security/hakurei.app
security/hakurei.app
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 4 Wiki Activity

Auditor as example to use for hardware attestation

Browse Source
This commit is contained in:
Daniel Micay 2023-02-16 09:36:56 -05:00
parent 7ad211f93b
commit 9499523268
1 changed files with 9 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
static/articles/attestation-compatibility-guide.html
View File

@ -74,6 +74,15 @@
with hardware attestation and fall back to the Play Integrity API or do both and with hardware attestation and fall back to the Play Integrity API or do both and
accept either passing as success.</p> accept either passing as success.</p>
<p>Our <a href="https://github.com/GrapheneOS/Auditor">MIT / Apache 2 licensed Auditor
app</a> can be used a reference implementation for verifying hardware-based
attestations. There are some subtleties in the verification process such as making
sure only the 2nd certificate in the chain (the one signing the certificate for the
key generated by your app) has an attestation extension to prevent making a fake
attestation by extending the chain. You can reuse our code and simply omit support for
an app generated attestation signing key (attest key) and the other pinning
support.</p>
<p>After verifying the signature of the attestation certificate chain and extracting <p>After verifying the signature of the attestation certificate chain and extracting
the attestation metadata, you can enforce that <code>verifiedBootState</code> is the attestation metadata, you can enforce that <code>verifiedBootState</code> is
either <code>Verified</code> or <code>SelfSigned</code>. For the either <code>Verified</code> or <code>SelfSigned</code>. For the