Snapdragon Galaxy Note 10 and Note 10+ are the first non-Pixel devices supported by Auditor with a StrongBox keystore. Samples from the Auditor hardware survey that were used to add support ('Submit sample data' option in the menu):
github.com/GrapheneOS/Att
It's an HSM-based keystore with far better security than the traditional TEE keystore. On Pixels (3, 3 XL, 3a, 3a XL, 4, 4 XL), the StrongBox keystore is one of the features provided by the Titan M. I assume it's provided via the Snapdragon 855 SPU on the Snapdragon Note 10/10+.
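What "supported with a StrongBox keystore" comes down to on the verifier side is checking the security level recorded in the key attestation extension (OID 1.3.6.1.4.1.11129.2.1.17) of the attested key's certificate. The following is an added example, not code from the Auditor app or from GrapheneOS: it builds a KeyDescription structure with a minimal DER encoder, parses it back, and accepts the key only when both the attestation and the keymaster security level are StrongBox. The DER bytes it produces are constructed for the example; the field layout follows the documented Android KeyDescription schema, and the two AuthorizationList sequences are left empty.

```python
# Added example (not code from the Auditor app or GrapheneOS): build and parse the
# KeyDescription structure of the Android key attestation extension
# (OID 1.3.6.1.4.1.11129.2.1.17) and check whether the key lives in StrongBox.
# The DER bytes produced here are constructed for the example, not a real attestation.

KEY_ATTESTATION_OID = "1.3.6.1.4.1.11129.2.1.17"

# SecurityLevel ENUMERATED values from the attestation schema.
SECURITY_LEVELS = {0: "Software", 1: "TrustedEnvironment", 2: "StrongBox"}

# --- minimal DER encoder (enough for the fields used below) ---------------------

def _der_length(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _der(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_length(len(body)) + body

def _der_int(value: int, tag: int = 0x02) -> bytes:
    # Non-negative INTEGER (0x02) or ENUMERATED (0x0A); pad if the top bit is set.
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return _der(tag, body)

def build_key_description(attestation_version: int, attestation_level: int,
                          keymaster_version: int, keymaster_level: int,
                          challenge: bytes) -> bytes:
    # KeyDescription ::= SEQUENCE { attestationVersion INTEGER,
    #   attestationSecurityLevel SecurityLevel, keymasterVersion INTEGER,
    #   keymasterSecurityLevel SecurityLevel, attestationChallenge OCTET STRING,
    #   uniqueId OCTET STRING, softwareEnforced AuthorizationList,
    #   teeEnforced AuthorizationList }
    # Both AuthorizationList SEQUENCEs are left empty in this constructed sample.
    return _der(0x30,
                _der_int(attestation_version) + _der_int(attestation_level, 0x0A)
                + _der_int(keymaster_version) + _der_int(keymaster_level, 0x0A)
                + _der(0x04, challenge) + _der(0x04, b"")
                + _der(0x30, b"") + _der(0x30, b""))

# --- minimal DER decoder -------------------------------------------------------

def _read_tlv(buf: bytes, pos: int):
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:end], end

def parse_key_description(der_bytes: bytes) -> dict:
    tag, body, end = _read_tlv(der_bytes, 0)
    if tag != 0x30 or end != len(der_bytes):
        raise ValueError("KeyDescription must be a single SEQUENCE")
    fields, pos = [], 0
    while pos < len(body):
        t, v, pos = _read_tlv(body, pos)
        fields.append((t, v))
    expected = [0x02, 0x0A, 0x02, 0x0A, 0x04, 0x04, 0x30, 0x30]
    if [t for t, _ in fields[:8]] != expected:
        raise ValueError("unexpected KeyDescription layout")
    ints = [int.from_bytes(v, "big") for _, v in fields[:4]]
    return {
        "attestationVersion": ints[0],
        "attestationSecurityLevel": SECURITY_LEVELS.get(ints[1], f"unknown({ints[1]})"),
        "keymasterVersion": ints[2],
        "keymasterSecurityLevel": SECURITY_LEVELS.get(ints[3], f"unknown({ints[3]})"),
        "attestationChallenge": fields[4][1],
    }

def is_strongbox(desc: dict) -> bool:
    # Both the attestation itself and the keymaster holding the key must report
    # StrongBox; a TEE-level attestation is not treated as StrongBox-backed.
    return (desc["attestationSecurityLevel"] == "StrongBox"
            and desc["keymasterSecurityLevel"] == "StrongBox")

if __name__ == "__main__":
    sample = build_key_description(3, 2, 4, 2, b"server-challenge")
    desc = parse_key_description(sample)
    print(desc, is_strongbox(desc))
```

In a real verifier the KeyDescription bytes come from the OCTET STRING value of the extension with the OID above in the leaf certificate of the attestation chain, and the challenge must match the nonce the verifier issued; the decoder here deliberately requires the exact field order of the schema rather than skipping unknown tags.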
Other Titan M features:
* Weaver, which enforces an exponentially increasing delay for decryption attempts
* Protects state for bootloader lock mode, OS verified boot key / rollback index, factory reset protection
* Insider attack protection (firmware updates require owner auth)
Devices using the Snapdragon SPU for the StrongBox keymaster could provide similar other features, but they'll probably be missing the neat approach to insider attack protection. Titan M firmware updates can only be done after the owner account is successfully unlocked on boot.
Relevant:
opensource.googleblog.com/2019/11/openti
I'm curious if this will include an implementation of the Titan M for Pixel phones. It would be awesome if that became a fully open hardware component rather than just open firmware, so it could be added into a future custom GrapheneOS smartphone too.