From e348b93ec27167cfda5761da095cd73d7317260c Mon Sep 17 00:00:00 2001 From: Daniel Micay Date: Tue, 10 Jan 2023 15:34:54 -0500 Subject: [PATCH] explain attestation key provisioning --- static/faq.html | 40 +++++++++++++++++++++++++++++++++------- 1 file changed, 33 insertions(+), 7 deletions(-) diff --git a/static/faq.html b/static/faq.html index 5be8aac5..a11723c2 100644 --- a/static/faq.html +++ b/static/faq.html @@ -928,17 +928,43 @@ on internet access until it becomes available.

  • -

    Connections are made to a server to provision attestation - certificates for hardware-based attestation. GrapheneOS uses - https://remoteprovisioning.grapheneos.org/ by default which is a - reverse proxy to the https://remoteprovisioning.googleapis.com/ - service. Their service splits up the implementation of provisioning to - preserve privacy, and our reverse proxy adds to that since it's unable - to decrypt the provisioned keys.

    +

    Android devices launched with Android 8 or later provide support + for hardware-based attestation as part of the hardware keystore API. + Secure devices like Pixels provide both the traditional Trusted + Execution Environment (TrustZone) keystore and StrongBox keystore + based on a secure element, each providing attestation support. The + hardware-based attestation feature is a standard part of the Android + Open Source Project and are used to implement our Auditor app among + other things.

    + +

    Initially, attestation signing keys were required to be batch keys + provisioned to at least 100k devices to avoid them being used as + unique identifiers. Unique attestation signing keys are an optional + feature only available to privileged system components. Recent devices + have replaced the batch and unique key system with remotely + provisioned signing keys. The device obtains encrypted keys from a + service to be decrypted by batch or unique keys inside the TEE and + optional secure element. The new system improves privacy and security + by using separate attestation signing keys for each app instead of + needing to balance privacy and security by sharing the same + attestation signing keys across a large batch of devices.

    + +

    GrapheneOS uses https://remoteprovisioning.grapheneos.org/ by + default which is a private reverse proxy to the + https://remoteprovisioning.googleapis.com/ service. The service splits + up the implementation of provisioning to preserve privacy, and our + reverse proxy adds to that since it's unable to decrypt the + provisioned keys

    A setting is added at Settings ➔ Network & Internet ➔ Attestation key provisioning server for switching to directly using the Google service if you prefer.

    + +

    A future device built to run GrapheneOS as the stock OS would be + able to have a GrapheneOS attestation root and GrapheneOS attestation + key provisioning service rather than a GrapheneOS proxy. A device + built to run another OS without Google certification would need their + own service and we'd need to support proxying to that service too.

  • A test query is done via DNS-over-TLS in the automatic and manually