
Include build number

Open enduring78 opened this issue 1 year ago • 3 comments

Pretty much like the title says; the patch levels are already included, and it would be really nice not having to compare the boot hashes to check if a phone is updated.

enduring78, Aug 04 '22 10:08

Patch level is provided by the hardware API. Build number would need to be in the OS verified section.

thestinger, Aug 04 '22 10:08

Okay. Would it be possible from a technical standpoint?

enduring78, Aug 04 '22 10:08

Yes but it would just be a string in the OS verified information section similar to the existing information there on OS configuration.

thestinger, Aug 04 '22 10:08

I don't think this is worth the effort. Build.DISPLAY is just an arbitrary string defined by the OS using the property ro.build.display.id. It serves no security value and can simply be checked in Settings -> System -> About.

The patch levels do serve a security purpose because they are from the HSM/TEE provided by the attestation library. It's read from the keymint tag. See https://github.com/GrapheneOS/Auditor/blob/main/app/src/main/java/app/attestation/auditor/attestation/AuthorizationList.java#L272-L280

girlbossceo, Jan 28 '23 02:01

We could eventually provide a signed database of the stock Pixel OS and GrapheneOS verified boot hashes to show a version based on them. That would be hardware verified and much more in the spirit of Auditor.

thestinger, Jan 28 '23 02:01
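As an added example (not Auditor's own code), the Python below decodes the two hardware-verified fields this thread relies on: the osPatchLevel KeyMint tag that the patch level is read from, and the verifiedBootHash inside rootOfTrust, which the proposed signed hash database would map to an OS version. The tag numbers 706 and 704 are the ones the Android key attestation schema assigns; the sample DER and the lookup table are constructed here, and verifying the database's own signature is assumed to happen elsewhere.

```python
def read_tlv(buf, pos):
    """Parse one DER TLV at pos -> (tag_number, value, next_pos)."""
    tag, pos = buf[pos] & 0x1F, pos + 1
    if tag == 0x1F:                            # high-tag-number form: base-128 digits
        tag, b = 0, 0x80
        while b & 0x80:
            b, pos = buf[pos], pos + 1
            tag = (tag << 7) | (b & 0x7F)
    length, pos = buf[pos], pos + 1
    if length & 0x80:                          # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(der):
    """Yield (tag, value) for each TLV directly inside a constructed value."""
    pos = 0
    while pos < len(der):
        tag, value, pos = read_tlv(der, pos)
        yield tag, value

def parse_authorization_list(der):
    """Return osPatchLevel (YYYY-MM) and verifiedBootHash (hex) from a DER-encoded
    KeyMint AuthorizationList; every other tag is ignored."""
    out = {}
    _, body, _ = read_tlv(der, 0)                      # outer SEQUENCE
    for tag, value in children(body):
        _, inner, _ = read_tlv(value, 0)               # EXPLICIT tag wraps one TLV
        if tag == 706:                                 # osPatchLevel INTEGER, YYYYMM
            level = int.from_bytes(inner, "big")
            out["os_patch_level"] = f"{level // 100:04d}-{level % 100:02d}"
        elif tag == 704:                               # rootOfTrust: key, locked, state, hash
            out["verified_boot_hash"] = [v for _, v in children(inner)][3].hex()
    return out

# Constructed stand-in for the signed boot-hash database proposed in the thread.
KNOWN_BOOT_HASHES = {"aa" * 32: "GrapheneOS build (constructed entry)"}

def describe(der):
    info = parse_authorization_list(der)                # hardware-verified fields
    info["os_version"] = KNOWN_BOOT_HASHES.get(info.get("verified_boot_hash"), "unknown")
    return info

# Constructed sample AuthorizationList carrying only the two fields of interest.
_ROT = (b"\x04\x20" + b"\x11" * 32 + b"\x01\x01\xff" + b"\x0a\x01\x01"   # key, locked, state
        + b"\x04\x20" + b"\xaa" * 32)                                    # verifiedBootHash
_ROT = b"\xbf\x85\x40" + bytes([len(_ROT) + 2, 0x30, len(_ROT)]) + _ROT  # [704] SEQUENCE
_PATCH = b"\xbf\x85\x42\x05\x02\x03" + (202208).to_bytes(3, "big")        # [706] INTEGER
SAMPLE_DER = b"\x30" + bytes([len(_PATCH) + len(_ROT)]) + _PATCH + _ROT
```

Calling `describe(SAMPLE_DER)` yields the 2022-08 patch level and the constructed version string; on a real attestation certificate the same parser would be pointed at the softwareEnforced or teeEnforced AuthorizationList of the key description extension.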