Conversation

This is really awesome:

Quote Tweet

Ryan Hurst

@rmhrisk

Oct 28, 2021

Pixel now supports Binary Transparency! wired.com/story/google-p

Show this thread

Replying to

It is very cool, would love to see the details - especially how they protect against an attacker causing the device to display the expected hashes.

Replying to

Exactly what I was wondering also... maybe hashes are emitted by low-level ROM?

Replying to

and

It's extremely likely that it's based on the verifiedBootHash from key attestation. Key attestation also might be getting extended to cover firmware attestation better. Our Auditor app provides support for obtaining that both locally and via our attestation.app service.

attestation.app

Device integrity monitoring

Hardware-based remote attestation service for monitoring the security of Android devices using the Auditor app.

7:00 PM · Oct 29, 2021Twitter Web App

Replying to

and

See developer.android.com/training/artic for information about key attestation. It hasn't been updated for the latest revisions though. v3 already wasn't the latest. 5th generation Pixels launched with v4 attestation. So just bear in mind that already wasn't fully up-to-date/complete docs.

developer.android.com

Verifying hardware-backed key pairs with Key Attestation | Android Developers

A tool for verifying security properties of hardware-backed key pairs.

Replying to

and

Can see we have the verified boot hash in the local (Auditor) and remote (attestation.app) verification output for Auditor. If they've expanded the information from key attestation, we'll be able to provide more. The verified device information section is from hardware.

read image description

ALT

Remote Auditor verification output from https://attestation.app/. Includes verified device information with the verified boot hash.

read image description

ALT

Show replies