Snapdragon provides an on-die secure element these days too: Qualcomm SPU. Compared to the Titan M, I think it's missing a secure timer (for Weaver) and likely also support for insider attack protection (requiring owner account login to upgrade firmware without wiping first).
For Qualcomm devices, I'd guess that what they would be doing is making TPM firmware for the SPU, similar to how Qualcomm has firmware providing StrongBox and other APIs used by Android. It would be nice if they added those 2 missing features that the Titan M provides though.
That's where the secure timer fits into it: it provides exponentially increasing throttling for decryption attempts. Owner profile also uses a separate API to authenticate with the security chip which needs to happen before it will accept a firmware upgrade without wiping first.
Most of what the Titan M provides is the StrongBox keymaster implementation which is an HSM implementation of Android's traditional keystore API. Qualcomm SPU has a full implementation of that too. Apps simply need to use supported algorithms and call setIsStrongBoxBacked(true).
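
Added example, not part of the thread above: one way an app can request a StrongBox-backed key through the Android keystore API with `setIsStrongBoxBacked(true)`, using an algorithm StrongBox supports (ECDSA P-256 with SHA-256). The class name `StrongBoxKeys`, the `alias` argument and the `allowTeeFallback` flag are hypothetical; the code assumes API level 28 or later.

```java
import android.content.pm.PackageManager;
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyProperties;
import android.security.keystore.StrongBoxUnavailableException;

import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.spec.ECGenParameterSpec;

// Hypothetical helper class (name is illustrative, not from the thread).
public final class StrongBoxKeys {
    private StrongBoxKeys() {}

    /** True when the device declares a StrongBox keystore (secure element). */
    public static boolean hasStrongBox(PackageManager pm) {
        return pm.hasSystemFeature(PackageManager.FEATURE_STRONGBOX_KEYSTORE);
    }

    /**
     * Generates a non-exportable ECDSA P-256 signing key under the given alias.
     * StrongBox is requested first. If the secure element is missing or rejects
     * the parameters, the key is only created in the regular hardware-backed
     * keystore when the caller explicitly allows that weaker placement.
     */
    public static KeyPair generateSigningKey(String alias, boolean allowTeeFallback)
            throws GeneralSecurityException {
        try {
            return generate(alias, true);
        } catch (StrongBoxUnavailableException e) {
            if (!allowTeeFallback) {
                throw e; // fail closed: caller requires the secure element
            }
            return generate(alias, false);
        }
    }

    private static KeyPair generate(String alias, boolean strongBox)
            throws GeneralSecurityException {
        KeyGenParameterSpec spec = new KeyGenParameterSpec.Builder(
                alias, KeyProperties.PURPOSE_SIGN | KeyProperties.PURPOSE_VERIFY)
                .setAlgorithmParameterSpec(new ECGenParameterSpec("secp256r1"))
                .setDigests(KeyProperties.DIGEST_SHA256)
                .setIsStrongBoxBacked(strongBox) // the call named in the thread
                .build();
        KeyPairGenerator kpg = KeyPairGenerator.getInstance(
                KeyProperties.KEY_ALGORITHM_EC, "AndroidKeyStore");
        kpg.initialize(spec);
        return kpg.generateKeyPair();
    }
}
```

Passing `allowTeeFallback = false` makes key generation fail on devices without a StrongBox implementation instead of silently producing a key outside the secure element.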