Google "certified" pVM for eu-digital-identity-wallet & friends

user3

Title: Google "certified" pVM for eu-digital-identity-wallet (and Google Pay and Digital Car Key))

Assuming the EU and friends decide to privatize the work of considering a device secure or not, I'm wondering if we can use pVM to run a certified operating system which passes Play Integrity.

Pros:

workarounds the issue

Cons:

it's a kludge instead of a proper fix, which would be the EU institutions not to rely on a private foreign company to certify devices/OS.
I do not known eventually maintenance costs of such solution

de0u

user3 Assuming the EU and friends decide to privatize the work of considering a device secure or not, I'm wondering if we can use pVM to run a certified operating system which passes Play Integrity.

I have a faint memory that the underlying OS is part of the attestation chain. If so then the remote server would learn that the Android inside the VM is running on top of GrapheneOS. Also, I think the Android inside the VM would need to be designed to run in the VM, e.g., Microdroid.

So if Google wants to certify Microdroid and if an app author wants to certify Microdroid running on top of GrapheneOS, sure... but I don't think this is something that can be done unilaterally on the client side.