Circumventing downgrade protection

anselmschueler

In the event that a malicious build was signed and released as an update and installed on a device, could an older version be rebuilt and/or resigned to allow installing it via sideloading, bypassing downgrade protection?

This would be useful in the case that the malicious update prevented unlocking the bootloader.

Or would a device where such an OS build was ever installed be entirely untrustworthy?

de0u

anselmschueler In the event that a malicious build was signed and released as an update and installed on a device, could an older version be rebuilt and/or resigned to allow installing it via sideloading, bypassing downgrade protection?

Downgrade protection can't be bypassed. It would be necessary to have a newer version signed by the GrapheneOS signing key for the device type.

anselmschueler

de0u Does the downgrade protection check the signature and version or does it check the contents? What I'm asking is if the key holders can sign an older version with a newer version number.

de0u

anselmschueler I am not an expert on this, but I am pretty sure an old release could have its version number bumped and then re-signed. The installer checks the old and new signatures; it can't serve as a code critic.