document verified boot improvements

2023-02-03 10:33:04 -05:00 · 2023-02-03 10:33:04 -05:00 · b082f589ad
commit b082f589ad
parent cdb0c5bc45
1 changed files with 16 additions and 3 deletions
--- a/static/features.html
+++ b/static/features.html
@ -384,12 +384,25 @@
                        <ul>
                            <li>Enhanced <a href="https://source.android.com/docs/security/features/verifiedboot">verified boot</a>
                            with better security properties and reduced attack surface</li>
+                            <li>GrapheneOS finishes the incomplete implementation of verified boot
+                            for out-of-band updates to packages (APKs) in the OS. We enforce this
+                            by requiring fs-verity metadata signed with a trusted key for system
+                            app updates both at install time and boot time. This provides
+                            continuous verification where every read from an out-of-band APK
+                            update is verified similarly to every read from a firmware, OS image
+                            or APEX update being verified. The signing key and version are
+                            enforced to prevent downgrades or other attacks such as replacing a
+                            package with a variant of the same one from a different GrapheneOS
+                            supported device. We disable the persistent package parsing cache to
+                            prevent bypassing the metadata checks through this otherwise highly
+                            persistent state, which only has a very small negative impact on boot
+                            time from the data not being available from previous boots (typically
+                            less than 1 second).</li>
                            <li>GrapheneOS closes a loophole where app-based system components
                            built as part of the OS can be downgraded to an older version due to
                            versionCode not being incremented when system components get updated
-                            as part of changes to the OS. We prevent this for both package updates
-                            and as part of detecting whether to use out-of-band updates to system
-                            apps at boot.</li>
+                            as part of changes to the OS. We enforce this both at package install
+                            time and boot time.</li>
                            <li>Enhanced hardware-based attestation with more precise version information</li>
                            <li>Hardware-based security verification and monitoring via our
                            <a href="#auditor">Auditor app and attestation service</a></li>