Can the verified boot key be rotated?

Watermelon

Out of curiosity, can GrapheneOS rotate the installed verified boot key, e.g. via an OTA update? (In case the verified boot key would ever be compromised.) I guess Google can rotate the hardcoded key in the bootloader because they control its code, but they obviously can't rotate the hardwired key in the boot ROM (edit: I guess they could've designed it so it could permanently install a revocation proof and a new signed replacement key, but then how does it guarantee that it's permanently installed and cannot be removed).

Thanks

GrapheneOS

Watermelon All of the other keys including the one for verifying OS updates can be rotated but not the verified boot key because it's flashed to the secure element while unlocked and enforced from there. It's also taken into account as an input for disk encryption and the hardware keystores so changing it would require wiping. Google cannot rotate their OS verified boot key either since changing the hard-wired key in the code won't avoid it breaking the other things based on it.

We generate separate keys for each device model so the keys do get rotated across generations of devices. Google does either the same thing for the stock OS and firmware. They used to share keys across models launched at the same time. These were the shared stock OS signing keys for 3rd gen Pixels onwards which likely also applied to firmware:

Pixel 3 and Pixel 3 XL
Pixel 3a and Pixel 3a XL
Pixel 4 and Pixel 4 XL
Pixel 4a (5G) and Pixel 5

They haven't shared keys within the same generation after the Pixel 4a (5G) and Pixel 5. It's a bad practice since it means components from one could be used on the other despite not necessarily being compatible and potentially even creating a security weakness although not in a way that's likely to matter much.

Watermelon

Does anyone know?

Watermelon

The official GrapheneOS project account very recently directly answered this question elsewhere:
“Verified boot signing keys can't be rotated.”

Can be marked as solved. Thank you

Watermelon

GrapheneOS but not the verified boot key

Would you prefer if Google made it possible to rotate it too? As far as I understand from reading your FAQ entry about encryption, it's the input for deriving the key encryption key rather than the disk encryption key, so changing it wouldn't require re-encrypting the entire user data. And the secure element can already accept OTA updates to its internal OS, so they could've also designed it to support rotating the verified boot key.

Also thanks for the reply!

GrapheneOS

Watermelon Rotating the verified boot key would require relatively complex firmware support adding attack surface. It wouldn't change that the keys for signing the firmware itself can't be rotated. Since those can't be rotated, it doesn't make much sense to support it for the OS verified boot key from their perspective where they're signing both in a similar way. It's only an entirely separate thing for GrapheneOS because it's not the stock OS. Protecting keys over the lifetime of the device is what's expecting with keys rotated through using separate ones for each device. There's natural key rotation over time through device generations. Moving to a new algorithm for signing, etc. is normally done as part of a new device generation.

Watermelon

GrapheneOS It's only an entirely separate thing for GrapheneOS because it's not the stock OS.

Yes I figured it'd only be useful for non-stock because the firmware has an immutable root of trust.

Thank you