document verified boot improvements

This commit is contained in:
Daniel Micay 2023-02-03 10:33:04 -05:00
parent cdb0c5bc45
commit b082f589ad

View File

@ -384,12 +384,25 @@
<ul>
<li>Enhanced <a href="https://source.android.com/docs/security/features/verifiedboot">verified boot</a>
with better security properties and reduced attack surface</li>
<li>GrapheneOS finishes the incomplete implementation of verified boot
for out-of-band updates to packages (APKs) in the OS. We enforce this
by requiring fs-verity metadata signed with a trusted key for system
app updates both at install time and boot time. This provides
continuous verification where every read from an out-of-band APK
update is verified similarly to every read from a firmware, OS image
or APEX update being verified. The signing key and version are
enforced to prevent downgrades or other attacks such as replacing a
package with a variant of the same one from a different GrapheneOS
supported device. We disable the persistent package parsing cache to
prevent bypassing the metadata checks through this otherwise highly
persistent state, which only has a very small negative impact on boot
time from the data not being available from previous boots (typically
less than 1 second).</li>
<li>GrapheneOS closes a loophole where app-based system components
built as part of the OS can be downgraded to an older version due to
versionCode not being incremented when system components get updated
as part of changes to the OS. We prevent this for both package updates
and as part of detecting whether to use out-of-band updates to system
apps at boot.</li>
as part of changes to the OS. We enforce this both at package install
time and boot time.</li>
<li>Enhanced hardware-based attestation with more precise version information</li>
<li>Hardware-based security verification and monitoring via our
<a href="#auditor">Auditor app and attestation service</a></li>