document verified boot improvements
This commit is contained in:
parent
cdb0c5bc45
commit
b082f589ad
@ -384,12 +384,25 @@
|
||||
<ul>
|
||||
<li>Enhanced <a href="https://source.android.com/docs/security/features/verifiedboot">verified boot</a>
|
||||
with better security properties and reduced attack surface</li>
|
||||
<li>GrapheneOS finishes the incomplete implementation of verified boot
|
||||
for out-of-band updates to packages (APKs) in the OS. We enforce this
|
||||
by requiring fs-verity metadata signed with a trusted key for system
|
||||
app updates both at install time and boot time. This provides
|
||||
continuous verification where every read from an out-of-band APK
|
||||
update is verified similarly to every read from a firmware, OS image
|
||||
or APEX update being verified. The signing key and version are
|
||||
enforced to prevent downgrades or other attacks such as replacing a
|
||||
package with a variant of the same one from a different GrapheneOS
|
||||
supported device. We disable the persistent package parsing cache to
|
||||
prevent bypassing the metadata checks through this otherwise highly
|
||||
persistent state, which only has a very small negative impact on boot
|
||||
time from the data not being available from previous boots (typically
|
||||
less than 1 second).</li>
|
||||
<li>GrapheneOS closes a loophole where app-based system components
|
||||
built as part of the OS can be downgraded to an older version due to
|
||||
versionCode not being incremented when system components get updated
|
||||
as part of changes to the OS. We prevent this for both package updates
|
||||
and as part of detecting whether to use out-of-band updates to system
|
||||
apps at boot.</li>
|
||||
as part of changes to the OS. We enforce this both at package install
|
||||
time and boot time.</li>
|
||||
<li>Enhanced hardware-based attestation with more precise version information</li>
|
||||
<li>Hardware-based security verification and monitoring via our
|
||||
<a href="#auditor">Auditor app and attestation service</a></li>
|
||||
|
Loading…
x
Reference in New Issue
Block a user