zlacker

[parent] [thread] 2 comments
1. fabric+(OP)[view] [source] 2023-07-21 18:54:22
No, it's similar to attestation APIs like android SafetyNet (now called Play Integrity API) that are used to check that "your ROM is valid according to Google".

Secure boot can protect you eg. against malware gaining write access and modifying your system. I see it as user protection, as long as you can sign the trust chain. This is what GrapheneOS is doing as far as I know.

replies(1): >>wzdd+xh
2. wzdd+xh[view] [source] 2023-07-21 20:11:51
>>fabric+(OP)
A trust chain beginning at the bootloader is what will ultimately enable this API, though, because that's what SafetyNet/Play Integrity API relies on. If you don't have a locked bootloader, or you're not running stock Android, you won't pass SafetyNet/Play Integrity (at least the higher tiers of it).

To take your GrapheneOS example, apps wishing to support it must add GrapheneOS keys: https://grapheneos.org/articles/attestation-compatibility-gu...

If this proposal goes ahead, it's unlikely that you'll be able to convince site owners and/or ad networks to add the keys of your open source OS.

replies(1): >>fabric+oR
◧◩
3. fabric+oR[view] [source] [discussion] 2023-07-21 23:10:16
>>wzdd+xh
I don't disagree with you, but let's not throw away secure boot because Google found a way to ruin it!
[go to top]