A great way to contribute to the GrapheneOS projects is installing Auditor on a device that's not already supported (see attestation.app/about#device-s) and submitting sample data from it. See attestation.app/tutorial for instructions on installing the app and expanding device support.
Conversation
Once a valid sample is submitting from a device running the stock OS with a locked bootloader, it quickly becomes supported by Auditor and AttestationServer. The samples are also useful as a basic device survey for other purposes like determining potential targets for GrapheneOS.
1
2
A subset of the sample data which has passed verification is published at github.com/GrapheneOS/Att. It includes the public key certificate chain for both sample TEE and StrongBox keys (which have passed verification and are with stock OS + locked bootloader) and some system props.
1
2
Replying to
I submitted one for a new device, how long does it take to appear? Is it done manually on your side ?
1
Replying to
Yes, I run a script to download and extract the latest samples and verify each. Once that's done, I need to manually integrate support into Auditor and then AttestationServer followed by testing it. You can see a typical example from the most recent case: github.com/GrapheneOS/Aud.
1
1
Devices with a StrongBox Keymaster also get an entry in the StrongBox table: github.com/GrapheneOS/Aud. The need for separate tables could potentially go away, but it's a nice way of organizing it since there are sometimes differences between the TEE and StrongBox-based keystores.
Replying to
The server code putting them in the database is here:
github.com/GrapheneOS/Att
Extract script takes them out of the database and arranges them in the format at github.com/GrapheneOS/Att with the certificate chains in separate files. The filter_props.sh script in there is used too.
1
Show replies