Supply chain security measures after the new Motorola partnership

eclhx6uh

First, I would like to thank the developers for new partnership and diversification of device support; however as a person in China, I am worried about supply chain risks. I am aware that Motorola Mobility is now a Lenovo subsidiary, and Lenovo is a Chinese company. It also have repeatedly been involved in OS tampering/injection from the firmware and shipping insecure firmware and injected software.

Lenovo's track record of firmware and hardware security:

the 2015 Superfish adware & spyware preloading that displayed desktop ads and injected self-signed certs for web ads injection
they did it again in 2016
it's UEFI firmware would detect if the booting OS is Windows and inject a bloatware that was downloaded without HTTPS if conditions were met
in recent years, grossly amusing UEFI vulnerabilities such as exposed debug interfaces, unvalidated firmware, etc.
TPM BitLocker key release can be sniffed with a logic analyzer (although this one is prevalent among Windows devices)

https://en.wikipedia.org/wiki/Lenovo#Security_and_privacy_incidents
https://arstechnica.com/civis/threads/lenovo-g50-80-dialog-box.1286817/#post-29497693
https://arstechnica.com/information-technology/2022/07/vulnerabilities-allowing-permanent-infections-affect-70-lenovo-laptop-models/
https://www.zdnet.com/article/lenovo-patches-uefi-vulnerabilities-impacting-millions-of-device-users-worldwide/
https://www.binarly.io/blog/firmware-patch-deep-dive-lenovo-patches-fail-to-fix-underlying-vulnerabilities
https://www.zdnet.com/article/lenovo-receives-3-5m-fine-for-pre-installing-adware-that-hijacks-https-connections/https://github.com/Cr4sh/ThinkPwn
https://www.binarly.io/blog/repeatable-supply-chain-security-failures-in-firmware-key-management
https://www.errno.fr/BypassingBitlocker.html

My threat model (like many others') includes my own regime. In China, the state has absolute authority to compel software and hardware vendors to ship backdoors and vulnerabilities and there is absolutely no security or privacy regulation.

In Canada and the US, it might be easy to realize that Western corporates may not be as trustworthy given the intrusive anti-privacy regulations and government spying exposures, and so on. But it would be, to "drink the poison to satiate thirst" as we say it in a Chinese proverb, to choose to trust a Chinese vendor that can only be worse.

To the developers,

My specific questions are:

Can you guarantee that you use separate development environments: one for development that involves running or trusting software (source & binary) shipped by Motorola, and a "clean" one that does not trust the former?
Can you use different source repo and build servers for the two vendors?
Can you ensure Motorola's proprietary binary blobs, kernel source tree, and source components do not leak to the Pixel side?
Is the 20260301 release currently safe for us?

In general, I want to know if our development & release process does not trust Motorola supply chain and is resistant to supply chain infiltrations.

Anyway, thank you for your tireless effort and the new partnership.

GrapheneOS

eclhx6uh Your claims are greatly exaggerated and do not match the provided information. Whether or not you're serious, the approach is not serious.

koocmit

You seem to be getting the information from an LLM. It may seem alarming without context, but most of the points you have made are understood to be corporate greed, bad security posture pre-Snowden, and not malice. They are also things that work at software level, and not hardware, which means they will be removed on a fresh flash that changes the OS.

eclhx6uh the 2015 Superfish adware & spyware preloading that displayed desktop ads and injected self-signed certs for web ads injection
they did it again in 2016

It was done by lots of companies, including Apple (bundled with java packages and safari extensions) (Link), other companies as Ars reports "100 clients, including Fortune 500 companies" (Link), etc. This was just good old nepotism (for fat contracts) mixed with spyware peddled by some countries that excel at it. The security posture across the board has improved exponentially.

Sony did something similar in 2005 if anyone is curious. (Link)

Again, not a hardware issue.

eclhx6uh UEFI vulnerabilities

How will this affect their mobile device where they don't design security chips or boot chain hardware?

eclhx6uh TPM BitLocker

This is just fishing. How is something that happens commonly on insecure platforms like desktop OSs relevant to mobile platforms? Do vulnerabilities in Pixels (like the last two discovered by the Google security team) make them complicit in peddling spyware?

eclhx6uh China, the state has absolute authority

US does too. Ask your LLM about National Security Letters, Patriot Act, Eminent Domain, and the recent Anthropic vs DoD event.

eclhx6uh Chinese vendor

Based on what? Vibes?

eclhx6uh Citizen Lab

They have also done the same on US based and other spyware, both developed and commissioned by the USG. Isn't the recent one called Coruna? Citizen lab also treats US as a hostile to freedom, spyware loving regime (https://citizenlab.ca/john-scott-railton-on-new-nso-group-ownership/).

China boogaloo is fine if you are personally paranoid, but Abu Ghraib, Pegasus, Gitmo, Cellebrite, PRISM, etc. are all linked to one government and it is not China.

eclhx6uh separate development environments:

Seems you do not understand how software development works.

eclhx6uh Can you ensure Motorola's proprietary binary blobs, kernel source tree, and source components do not leak to the Pixel side?

It does not work like how you think it works.

eclhx6uh 20260301 release currently safe for us

If you trust the OS developers, then yes.

I also advice against taking LLMs at face value. It is weird to ask developers of any software to explain their choices to questions that show lack of understanding, since it confirms that the questions come from some useless slop generator. It also assumes that the knowledge and experience they have can be distilled, poured into your head, and immediately allow you to understand everything in a single paragraph reply, or that they should waste precious development time writing justifications over code again and again.

JollyRancher

GrapheneOS
And the GOS teams refusal to engage with the legitimate concerns that come with a PRC OEM don't signal a serious consideration on the security and privacy issues that come with this partnership.

Saying "Motorola is offering a phone that meets our technical specs so we are supporting it" is one thing. Partnering with them and putting the GOS imprimatur on a Motorola device is another thing entirely.

Is GrapheneOS as an entity prepared to publicly stand up and say that they have access to the firmware and that there are no backdoors? That these Motorola phones are secure at the hardware, firmware, and OS level?

If so that is one thing. If not? Well then it is a secure OS running on hardware and firmware that can't be presumed trustworthy.

eclhx6uh

GrapheneOS I'm sorry; I am serious and I am asking out of genuine concerns. I'm confused, may I know specifically which of my claims are exaggerated? And, just for my own information, can you please explain why my suggestions are not serious or problematic?

I hope the discussion can continue matter-of-factly with an assumption of good will and not accusations.

vtek

GrapheneOS Your claims are greatly exaggerated and do not match the provided information. Whether or not you're serious, the approach is not serious.

Is this really a serious answer? "greatly" != entirely, so which claims then are not exaggerated?

Granted, supply chain attacks can affect Pixel's too, but that doesn't render the OP's question irrelevant.

I refrained from commenting on this partnership yesterday, but I'll say it now; a partnership with Lenovo is decidedly disappointing. That said, I'm not sure there are any foreign companies worth partnering with and they're the ones making all the hardware.

Absent a proper and reassuring response from GOS, I'll be hanging on to my Pixel.

dhhdjbd

JollyRancher

... i keep asking but noone tells me,
what silicon hardware is motorolla producing?

since i am still pretty sure it is all qualcomm,
the silicon and firmware is qualcomm, not motorolla..

userofgos

eclhx6uh customizes the firmware that runs on on the chip and various coprocessors

JollyRancher Is GrapheneOS as an entity prepared to publicly stand up and say that they have access to the firmware

JollyRancher Its the firmware that is likely the biggest potential risk factor.

dhhdjbd And firmware can be much much easier inspected then silicon..

This comment on Mastodon may interest you (emphasis added): https://grapheneos.social/@GrapheneOS/116160393783585567

It will fully support using other operating systems including users making their own builds of GrapheneOS. It's part of our hardware requirements. We'll likely be able to make hardened builds of firmware and drivers which can be released in an official way for easy builds without needing to extract anything from the GrapheneOS or Motorola OS factory images.

The entirely of the firmware and operating system are cryptographically verified with downgrade protection. The secure element is used to store the version metadata for downgrade protection for the OS and efuses are used for the firmware portion of it. It's fully integrated with the A/B update system with automatic rollback until reaching the home screen successfully.

It's the status quo on existing devices and has been one of the hardware requirements for GrapheneOS support for many years. Verified boot was introduced on the Nexus 5X and moved to an earlier version of the current approach with the Pixel 2. We've supported it since it was available and began considering it a requirement shortly afterwards. We only supported 2 generations of devices prior to it being available which could still be locked and had the firmware verification.

userofgos

@eclhx6uh

JollyRancher Is GrapheneOS as an entity prepared to publicly stand up and say that they have access to the firmware

dhhdjbd And firmware can be much much easier inspected then silicon..

This comment on Mastodon may interest you (emphasis added): https://grapheneos.social/@GrapheneOS/116160393783585567

It will fully support using other operating systems including users making their own builds of GrapheneOS. It's part of our hardware requirements. We'll likely be able to make hardened builds of firmware and drivers which can be released in an official way for easy builds without needing to extract anything from the GrapheneOS or Motorola OS factory images.

The entirely of the firmware and operating system are cryptographically verified with downgrade protection. The secure element is used to store the version metadata for downgrade protection for the OS and efuses are used for the firmware portion of it. It's fully integrated with the A/B update system with automatic rollback until reaching the home screen successfully.

It's the status quo on existing devices and has been one of the hardware requirements for GrapheneOS support for many years. Verified boot was introduced on the Nexus 5X and moved to an earlier version of the current approach with the Pixel 2. We've supported it since it was available and began considering it a requirement shortly afterwards. We only supported 2 generations of devices prior to it being available which could still be locked and had the firmware verification.

eclhx6uh

eclhx6uh Sorry, I would like to go a step further. It's hard for myself to find sides of my original post exaggerated or not matching the information I provided, or that I made claims beyond verifiable factual information. I'm not going to mince words anymore; to separate the tone from the substance, in my opinion it could not be further from the truth.

I hope the team could really read the content themselves, including the Wikipedia entry and Citizen Lab's findings, and possibly some of the vulnerability disclosures and blogs before deciding I exaggerated at all.

JollyRancher

dhhdjbd
Honestly, the physical hardware is relatively marginal in terms of risk. Its the firmware that is likely the biggest potential risk factor.

Hardware can at least be torn down and physically indpected, firmware not so much.

dhhdjbd

JollyRancher

the firmware is provided by the hardware supplier, not the phone manufacturer.
(it is part of the trade secret)

And firmware can be much much easier inspected then silicon..

eclhx6uh

@dhhdjbd It is not that Motorola manufactures the SoC chip; it is that they as the OEM

specifies the component choice
customizes the firmware that runs on on the chip and various coprocessors
and ships non-transparent binary blobs that any third-party OSes, including GrapheneOS must carry and load to drive the hardware
and embeds all code that load before the main OS loads (including that deciding if the OS to load is trustworthy or tampered with)
code that runs concurrently at higher privilege levels than the OS
the trusted execution component
customizes the SoC firmware and boot rom
and depending on their scale of production, may order the chips itself fabricated with their own requirements, modifications, and burnt-in bits
and furthermore, the hardware security components (the Titan M in Pixels, which is what handles the encryption key, wipes deleted data irreversibly, prevents an attacker from guessing the unlock PIN from external computers or modified OS, and thus makes Pixel incredibly strong) in the phones can have security weaknesses and sometimes outright backdoors

For example, it would be trivial for them to pull the 2015 Superfish and 2016 Lenovo Accelerator scheme again and have the bootloader to inject component into the ramdisk that would be run in Android, given that the latter is even less inspectable.

And on what risks I am specifically concerned about for Pixel users:
When experimenting with and developing for the devices, you unavoidably need to

build code supplied by the vendor (including running the build scripts, etc.)
allowing software on your development machine to interact with your device, such as adb which most people here are familiar with, debuggers like GDB
if you collaborate closely with the OEM, you may run instrumentation software shipped by them

However,

for example, in the building scenario, building (compiling, turning source code into binary executables) an untrusted codebase may hack your building machine
utilities like adb, gdb, profilers, and sometimes even surprisingly basic tools such as the strings utility that finds all texts in a binary, are not meant to be with untrusted devices, code, processes, dumps, binary images, etc. For example, once the security researchers ran strings on random binaries until they discovered it parsed the binary, and maliciously binary can include malformed parts that cheats the utility into loading and executing bytes in it.
in default mode, code editors run tasks defined in project settings upon opening, saving a file, committing, etc., and extensions may send the code for analyses, compilation and build the project which are not secure (this can be easily disabled, for example, by choosing not to "trust" the source folder)
generally, you should not run random software

Such as, if an attacker hacks your development machine, they would be able to use it as a starting point to poison the codebase and the build and introduce weaknesses or backdoors into the releases.

This may sound sophisticated, but from an attacker's perspective, GrapheneOS is a project of high enough value and prominence that is easily worth it. Many people, important figures, privacy-conscious individuals, political dissidents, journalists, criminals, drug cartels, people with specific digital security needs, people with sensitive access use GrapheneOS.

This is not paranoia. They've done much more sophisticated, covert, complex infiltrations into the open source community. For the most infamous one, see https://en.wikipedia.org/wiki/XZ_Utils_backdoor in which an anonymous person took up the maintenance of a major software used everywhere and made the built library to modify the system's remote login component automatically so that a specific entity with a cryptographic key can log into any systems with it. There are others such as https://en.wikipedia.org/wiki/Supply_chain_attack#Notepad++_compromise, https://en.wikipedia.org/wiki/XcodeGhost, https://en.wikipedia.org/wiki/Watering_hole_attack#2017_CCleaner_attack

(If you wonder about the ending of the xz backdoor: thankfully, the backdoor itself contained a flaw that lengthened login time and thus was discovered during testing before any major releases.)

There is an entire category of attacks called the supply chain attacks (e.g. see https://www.crowdstrike.com/en-us/cybersecurity-101/cyberattacks/supply-chain-attack/) or the "watering hole attack" (https://en.wikipedia.org/wiki/Watering_hole_attack) that seek to hack trusted developers' machines to insert backdoors into their products. Some are by the notorious APT groups (https://en.wikipedia.org/wiki/Advanced_persistent_threat). I believe as a high-profile security-oriented Android distro, we must be aware of these attacks.

Unfortunately they can be successful, especially if your supply chain cannot be trusted (they are presumed malicious) or they have themselves very bad security measures, such as using random code libraries or enforcing weak security requirements (typically for many smaller companies), or not really invested in security. This is not absolute, and modern software all includes massive dependencies that collectively form a enormous attack surface. There is a meme on this: https://xkcd.com/2347/

To illustrate GrapheneOS's value to attackers:
https://grapheneos.social/@GrapheneOS/115584160910016309
https://www.golem.de/news/grapheneos-verlaesst-ovh-frankreich-ist-kein-sicheres-land-fuer-privacy-projekte-2511-202570.html

The politicians' reasoning is basically: 1) in the West: Using a Pixel with GrapheneOS that features MTE, malloc enhancement, hardened kernel, usb restrictions, inactivity reboot, multiple profiles? You must be a drug dealer; 2) in authoritarian regimes: Using a Pixel without our backdoors and with GrapheneOS, an OS that cannot be extracted & mass-monitored by our spyware? Must be a dissident (which sometimes is true!).

Are there mitigations? Yes, there are plenty. Such as, considering all machines that have worked with untrusted software and hardware untrusted (that is, of a lower level of trust than the other working machine, or potentially compromised, or may act as a springboard for hackers). Don't do it on your laptop. Use disconnected, dedicated machines. Don't give these machines the permission to push directly into your source repo. Browse the code with code editors in restricted mode so they don't automatically execute tasks, etc. Set up firewalls between the untrusted machines and the rest of your network. Don't use their build artifacts. Quarantine pull requests submitted from them.

(The discussion is a little heated. We tend to get defensive here, although I personally hope we can approach this on a matter-of-fact bases and without animosity. I just seek an explanation myself and for us.)

dhhdjbd

eclhx6uh It is not that Motorola manufactures the SoC chip; it is that they as the OEM
[...]

sry but where are you getting this information from?
because i do not think that they do custom firmware, they get only firmware blobs from qualcomm and use these (exspecially if it is about the modem)

For the drivers is it different tho

eclhx6uh

dhhdjbd For some components like the modem, I agree. I guess TEE would perhaps depend on their scale? They may add their own trusted applications. On the Secure Monitor in EL3 itself, I believe they indeed use that one provided by SoC vendor.

But on the boot rom & bootloader & other chip firmware, they definitely ship their own. For example, Google explicitly specifies bootloader & AVB etc. depend on OEM implementation.

koocmit

eclhx6uh I would rather they don't waste their time on verbose slop. Bombarding with unrelated links might fool the unwashed masses, but most of the links are useless or unrelated to this discussion.

spammerofspam

Regarding the Citizen Lab findings, e.g. the one on keyboards, I'm not sure it's fair to generalize their findings to a specific manufacturer that wasn't even included in that study. As an example, there have been repeated incidents of American router manufacturers having major security issues (Netgear, Linksys), so would it then be logical to conclude that you shouldn't use an HPE router since they're also American?

Also, if it were deemed necessary to select a manufacturer who's located in a country that's never pressured OEMs to provide backdoors or similar, what county could be chosen? The US government has repeatedly tried to work backdoors into hardware (the Clipper chip, etc.), so that excludes all the US manufacturers.

What manufacturer has a good security track record and is in a country that hasn't in the past pushed for backdoors?

eclhx6uh

koocmit

@GrapheneOS

1) On LLM use: no, I did not use any LLMs, not in generating text, not in getting information. Every bit was hand-typed by myself, I guarantee.
2) The links & information are also not found just for posting, but were actually read by myself in the past.

3) The questions I raised in the end are just good security practices. I think GOS may have already used them, use hardened servers, access in secure ways, use dedicated machines for experimenting around, etc. But since some of us here might suffer real consequences if they did not care that much, we couldn't be sure without their confirmation.
4) Many third-party Android distro developers don't have any security good practices. They run random OEM software (such as the Odin flasher for Samsung, sometimes even downloaded from file sharing websites, or OnePlus etc. EDL flasher, etc.) on their developer laptops, write insecure code, build and ship from cloud VMs by ssh'ing into them from their personal laptops etc. Especially if you are in a partnership with the vendor and "trust" them.

5) Why I posted: Don't take me wrong, I don't think GOS devs are going to be like them--this is what sets us apart from craps like Calyx OS, /e/, Lineage. It's certain that GrapheneOS have taken total care of that. But it would be totally harmless for them to make a post explaining their workflow and confirming that they do have the best security practices.
6) I just want them to make sure they didn't fall for some pitfalls that yeah, are indeed ridiculous but trapped surprisingly many people including those who care, and even some experts, because they don't "bother with it". Such as logging into servers from laptop, experimenting from the machine with write permission to the repo.

7) We brand us as a phone OS distro that guards against targeted attacks on high-profile targets. We are already clear about our other security features on the GOS website. I don't think explaining our secure methods in development is a counter-goal for such a project.

7) Thank you everyone and the GOS devs. I get that most people here don't care. Apology for consuming your time.

eclhx6uh

userofgos

We'll likely be able to make hardened builds of firmware and drivers

a. I mean, that post is about the future. We likely won't have that in the immediately recent years; It would be an enormous feat of reverse engineering to achieve that (and even with partnership the partner is unlikely to give us source since these closed-source blobs are shipped by component vendors). Even projects like Asahi Linux still rely on firmware blobs.

b. My questions are mostly about the development process. Craps such as Lineage OS, /e/, Calyx OS have developers who run random software on coding laptops that have write permissions to repos and ssh into builders. I don't think GrapheneOS do that, but it would be harmless and worthwhile to like, just add a section to our website's section documenting our security features explaining how we have good security practices in development & releasing.

userofgos

eclhx6uh My questions are mostly about the development process.

eclhx6uh explaining how we have good security practices in development & releasing.

This may interest you (added bold emphasis to highlight their comments on official builds, 2nd last paragraph): https://xcancel.com/GrapheneOS/status/2030402535463506069#m

A growing number of our apps are built and signed separately from the OS to provide out-of-band updates. Each of these apps has reproducible builds. The official standalone releases are included in the OS rather than making separate builds for each device as part of building the OS. This is the standard and most sensible way to do things. It means the apps bundled with the OS are the same builds as the standalone releases instead of having two separate types of builds with two separate build systems. Both forms of building the apps are reproducible. It makes far more sense to use Android's standard app build system and tooling for standalone apps. It makes it much easier to work with them and for people to contribute. Needing to build apps as part of building the whole OS is a major barrier to contributions and can be avoided.

Android supports out-of-band updates for the vast majority of the OS. These out-of-band updates are a major advantage over iOS. Many people aren't aware of how much can be updated out-of-band for Android. It's gradually turning into the entire OS having quite modular out-of-band updates which are fully compatible with the verified boot system. It still makes sense to have regular full OS updates which update all of the bundled components.

A huge portion of Android is shipped as APKs which can be updated out-of-band. These can be built with the OS for simplicity but can also be built separately with their own standalone releases. If they have their own standalone releases, those are supposed to be bundled with the OS as a prebuilt instead of using a separate build system for the OS updates and out-of-band updates. It would also not be reproducible if separate build systems and toolchains were being used for both.

An even larger portion of the OS can be updated out-of-band via APEX components which are an APK containing a structured filesystem with native libraries, services, data, nested APKs and other arbitrary files.

Both APEX components and APKs are fully compatible with verified boot. GrapheneOS enables enforced verified boot for system APK updates rather than only APEX components.

Android also has out-of-band updates to images via chained vbmeta (verified boot metadata) images. This works by having a hash of a key for chained vbmetas stored in the main vbmeta where each vbmeta has separately enforced downgrade protection via the secure element.

GrapheneOS has very frequent OS releases and doesn't need out-of-band updates as much as the stock Pixel OS or especially the broader Android ecosystem. We mainly use out-of-band updates for our own apps with standalone releases and include the official releases of those in the OS releases rather than making separate builds. That's the way it's supposed to be done.

Google Mobile Services Android operating systems use Google Play system updates providing APEX updates via standard builds from the Google Play Store. This provides monthly updates to large portions of the OS across devices regardless of their OS update cycle. We have no use for their approach since we have consistent OS updates which are more frequent than monthly releases. We could still set up out-of-band APEX updates to enable shipping an urgent for a specific component without an OS release but we don't currently use them as it would only save build time rather than improving usability.

Android uses prebuilts for the kernels and Chromium WebView which are built separately from the OS. The expected way to bundle most apps with the OS is to have standalone releases with the official releases bundled with it. This is how the stock Pixel OS handles APK and APEX components updated out-of-band. It doesn't interfere with reproducible builds.

Building, signing and shipping updates to the OS via modular components instead of building the entire OS for every change is going to be increasingly important as GrapheneOS scales up to a larger development team and a larger number of supported devices. It makes it far easier for people to work on smaller parts of the OS and we can release smaller updates for specific components. We're using it on a case-by-case basis for components we need to update frequently such as our GmsCompatConfig APK shipping the text file setting up most of our sandboxed Google Play compatibility layer shims. We also plan to start shipping GmsCompatLib as a standalone app but it was delayed due to banking apps wrongly believing updating it out-of-band was tampering.

The claims which are being made in the linked post are extremely misinformed and backwards. They're attacking us for using approaches focused on security while claiming doing things in a far less secure way would be much better. The motivation for it is quite clearly promoting non-hardened operating systems through desperate attempts at misleading people about GrapheneOS with poorly informed claims.

They're claiming we should be doing builds and signing on cloud servers because they believe having CI web interface is a substitute for third parties reproducing and verifying builds. We make all of our official builds on local infrastructure under our physical control for clear security reasons. Our app and OS builds are both reproducible. We're gradually working on turning reproducible builds into a more useful feature by setting up a system of having alternate build locations and a system for verifying the results match across our locations and also third party locations. Our App Store and System Updater are eventually going to support verifying builds based on other official and third party build locations. Moving our builds and signing to cloud infrastructure would not reduce trust in us but would greatly expand attack surface and how much needs to be trusted.

GrapheneOS is a serious privacy and security project which is in the process of greatly expanding by hiring many developers and other people. We're improving our overall organizational and development processes as part of expanding. Expanding our use of out-of-band updates to the extent that it makes sense is part of this.