manipulated laptop for flashing GrapheneOS

Checkerrr

Dear community,

I have received a used laptop to flash GrapheneOS. Someone who intends to install and use GrapheneOS naturally wants to take every security precaution to get the new operating system safely onto the Pixel device. Security first. The BIOS settings were reset, a new operating system was installed, in this case Debian, and the BIOS was now flashed three times using the image via a USB stick in the BIOS menu. Can I assume that any manipulated BIOS firmware has now also been overwritten, and if not, can I still install GrapheneOS safely, as it does not allow a malicious image to boot through Verfied Boot anyway? I'm not paranoid, I read a lot...

DeletedUser69

Checkerrr security-wise you are better off using a regular Android and Chrome, using web installer.

trashaccount

Checkerrr You have multiple ways to confirm its installed correctly and safely after you're done. Just install it from your laptop, then use the boot fingerprint hash and Auditor as instructed by the website.

Checkerrr

Many thanks for both answers. Both are definitely plausible.

Which would you prefer? To flash from my used laptop, whose origin is unknown, but new BIOS flashed as described, or to flash from another GrapheneOS Pixel device, whose integrity is not certain, since it IS the device of a third person.

I don't want to buy a new laptop just to flash GOS.

DeletedUser88

Checkerrr As @trashaccount said before, it doesn't matter.

From https://grapheneos.org/install/web#verifying-installation:

The verified boot and attestation features provided by the supported devices can be used to verify that the hardware, firmware and GrapheneOS installation are genuine. Even if the computer you used to flash GrapheneOS was compromised and an attacker replaced GrapheneOS with their own malicious OS, it can be detected with these features.

Verified boot verifies the entirety of the firmware and OS images on every boot. The public key for the firmware images is burned into fuses in the SoC at the factory. Firmware security updates also update the rollback index burned into fuses to provide rollback protection.

The final firmware boot stage before the OS is responsible for verifying it. For the stock OS, it uses a hard-wired public key. Installing GrapheneOS flashes the GrapheneOS verified boot public key to the secure element. Each boot, this key is loaded and used to verify the OS. For both the stock OS and GrapheneOS, a rollback index based on the security patch level is loaded from the secure element to provide rollback protection.

Please read the documentation thoroughly next time as your question was already answered by it.

TLDR: Check the verified boot key hash matches and conduct an Auditor check. If both of these pass, your installation is genuine.