security/hakurei.app
security/hakurei.app
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 4 Wiki Activity

explain attestation key provisioning

Browse Source
This commit is contained in:
Daniel Micay 2023-01-10 15:34:54 -05:00
parent bd3cac9592
commit e348b93ec2
1 changed files with 33 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

40
static/faq.html
View File

@ -928,17 +928,43 @@
on internet access until it becomes available.</p> on internet access until it becomes available.</p>
</li> </li>
<li> <li>
<p>Connections are made to a server to provision attestation <p>Android devices launched with Android 8 or later provide support
certificates for hardware-based attestation. GrapheneOS uses for hardware-based attestation as part of the hardware keystore API.
https://remoteprovisioning.grapheneos.org/ by default which is a Secure devices like Pixels provide both the traditional Trusted
reverse proxy to the https://remoteprovisioning.googleapis.com/ Execution Environment (TrustZone) keystore and StrongBox keystore
service. Their service splits up the implementation of provisioning to based on a secure element, each providing attestation support. The
preserve privacy, and our reverse proxy adds to that since it's unable hardware-based attestation feature is a standard part of the Android
to decrypt the provisioned keys.</p> Open Source Project and are used to implement our Auditor app among
other things.</p>
<p>Initially, attestation signing keys were required to be batch keys
provisioned to at least 100k devices to avoid them being used as
unique identifiers. Unique attestation signing keys are an optional
feature only available to privileged system components. Recent devices
have replaced the batch and unique key system with remotely
provisioned signing keys. The device obtains encrypted keys from a
service to be decrypted by batch or unique keys inside the TEE and
optional secure element. The new system improves privacy and security
by using separate attestation signing keys for each app instead of
needing to balance privacy and security by sharing the same
attestation signing keys across a large batch of devices.</p>
<p>GrapheneOS uses https://remoteprovisioning.grapheneos.org/ by
default which is a private reverse proxy to the
https://remoteprovisioning.googleapis.com/ service. The service splits
up the implementation of provisioning to preserve privacy, and our
reverse proxy adds to that since it's unable to decrypt the
provisioned keys</p>
<p>A setting is added at Settings ➔ Network &amp; Internet ➔ <p>A setting is added at Settings ➔ Network &amp; Internet ➔
Attestation key provisioning server for switching to directly using Attestation key provisioning server for switching to directly using
the Google service if you prefer.</p> the Google service if you prefer.</p>
<p>A future device built to run GrapheneOS as the stock OS would be
able to have a GrapheneOS attestation root and GrapheneOS attestation
key provisioning service rather than a GrapheneOS proxy. A device
built to run another OS without Google certification would need their
own service and we'd need to support proxying to that service too.</p>
</li> </li>
<li> <li>
<p>A test query is done via DNS-over-TLS in the automatic and manually <p>A test query is done via DNS-over-TLS in the automatic and manually