The Auditor app uses hardware-based security features to validate the identity of a device along with authenticity and integrity of the operating system. It will verify that the device is running the stock operating system with the bootloader locked and that no tampering with the operating system has occurred. A downgrade to a previous version will also be detected. It builds upon the hardware-based verification of the operating system by chaining verification to the app to perform software-based sanity checks and gather additional information about device state and configuration beyond what the hardware can attest to directly.

The foundation of the Auditor app is generating a persistent key in the hardware-backed keystore for verifying the identity of the device and providing assurance that the operating system hasn't been tampered with or downgraded via verified boot. It performs a pairing process between the device performing verification (Auditor) and the device being verified (Auditee) to implement a Trust On First Use (TOFU) model. The device performing verification can either be another Android device running the app in the Auditor mode or the service for automated verification on a regular schedule with support for email alerts. The protocol used for both local and remote attestation is documented in the source code.

Verified boot validates the integrity and authenticity of firmware and the entire operating system (both the kernel and userspace) from an immutable hardware root of trust. The results are passed along to the hardware-backed keystore and used to protect the keys. The key attestation feature provided by the hardware-backed keystore provides direct support for attesting to device properties and bootstrapping the Trust On First Use model of the Auditor app with a basic initial verification chained up to a known root certificate. The latest version of key attestation provides a signed result with the verified boot state, verified boot key, a hash of all data protected by verified boot and the version of the operating system partitions among other properties.
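
The Trust On First Use pairing and downgrade detection described above can be sketched as verifier-side logic. This is an added example, not the Auditor app's code or its documented protocol. It assumes the attestation certificate chain has already been validated up to a known root and its fields parsed; the field names and sample values are hypothetical.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Attestation:
    """Parsed, signature-checked attestation fields (hypothetical names)."""
    key_fingerprint: str      # persistent hardware-backed key of the Auditee
    verified_boot_state: str  # "Verified" = stock OS chained to the root of trust
    bootloader_locked: bool
    verified_boot_key: str    # key the OS images were verified against
    os_version: int
    os_patch_level: int       # e.g. 202403

class Auditor:
    """Verifier state: the last accepted attestation per paired device."""
    def __init__(self):
        self.pinned = {}

    def verify(self, device, att):
        """Return a list of failures; an empty list means the check passed."""
        failures = []
        # Checked on every run, including the initial pairing.
        if att.verified_boot_state != "Verified":
            failures.append("not running a verified stock OS")
        if not att.bootloader_locked:
            failures.append("bootloader unlocked")
        prev = self.pinned.get(device)
        if prev is not None:
            # TOFU: later results must match what was pinned at pairing.
            if att.key_fingerprint != prev.key_fingerprint:
                failures.append("persistent key changed")
            if att.verified_boot_key != prev.verified_boot_key:
                failures.append("verified boot key changed")
            # Versions may stay equal or increase, never decrease.
            if (att.os_version, att.os_patch_level) < (prev.os_version, prev.os_patch_level):
                failures.append("OS downgraded")
        if not failures:
            self.pinned[device] = att  # pin on first use, ratchet forward after
        return failures

def demo():
    # Constructed sample values, not taken from a real device.
    first = Attestation("fp-A", "Verified", True, "vbk-1", 14, 202403)
    a = Auditor()
    return [
        a.verify("phone", first),                                  # pairing
        a.verify("phone", replace(first, os_patch_level=202404)),  # update
        a.verify("phone", replace(first, os_patch_level=202401)),  # downgrade
        a.verify("phone", replace(first, key_fingerprint="fp-B", os_patch_level=202404)),
    ]
```

A failed check leaves the pinned record untouched, so a rejected result can never lower the version floor or replace the pinned key.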