Motorola Phones and PQC support

n2gwtl

I have been reading the GOS hardware requirements https://grapheneos.org/faq#future-devices and it seems to be missing details on PQC support. It seems Google has adopted an aggressive timeline for transitioning to PQC in their secure element and verified boot. Will the Motorola phones support PQC secure/verified boot and PQC signing keys in the secure element?

de0u

n2gwtl If Google is updating the library code that Android bootloaders use for AVB (source) and believes they can ship this out to current devices to update their bootloaders, the same should be true of other vendors who are on top of things.

I suspect this will be fine.

DohnJoe

n2gwtl

From the same link you posted we can read:

Non-exhaustive list of requirements for future devices

I trust GOS team (and Motorola) they will include whatever is considered important for the project, including PQC (if considered important).

n2gwtl

But belo

de0u but below that, the ROM code must include public PQC keys.

de0u

n2gwtl but below that, the ROM code must include public PQC keys.

Modern devices mostly don't have ROM as such; most work from NAND flash.

Android bootloaders are fairly frequently upgraded. The GrapheneOS installation process includes adding an Android Verified Boot signing key. It is not clear there is any obstacle to adding key material of any type through normal update channels.

n2gwtl

DohnJoe I trust GOS, too. But they have publicly published their hardware requirements and do not mention PQC which goes beyond software.

DohnJoe

n2gwtl But they have publicly published their hardware requirements and do not mention PQC which goes beyond software.

Yea, that's why I quoted:

Non-exhaustive list of requirements for future devices

Non-exhaustive means:

There are other requirements not listed
They can add requirements as needed

And with:

DohnJoe I trust GOS team (and Motorola) they will include whatever is considered important for the project, including PQC (if considered important).

I meant specifically that.
If it will be considered important, they will add it.

Think of the memory tagging.
Before Pixel 7, there were no memory tagging.
This was not cause of exclusion for older devices (for which you still have support), it become a requirement for latter devices only.

Of course a more modern device is recommended.

If newer versions of devices will ship the PQC and it will become a requirement, GOS Team and all the partners will act accordingly.

That's what I trust they will do :)

n2gwtl

de0u

The ROM serves as a hardware root of trust. It is the anchor for secure boot. The higher stages of secure boot probably rely on NAND flash.

de0u

n2gwtl The ROM serves as a hardware root of trust.

Ok, you forced me to have an extended conversation with an LLM (more than an hour). As expected, much of what it said was wrong, but I think I have a coherent picture. Note that what I am posting is my understanding, not LLM output. Also, since the LLM isn't great about providing citations that work, and I've already spent well over an hour on this, I'm not going to provide citations (at least not this afternoon).

At least at present, quantum computers threaten classical signature algorithms (RSA, DSA) much more than they threaten classical encryption algorithms or classical secure hash functions.
The first-stage bootloader on old devices (such as a Pixel 6) performs a classical signature check on the second-stage bootloader, and this code cannot be changed. This is unfortunate, because if the key for that signature is blown by a quantum computer then people can sign malicious second-stage bootloaders.
However, the first-stage bootloader hashes/measures itself and the second-stage loader into Platform Configuration Registers (PCRs). So even if a malicious second-stage bootloader has a fake-correct classical signature and is launched by the first-stage loader, the PCRs will still be off.
The Titan M2 secure element won't release the storage encryption keys for the flash storage if the hashes of the bootloader and OS in the PCRs don't look right.
An upgrade path will be built into a new release of the Titan M2 firmware so that during an upgrade from a classical-signing bootloader chain to a PQC-signing bootloader chain the flash storage encryption keys will be re-encrypted based on the new chain of trust.

I expect I still have some details wrong. But I now believe that Google will be able to update out a new bootloader path that will provide acceptable assurance even on devices that are already in the field. And unless there is a reasonable claim that Samsung or Motorola has made a specific mistake that would stand in the way of them doing something similar, I still/again suspect it'll be ok.

TrustExecutor

It may very well be the case that quantum computing is a VC money pouring technology that will never come to frutition, and my conspiratorial mind tell me that the rush to implement "quantum safe" crypto may very well be a malicious attempt to implement weaknesses in common encrypted protocols. Think about it. It is an entirely theoretical field that hasn't proven anything as of today. Just a lot of fancy computer generated images.

de0u

TrustExecutor The forum moderators have expressed distaste for unfounded alarmist claims. It would be one thing if citations were made to reputable physicists predicting that quantum factoring will never happen (or won't happen for 20 years), but without something like that this seems like an unfounded alarmist claim.

DohnJoe

de0u that quantum factoring will never happen (or won't happen for 20 years)

And even if, this wouldn't automatically translate in "This is a malicious attempt to implement weaknesses"

de0u

DohnJoe And even if, this wouldn't automatically translate in "This is a malicious attempt to implement weaknesses"

Agreed! But at least that could be a discussion based on something factual, as opposed to a discussion based on suspicion alone.