logoalt Hacker News

marmaramatoday at 8:43 AM1 replyview on HN

Your "development build" is another person's daily driver.

Case in point: GrapheneOS (or any other custom Android distro) is unlikely to be able to ever pass remote attestation, even a signed, secure boot build with the bootloader relocked, because it's not the original OS for the hardware.

Same goes for any desktop Linux.


Replies

inigyoutoday at 10:46 AM

GrapheneOS implements its own attestation so you can attest that it's real GrapheneOS. The valid approach they've chosen is to try and get on a level playing field with the big guys rather than destroy the playing field. They have a good argument their OS is very secure, so you should accept its attestation. This is how a user-friendly OS backdoors into the attestation system.

I still think destroying the playing field is better, but less likely to succeed.

show 2 replies