A great way to contribute to the GrapheneOS projects is installing Auditor on a device that's not already supported (see attestation.app/about#device-s) and submitting sample data from it. See attestation.app/tutorial for instructions on installing the app and expanding device support.
Once a valid sample is submitted from a device running the stock OS with a locked bootloader, it quickly becomes supported by Auditor and AttestationServer. The samples are also useful as a basic device survey for other purposes like determining potential targets for GrapheneOS.
A subset of the sample data which has passed verification is published at github.com/GrapheneOS/Att. It includes the public key certificate chain for both sample TEE and StrongBox keys (which have passed verification and are with stock OS + locked bootloader) and some system props.
I submitted one for a new device, how long does it take to appear? Is it done manually on your side?
Yes, I run a script to download and extract the latest samples and verify each. Once that's done, I need to manually integrate support into Auditor and then AttestationServer followed by testing it. You can see a typical example from the most recent case: github.com/GrapheneOS/Aud.
Devices with a StrongBox Keymaster also get an entry in the StrongBox table: github.com/GrapheneOS/Aud. The need for separate tables could potentially go away, but it's a nice way of organizing it since there are sometimes differences between the TEE and StrongBox-based keystores.
The server code putting them in the database is here:
github.com/GrapheneOS/Att
Extract script takes them out of the database and arranges them in the format at github.com/GrapheneOS/Att with the certificate chains in separate files. The filter_props.sh script in there is used too.
I could automate it way more than I currently do. At the moment, I just copy the certificate chains into a special local branch of Auditor and run that to output the relevant data and then test that it works properly. Need to do it for both the TEE and StrongBox certificates.
I think that GM1913 sample was the most recent valid sample submitted. There was also a Mi MIX 2S submission claiming to have a green boot state but the attestation information says that the bootloader isn't locked, so it's either broken or has some kind of rootkit on it.

