Bypassing firmware attestation with an OEM private key

ubersecure

Suppose an adversary had access to the private keys for the manufacturer of the firmware (whichever is getting audited by AVB/GrapheneOS at boot).

Would it be possible for them to make a malicious firmware update, perhaps remotely?

Does GrapheneOS mitigate against this?

Tandara

ubersecure It isn't possible, unless the adversaries can exploit device's hardware root of trust (like secure element or boot firmware).

dhhdjbd

ubersecure

if they have a manufactures firmware siging private key, then all they can do is create fake firmware, that would not get rejected at the (frimware) installation/ update stage.

but this is just the last hurdle and does not enable them to distribute it at all.

i am not sure how it is exactly done for grapheneOs, but the full update package is i assume probably signed by them, which is verified before applying anything.

Watermelon

ubersecure Does GrapheneOS mitigate against this?

dhhdjbd that would not get rejected at the (frimware) installation/ update stage

I suggest you to check my thread here:
https://discuss.grapheneos.org/d/24187-can-the-verified-boot-key-be-rotated

dhhdjbd

Watermelon
thank you, but i am a bit confused now,
does it mean grapheneOS signs the firmware themself?
Because the first half of the second comment is about pixel Os and then that it is different for grapheneOs..

Watermelon

dhhdjbd does it mean grapheneOS signs the firmware themself?

Yes, in addition to the signature from Google. The firmware won't boot if it's not signed by Google. But GrapheneOS (neither the System Updater app within the full OS, nor the ADB sideloading feature in the recovery mode of the OS) won't accept any update package that isn't signed by GrapheneOS.

Edit: And GrapheneOS can rotate the key used for update package signing/verification separately from the key used for signing/verifying the files for actually booting them. I don't know if they presently use different keys like this, but they can start at any time.

Upstate1618

Firmware is signed by Google. If that key is compromised, a malicious stock factory image may be signed. Gos may trust that image and extract the firmware in it to publish a gos update.
Even if all of the above is true, there's still insider attack resistance to prevent SE firmware installing without user authentication. Thus a bfu exploit isn't possible through leaked firmware key.

Upstate1618

Please note in that case if the user trust the firmware and input the password, then the malicious firmware may be installed and harms the overall security. It's just impossible under some scenario like seized devices.

Upstate1618

If gos key is compromised, the attacker could also sign an update with malicious firmware. This is also protected by insider attack resistance.

ubersecure

Basically the answer seems to be that they wouldn't be able to install the malicious firmware they created. And all GOS users are getting the same firmware updates, so an individual couldn't be targeted that way.

I also asked on the #General Matrix channel. Some answers for reference:

"GrapheneOS Bridge, [Oct 11, 2025 at 7:43:06 AM]:
<pxlkng:discord> Firmware updates are exclusively shipped through GrapheneOS and cannot be done out-of-band of GrapheneOS releases.

<pxlkng:discord> The firmware can be, and afaik has been, audited."

"<pxlkng:discord> The way GrapheneOS updates work makes this impossible.

<hybridstaticanimate:discord> GOS rips firmware from stock, so they would need to compromise stock too, most likely.

<hybridstaticanimate:discord> And then GOS needs to ship it, which cannot viably be targeted to one person.

<hybridstaticanimate:discord> And then that update needs to be accepted. Which requires getting to the homescreen first."

de0u

ubersecure <pxlkng:discord> The firmware can be, and afaik has been, audited.

I am not sure what @pxlkng is referring to there. If an audit report is available for some or all Pixel firmware I suspect that would be of general interest.