Snapdragon Galaxy Note 10 and Note 10+ are the first non-Pixel devices supported by Auditor with a StrongBox keystore. Samples from the Auditor hardware survey which were used to add support ('Submit sample data' option in menu):
github.com/GrapheneOS/Att
github.com/GrapheneOS/Att
Conversation
It's an HSM-based keystore with far better security than the traditional TEE keystore. On Pixels (3, 3 XL, 3a, 3a XL, 4, 4 XL), the StrongBox keystore is one of the features provided by the Titan M. I assume it's provided via the Snapdragon 855 SPU on the Snapdragon Note 10/10+.
1
1
2
Other Titan M features:
* Weaver, which enforces an exponentially increasing delay for decryption attempts
* Protects state for bootloader lock mode, OS verified boot key / rollback index, factory reset protection
* Insider attack protection (firmware updates require owner auth)
1
2
Devices using the Snapdragon SPU for the StrongBox keymaster could provide similar other features, but they'll probably be missing the neat approach to insider attack protection. Titan M firmware updates can only be done after the owner account is successfully unlocked on boot.
Replying to
Relevant:
Quote Tweet
opensource.googleblog.com/2019/11/openti
I'm curious if this will include an implementation of the Titan M for Pixel phones. It would be awesome if that became a fully open hardware component rather than just open firmware, so it could be added into a future custom GrapheneOS smartphone too.
Show this thread
2