GrapheneOSMar 16

Android provides a standard hardware attestation system with support for alternate operating systems via allowing their verified boot key fingerprints. It's mainly used with Google's root of trust and remote key provisioning service but the API supports alternative roots of trust.

Volla's Unified Attestation is fully built on Android's hardware attestation API. It solely exists to create a centralized authority and service determining what's allowed under their control.

https://mastodon.social/@volla/116238706890314617

Show threadLinus KardellMar 23

@GrapheneOS

>Android provides a standard hardware attestation system with support for alternate operating systems via allowing their verified boot key fingerprints.

Wouldn't that require every app to separately whitelist every OS?

Show threadGrapheneOS
@LaggyKar No, it's entirely possible to distribute a signed list of trusted roots and verified boot keys from one or more organizations. The proper approach to implementing a third party certification system for devices and operating systems would be directly using the Android hardware attestation API and distributing signed data for use with it. This would enable using multiple sources of that data and not being locked into it. An organization doing certification should still be neutral.
Mar 23 at 7:12pmWeb
Show threadAndromxda πŸ‡ΊπŸ‡¦πŸ‡΅πŸ‡ΈπŸ‡ΉπŸ‡ΌMar 24

@GrapheneOS Why don't you build a small, non-exclusive library for supporting GrapheneOS via the approach described on https://grapheneos.org/articles/attestation-compatibility-guide

That way app developers wouldn't have to add new verified boot hashes every time support for a new device is added by GrapheneOS. They would simply have to update that one dependency.

GrapheneOS attestation compatibility guide

Guide on using remote attestation in a way that's compatible with GrapheneOS.

GrapheneOS