Conversation

Daniel Micay

@DanielMicay

·

Dec 2, 2021

Detailed thread about a substantial improvement for pinning-based hardware attestation in Android 12: https://twitter.com/GrapheneOS/status/1466444996224106499… This will make the hardware-based attestation used by the GrapheneOS Auditor app substantially more secure due to per-instance attestation signing keys.

Quote Tweet

GrapheneOS

@GrapheneOS

·

Dec 2, 2021

It will otherwise work the same way as before. Each Auditee will still make a persistent hardware-backed key for each Auditor and then a temporary fresh key for each subsequent verification. Hardware attestation information will be far better secured via per-instance pinning.

Show this thread

1

1

4

Daniel Micay

@DanielMicay

Android's hardware attestation was originally designed around verification via the attestation root of trust. Each TEE and secure element has batch keys chaining to root of trust. Now you'll be able to generate your own attest keys chaining to the batch key to improve pinning.

4:47 PM · Dec 2, 2021·Twitter Web App

2

Likes