Auditor icon indicating copy to clipboard operation
Auditor copied to clipboard

Published 20 hours ago verified publisher icon GrapheneOS

Attestation fails to generate key pair after factory reset and restore from backup

Open NarwhalPrince opened this issue 1 year ago • 10 comments

After doing a factory reset through recovery, I restored the device using a seedvault backup. After doing this, I am unable to complete local or remote attestation. The pairings have been cleared and the device has been rebooted. Fails with:

java.security.ProviderException: Failed to generate key pair.

Included Auditor's verbose log Auditor log cec7810070dd.txt

First time submitting an issue, please go easy on me.

NarwhalPrince avatar Feb 14 '24 18:02 NarwhalPrince

Did you connect to the internet already? Try clearing Auditor data and trying again. This looks like a firmware issue rather than something GrapheneOS specific.

thestinger avatar Feb 14 '24 18:02 thestinger

I did connect to the internet and tried clearing Auditor app data. Is internet required for local attestation?

NarwhalPrince avatar Feb 14 '24 18:02 NarwhalPrince

Not directly, but an internet connection is needed for remote key provisioning to update the the hardware attestation keys. It can work without that but perhaps not after a factory reset where it previously remotely provisioned keys.

thestinger avatar Feb 14 '24 18:02 thestinger

Understood, I will try it again after disabling my firewall. It's possible that it wasn't able to update the keys. Do you know the IP address(es) that would be contacted for this process?

NarwhalPrince avatar Feb 14 '24 18:02 NarwhalPrince

One of these 4 depending on GeoIP:

https://grapheneos.org/articles/grapheneos-servers#grapheneos.network

thestinger avatar Feb 14 '24 18:02 thestinger

No luck still with remote or local attestation on a clear network.

NarwhalPrince avatar Feb 14 '24 18:02 NarwhalPrince

Also tried Google's key provisioning server, no luck.

NarwhalPrince avatar Feb 14 '24 18:02 NarwhalPrince

I have the same problem. Factory reset device, installed Seedvault Backup. Attestation fails. Internet connection is fine. I removed the device from attestation server and did a reset on the attestation app. Tried to enable it again, still the same.

java.security.ProviderException: Failed to generate key pair attesttation.log

zacha81 avatar Jun 07 '24 10:06 zacha81

I am hitting the same issue with a new pixel8Pro.. Installed GrapheneOS Factory Reset after I missed the restore option at install Initial setup after reset, and restored from seedvault backup. Device has wifi connection. I have tried rebooting. When I try to run as auditee:

Error encountered generating attestation java.security.ProviderException: Failed to generate key pair

Do we have any suggestions on a workaround? I am due to travel internationally shortly, and I would like to have this sorted out before then.

snrkl avatar Jun 18 '24 06:06 snrkl

Some extra data to this:

  1. I was able to reset to factory without restoring data from seedvault
    • This allowed me to run auditor as per normal.
    • I believe this might indicate it is a data problem with the seedvault backup, and not a firmware problem? (unsure)
  2. Per This forum post I tried restoring from seedvault on first setup, then deleting the auditor and keychain data via ADB. This did NOT resolve the issue
    • adb shell pm clear com.android.keychain
    • adb shell pm clear app.attestation.auditor

I am now setup with ADB to troubleshoot this, so if anyone has any other suggestions, or data they think could be useful, let me know and I will get it ASAP.

snrkl avatar Jun 19 '24 02:06 snrkl

Just chiming in, I have this exact same issue. Same apparent cause too: restoring from a seedvault backup

neutralinsomniac avatar Aug 23 '24 21:08 neutralinsomniac