Daniel Micay on Twitter: "@johnregehr Information passed to the hardware-backed keystore, which is part of what Auditor uses via attestation: https://t.co/xkjJ3sHHuJ Verified boot state display, including the fingerprint: https://t.co/WQWHVxYoqj It sure would be nice to have a first party GrapheneOS device..." / Twitter

UBSan support in Qualcomm's EDK2-based UEFI bootloader: source.codeaurora.org/quic/la/abl/ti SafeStack: source.codeaurora.org/quic/la/abl/ti Amusing how the response to a stack overflow detected by SSP on the unsafe stack is to loop forever... but I guess a watchdog triggers a reboot.

@johnregehr

2

11

Daniel Micay

@DanielMicay

Information passed to the hardware-backed keystore, which is part of what Auditor uses via attestation: source.codeaurora.org/quic/la/abl/ti Verified boot state display, including the fingerprint: source.codeaurora.org/quic/la/abl/ti It sure would be nice to have a first party GrapheneOS device...

12:02 AM · Sep 28, 2019Twitter Web App

Replying to

and

Simply having the resources to produce a device based on the reference platform with minor tweaks would be great. This code would all be in scope for hardening, and the project would control the boot chain, TEE, SE, etc. GrapheneOS keys would be flashed to the fuses for the fw.

2

Replying to

and

I’ve done this for a non-cellular device - I would not want to deal with cellular cert / Technical Approvals though. Might be interesting to do XBLSEC + LinuxBoot rather than try to secure the rest of EDK2 though

1

Conversation