Android key attestation v3 has a few nice additions:
* vendorPatchLevel and bootPatchLevel: since Treble lets them be updated independently
* verifiedBootHash: digest of all data protected by Verified Boot, which is android.googlesource.com/platform/exter for AVB
* fields for 9.0 keystore APIs
Conversation
It's still not perfect for the use case in my Auditor app due to the lack of a good way to support strong pairing. Need a way to properly chain trust from an initial key and attestation to fresh ones. There are a few ways it could be supported and it's unclear what would be best.