undefined | Better HN

0 pointsHoodedcrow1mo ago0 comments

> The attestation API in AOSP allows companies to trust signing key fingerprints (such as those of GrapheneOS), which means that the attestation system is not controlled by a single company (Google).

I wonder if this would exclude rooted OSes, non-relocked bootloaders and things like that? Sorry for stupid question, still not quite understanding how this works.

0 comments

1 comments · 1 top-level

microtonal1mo ago

Currently probably not, because there are leaked keys, etc. But otherwise it would, since the verified boot state, etc. is added as part of the signed material.

j / k navigate · click thread line to collapse