Hello all,
I have a question regarding the implementation of various profiles in Graphene, specifically how the encryption of those profiles is handled.
I am of course aware of the fact that, as a user, I need to initially unlock the Owner profile before I am able to access other user profiles. However, I noticed the other day that before unlocking my Owner profile, if I click into the settings on the lock screen (on a BFU device), I am able to see all of the user profiles and their names, although those profiles are "greyed out", implying that I need to unlock the Owner profile first.
But this caused me to wonder whether I had misunderstood how encryption of these profiles is implemented. If you'll excuse an imperfect analogy, I had thought of these profiles as something like VeraCrypt containers on a system with, say, LUKS full-disk encryption. In other words, a second layer of encryption, requiring an adversary using brute force to access the contents of the device to first unlock the Owner profile before they can even begin to attempt to brute-force the user profiles (as would be the case if you had a desktop encrypted with LUKS which also had VeraCrypt containers on it: an adversary could not even see those VeraCrypt containers until after they had managed to get past the LUKS full-disk encryption). I now wonder whether that is a mistaken belief.
In a hypothetical scenario where an adversary has access to a before-first-unlock (BFU) Graphene device which has multiple user profiles on it and is able to use USB-C to interface with that device (I know that this will not be the case for most up-to-date Graphene devices, because USB-C data is disabled on the lock screen, but just ignore that for now), could the adversary actually begin attempting to brute-force the passwords of user profiles before they manage to crack the password associated with the Owner profile? Could they hypothetically access a user profile even if they had not brute-forced their way into the Owner profile? If not, why are all of my profiles and their names visible from the BFU lock screen of the Owner profile? (The visibility there implies to me that there are not two layers of encryption for those profiles, as there would be with my imperfect LUKS + VeraCrypt analogy above. And if there are not two layers of encryption, I don't see what cryptographically stops an adversary from taking a stab at the passwords of those other profiles before they bust open the Owner profile.)
The reason I think this is especially important is that if an adversary could attack all those profiles simultaneously, users who set weaker passwords for user profiles (on the incorrect assumption that those profiles were also protected by the password associated with the Owner profile, presumably a stronger password) would risk data exfiltration, at least on those profiles.
Very grateful to anyone willing to clear up my (mis-)understanding here.
Kindly
DS
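The following is an added toy model of the two key-storage layouts DS contrasts in the post above; it is not code from the original post, not GrapheneOS or Android code, and it does not say which layout GrapheneOS actually uses (that is exactly the question the post asks). In the "flat" layout each profile's data key is wrapped only under a key derived from that profile's own password; in the "nested" layout the second profile's wrapped key is additionally encrypted under the Owner profile's data key, as in the LUKS + VeraCrypt analogy. The cipher is a deliberately simple HMAC-based XOR stream with a tag (an assumption for illustration, not a real key-wrap algorithm), the PBKDF2 iteration count is tiny so the demo runs quickly, and the passwords and wordlist are constructed sample data. The point it shows: with a flat layout an offline attacker who holds the stored blobs can test candidate passwords for any profile independently, so the weakest profile password falls first; with a nested layout the inner tag check never succeeds until the Owner key has been recovered.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Toy parameters. Real implementations use a much higher cost or a memory-hard KDF.
KDF_ITERATIONS = 1000
KEY_LEN = 32


def derive_kek(password: str, salt: bytes) -> bytes:
    """Derive a key-encryption key (KEK) from a profile password and per-profile salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ITERATIONS, dklen=KEY_LEN)


def keystream(key: bytes, label: bytes, n: int) -> bytes:
    """HMAC counter-mode keystream for the toy XOR cipher (assumption: illustration only)."""
    out = b""
    counter = 0
    while len(out) < n:
        out += hmac.new(key, label + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:n]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wrap_key(data_key: bytes, kek: bytes) -> bytes:
    """Encrypt data_key under kek and append a tag so a guess can be verified offline."""
    ct = xor(data_key, keystream(kek, b"wrap", len(data_key)))
    tag = hmac.new(kek, ct, hashlib.sha256).digest()
    return ct + tag


def unwrap_key(blob: bytes, kek: bytes) -> Optional[bytes]:
    """Return the data key if kek verifies the tag, else None (a failed guess)."""
    ct, tag = blob[:KEY_LEN], blob[KEY_LEN:]
    if not hmac.compare_digest(hmac.new(kek, ct, hashlib.sha256).digest(), tag):
        return None
    return xor(ct, keystream(kek, b"wrap", KEY_LEN))


def make_profile(password: str, outer_key: Optional[bytes] = None) -> Tuple[dict, bytes]:
    """Create a stored profile record and return (record, data_key).

    outer_key=None  -> flat layout: key wrapped under this password only.
    outer_key=K     -> nested layout: the wrapped blob is further encrypted under K
                       (here, the Owner profile's data key), hiding the inner tag.
    """
    salt = os.urandom(16)
    data_key = os.urandom(KEY_LEN)
    blob = wrap_key(data_key, derive_kek(password, salt))
    if outer_key is not None:
        blob = xor(blob, keystream(outer_key, b"outer", len(blob)))
    return {"salt": salt, "blob": blob}, data_key


def guess_password(record: dict, candidates, outer_key: Optional[bytes] = None) -> Optional[str]:
    """Offline attacker with the stored record: try each candidate, return the first that verifies.

    If the record is nested and the attacker lacks outer_key, the inner tag never
    verifies, so every candidate (including the correct one) is rejected.
    """
    blob = record["blob"]
    if outer_key is not None:
        blob = xor(blob, keystream(outer_key, b"outer", len(blob)))
    for pw in candidates:
        if unwrap_key(blob, derive_kek(pw, record["salt"])) is not None:
            return pw
    return None


def demo() -> dict:
    """Constructed scenario: strong Owner password, weak second-profile password."""
    wordlist = ["1234", "password", "letmein", "hunter2"]  # constructed sample wordlist
    owner_rec, owner_key = make_profile("correct horse battery staple")
    flat_rec, _ = make_profile("1234")                          # second profile, flat layout
    nested_rec, _ = make_profile("1234", outer_key=owner_key)   # second profile, nested layout
    return {
        "flat_without_owner": guess_password(flat_rec, wordlist),            # "1234"
        "nested_without_owner": guess_password(nested_rec, wordlist),        # None
        "nested_with_owner": guess_password(nested_rec, wordlist, owner_key),  # "1234"
        "owner_in_wordlist": guess_password(owner_rec, wordlist),            # None
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result!r}")
```

The flat case is the one DS is worried about: the attacker never has to touch the Owner profile, so the second profile is only as strong as its own password. In the nested case the attacker must first recover `owner_key` (by cracking the Owner password against `owner_rec`) before any guess at the second profile can even be checked. Which of these two shapes a real device uses is a property of its key-storage design, not something the lock screen listing profile names does or does not reveal.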