docs/os: AVB does not prevent evil maid #3183
Conversation
AVB may help deter rouge firmware changes and prevent tampering of the OS. Signed-off-by: ignoramous <ignoramous@users.noreply.github.com>
There was a problem hiding this comment.
Pull request overview
This PR corrects the documentation about Android Verified Boot (AVB) capabilities. The change removes the technically inaccurate claim that AVB provides protection against "evil maid" attacks and replaces it with a more accurate description of what AVB actually does: protecting against boot path changes, deterring firmware tampering, preventing malware persistence, and ensuring rollback protection.
Key Changes:
- Updated the Verified Boot description to accurately reflect AVB's actual security capabilities
- Removed the incorrect claim about "evil maid" attack protection
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| ### Verified Boot | ||
|
|
||
| [**Verified Boot**](https://source.android.com/security/verifiedboot) is an important part of the Android security model. It provides protection against [evil maid](https://en.wikipedia.org/wiki/Evil_maid_attack) attacks, malware persistence, and ensures security updates cannot be downgraded with [rollback protection](https://source.android.com/security/verifiedboot/verified-boot#rollback-protection). | ||
| [**Verified Boot**](https://source.android.com/security/verifiedboot) is an important part of the Android security model. It protects from boot path changes, deters firmware tampering, prevents malware persistence, and ensures security updates cannot be downgraded with [rollback protection](https://source.android.com/security/verifiedboot/verified-boot#rollback-protection). |
There was a problem hiding this comment.
The phrase "protects from boot path changes" should use "against" instead of "from" for proper English grammar. The correct construction is "protects against" when referring to threats or attacks.
✅ Your preview is ready!
Please note that this preview was built from an untrusted source, so it was not granted access to all mkdocs-material features. Maintainers should ensure this PR has been reviewed locally with a full build before merging. |
|
but it does? The encryption key is partially derived through the state of the verified boot chain. an attacker could attempt to modify the ciphertext of the drive since that isn't authenticated but that likely isn't implied here |
|
thinking about it more, I agree a bit more. the heads approach for example shows you a totp key you can manually verify to confim state before entering any passwords it would be neat if eg. GrapheneOS allowed you to use its Auditor before first unlock cc @thestinger |
|
Don't agree with the statement that it doesn't protect against evil maid attacks, especially when considering the existence of Auditor and secondary profiles with separate encryption keys.
It doesn't prevent proxying this to another machine and also doesn't really work since it fails to implement complete verified boot. TOTP is also very cryptographically insecure due to the very small output.
This is a planned feature but we haven't gotten around to implementing it yet. It could be done via a quick tile or lockscreen shortcut for starting Auditor in the Auditee mode. |
|
Evil maid attacks, at least in Mediatec SoC, have been shown to bypass Verified Boot: https://blog.quarkslab.com/android-data-encryption-in-depth.html
At best, AVB may deter all but determined evil maids? Can't really prevent, I don't think? Per https://www.cl.cam.ac.uk/teaching/1314/SecurityII/2014-security2-4-skorobogatov.pdf (2014), secure chips are eventually defeated in years, if given physical access. And the Fuschia docs on Verified Execution scope pretty broad:
|
3 participants
AVB may help deter rouge firmware changes and prevent tampering of the OS.
List of changes proposed in this PR:
cc: @eylenburg / @SkewedZeppelin