Unfortunately, Signal seems bearish on their future if the bill becomes law, it seems.

Not all countries governments are that "stupid", but I wonder how "independent" one can be from the US influence in the long run.

<cx2[m] "I don't know if RIots data is en"> It is, when you choose it in room settings

<cx2[m] "Can you only pay with paypal on "> No, they accept cc (albeit, through PayPal)

<DannyWorkOrderPr "It is, when you choose it in roo"> Good to know as a new user but.....says encryption is disabled in this room. (?)

Most mass-rooms do not have it enabled

Only secured by SSL

Which, on days like today, seems unfortunate

(The general state of things, not that this room is unencrypted)

There are many reasons for public rooms not being encrypted

Well, end-to-end encrypted

brenneke[m]: This channel is a public one, accessible to all. Turning on encryption in a public room which anyone can join is like building a 100-foot high wall around your house to keep intruders out, then leaving the gate open and not turning anyone away at the door.

Doing so will also break any form of bridging or interoperability and most clients don't support it

There would be no meaningful security gain either, because anyone can join it, and it'd also mean everyone would have to bear the burden of doing the key exchanges with all ~300 users in this channel.

That exact quote from you is in the link xD

That's funny, hahaha

Rrgh. Policykit is acting up again.

<hitchhooker[m] "kohntree I don't think project h"> Google and Qualcomm firmware no?

strcat: You've criticized the Whonix docs before. Could you be more specific? I want to fix it. I've already made a post about the host OS page because that's really bad. Anything else?

kohntree: don't worry about EARN IT. Shit's gonna die in committee like it did the last two times.

<TheJollyRoger "brenneke: This channel is a publ"> Cool. You are passionate.

What? That's an apt description.

"No! You can't look! You have to walk in the wide-open door first. Then you can look."

Any chance to run Gcam (with all permissions disabled)?

Hi bseeinu[m], at this moment while some people have discovered ways that we don't officially endorse to get gcam to run and vehemently recommend against, at this moment gcam only runs because of a loophole in a security policy that GrapheneOS may close at a future date.

It's also likely to stop working if Google decides to stop playing ball, so I wouldn't recommend it. OpenCamera isn't quite there yet as I understand it, but it's miles ahead of the default AOSP camera app.

TheJollyRoger: Could I port Graphne to a s3

Wait what?

hi skyfall007[m], if you're asking me for permission, I am not the one who can or can't give it to you but the code is under MIT license. That said, I really don't know if you'd have anything to gain from trying to port GrapheneOS to a device from... ~2013?

TheJollyRoger: 2012

(assuming it's *that* s3)

*sigh*

Yeah goodness gravy.

Fun fact pre AOSP the Samsung S4 was directly supported by CopperheadOS

GuardianROM was the only attempt at a secure rom for the S3, but it failed as it was over ambitious

22:41 <rutxonboard[m]> Fun fact pre AOSP the Samsung S4 was directly supported by CopperheadOS

22:44 <rutxonboard[m]> GuardianROM was the only attempt at a secure rom for the S3, but it failed as it was over ambitious

I remember those projects :)

Relics from the days of yore!

An S3 lacks in every single area in security. There's virtually no way to secure it now. I think even if you built your own vendor image with source you would have countless critical security vulnerabilities and no support for any sort of basic security model home to Android today. If I had a gun to my head and had to make a reasonably secure OS for the S3 likely xen4android would need to be resurrected, but even

then that's deeply flawed running on that hardware and has way too high of ram requirements

The best affordable option for a secure phone new is the Nokia 1.3. It has a snapdragon 205 with 1gb ram. It's brand new and will get consistent security updates for 3 years. It has Android 10. Disable gapps and call it a day. It will be a much better phone than an S3 in 2020

The other option is a used phone like a screen burned Pixel or a shattered iPhone which you should be able to find under $100 if you are willing to look at the Pixel 3 or iPhone 8

Something I really like to do when looking at the cost of a device is think about when I'm going to need to end up replacing it. That's always been a big factor at when I look at buying a phone.

Yes, I look at guaranteed support and factor price per year

$80 for an iPhone SE, $30ish for a Nokia 3.1, $150 for a Pixel 3a

I have always only given up a phone since it no longer got security updates

Yeah. It's not worth it for me to spend $150 on a phone if I know that even nine months, it will be a pop tart and I'll have to repeat the ordeal. At that rate, I might as well just spend the money on a Pixel 3a.

Hell, it'd be worth less than a pop tart at that rate because at least a pop tart makes a tasty snack.

Right that's what is so great about Nokia phones. Super budget price and third place in security too Apple/Google

If you can't afford a Pixel or iPhone then there's no shame in a Nokia

Nice!

I'll have to keep that option on my table, thanks rutxonboard[m] :O

I read about that when I went through all of Daniel's reddit posts. Android One is very good for the average person. I recommend them to friends all the time

Android One without gapps is absolutely the poor man's GrapheneOS

Oh huh. I haven't tried Android One before - I'm a refugee from BackdoorBerry.

The biggest issue is their low end used to go MediaTek, but everything is now Snapdragon

Beautiful.

For most people I recommend an iPhone. If they can't afford it Nokia. If they don't like how restrictive it is I recommend Pixel

Nokia is usually what my friends go for

Samsung promises four years of security updates for Galaxy Xcover 4s Enterprise Edition and Galaxy Xcover Pro Enterprise Edition

It's not perfect, there has been a telemetry scandal. Though the value and security combo is off the charts. They also make the only security focused phones with good sized screens so it is good for people who can't stomach how small a Pixel 3a XL or iPhone 11 Pro Max is

> Samsung promises four years of security updates for Galaxy Xcover 4s Enterprise Edition and Galaxy Xcover Pro Enterprise Edition

Crappy support though. After some time it is quarterly updates. Cheaper devices start as quarterly

Yeah. I think it was three years of montly updates and the last year quarterly

I am pretty sure it's 2 for a flagship

Could be wrong

Mid range phones are quarterly right away

Samsung is not horrible, but way too many caveats to recommend. iPhones and Pixels are both very comparable phones. Even Nokia depending on what you want

Samsung is definitely not the worst phone maker out there. They might even pull off a 5th place. I just wouldn't recommend them since they are so much worse than the alternatives

OK that's it I'm adding the term "pop tart" to my lexicon. "pop tart: n. (alt. spellings: poptart, pop-tart) - slang term for a useless, insecure, or obsolete phone now only useful as an impromptu charge pack for energy, much like the eponymous pastry which provides calories, but no nutritional value."

That's amazing

Hehehe X)

I hate how expensive phones are now

Same here :(. Some of my relatives have the bigger iPhones, and spent almost more than enough money to buy new laptops on them.

I can't afford a secure daily driver and a device to write for

We need to go back to the old days

> Same here :(. Some of my relatives have the bigger iPhones, and spent almost more than enough money to buy new laptops on them.

iPhones can be incredible value, but buying them new? No thanks. I wouldn't mind a 2 year old one with a good battery for half the price. They are basically 2 years ahead on performance anyway

Interestingly, there are also Enterprise Editions of some Samsung flagship devices, but those are much more difficult to buy than the standard editions

Yeah. >_<.

iPhone XS still keeps up with every Android out and still has longer support

Why people don't either keep their iPhones longer or buy used amazes me

I would like to have removable battery, which is a difficult thing to ask for nowadays

> I would like to have removable battery, which is a difficult thing to ask for nowadays

Look into Rugged Android Enterprise phones. 5 years support and I think some have removable batteries

They are around $1000 on 3rd party sites though

Yeah, but those phones rarely are supported by AOSP based projects

I dunno man. Stick to Google, Apple, and Nokia they are just killing it lately

Batteries aren't that expensive

I usually carry around a charge pack in my backpack... best I can do at the moment.

*a 10,000 mAH charge pack

Currently i have a Pixel 1st gen with a swollen battery... that's the problem with non-removables

PinePhone and Librem sure suck for security, but if that's the hill you're going to die on then they are a lot better than an ancient Android

(I'm joking, don't do that)

hehe

I highly recommend the iPhone SE or Pixel 3a for anyone looking for a phone right now

I'll second that!

It's a bit of a premium option, but if you can find an Orico Multicharger charge pack with the USB-C port, keeping one of those around can be a lifesaver, especially for long car trips and such.

Ah yeah, pixel 3a battery life is obscene on GrapheneOS though

With the USB-C to USB-C or the USB-A fast charging to USB-C port, you can usually have your phone from 30% back up to 90% in less time than it takes to eat lunch.

Aww yes :D

My 3a could handle 700 miles ha

Wow, by bus that's quite a trip!

Haha ouch

oh the 3a has better battery?

<rutxonboard[m] "Ah yeah, pixel 3a battery life i"> Are you saying it's good or bad?

rip

pixel 2 xl is dogshit battery life :(

comparatively

battery lasts me like maybe 8 hours of actual use

nothing heavy either

> > <@rutxonboard:matrix.org> Ah yeah, pixel 3a battery life is obscene on GrapheneOS though

> Are you saying it's good or bad?

2-3 days

Lasts me 3-4 hours of Zoom conferencing.

Well, that's the difference in terms of whether something's in the foreground running and the screen is on, or the phone is idle.

3-4 hours of streaming is actually pretty damn good all things in.

Jitsi usually has my phone's battery flattened in 2.

(With the cameras running and all)

So I keep a 10,000mAH juicepack with me all the time.

:D

cx2[m]: HDR is not buggy on GrapheneOS, Open Camera just has a shit tier implementation of legacy HDR

cx2[m]: also if you mess with the camera settings and change them from the defaults, it stops the Pixel Visual Core on the 2 / 2 XL / 3 / 3 XL from being used which loses HDR+

you definitely never want legacy HDR, it's near useless

the only way to use HDR would be to set up your phone on a tripod and use it to take a picture of a static scene without anything moving and that includes the wind not blowing around leaves, etc.

legacy HDR is not very useful

it takes 3 pictures and naively merges them, blurring anything that moved, and without a tripod EVERYTHING is moving

so HDR on a phone just gives you blurry, awful looking pictures

that's not what HDR+ does at all

HDR+ sets the camera to CONTINUOUSLY capture high quality frames and then when you take a picture it selects a bunch of those (8-12 or more) and INTELLIGENTLY merges them with an algorithm tracking what moved, etc.

so it captures far more image data than 1 image

Ahoy strcat.

finally some progress in narrowing down the bluetooth issues - I suggested that approach before to start narrowing it down

glad to see someone started

Very good

my initial guess was that hardened_malloc caused it which is why I suggested starting with that

I can't do it because I can't reproduce the problem

Understandable

I have a funky bug where everything goes really dark after switching between apps between normal and work profile. I assume that's upstream

Doesn't go away for a while

was color accent option taken away?

what color accent option?

if you mean something in developer options, those settings aren't meant for users

some are there for app developers, others for OS developers, often to test things

The color theme

Like having dark and brown theme

It's a normal AOSP thinf

android 10 has color accents

i was able to change it from blue to white on my primary device

but i dont see the option anymore

android always had color accents in the theme

r4v3r23[m]: you can't depend on developer options

what do you mean? it was available in prev build of graphene

i was able to change it

where was the option

in developer options?

yes, pretty sure

so, as I explained, those settings aren't meant for users

they come and go\

the settings in developer options are not features for users

they're for app and OS developers to test things including features that are under development

strange

developer options aren't meant to be used on a production device

r4v3r23[m]: why strange? I mean it's in a hidden developer options menu

it's hidden and not available to users, that's the intent

removing of settings from there is not removal of a feature for users, those settings aren't for users

and some of them have consequences you wouldn't realize

guess i got lucky getting to change it then :)

that dev options menu is a bunch of obscure, dangerous, and largely unsupported options

many come and go

it's hidden away for a reason

right but we need dev options to oem unlock/usb debug soooo

usb debugging isn't for production devices

for users submitting bug reports we need to make an app

> right but we need dev options to oem unlock/usb debug soooo

You should always turn that off after you're done

and then turn off dev options ideally

ok done

enable it only to disable oem unlocking again and then turn it off

That's what I do

having dev options enabled doesn't really hurt anything IF you haven't changed anything in there

but worth noting it usually asks for your password to enable dev options

it doesn't ask for your password to change stuff there once it's enabled

How do you recover if the OS got bricked if OEM locking is on? I've never done that

Recover that is

how would the OS get bricked?

if it fails to boot after an update, the firmware rolls back the update

verified boot ensures you have a bit-for-bit identical copy of the OS as what passed testing on the same device model

rutxonboard[m]: hard to see how that could happen - it never has happened

That's a good point, I guess it is impossible good both to get corrupted

rutxonboard[m]: if the flash memory actually broke I don't think being able to unlock would save you

rutxonboard[m]: also you can wipe data in recovery even with OEM unlocking disabled

Right, that's a good point

rutxonboard[m]: disabling OEM unlocking just reduces attack surface

locking the bootloader to enable verified boot is extremely important, and it provides most of the physical security that's available too (verified boot is mostly about protection against remote attackers, but it provides some more physical security too)

Right, you would have to have something in userdata break the system (basically impossible?) And then the recovery and backups would save you

disabling OEM unlocking as an additional step is just a minor reduction of attack surface by disabling the ability to unlock in fastboot mode

rutxonboard[m]: it's quite possible for userdata to end up corrupted somehow due to bugs in a way that breaks booting but you can always just wipe that from recovery

recovery doesn't read any of that persistent state so it can't break like that

it's stateless

the only thing recovery reads is the recovery command

Right, and if it gets a bad update it just rolls back

and it wipes that after trying to use it

recovery is just part of the boot image, alternate boot mode that boots up that recovery system and doesn't use persistent state

My apologies I really didn't think that through very well

no need to apologize

is the seed vault back up essential like reflashing my surrent set up when restoring?

* is the seed vault back up essentially like reflashing my surrent set up when restoring?

* is the seed vault back up essentially like reflashing my current set up when restoring?

r4v3r23[m]: it backs up system and app data via the standard backup service infrastructure

it's definitely not a filesystem image

what would be the best option for that?

for the system, it has support for backup/restore of the majority of the settings, etc.

and by default it fully backs up app data

unless apps disable backups

r4v3r23[m]: you can't take a filesystem image of userdata and restore it, it doesn't work that way

userdata is encrypted

gotchya

and there isn't a way to access all of it like that

if you took the flash chip in your phone and put it in another phone

it would not be possible to decrypt any of the data/metadata

Thanks to the Titan chip right?

no not really

the baseline data outside profiles is encrypted with hardware-based encryption, that doesn't involve the Titan M

profile data is encrypted with a combination of hardware-based encryption and credential-based encryption, it uses both as inputs to derive the key encryption key

hows the support for the project going? i remember saying you were having difficulty securing a model to make graphene sustainable

is the still the case?

Gotcha, I thought it did the hardware encryption I should look into that more

the Titan M is involved in that - it makes profile-based encryption stronger

rutxonboard[m]: the Titan M strengthens credential-based encryption

via an API called Weaver

* is that still the case?

rutxonboard[m]: Weaver has 'slots', one slot per profile

rutxonboard[m]: slots are basically a map of auth token -> randomly generated token

That's an awesome design actually

rutxonboard[m]: so when you create a profile

rutxonboard[m]: and set an auth method

rutxonboard[m]: the OS passes an auth token derived from the auth method and a random token to the Titan M via Weaver

to set it up for the profile

now, for future unlocks, the OS needs that random token as one of the inputs for encryption key derivation and so on

For a guest account(with no login) the data I assume is using the basic hardware encryption?

and the Titan M will only provide that random token if the correct auth token is supplied

rutxonboard[m]: or just a profile without a lock method

yeah

rutxonboard[m]: setting a lock method uses the lock method as an ADDITIONAL input for key encryption key derivation, and also sets up Weaver and uses the random token stored on the Titan M as another input for key encryption key derivation too

rutxonboard[m]: the hardware-based inputs to key derivation are still used - your lock method adds security, it doesn't remove any

if you use a totally shit tier lock method like a password 223344 it doesn't make the encryption any weaker than it was

> and the Titan M will only provide that random token if the correct auth token is supplied

The Titan M protects from bruteforcing with enforcing rate limiting I imagine?

That's amazing

rutxonboard[m]: it has a secure internal timer protected from tampering and enforces an exponentially increases delay that quickly reaches 1 day per attempt

rutxonboard[m]: the key derivation is the basic defense against brute forcing, including hardware-bound key derivation designed to prevent brute forcing on a different machine

rutxonboard[m]: Weaver via the Titan M is in addition to this

other devices can implement Weaver - it's all open source

rutxonboard[m]: Pixel 2 doesn't have the Titan M and still has Weaver

it used an NXP security chip for Weaver

rutxonboard[m]: it requires a secure element with persistent storage + a secure internal timer and the ability to put an applet on it implementing this

rutxonboard[m]: there's also 'insider attack protection'

rutxonboard[m]: to do firmware updates of these security chips (including the one before the Titan M), the owner account must authenticate successfully

rutxonboard[m]: the security chips have signature verification for updates + verified boot

but they ALSO enforce that the owner account has authenticated

rutxonboard[m]: you have 2 options really: successfully authenticate or wipe the security chip (which happens when wiping data)

rutxonboard[m]: otherwise can't update the firmware on the chip

That allows for safely flashing a custom one of they open source it? Or just from a GovtOS type situation?

rutxonboard[m]: no it doesn't bypass signature verification

it's in addition to signature verification

the purpose is that the US government or an insider at Google cannot make evil firmware and use it to bypass the Titan M Weaver feature

rutxonboard[m]: 'insider attack protection' as in it protects you from the company that makes / signs the firmware

even if they can be pressured into making evil firmware, it can't be installed without authenticating successfully

rutxonboard[m]: remember when the FBI wanted apple to make evil SEP firmware?

Right pre Secure Enclave right?

they can't pressure Google to do that, Google doesn't have the power to make a firmware update that can be installed on the Titan M without the owner account authenticating

rutxonboard[m]: no not really

They were trying to compel Apple using their own interpretation of the All Writs Act to essentially force Apple to write what I would call a "Rogue Update" which would disable the "nuke" feature.

it's a good design and I haven't seen something like their insider attack protection feature

> they can't pressure Google to do that, Google doesn't have the power to make a firmware update that can be installed on the Titan M without the owner account authenticating

Which defeats the point

Then they wanted Apple to sign it using their signing keys, and push that to the phone they had confiscated.

IIRC the Pixel 2 had this too with the NXP chip

> They were trying to compel Apple using their own interpretation of the All Writs Act to essentially force Apple to write what I would call a "Rogue Update" which would disable the "nuke" feature.

Which is essentially forced labor

rutxonboard[m]: NXP security chip on Pixel 2 *just* does Weaver and IIRC still has insider attack protection via requiring auth to do firmware updates

> it's a good design and I haven't seen something like their insider attack protection feature

That's fascinating. If they open sourced Titan M would it still be required to be built and signed by Google?

Not that it really makes any difference

rutxonboard[m]: Titan M has both of these things but also expands the functionality, it adds enforcement of verified boot state, lock state, factory reset protection (not a security feature - anti-theft feature) and the StrongBox hardware keystore implementation which is by far the largest feature and includes features like physical confirmation support via the power button

rutxonboard[m]: open sourcing firmware doesn't mean you can install modified versions of it

you can build it yourself and use their signature as long as builds are reproducible

The firmware is digitally signed by Google and digitally validated directly by the chip, right?

rutxonboard[m]: it shouldn't be possible to install modified firmware on these kinds of security chips

TheJollyRoger: yes it verifies the signatures of updates *and* has verified boot

TheJollyRoger: *and* the owner must authenticate before it accepts firmware updates at all

Wow. Verified boot, for a device that acts as a root of trust for verified boot within the device.

TheJollyRoger: you can look at the source code for the Pixel 2 security chip

WOW!

> rutxonboard: it shouldn't be possible to install modified firmware on these kinds of security chips

That's a brilliant design. I'm not surprised Google doesn't advertise that feature

it's a proprietary NXP security chip but the Google code is open source

rutxonboard[m]: well they kinda do

That's awesome

they advertise the security chip and have blog posts about it

Sec, I'll go and dig it up.

here are the security chip applets used on the Pixel 2 security chip

and can be used elsewhere

> they advertise the security chip and have blog posts about it

Is hands on and blog posts your main wat of learning about this stuff? I haven't really found whitepapers or anything

android.googlesource.com/platform/e…bese/+/android-10.0.0_r30/apps/boot was the early draft of security chip enforcement of verified boot / lock state

I do enjoy researching this stuff

wasn't actually used on the Pixel 2, it enforced it via the SoC only

didn't ship

is weaver

on the Pixel 2 NXP chip

Oh, beat me to it XP.

Interesting, I can't wait to see what Google can do if they start making their own chips

I'm looking forward to hearing about OpenTitan.

is where it throttles attempts

rutxonboard[m]: this code is the Pixel 2 Weaver applet for the NXP security chip

which is basically a standard Java smartcard

That's awesome reading that code right now

where they signed the firmware, implemented insider attack protection and included this weaver applet

rutxonboard[m]: so, Weaver + insider attack protection were carried over to the Titan M - which is their own security chip (it is their own hardware, just not their own SoC design - it's a standard ARM secure element SoC design)

rutxonboard[m]: they did design and manufacture the Titan M themselves

Essentially there's little to gain security wise them

Then*

rutxonboard[m]: Titan M adds a production implementation of the 'boot' applet there to enforce verified boot and lock state

By building their own SOC

rutxonboard[m]: and adds factory reset protection support (i.e. it has a little data section usable by the OS to implement FRP)

rutxonboard[m]: which is an anti-theft feature - we don't use that

rutxonboard[m]: basically what they do is put a token in there that maps to your Google account so that after a factory reset it's still tied to your account and forces login after boot

rutxonboard[m]: anti-theft feature

to make it not tied to your account you have to remove your account

rutxonboard[m]: that makes it so someone that steals the device and wipes it via recovery can't use it even tho they wiped all the data

So it's like the iCloud Lock that junks iPhones? Very broadly speaking

Oh gotcha

That makes more sense

rutxonboard[m]: yes, it's on all Android phones, but Pixels have a secure element based implementation

Yeah. Incentivizes returning the phone to discourage steal-and-sell.

rutxonboard[m]: usually there's just a frp partition used for this little bit of data

rutxonboard[m]: pixels got rid of that and put it on the Titan M via a tiny little API for setting and retrieving a small block of data there

rutxonboard[m]: it's really super overkill

This is all very impressive, I didn't know how far ahead Google was

In hardware level security

Wow. So to circumvent factory reset protection, they have to attack the HSM itself... which is paranoia-level secure. Brilliant.

so gen 1 chip on Pixel 2 (NXP chip) had Weaver, insider attack protection

Titan M has Weaver, insider attack protection, verified boot enforcement, lock state enforcement, factory reset protection enforcement, and StrongBox keystore

the biggest feature by far is the StrongBox keystore - it's an HSM implementation of the standard keystore API used by the OS and apps

rutxonboard[m]: so for example, that's what Auditor is based on

it uses a hardware-backed key with attestation enabled

it generates a persistent key used to identify / verify the pairing with that device via signatures from the hardware-backed key

and it turns on attestation which adds attestation metadata to the public key certificate (private key cannot be exported from the keystore of course, just the public key certificate)

the public key certificate is signed by the batch key in the keystore which chains to the attestation root

Auditor pins that certificate chain rather than relying on the root cert

rutxonboard[m]: anyway lots of apps have a use for the keystore

For the other phones that support your app

rutxonboard[m]: as an example an SSH client can generate an RSA or ECDSA key in the keystore

What are they doing?

rutxonboard[m]: there is a traditional TEE-based keystore

rutxonboard[m]: and then StrongBox == secure element based keystore

Pixel 3 and 3a have StrongBox via Titan M

very new Samsung phones with a Qualcomm SoC implement StrongBox via Qualcomm SPU

rutxonboard[m]: the keystore API is an HSM API basically

the traditional one is implemented via the TEE and has a lot more features / algorithms and "unlimited" storage for keys

rutxonboard[m]: because the way that the TEE stores data is it encrypts it with a hardware-bound key and then passes the data back to the OS to be stored by the TrustZone service

rutxonboard[m]: so one of the issues with the traditional approach is that someone could save this encrypted data and try to do a replay attack

rutxonboard[m]: so there is an optional 'rollback resistance' feature

rutxonboard[m]: which uses the Replay Protected Memory Block to store data to prevent replay attacks

rutxonboard[m]: an example would be lets say you delete a key in the TEE-based keystore

so it really just ends up deleting encrypted data it stored via the OS

it can't really reliably get rid of it or ensure it wasn't copied elsewhere by a compromised OS

I'm not confident I know what HSM stands for

hardware secure module

security chip basically

Okay Hardware Security Module that's what I thought, wanted to be sure

rutxonboard[m]: using the StrongBox (HSM) keystore is as simple as doing builder.setIsStrongBoxBacked(true)

rutxonboard[m]: it's the same API as the traditional TEE-based keystore, with fewer supported features / algorithms

rutxonboard[m]: developer.android.com/training/arti…les/keystore#HardwareSecurityModule

and if you're curious why it supports 3DES, it's because banks and financial services heavily use it and wanted it included despite stripping away most of the algorithms

*shrug*

Heh. Well...

and it's a simple symmetric algorithm so it doesn't add much attack surface or complexity at all

It's kinda funny how 3DES soldiers on and refuses to die... *sigh* kinda crazy.

rutxonboard[m]: so the way the keystore works is you either generate or import a key, and the private key can never be exported

it tracks whether the key was generated internally or imported as one of the key properties

rutxonboard[m]: and then from that point on the OS can only use the key within the constraints placed on it

> and if you're curious why it supports 3DES, it's because banks and financial services heavily use it and wanted it included despite stripping away most of the algorithms

That's surprising, but also not.

rutxonboard[m]: developer.android.com/reference/and…eystore/KeyGenParameterSpec.Builder is how you generate/import a key

setAttestationChallenge(byte[] attestationChallenge)

so that's how you enable attestation

you set a challenge string (provided by the host doing the attestation verification - random string) that it includes in the attestation metadata it adds

and it signs the public key cert with attestation batch key and provides that cert chain

setUnlockedDeviceRequired(boolean unlockedDeviceRequired)

rutxonboard[m]: you can use that, to keep the key at rest when the device is unlocked, and the keystore can then encrypt the key based on the token passed when unlocking

rutxonboard[m]: so you can use keystore keys to keep data at rest when the screen is locked by encrypting data with them

you can either DIRECTLY encrypt the data (ideal) or encrypt another key with them for performance

<strcat "it's a proprietary NXP security "> It is compliant with global platform standards, it runs javacard apps you can install or update if you have card manager keys

setUserAuthenticationRequired(boolean required)

is to require recent authentication

different from requiring the profile to be unlocked

setUserPresenceRequired(boolean required)

is to require user presence to use the key

in practice that means the user has recently interacted with the device via a physical button, etc. that cannot be faked by the main SoC

setUserConfirmationRequired(boolean required)

and that requires explicit user confirmation

Sets whether this key is authorized to be used only for messages confirmed by the user. Confirmation is separate from user authentication (see setUserAuthenticationRequired(boolean)). Keys can be created that require confirmation but not user authentication, or user authentication but not confirmation, or both. Confirmation verifies that some user with physical possession of the device has

approved a displayed message. User authentication verifies that the correct user is present and has authenticated.

rutxonboard[m]: the way the TEE-based keystore implements this is via the fingerprint scanner, since the fingerprint scanning stuff is implemented with the TEE

rutxonboard[m]: so it can use that to do presence / confirmation / authentication checks directly

rutxonboard[m]: StrongBox keystore has access to all of that via the TEE (it pairs with the TEE)

That's so interesting, so to fake it you would need to actually hack the chip directly

rutxonboard[m]: on the Pixel 3, the Titan M has the power button directly wired to it and can detect when it's pressed

rutxonboard[m]: so basically you can store a key that requires prompting the user to press the power button to use it

rutxonboard[m]: the API is designed so that the security chip could in theory display the confirmation message to the user

and it provides a signed proof that the user saw the message

rutxonboard[m]: in practice, there isn't a secure display, and the OS is just displaying the message to the user

but it's set up so that in the future, the security chip could do something like temporarily taking over the display in a way that the main SoC can't interfere with

rutxonboard[m]: and the API provides proof that it happened and was confirmed

> but it's set up so that in the future, the security chip could do something like temporarily taking over the display in a way that the main SoC can't interfere with

Is that the kind of thing you want to make custom hardware for?

yeah

rutxonboard[m]: also consider something like a Bitcoin wallet

so, ideally the StrongBox keystore would support secp256k1 curve

and then it could be used for Bitcoin wallets

rutxonboard[m]: and ideally, it would support taking over the screen to display a recovery seed, so you could generate the key on the security chip instead of in the OS and then importing it

rutxonboard[m]: and ideally it would have direct support for Bitcoin and requesting confirmations via taking over the screen rather than only lower level signing operations without an understanding the protocol

and then you'd have a real hardware wallet inside the device

protected confirmation is useful but doesn't confirm a specific operation just USING the key

Beautiful.

rutxonboard[m]: anyway the keystore can already be used for things like SSH or whatever

That would require allowing the Titan M to control the display stack, but very possible

rutxonboard[m]: including confirming usage of the key via physical confirmation

The GPU and the display

rutxonboard[m]: yeah just like they wired it up to the power button

it doesn't need the GPU

it doesn't need to do any fancy graphics

it'd just need a way to take over the display temporarily

That's insanely cool what this chip could do

And can

Oh yeah :D

> it'd just need a way to take over the display temporarily

Does the Titan M enforce OTAs require any form of consent?

Sorry about bouncing so much, I'm making some changes >_<.

I know it doesn't matter since one could just sideload them without consent. Purely curious how it handles the verification steps in that case

literally > 700 spam emails to danielmicay⊙gc in past couple days

fuck email

Holy cow.

I don't get spam to my @grapheneos.org / @attestation.app emails yet

I don't really want to start using them to make commits because then the spam will start

I think posting to mailing lists is what really triggers it

Sheesh >_<.

if people send me an email that goes to spam, which happens a lot when people use their own mail server that's not properly set up (missing SPF, DKIM or DMARC, or missing proper reverse IP record) it goes to spam

and then...

I never see it

cause I get hundreds of spam emails a day

so if people send email from their own domain I often won't see it since they probably don't have it set up properly

*shrug*

Would it make more sense to have people communicate another way?

doesnt gmail automatically sort ML emails?

fastmail has a tab that filters mailing list stuff

renlord: yeah and I also make my own filters to set stuff as never going to spam

I set emails relayed via github to never go to spam and I do the same for mailing lists

PeterEaston: oh so I said 700+ spam emails in 3 days

PeterEaston: but note... I have filters that immediately deletes tons of patterns

so those don't even go to spam

I was trying to clean up my spam folder to find useful emails

didn't work

> ʜᴇʏ__Danielmicay__ᴜɴʙᴇʟɪᴇᴠᴀʙʟᴇ💥_ʏᴏᴜ'ᴠᴇ_ᴡᴏɴ_$𝟸𝟶𝟶𝟶ᴄᴀsʜ+𝟷𝟶𝟶%_ғʀᴇᴇ_sᴘɪɴs____ᴄᴏɴғɪʀᴍ__ɴᴏᴡ___

Ay carumba >_<.

FUCK Me💋 <mjefwkgM0IKyqF⊙rrbc>

You should just tell people to reach you on a sane communication platform

to RmqpUmdARN7N2SRSet-RmqpUmdARN7N2SRSet

the spammers have proper reverse IP, SPF, DKIM, DMARC ofc

I'm still trying to get my sorry butt off MailFence... or at the very least, get them to start respecting the antispam measures we talked about on incoming mail >_<.

luckily it all goes to spam

Good gravy.

You've get more spam email in a few days than I got in my whole life

I rarely ever get spam that goes to my inbox other than stuff like people sending me developer surveys or doing university studies

rutxonboard[m]: yeah I highly recommend not contributing to projects using mailing lists

or discussing things on mailing lists

you get a fucking ridiculous amount of spam

rutxonboard[m]: also people repost my email everywhere referencing my commits or the arch linux keyring

this spam email is totally fucked up

I'm looking at the original raw email

> I'm still trying to get my sorry butt off MailFence... or at the very least, get them to start respecting the antispam measures we talked about on incoming mail >_<.

Why MailFence? I only use email for accounts so I only use Gmail since I can trust them not to get hacked

it has like

20 different spam emails

inside the same email

wtf

How?

That's disgusting

what the fuck is this shit

it has ascii art

it has a comment with an ascii header art thing

...good gravy...?!

and it has a ton of additional spam emails with display:none

like

you need the aliases to track which shit provider is leaking your email

they included 20+ spam emails in this

I think "private" email is bs PeterEaston there's no reason to use it. Gmail, Outlook, or iCloud would be the only ones I'd consider

then just blackmail the alias

renlord: I use my email publicly

mailing lists

commits

renlord: you're going to get tons of spam to whatever email you used for the GrapheneOS commits

rutxonboard[m]: so far I've *kinda* had some good luck with Startmail. The only thing they've failed so far is DMARC alignment... >_>

so far none

but my spam filter is so aggressive

I think mailing lists are the main issue

renlord: well I'm looking at my spam folder

none of this makes it into my inbox

even emails from my institution goes into spam immediately

I want to stop receiving mail that's classified as spam

it's rare that legit emails go into my spam folder

but people do send me emails that do

anyways, if urgent, my supervisors will email me directly

I used ProtonVPN for a while and their own emails went to spam

strcat: you remember the Red Green show? There's this episode where Uncle Red on Handyman Corner made a flyer-remover by putting a vacuum cleaner over his mail slot and he joked "Is this a coincidence that the vacuum cleaner head fits over the mail slot? Nah, probably not."

> but people do send me emails that do

I'm not an email guy, but wouldn't an auto reply to spam work?

then I'll prob get even more spam

> rutxonboard: so far I've *kinda* had some good luck with Startmail. The only thing they've failed so far is DMARC alignment... >_>

I wouldn't use StartMail either if it's not a $100 billion company I'm not going to trust them with the keys to my kingdom

I should really just stop using email

> I should really just stop using email

Insist they use another platform

If it's important they will do that

I'm happily hosting my own email server for GrapheneOS

rutxonboard[m]: you raise a good point :(

Crud... Aaargh...

i have a auto-reply rule for *@student.unimelb.edu.au

that auto-deletes everything and replies "your email has been deleted. thanks"

Such broken protocol

> rutxonboard: you raise a good point :(

I only trust Google to make my phone. GrapheneOS to make my rom. Google with my email/accounts. And I definitely try try too much with my laptop between everyone making stuff for that

I at least only use OTP on my phone

gmail is getting more hostile with imap/smtp support

Trust*

renlord: just with passwords

not imap/smtp

> * PeterEaston basks in the glory of rutxonboard[m]'s humility.

That's a first

they're hostile towards using passwords because they want everyone to use 2FA

i cant remember if you need to toggle 'enable less secure apps' if you use 2FA

when you enable 2FA it makes you set up app passwords for apps

so with ^ do you need to toggle it?

I think it disables that altogether

you can't login with the username + password alone once 2FA is on and have to make app passwords

rutxonboard[m]: hehehehe, well, it's... it's kinda a long story, I've spent so much time fighting with, then finally just trying to tune out the shrill voices of the dubious Toxic Power Users it's finally great to hear someone say look, listen to some real sense.

app passwords are meant to be per-app, temporary passwords

and it regularly warns you in the security review that you have them

they don't want you using them

they want apps to implement OAUTH and get access to a specific set of stuff that the user can review

and that does login via Google's login implementation including 2FA

renlord: it's hostility towards passwords, basically

renlord: they want apps using Google's login implementation

how's oauth going to work with imap/smtp credentials?

lol

> rutxonboard: hehehehe, well, it's... it's kinda a long story, I've spent so much time fighting with, then finally just trying to tune out the shrill voices of the dubious Toxic Power Users it's finally great to hear someone say look, listen to some real sense.

I totally relate. The privacy community has an insatiable hate for a popular solution or anything corporate at all

renlord: thunderbird implements this

isnt that a form of hostility?

I used to be roped into that

renlord: well thunderbird works using the modern way

Yeah T_T

Same here, ahaha.

renlord: don't need app password for TB

renlord: try using thunderbird with it and you'll see

the last time i used thunderbird, it crashed on average twice a day or something

well it's a fucking terrible application

and coredumped till my disk space ran out

Wow.

I'm just suggesting trying it to see how the proper login works

its a dysfunctional mail client

Mozilla did something right for once?

I have to admit... I'm not too fond of Mozilla Blunderbird, but...

I'm shocked

Maybe rustlang

I'm kinda sad that it's in the shape it's in right now because it's one of the few programs that my grand dad can sit down at and without any computer training, start using right away.

it is a mozilla initiative

why dont they rewrite thunderbird with rust?

so it will stop coredumping

It's very disappointing to hear that beneath the UI the program is rotting.

> Maybe rustlang

I do love that. Also first party isolation. I know some people who never clean their browser ever.. that is the only way they get any privacy

Mozilla knows enough to be dangerous

and servo as well

dont know how its going

I'm going to have to start switching to mutt >_<.

i use neomutt, its great

at least its snappy and never crashes

Servo is fantastic, Firefox Nightly is legitimately the fastest browser I've ever used

I've got it merged but... I've had a hard time trying to use it.

the mime handling is abit troublesome

PeterEaston: you can checkout my muttrc file

I'm going to stick with Chromium for a good long time since I can't bring myself to use Windows

And many other reasons

CFI, site isolation, jemalloc, win32k sandbox. So much is missing from Firefox and they expect people to take it seriously? /rant

Oh wow!

Oh wow thank you!

I mean that they use jemalloc*

rutxonboard[m]: now I'm imagining that old "getamac" commercial where the mozilla dude is counting out advertising budget and it's like "slick marketing, slick marketing, slick marketing..." *piles bricks of cash in one pile* "...fix Firefox." *puts one dollar into the other* "slick marketing, slick marketing..."

200//4

sry, irssi fail :D

FINALLY my chatting VM lives again.

> rutxonboard: now I'm imagining that old "getamac" commercial where the mozilla dude is counting out advertising budget and it's like "slick marketing, slick marketing, slick marketing..." *piles bricks of cash in one pile* "...fix Firefox." *puts one dollar into the other* "slick marketing, slick marketing..."

$1 that's a bit rich. Do you have a link to the one you're thinking of??

Oh man. One sec and I'll find it.

i dont think mozilla is deliberately malicious, they have to work to provide quality software at a small percentage of Google's budget

Dev option "don't keep background activity" is what I have had enabled. Controversial thoughts on this. Some say it saves battery, some say it doesn't as it needs to fully load apps into RAM which draws power

Any thoughts?

This community is by far the most intelligent, hence off topic-ish question

rutxonboard[m]: sent!

> i dont think mozilla is deliberately malicious, they have to work to provide quality software at a small percentage of Google's budget

Yeah, it's true. They do some good things. The services are brilliant. I often recommend Firefox to my less tech savvy friends due to the good password manager, the multi email breach monitoring, the email aliasing is legitimately a good idea

joshman[m]: I try to avoid tinkering with the dev options. Not only do I not know what they do most of the time but my guess is that the developers who actually did know what they were doing and knew what they do set already tested and set them deliberately for the best tradeoffs.

If they don't know the first thing about security and privacy I've found the ecosystem can be more friendly

<TheJollyRoger "josh.man: I try to avoid tinkeri"> I guess you're not using BT earplugs don't ya?

For that, I have to because it's a workaround. But it's been discussed widely here and it's a matter of "well either you do this or you don't get your headset to work." But for something like not keeping background activity, if I don't know what it does, I stay away from it.

The other thing Mozilla does get right is they do a better job auditing extensions. That's one thing I have to give them

Sometimes it's difficult to call dev options as dev options. Things like Transition and Animation can be easily put in the Accessibility section. It makes the system so much snappier

I am probably too hard on them

Hehehehe X3.

For non tech savvy people Firefox might be fine. If you're knowledgeable then Chromium extra security is very meaningful

Ah that just reminded me of something funny... I'll take that to PM.

for tech savvy people, lynx is enough

or wget URL | emacs

Lynx I am wary of

At least w3m had some exploits and has no sandboxing

i dont think any of them have sandboxing

renlord oh good golly.

Since that's exactly what I had to do, it was MISERABLE

I couldn't get a browser to merge.

And I couldn't figure out lynx.

lynx is my favorite

So I lived like that for a month until Awilfox rescued me.

I use lynx on my phone

I mean, everyone can say everything about non-free javascript but trying to live with no web browser was an awful experience.

Haha, no js web is still the best

X)

this chinese domain registrar is trying to extort us for money

going to send them a super threatening email and tell them to fuck off

tired of their bullshit

it's some extortion scam

they claim that someone is trying to register domains using your branding and you need to register the domains with them first

Oh good gravy.

I seriously doubt anyone is trying to register the domains these bloodsuckers just threaten people

they probably will register the domain and I really couldn't care less about a grapheneos.cn domain

they can fuck off I'm not buying domains from them

grapheneos.cn the whinnie the pooh secure rom

anyway time to write a super threatening email

XD

Interesting post

Some resources linked from there look handy

fuck these chinese domain registrar people

eg. The Grey Matter of Securing Android Applications

TheJollyRoger: this scam is some real BS

strcat yeah thats crappy ):

I find it really hard to care about them threatening to register a bunch of chinese / indian domains

Was just wondering yesterday if you had other GrapheneOS domains

they're basically threatening me and demanding that I register the domain

dazinism: I really couldn't care less if people register grapheneos.cn / grapheneos.xxx or whatever

there are probably 10000+ tlds at this point

I'm not registering grapheneos across them all

grapheneos domain is grapheneos.org and domains like grapheneos.com, graphene.org or whatever else are unrelated

not going to register a bunch of variations of the name and do it per TLD that's insane

I don't even want grapheneos.com even if someone hadn't registered it to domain squat it

I'm not paying for unnecessary domains

and then once you start paying and redirecting you can't stop in case someone started relying on it

Theres just so many

anyway threatening these fuckers with retribution if they proceed

maybe I'll find some quality rant in a movie and paraphrase it

Yeah exactly

strcat: jeez oueeze >_<.

*loueeze

just going to switch to scamming them instead

O_O

Oh boy.

k sent them an email

told them our elite team of hackers has determined their identities and location

<strcat "they can't pressure Google to do"> So how do companies Cellebrite break the passwords if the delay increases to 1 passw a day? Do they bypass the restriction?

Likely that those Cellebrite/Graykey machines use canned exploits for exploiting older devices that aren't patched properly against that vector.

Don't think the Titan-Equipped Pixels are vulnerable to those UFED machines at this point in time. The Titan has its own internal clock that doesn't answer to the host clock.

can icann do something about it?

Time to pile up the Zs. Night!

for grapheneos.com i think you can hijack it via ICANN

there's some rule that you cant squat a trademark

<TheJollyRoger "Don't think the Titan-Equipped P"> If i remember correctly they claim to unlock all modern phones including iphone 11 pro,but i have read that as long as you have long alphanumeric pasw then its nearly impossible to break,

dazinism : update on the pm uninstall of stock and google apps from Miui, after unsitalling both stock and google apps , even after an OS update, they stayed uninstalled , created another user to see if i can uninstall for that user as well, for some reason having multiple users has a problem and i cant completely go through with it so idk if that's possible, all the gapps are uninstallable and the phone works out

just fine just as rutxonboard said however its the stock apps that i have problems with rn, some are built into the system and are clearly bloatware however unistalling them results in some part of the OS not being functional anymore

limitless0[m]: that's not what they claim

one of the extraction methods they list supported devices for requires already having the password and people misinterpret it as having an exploit

and yet the instructions for using it start with unlocking, enabling dev options and enabling adb

for example there is an app called security center, it has multiple functions, one being that it acts as a AV and wants to scan the system using either Avast or Tencent or Avira engin and another that it collects data, everything xiaomi related connects data, calculator and clock need internet acess, removing that security center results in the app manager not working anymore and also some other parts of setting

renlord: I'd probably need to register the trademark in the US which I'll do 'soon'

<strcat "one of the extraction methods th"> Thats good news then

<strcat "one of the extraction methods th"> Si its safe to use numeric passw

shitty experience overall, i dunno if its really worth having miui as stock even tho the bootloader is locked and i have Verified Boot rather than having LOS with all of its fake privacy and security implementations

limitless0[m]: it's obviously safest to use a strong passphrase where you don't rely on the hardware security features other than key derivation acceleration to strengthen the key derived from the password

but I seriously doubt anyone has bypasses for the Titan M throttling

people are prone to spreading misinformation based on skimming and not understanding things

happens a lot with that UFED stuff

they see a list of phones and imagine it to mean there is an exploit for those devices

without actually READING what it says

per usual

mxnorvak: thanks for the feedback. I used pm uninstall to remove bloat from a cheap Alcatel device I was messing with. For spyware system components that couldnt be removed the best I could think of was setting up NetGuard to block their internet connection

<strcat "limitless0: it's obviously safes"> I remember you talking about this on twitter a few years back,about iphone ios and usb disabled and how os exploit meant that usb disabling didnt mean anything if they had the exploit.I cant remember exactly but something along this lines

mxnorvak: not failsafe, but best effort

The way cheap androids build spyware into essential system components is proper nasty

<dazinism "The way cheap androids build spy"> its really a shame , the hardware used in this phone is really great for the money

<dazinism "mxnorvak: thanks for the feedbac"> can i do that without NetGuard without root?

> <@DzzzzzzR:matrix.org> mxnorvak: thanks for the feedback. I used pm uninstall to remove bloat from a cheap Alcatel device I was messing with. For spyware system components that couldnt be removed the best I could think of was setting up NetGuard to block their internet connection

* can i do that withNetGuard without root?

* can i do that with NetGuard without root?

mxnorvak: yes.

Its possible that some data can get past - eg. When the device starts before NetGuard has started

If you look in Settings>app you can see how much network data an app has used

So you can check if NetGuard has stopped everything or not

<dazinism "Its possible that some data can "> :( , am i really not better off with LOS till when i can get a pixel? Miui 11 is based on android 10 but it doesnt even have the network restrictions control per app in the app manager ( its still like the old model that you could only restrict mobile data) , i dont really know how much i can trust this rom

the Network toggle is a GrapheneOS feature

<strcat "the Network toggle is a Graphene"> really? i thought that's an ASOP feature cuz LOS had it too, i guess they might have just stupidly implemented it just to look like GreapheneOS

mxnorvak: guess it depends how much it'll hurt you if Xiaomi gets some of your data vs. making your device a fair bit less secure by using Lineage.

Guess need to consider that you are using a Xiaomi device - so already putting trust in their hardware / firmware

mxnorvak[m]: I don't think they have the same feature

<strcat "mxnorvak: I don't think they hav"> well yeah i havent seen the network toggle in GrapheneOS so i could be wrong about calling em the same thing

they have a toggle for access to wifi / mobile data (rather than just mobile data) which does NOT offer the same functionality and cannot be used to totally block network access

not the same thing

There was something in Lineage in settings>apps>some_app>network(or something similar)

Could disallow mobile data

And WiFi data

Not seen recent Lineage though

In GrapheneOS its a permission toggle for the app. Listed under app permissions like storage, location etc.

<dazinism "mxnorvak: guess it depends how m"> to be honest its the feeling of always being recorded and watched that annoys me so much, every app and the rom itself , other than that i dont have a clear threat model other than wanting to lessen the data collection which shouldnt be there in the first place, the hardware , its mostly not xiaomi ,a Snapdragon 855, a samsung made display, a sony camera lens , but yeah

idk how much i can trust the firmware either

<dazinism "In GrapheneOS its a permission t"> its the same in LOS 17, toggle for each app allowing or disallowing mobile data, wifi, vpn access and another thing i cant remember

I'd say stay on stock and block the spying system apps with NetMonitor then

Sorry NetGuard

I mean

mxnorvak[m]: no that's not the same thing as I explained above

this fucking VM ovh gave me has 8.3MB/s write speed

mxnorvak: I didnt quite understand if you managed to get a second user profile to work? Did it work but pm uninstall didnt?

<strcat "mxnorvak: no that's not the same"> oh sorry for my misunderstandings

on my local computer

1073741824 bytes (1.1 GB, 1.0 GiB) copied, 0.48348 s, 2.2 GB/s

on this ovh vm

1073741824 bytes (1.1 GB, 1.0 GiB) copied, 129.127 s, 8.3 MB/s

what the fuck

it's supposed to have an SSD

this is on another VM:

1073741824 bytes (1.1 GB, 1.0 GiB) copied, 39.9155 s, 26.9 MB/s

lol

"SSD"

<dazinism "mxnorvak: I didnt quite understa"> no the setup for a second user profile kept crashing for some reason even when i had a fresh stock rom installed , both on miui 10( android 9 ) and miui 11 (android 10 )

I'll give it one more shot tho

strcat: hypervisor busy

renlord: yeah

and maybe they cap speed at 10MB/s

VPS providers should publish cotenancy metrics

so users know how busy their boxes are

if ISPs have to publish metrics on virtual circuit usage, then obviously VPS providers should also publish these metrics

especially since the way I want to scale stuff is having many VPS with geographical load balancing

DNS-based load balancing is appealing

anycast DNS provider with load balancing + geoip stuff

so just start making a VPS per region and adding it in

if one is overloaded, add another for that region

to avoid using a third party CDN

why is using a 3rd party cdn so bad?

when you can verify the integrity of the object that is being downloaded anyways

if someone has time

looking into using slab_debug to see if the upstream debugging options uncover the same issue (like redzones) would be nice

someone reported they hit the same issue on a non-Pixel device porting the code to it

and mentioned that slub_debug redzones trigger the same issue

may be easier to debug that

debug cable may be helpful

mxnorvak: some Xiaomi devices are known to have issues with work profiles, guess the same issue may effect other profiles

They mention on f-droid.org/app/net.typeblog.shelter

Was thinking you could have Play Store running in an extra profile for updating critical system components - eg. whatever is providing your webview, but possibly other system stuff is receiving updates that way.

Alternatively I'd hope you could get these updates via Aurora Store

strcat: hows the support for the project going? i remember saying you were having difficulty securing a model to make graphene sustainable

r4v3r23: need a load more developers to solve issues on github

None of the supported devices have maintainers

so realistically how sustainable is the project?

Daniel has said it cant continue without more devs, and looks like thats not happening

There are more folks contributing

Just needs more

Support for devices can be dropped to free up time

This may well happen if nobody steps up to maintain a device

need lots of help

not just for technical things

<dazinism "Was thinking you could have Play"> i was thinking about replacing the system webview with bromite's version of webview

<dazinism "Was thinking you could have Play"> is there really anything important that play store updates that makes it work a separate user profile?

<dazinism "mxnorvak: some Xiaomi devices ar"> the work profile works normally , adding another user was problematic

its weird that for you to be able to add another user you need to activate developers options first and then the setting for managing guest user and adding another user appears

mxnorvak: you cant change the webview without building the OS yourself, or getting root on the phone. So you'll have to stick with whatever is used

<dazinism "mxnorvak: you cant change the we"> didn't know that !

does netguard require using it as a vpn to manage the connections coming and going through each app?

One year old articles, but it seems that Play Store indeed has some kind of functionality for system upgrades also.

interesting but it doesn't seem like its a mainstream feature yet

Having a look, appears the security updates via play is only on devices launched with Android Q

Project Mainline

Good for phones that are only getting irregular system updates

Project Mainline updates the Media Codecs, Media Framework Components, DNS Resolver, Conscrypt, Documents UI, Permission Controller, ExtServices, Timezone Data, ANGLE, Module Metadata, Networking Components, Captive Portal Login, Network Permission Configuration

mxnorvak: so I think possibly you only have to worry about updating whatever provides webview

Can see in developer options

<dazinism "Can see in developer options"> yeah its android system webview

Think thats basically chromium

Lots of phones use chrome for webview using monochrome or trichrome. GrapheneOS used to use monochrome so that its chromium (pre renaming it to vanadium) provided the webview

Not sure what the implications of having chrome doing webview

i was able to pm uninstall both chrome and webview tho

mxnorvak: you'll find removing webview breaks lots of apps

dont know what the effect would be , i was in the process of testing to see what works and what doesnt

Also when I tried it a few years back, the WiFi settings broke

WiFi was stuck on permanently

can confirm wifi setting didnt break for me

Couldnt turn it off (I never turned it on in the first places)

Still lots of apps use webview. Even apps that don't connect to network

still couldn't get around setting up another user, seems to be a device specific thing as it can not register a fingerprint to complete the process

and when on the main user or when im on work profile , i cant pm uninstall anything from work profile , results in [DELETE_FAILED_INTERNAL_ERROR]

so thats that

mxnorvak: guessing that the work profile will be -user 10

Sorry I think -user 11

Can check by installing f-droid.org/app/me.zhanghai.android.files

In the work profile

Then in ⁝ menu

Copy path

Annoying thing about that app is that in the launcher name and icon is almost identical to GrapheneOS files... very slight different shade of blue

ok managed to uninstall apps from work profile as well

you were right, i had selected the wrong user

How do you enable work profile anyway? Or is it just another user profile you talk about?

One has to install an app for that

Work Profile is a special type of user profile

ah

flabbergasted: hub.libranet.de/wiki/and-priv-sec/wiki/user-profiles

Because shelter has device admin permissions its very powerful, which makes using a work profile like this less safe than a separate user profile

But it can be very handy being able to copy stuff from one profile and paste it into the other.

Also being able to use app share functionality to share stuff between profiles

yeah I think I'll stick to the regular user profiles if I ever need it

What's the actual usecase for another profile. I mean I admit it's ok to share a laptop. A smartphone is so much intimate

* What's the actual usecase for another profile. I mean I admit it's ok to share a laptop. A smartphone is so much more intimate

Plenty.... imagine a work profile, play profile, and family profile....

it woudl take a bit of work to setup.... but in each one you only have things relating to that area..... limiting distraction from the others, and vice versa

The other good thing about work profile is apps in both profiles can run at the same time and you get notifications from both. Its a great way to run a messanger / video call app you need to use and needs permissions (storage, contacts etc.)

Can let it have access but no contacts in work profile, and keep storage empty

I think we are confusing two different things. I am refering to using User profiles.

Above I meant a "work" user profile, the the managed work profile. Sorry.

As I understand it, it seems that while not entirely frowned upon, the concensus is to not allow apps like Shelter or Islands have access to those permisisons.

> > <@DzzzzzzR:matrix.org> Was thinking you could have Play Store running in an extra profile for updating critical system components - eg. whatever is providing your webview, but possibly other system stuff is receiving updates that way.

> i was thinking about replacing the system webview with bromite's version of webview

You should contribute the changes you want to Vanadium web view. Vanadium is more secure, the other issue is that Bromite has no support for ad blocking on webview recently so there's no point that I can see. Just use Vanadium

quick question, does bromite need any further configuration to work with its full potential?

rutxonboard: they were talking about stock on a xiaomi phone

mxnorvak: bromite has a always incognito feature which can be good, depending on what you are doing with it

<flabbergasted "How do you enable work profile a"> for my use case it is built in to the os which is a xiaomi android based rom, i dont like their implementation tho

<dazinism "mxnorvak: bromite has a always i"> yeah i've noticed that, in a youtube video from the user named thehatedone i also noticed that he has the HTTPS everywhere extention on bromite, i dont know how that can be possible, seems like a good one to have beside the app based ad blocking

> > <@DzzzzzzR:matrix.org> mxnorvak: bromite has a always incognito feature which can be good, depending on what you are doing with it

> yeah i've noticed that, in a youtube video from the user named thehatedone i also noticed that he has the HTTPS everywhere extention on bromite, i dont know how that can be possible, seems like a good one to have beside the app based ad blocking

Only Brave and Kiwi support an "extension for that"

In relation to Shelter app: reddit.com/r/GrapheneOS/comments/g0ly0j/islandshelter_on_grapheneos

madaidan: this the place?

<anupritaisno1[m] "madaidan: this the place?"> Ye

Yes*

Well where's Daniel?

<anupritaisno1[m] "Well where's Daniel?"> He's strcat

<madaidan[m] "He's strcat"> ....sounds like a fight is about to break out...

<cx2[m] "....sounds like a fight is about"> Lol

haha

<cx2[m] "....sounds like a fight is about"> cx2: nah

It's just that I'm new here and don't want to mistake someone for someone else

That's all

Aaaaa madaidan.

Black theme broke on riot.im

My eyes is there a different client?

Riot is such a terrible, buggy client.

I haven't tried any others though

<anupritaisno1[m] "Black theme broke on riot.im"> You mean, their black theme? Don't think it inherits from OS

I just set black and nothing happened

No no I get it..... anupritaisno1 I enjoyed the busting through the door with a hearty "Alright alright, where is this guy.... bring him to me"....

The way it played out in my mind has some sort of medival setting.... I'm sure it's far funnier between my ears

Well uh

Idk what to say man

madaidan.: what client do you prefer?

or prefer the web?

CLI preferably nice tbh

And the web one seems to have electron

<cx2[m] "madaidan.: what client do you pr"> I've only tried riot on android and I hate it

Need to find a better one

anupritaisno1: yeahhhhh i tried getting cli up and running.... ive determined that I was attempting to punch above my weight class

I guess there's one that goes by pattle

It resembles telegram a bit

BTW madaidan explain

Or is a strongbox actually needed?

Perhaps read the text at the bottom lol

I'm pretty sure mine's supported

It's a GM1911

anupritaisno1: attestation.app/about#device-support

GM1911 isn't supported atm

haven't had time to add support for more devices

it's time consuming to deal with it and some of the existing entries may have issues

Device is in the list

I lack the time to investigate and resolve it so I stopped adding more

Oh okay

Oh 1913

it's not in the list

Yeah no don't have that one

OnePlus 7 Pro (GM1913 model)

Yeah got it

GM1911 not whitelisted

it may use the same verified boot key and may just need the model whitelisted

but has to be checked and verified via a sample submission

it's painful and time consuming to go through them all

this issue needs to be resolved before moving on to add more

need help

Yes it does

All oneplus use the same OS

There's 3 versions of the OS, the Chinese, the EU and the Global version

There's a beta but oneplus themselves break CTS sometimes on it

strcat (@strcat:matrix.org): like how can anyone help with just that information?

Need a log

<madaidan[m] "I've only tried riot on android "> RiotX is better overall for my needs, but still missing a feature here and there, some major (like calls).

They've yet to have a mobile 1.0.0, so, I wouldn't give up just yet.

Danny@WorkOrderPro: Do you have a bug with RiotX where if you jump to first unread message in a room it doesn't load the following ones? I can only load upwards and not downwards for some reason

strcat (@strcat:matrix.org): would you think we have a bug in the Qualcomm BSP itself regarding that issue?

04-08 14:10:04.131 10154 7210 8919 E AndroidRuntime: java.lang.NullPointerException: Attempt to invoke virtual method 'boolean android.hardware.fingerprint.FingerprintManager.hasEnrolledFingerprints()' on a null object reference

weird crash

probably just need a null check for this

What if the person tries to set a secure lockscreen and enroll a fingerprint?

strange this is the first device without that service, other devices with no fp scanner seem to have it

shrug

The galaxy tab A by any chance?

From Samsung

I have a galaxy tab a

anupritaisno1: yes this GrapheneOS/Auditor #64

Don't know which refresh/edition

It's completely unused though

ideally would add a new check for biometrics and a new OS enforced flag

maybe phase this out

super unimportant

<Zenithium[m] "Danny@WorkOrderPro: Do you have "> Have yet to see this, I'm afraid. I'm on F-Droid build on a 3a, ftr

strcat (@strcat:matrix.org): you're just converting a null to false

Maybe you should add a notification or something?

Failures shouldn't just be silently ignored

anupritaisno1[m]: it's not a failure

Besides what if it is a device which isn't expected to return null but does so anyway. Sounds like an attestation failure

I think it doesn't have a fingerprint scanner and they removed the service

I don't know if that's normal

I have to work around samsung BS already

I don't really feel like it's supposed to be possible for it to be null

Absence of the fingerprint HAL on a device that is supposed to have it, would such a case go undetected then with the patch?

It doesn't have a fingerprint scanner

but shouldn't FingerprintManager still work

so I can detect that

Unless Samsung maybe is playing games and removing deprecated methods?

anupritaisno1[m]: it's deprecated only for newer API levels because they want you to support biometrics generically

but I can't remove this

anupritaisno1[m]: the issue is the FingerprintManager service is null

I get it

Then can't we just service == null?

Oh wait

Yeah you did that

I don't know if that can go wrong though

you made me second guess that workaround

I don't know if services can ever be null when they are supposed to be supported

I don't really think so

Hypothetical case is a device that should have a fingerprint sensor reporting null

Yes it can

how?

I would expect it to not boot if a service wasn't added to the mapping

Does anyone have a link to the only documentation?

I experienced that once when bringing up android Q for my device

Old*

which?

Developer options was looking for some adb service and crashed because it was null

Thankfully lineage fixed that on their side

rutxonboard[m]: the legacy_documentation repo? I somehow wiped it from existence moving it

rutxonboard: the old one?

I have it locally

<rutxonboard[m] "Does anyone have a link to the o"> Use wayback

Hah

> rutxonboard: the legacy_documentation repo? I somehow wiped it from existence moving it

:( Yeah I am trying to web archive it

It's all good though

strcat (@freenode_strcat:matrix.org): that said

Do you think that issue we talked about today

Is related to qcom's bsp itself?

anupritaisno1[m]: the canary one?

I can't remember

I'm the same guy whose device didn't boot with either canaries or redzoning

Yes

anupritaisno1[m]: it may be a bug in the qualcomm kernel for the soc

I don't know

it could be an android common kernel bug or an upstream kernel bug

I would guess qualcomm

I assumed it was pixel specific tied to shadow call stacks or something

and didn't have time to work on it yet

Well I can send information if possible but would you like me to try it on a oneplus 6?

trying to figure it out anywhere is helpful

My kernel is a mix of several branches

So I want to make sure it's not just some upstream merge error

unfortunately I don't really see a way to handle the fingerprint thing aside from checking for null like that

I think I merge 12+ branches on that kernel every month

sigh

Anyway CAF branch r4 (sm8150/10.0.0)

fuck samsung

And google common kernel (4.14-p)

anupritaisno1[m]: github.com/GrapheneOS/Auditor/blob/…/AttestationProtocol.java#L264-L271

That's pretty desperate

I already have this samsung workaround stuff

Find something better xD

I have that to avoid removing checks for other devices

just hard-wire all the broken samsung devices

I could do that for FingerprintManager

Does Samsung even run custom roms?

Auditor is mostly for checking the stock OS

on most devices

strcat (@freenode_strcat:matrix.org): also while we are at it

compare size of custom OS table to stock OS

I can confirm almost every single issue with exec spawning

I don't get any signal at all from my carrier and can't go 4g-only on my device

github.com/GrapheneOS/Auditor/blob/…/AttestationProtocol.java#L429-L454 are the StrongBox ones

Voice over LTE, WiFi calling and others are broken, no autobrightness and something is broken in overlay parsing

Exec spawning ^

anupritaisno1[m]: you need to disable RROs

Will try

n-PRODUCT_ENFORCE_RRO_TARGETS := *

+#PRODUCT_ENFORCE_RRO_TARGETS := *

anupritaisno1[m]: this is a workaround for an exec spawning limitation

anupritaisno1[m]: in Android 10 (I think) AOSP changed how resource overlays work

and they didn't implement them for WrapperInit

Can a transition be done without resetting strcat?

I thought there was much more?

anupritaisno1[m]: no need to reset

In my experience going from exec spawning to without or the other way around always breaks something

rutxonboard[m]: that's it

and that's not the newest ver of that repo

Alright

rutxonboard[m]:I removed stuff as I migrated it

anupritaisno1[m]: enabling / disabling exec spawning works fine

but you're probably running into the fact that all the overlays are ignored if RROs are used

it's possible enabling / disabling the overlays breaks something

and enabling/disabling exec spawning without disabling this will cause that

I have an issue filed about support RROs

anupritaisno1[m]: afaik all this does is break generic system image support or something

> rutxonboard:I removed stuff as I migrated it

Ah any idea where I could find that? Or is it likely gone?

There were errors like those

rutxonboard[m]: I have it locally

Sdcard permissions became location permissions somehow

And various other errors switching from exec to non-exec

strcat (@freenode_strcat:matrix.org): couldn't care about gsi/qssi

rutxonboard[m]: there are only 3 files in the current repo

If someone boots a gsi on my vendor I'll watch from afar and pretend I didn't see it

anupritaisno1[m]: basically if you enable exec spawning without this RRO disabling commit

it ignores all overlays

and overlays could override all kinds of things

Got it

if you're using LineageOS stuff they may change core frameworks resources with overlays

in ways that aren't compatible with disabling it

Yeah a lot of stuff is there

dunno

anupritaisno1[m]: GrapheneOS/os_issue_tracker #133

it's technically an upstream issue

because WrapperInit has this same issue

and I modelled ExecInit after WrapperInit

> rutxonboard: I have it locally

Interesting well if you ever publish it again I would love to read through it.

Took me a while to add vanadium with it

Also is there a bug with chromium in general?

anupritaisno1[m]: what do you mean?

Certain "huge" pages crash my devices

could be an issue uncovered by Vanadium

or hardened_malloc

Hmm

Well it's reproducible on almost all my devices, some even running the stock rom

Loading this in vanadium causes the browser to freeze

It's not related to vanadium

Almost all chromium browsers behave kind of the same

Hardened malloc, maybe but I saw the issue happen on a device that doesn't have hardened malloc

Makes me believe it's an upstream chromium bug

does it happen in chrome?

it could be a build option issue

And if that doesn't crash it

The link above will immediately do so

That app is a wrapper around vanadium

The browser froze so quickly it didn't even let me copy the link

If I change it to something else

With bromite not only the app, it's like my entire device freezes for a few seconds

anupritaisno1[m]: does chrome with same ver crash tho

Downloading

Pretty much

Firefox loads it fine

anupritaisno1[m]: perhaps it's uncovered by one of the hardening features

if it occurs on the stock OS tho it's a Chromium problem

Hard to tell for sure

even if a hardening feature does uncover it

doubt it's an issue with any of the features

probably a chromium issue

Well

Your hardening features did tell me the OEM messed up the kernel a lot

Thanks for that, without them some of the stuff cleanup would never be found

anupritaisno1[m]: GrapheneOS/Auditor a0cc37c

*stuff to

new take on that

real pain

I wanted to just check for FEATURE_FINGERPRINT and return false if it's not supported

but apparently some devices have it but don't set the feature

missing CTS test case I guess

Can I see where you implemented generalsecurityexception

Okay got it

One sec

strcat you need more cables?

Tbh how would you make those?

My device has this proprietary dump mode that while very helpful, nobody knows how to use it

So debugging kernel panics is insanely hard

How do you get Chrome to have tabs?

Interesting question

anupritaisno1[m]: I have a tutorial on making /android/ debugging cables for the Pixels and GrapheneOS developers that need them can get them from me for free under a gentleman's agreement that if they don't need them anymore, they'll send them to someone who will.

Sorry dunno

How do these work?

kohntree[m]: tap on the little "[1]" in the upper right corner of your screen.

And can I dump a pstore? Assume the device always warm resets on debug builds

GrapheneOS dark theme users may enjoy this "custom" Qwant URL for setting as their homepage. Loads minimalist dark view, doesn't load trending news bits, etc:

anupritaisno1[m]: they talk to the device via its uart interface. This only works if the device's bootloader has been unlocked to permit uart debugging.

I can't make it look like that

(Vanadium doesn't have Qwant as a default just yet, & the config is a bit buried on site, so, figured I'd share!)

TheJollyRoger: I believe the oneplus 7 pro does have it

<kohntree[m] "I can't make it look like that "> because that screenshot is firefox, not chrome

Ah

github.com/Peter-Easton/android-debug-cable-howto anupritaisno1[m] This will tell you what you need.

At this very moment I don't sell those cases because they're too expensive and nonessential. Wrap the pcb in tape before you use it.

DannyWorkOrderPr: if you enable the OS dark theme, apps targeting the current API level use the dark theme

and in Vanadium and other Chromium-based browsers it tells the site to use a dark theme

strcat: I'm currently out of serial cables. Would you like me to make more?

TheJollyRoger: yeah

Ok on the way.

<strcat "and in Vanadium and other Chromi"> Mhmm =] Not sure Qwant implements this, currently.

Heads-up that this batch will not have cases; I cannot make cases during the pandemic. The subcontractor has shut down.

TheJollyRoger: thanks

I was almost banging my head on the wall with some of the issues I had

anupritaisno1[m]: these might not work with your device

Heh, well... I can't take credit for the knowledge. One of the other contributors showed me what to do but has asked me not to mention them by name. :)

anupritaisno1[m]: Nexus devices and 1st gen Pixels used an older debug cable system

Pixel 2 and later uses this (Suzy-Q) which is an extension of what Chromebooks use

anupritaisno1[m]: not sure how many other devices use it

strcat (@freenode_strcat:matrix.org): probably my only hope tbh

this is pretty funny:

anupritaisno1[m]: I can't stress this enough though, before you use it, wrap the PCB entirely in tape, otherwise it can short your phone.

There's no way to get pstore

My device boots to this weird mode when it panics

It just shows the last function the program counter was on

That's it

*Some error message*

PC at: <function_name>+some offset

Ha, who'd have thought that Brazilian Jiu-Jitsu would be close to golang.

Very funny.

TheJollyRoger: not the one I find funny

Go is a great language

Just compile it with pie though

strcat: heh, I'm a bit slow on the uptake ^_^; enlighten me...?

This classic never gets old

OH.

TheJollyRoger: how high is the risk of killing the phone?

I plan to keep this one for a good 5-6 years so yeah

anupritaisno1[m]: not very, but for the amount of time it takes to wrap the little circuitboard in tape and the consequences of the risk the tape mitigates, it's worth wrapping the PCB in tape.

You won't ever have to unwrap it.

anupritaisno1[m]: TheJollyRoger: just note random devices probably don't implement the Suzy-Q debugging

it's a Pixel thing

AFAIK

you don't get serial debugging on other devices

they probably disable it for non-employees

Yes yes

strcat: oh. Oh I see... so uart may not be supported on those other devices, just Pixels. Huh, you know that kinda makes sense... only Google's ever been forthcoming with us for this kinda thing :(

But this seems like the only choice here man

anupritaisno1[m]: some other devices did implement the OLD debug protocol

dunno about the new one

Unless I build the bootloader myself

And remove the proprietary crashdump

you probably can't flash a custom bootloader

or if you can flash it probably won't boot

since that would imply verified boot is broken

Oneplus does no validation

You can

:\

that breaks the rules for Android devices

Verified boot isn't a thing on oneplus

anupritaisno1[m]: they don't enable secure boot?

but it's mandatory afaik

Idk how they get past Google

But the bootloader does absolutely zero verification

Somebody has been running magisk all the time on a locked bootloader on my builds

Well the bootloader says "secure boot: enabled"

However there is no yellow verity warning

Locking the bootloader completely removes the warning that a custom OS is loading

As if the bootloader doesn't implement the yellow state at all

wow

anupritaisno1[m]: yeah that's a security vulnerability

Wow.

in the late stage bootloader

The bootloader does implement red, green and orange

anupritaisno1[m]: yeah but not implementing it == it won't boot with it locked

they broke it

Holy shit. So all this time... those oneplus devices are being carried around with... with effectively no root of trust?

if they hadn't messed up the reference code it would just hit an error

<strcat "anupritaisno1: yeah that's a sec"> strcat (@freenode_strcat:matrix.org): well oneplus isn't the most secure

when it can't fetch the AVB key

I got this because their highest end model was cheaper than the lowest end pixel

At least where I live

And honestly I can't even lock my bootloader

Since I am the one doing releases a bad kernel means I'm stuck on a locked bootloader and need to use an exploit to go back to the stock OS

Wow. How the hell can OnePlus be still doing this, running around with no bootloader security?

So it's only ever people who use my roms who get tested builds and can be confident locking the bootloader won't wreck them

I kinda expected it

<anupritaisno1[m] "Idk how they get past Google"> Money and/or users seeing their ads usually does it.

Well... I'd heard about the OP6 which had verified boot that would happily allow arbitrary images to boot if it was on and "enforcing" and I thought they called it a bug...

I did not know they not only did not learn from it but systematically swept it under the rugs and continued course!

But tbh the hardware is nice, and they don't make a fuss with unlocking

Yeah well don't buy a oneplus if you want security

Though if you're careful

You'll most likely not have an issue

there is a lot to doing verified boot right

and having such a blatant bug is pretty bad

Yeah...

I mean it's supposed to ENFORCE the AVB key

Is there any way that they could fix this with a firmware update or are we talking "this bug can't be fixed, send the phones back?"

anupritaisno1[m]: it implies that with the stock OS, locked bootloader, device as it was bought

Having owned 2 other oneplus devices I knew what I was buying into

anupritaisno1[m]: attacker could swap out the images

and it wouldn't notice

strcat (@freenode_strcat:matrix.org): that concern was raised by one of my users

it may break decryption if they haven't fucked up the encryption integration

I told him the only solution is to use the edl exploit to write the ufs

anupritaisno1[m]: if they aren't flashing a custom AVB key it shouldn't boot an alternate OS at all

if bootloader is locked

Well yipes. No wonder why the OnePlus seems to offer devices that "look good on paper" for so cheap.

Well that too is doubtful

it's supposed to enforce valid OS signed with the hard-wired key OR the AVB key flashed onto the device

if one has been flashed

displaying the yellow boot state notice is a secondary thing

It seems fastboot uses a regex

fastboot flash ^avb_

If a partition name starts with avb_

The bootloader silently reports success

I've tried avb_.* (many combinations)

Bootloader reports success on trying to flash any partition that starts with avb_

Pixels have a custom implementation of avb_custom_key

it's not really a partition

it's a virtual partition basically

it flashes it to the Titan M

alongside the rollback index

I don't even know how other vendors could implement it without a security chip

Yes but if I do fastboot flash avb_notmy_key or some shit

unless they use the Qualcomm SPU

The bootloader reports a success

strcat: how many cables do you think we'll need this time?

anupritaisno1[m]: it sounds like OnePlus fucked up all the areas of the code that they are expected to implement

Well one thing I can confirm

Trying to replace the OS on a locked bootloader

like if they didn't touch it at all

Makes /data inaccessible

anupritaisno1[m]: yeah that's the encryption thing I mentioned

that's like Nexus 5X era verified boot enforcement

Anti-rollback is fine

anupritaisno1[m]: it sounds like the issue is they tried to implement the yellow state

and fucked it up

I can verify because anti rollback has made me lose data multiple times

they implemented it as the green state

but that's pretty strange

anupritaisno1[m]: it sounds like what they did is DELETE a bunch of the standard security checks

if you look at the qualcomm bootloader sources

it has a yellow state implementation

the vendor needs to provide an implementation of fetching the custom AVB key

anupritaisno1[m]: another thing, is this all with a testkey signed build or a custom key signed build?

or disable yellow state so that it just fails (red)

They always do

sounds like what they did

is try locking bootloader with custom OS

notice it's broken

They removed speculative store bypass disable from the kernel

I still can't enable ssbd

delete all the security checks for yellow state

cdesai: I'm using RSA8192_SHA512

it makes a difference, sometimes they handle those two differently

anupritaisno1[m]: yeah ok so custom, not testkey

Yes all keys custom

User build and verity enforced

I think I satisfy most of the hardening checklist however from what my users are telling me

I'm really concerned about the bootloader

anupritaisno1[m]: sounds like they do pass the correct data to TEE

anupritaisno1[m]: that's why decrypting /data fails

because TEE uses the verified boot key as an input to key encryption key derivation

Well yes

so as long as the bootloader isn't compromised

can't decrypt data

with wrong key

I can confirm that does happen

But the user might naively reset

but the bootloader is supposed to ENFORCE the key

anupritaisno1[m]: well also an evil OS

can reset

for them

strcat (@freenode_strcat:matrix.org): also I use a different encryption method than what oneplus uses

anupritaisno1[m]: or more evil: put a valid data partition

anupritaisno1[m]: but keep the rest of their data

just move it or w/e

I use wrappedkey which forces the key to never leave the TEE

The key is never written to ram

I had to do that because an exploit on all oneplus devices allows you to read all ram at will

The ram has a temporary key that is invalidated very quickly after usage

init_on_free/init_on_alloc helps avoid some metadata leakage

And I'm making sure the kernel always forces a hardware reset

But I'm unsure how much my mitigations can protect a oneplus

strcat (@freenode_strcat:matrix.org): that doesn't work

well you reinforced my lack of interest in even looking at one of their devices to evaluate it lol

Keymaster or something will throw a decryption failure even if you image /data and /metadata

Well if you want hardware that will last

Go for it

But don't expect anything else

All the oneplus phones I've owned have been super reliable

I really just want to have our own devices produced from a reference design

heh. Well, now I'll have something to say if anyone else asks about OnePlus...

strcat (@freenode_strcat:matrix.org): also good luck hardening these

It took me 8+ months to get it working properly

I had to spend days cleaning up their mess

Hey, you know that jokeb about "anything can be fixed with a big enough hammer?"

I think that applies here.

It can't be hacked if we smash it into tiny pieces :P.

TheJollyRoger: yeah I can fix my phone with it

Smh I should get a proper job instead of this bs developer job

Maybe I'll buy a pixel then

Naw man, naw... didn't mean to imply that, I mean like..

I don't think we can fix the vendor's problems for 'em :(

TheJollyRoger: I kinda like the op7pro tbh

Can't be hacked if there's nothing to hack

Easily one of the best displays I've had

<madaidan[m] "Can't be hacked if there's nothi"> madaidan.: next we know you'll hack something that nobody knew of

cdesai: yeah you there?

anupritaisno1[m]: yeah

./build/tools/releasetools/sign_target_files_apks -o \ -d /home/suzumiya/mount/.android-certs \ --avb_vbmeta_key "/home/suzumiya/mount/.android-certs/avb.pem" \ --avb_vbmeta_algorithm SHA512_RSA4096 \ --avb_system_key "/home/suzumiya/mount/.android-certs/avb.pem" \ --avb_system_algorithm SHA512_RSA4096 \ --avb_vendor_key "/home/suzumiya/mount/.android-certs/avb.pem" \ --avb_vendor_algorithm SHA512_RSA4096 \

--avb_boot_key "/home/suzumiya/mount/.android-certs/avb.pem" \ --avb_boot_algorithm SHA512_RSA4096 \ --avb_system_other_key "/home/suzumiya/mount/.android-certs/avb.pem" \ --avb_system_other_algorithm SHA512_RSA4096 \ --avb_dtbo_key ".android_certs/avb.pem" \ --avb_dtbo_algorithm SHA512_RSA4096 \ --avb_vbmeta_system_key "/home/suzumiya/mount/.android-certs/avb.pem" \ --avb_vbmeta_system_algorithm SHA512_RSA4096 \

--avb_vbmeta_vendor_key "/home/suzumiya/mount/.android-certs/avb.pem" \ --avb_vbmeta_vendor_algorithm SHA512_RSA4096 \ out/dist/lineage_guacamole-target_files-eng.suzumiya.zip \ signed-target_files.zip ./build/tools/releasetools/ota_from_target_files -k ~/.android-certs/releasekey \ --verify \ signed-target_files.zip \ signed-ota_update.zip

Sorry about the shit formatting

Will try to fix it

I changed my 4096 key with an 8192 key later

Heh. RSA8192 on a little SOC? That doesn't take absurd amounts of time?

It is lineageos

TheJollyRoger: no

I've seen zero difference in performance

Ha, fancy.

Then again I don't use my phone that much

anupritaisno1[m]: well it sounds like they aren't using your key to check anyway :P

anupritaisno1[m]: the RSA key is only used to verify vbmeta by the bootloader

anupritaisno1[m]: yeah I took your word for it.

the RSA pub key is what you flash to avb_custom_key

anupritaisno1[m]: the rest of verified boot is just the hashes from vbmeta chaining to the other stuff

anupritaisno1[m]: bootloader verifies the initial parts of those

<anupritaisno1[m] "madaidan.: next we know you'll h"> I'm an elite hacker sar

and then the OS uses dm-verity to verify everything in system/vendor as it goes

vbmeta just bootstraps that

<TheJollyRoger "Ha, fancy."> strcat (@freenode_strcat:matrix.org): thought so

Well thanks for letting me know

Also about the -ftrivial-auto-var-init={zero,pattern}

Why not build android with it]

*?

anupritaisno1[m]: we do

platform_build_soong

we used to use -fsanitize=local-init which was our downstream feature

we still have a ton of past features to restore

Would you zero or pattern?

zero for sure

for production

Yes zero is a pattern

But the AAAAA pattern or the 000000 pattern?

What happens if you use AAAAA?

zero is better for production

non-zero will uncover bugs and in rare cases potentially make things exploitable

And the Linux kernel?

same thing, zero

-ftrivial-auto-var-init=zero -enable-trivial-auto-var-init-zero-knowing-it-will-be-removed-from-clang

So we just change pattern->zero?

Hmm

How much is the risk with the "knowing it will be removed" if I'm using mainline clang?

The kernel uses clang 11 from git

Partly because clang older than clang 10 just didn't link the kernel at all

it won't be removed

clang / llvm devs are just assholes

It throws a bunch of errors with the AOSP clang

Thanks a lot will check

anupritaisno1[m]: see twitter.com/DanielMicay/status/1248384468181643272

I don't think writing 0 to the stack is a performance issue

In fact it might give weak protection against unterminated string overflows

strcat am I thinking it correctly?

Let's say your entire stack is 0 and you overflow

A 0 has a higher chance of stopping a c string overflow

anupritaisno1: one of the main issues with non-zero value is existing latent bugs only remain latent because they tend to get zero or enough zeroes

to not crash

the stack starts out as zero, and stuff writes a lot of zeroes to it

so it's pretty common for code to just get zeroes in uninit data in practice

so it ends up depending on that undefined behavior

and the latent bug sits there

so if you use non-zero now suddenly it sees a non-NULL pointer, calculates a big offset from it based on a non-zero size, and crashes trying to access that

lets say you have

struct vector { void *data; size_t size; }

you fill both with 0xAA

so the pointer is 0xAAAAAAAAAAAAAAAA

So you mean to say

I should use pattern while debugging

And zero in production?

Basically split debug and production configuration

yes

pattern will cause crashes

it will uncover bugs

Hmmm

Yes pattern did

Pattern took me to the proprietary crashdump mode and gave me a slab error

anupritaisno1: the same thing applies to hardened_malloc, you could in theory disable zero on free and add code to fill with non-zero instead

Appending slab_nomerge to kernel cmdline fixed it

anupritaisno1: yeah so you found code using uninit data

and depending on it being zero

even tho it's only zero sometimes

but in practice it may always be zero when that code runs

Well slab merging should have been off anyway

But yeah thanks

I get it now

the pattern 0xAAAAA... they call it "infinite scream", no kidding reviews.llvm.org/D54604

valldrac: hmm

Well to me it looks like

101010101010101010101010....

It's an alternating sequence

it must be a non-mappeable address in the target arch, that's the key

Never assume

Assume all pointers are 64-bit

And that FFFFFFFF.... is accessible

> <@freenode_strcat:matrix.org> the Network toggle is a GrapheneOS feature

* really? i thought that's an AOSP feature cuz LOS had it too, i guess they might have just stupidly implemented it just to look like GreapheneOS

mxnorvak: they're different

Like they're completely different features

sry what are you referring to?

Lineage's toggle controls how the app uses the network

Graphene's approach controls if the app uses the network

They're slightly different things

funny you mention it now, was just reading the subreddit about this exact issue

Well I personally like lineage's approach to it

But really

Try both

See what works for you

unfortunately i dont have the opportunity to try GrapheneOS anytime soon ,being stuck with a xiaomi phone that doesnt even have a offical LOS yet and doesnt seem to be going official at all i just wish i could just sell the phone rn, im just looking for stuff that really work and do what they say they do and try to stay away from all the misinformation out there but i keep getting more and more hopeless about my

options

i like that with Graphene , there is very well thought out explanations for each feature and that really shows what Daniel and others working on it value most

anyway thanks for your input

Which xiaomi

mxnorvak: xiaomi just has some legal issues from what I know

The unofficial should be just as good as official

<anupritaisno1[m] "The unofficial should be just as"> even with selinux not enforcing

> <@anupritaisno1:m.apex.to> The unofficial should be just as good as official

* even with selinux not enforcing?

<nickcalyx[m] "Which xiaomi"> Mi 9t pro

Guess I need to rewrite the Oneplus stuff on

dazinism: maybe divide it into sections?

Got a bit lost reading the scrollback....

Its not really doing anything on Oneplus?

anupritaisno1:

you know what would be a true test - sign an update with a new set of keys, but then sign the ota with the old keys so that it can still install.

data won't be accessible so it'll prompt you to reset - but if it even gets that far then we know how broken it really is.

anyone got an issue with the VPN icon on the top menu bar?

define issue.... not showing up? Works fine for me on 3a with Mullvad Client, Wireguard, and OpenVPN

Thoughts on Gboard from Aurora, with all permissions revoked?

cdesai: already tried that one

It won't boot

Unless you reset

I'd call it completely broken in that case

it wouldn't even let you get to the factory reset screen on a pixel

(and that makes sense with what you said about the avb keys seemingly not actually being flashed)