Comment by hmlwilliams
5 hours ago
As outlined here: https://grapheneos.org/articles/attestation-compatibility-gu..., GrapheneOS isn't implementing something unique; it's implementing Android Hardware Attestation: https://developer.android.com/privacy-and-security/security-...
Android Key Attestation produces attestations that are signed with a certificate chain rooted in the hardware vendor's CA. If you use Key Attestation on GrapheneOS on a Pixel device, for example, it attests that you're using GrapheneOS's AVB keys, but that attestation is still signed by a Google certificate chain.
"Adding support for GrapheneOS" means allowlisting their AVB keys specifically; it does not open a door for 3rd party implementations in general.
If you run GrapheneOS on a different device of your choosing, attestation would fail.
If you run a non-GrapheneOS custom ROM of your choosing, attestation would fail.
Not to mention self-signed custom builds of GrapheneOS.