expand Down Expand Up @@ -1219,7 +1216,6 @@ static VerificationResult verifySerialized(final Context context, final byte[] a
final boolean adbEnabled = (osEnforcedFlags & OS_ENFORCED_FLAGS_ADB_ENABLED) != 0;
final boolean addUsersWhenLocked = (osEnforcedFlags & OS_ENFORCED_FLAGS_ADD_USERS_WHEN_LOCKED) != 0;
final boolean enrolledBiometrics = (osEnforcedFlags & OS_ENFORCED_FLAGS_ENROLLED_BIOMETRICS) != 0;
final boolean denyNewUsb = (osEnforcedFlags & OS_ENFORCED_FLAGS_DENY_NEW_USB) != 0;
final boolean oemUnlockAllowed = (osEnforcedFlags & OS_ENFORCED_FLAGS_OEM_UNLOCK_ALLOWED) != 0;
final boolean systemUser = (osEnforcedFlags & OS_ENFORCED_FLAGS_SYSTEM_USER) != 0;

Expand All @@ -1237,8 +1233,7 @@ static VerificationResult verifySerialized(final Context context, final byte[] a
final byte[] challenge = Arrays.copyOfRange(challengeMessage, 1 + RANDOM_TOKEN_LENGTH, 1 + RANDOM_TOKEN_LENGTH * 2);
return verify(context, fingerprint, challenge, deserializer.asReadOnlyBuffer(), signature,
certificates, userProfileSecure, accessibility, deviceAdmin, deviceAdminNonSystem,
adbEnabled, addUsersWhenLocked, enrolledBiometrics, denyNewUsb, oemUnlockAllowed,
systemUser);
adbEnabled, addUsersWhenLocked, enrolledBiometrics, oemUnlockAllowed, systemUser);
}

static class AttestationResult {
Expand Down Expand Up @@ -1433,10 +1428,6 @@ static AttestationResult generateSerialized(final Context context, final byte[]
final boolean addUsersWhenLocked = Settings.Global.getInt(context.getContentResolver(),
ADD_USERS_WHEN_LOCKED, 0) != 0;

final String denyNewUsbValue =
SystemProperties.get("persist.security.deny_new_usb", "disabled");
final boolean denyNewUsb = !denyNewUsbValue.equals("disabled");

final String oemUnlockAllowedValue = SystemProperties.get("sys.oem_unlock_allowed", "0");
final boolean oemUnlockAllowed = oemUnlockAllowedValue.equals("1");

Expand Down Expand Up @@ -1487,9 +1478,6 @@ static AttestationResult generateSerialized(final Context context, final byte[]
if (enrolledBiometrics) {
osEnforcedFlags |= OS_ENFORCED_FLAGS_ENROLLED_BIOMETRICS;
}
if (denyNewUsb) {
osEnforcedFlags |= OS_ENFORCED_FLAGS_DENY_NEW_USB;
}
if (oemUnlockAllowed) {
osEnforcedFlags |= OS_ENFORCED_FLAGS_OEM_UNLOCK_ALLOWED;
}
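Review bot: Dropping `OS_ENFORCED_FLAGS_DENY_NEW_USB` from the combined flag mask in the `@@ -215,7 +215,6 @@` hunk changes how bit 6 is treated for Auditee builds that predate this commit and still set it: if that mask is used to reject unrecognized flag bits, those attestations now fail verification rather than merely omitting the line from the report, whereas if it only drives display the bit is silently ignored. The mask's declaration and the code consuming it sit outside the hunk, so I cannot tell which case applies; if rejection is the effect, it is worth calling out in the commit message as a deliberate forced-upgrade for older Auditee versions. Separately, the kept constant should state why it survives so nobody recycles the bit, e.g. `private static final int OS_ENFORCED_FLAGS_DENY_NEW_USB = 1 << 6; // obsolete: keep reserved, older Auditee versions still set this bit`.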
1 change: 0 additions & 1 deletion app/src/main/res/values/strings.xml
Expand Up @@ -84,7 +84,6 @@
<string name="device_admin_non_system">yes, with non-system apps</string>
<string name="adb_enabled">Android Debug Bridge enabled: %s\n</string>
<string name="add_users_when_locked">Add users from lock screen: %s\n</string>
<string name="deny_new_usb">Deny new USB peripherals when locked: %s\n</string>
<string name="oem_unlock_allowed">OEM unlocking allowed: %s\n</string>
<string name="system_user">Main user account: %s\n</string>

