BFU Secondary Profile Security

IguanaDagger

I asked in the matrix chat, but it was hectic at the time I posted, so most people probably missed it. So, I am reposting it here to hopefully get some answers.

Question: Are the secondary user profile's encryption key encrypted by the owner profile's key BFU? Is it part of the "sensitive system-wide operating system data" stated here?: https://grapheneos.org/faq#encryption

In this case, assuming all weaver tokens / keys have been extracted, when the phone is BFU, if the owner has a strong 128 bit password, and the secondary profile has a weaker 6 digit pin, does the attacker need to guess the owner password first before they can guess the others? Or can they just jump straight into cracking the secondary profile?

Someone had assumed I was seeking advice. I am not asking for advice. Extracting weaver keys are very tough, and I do not have a bright red target on my back. Thus, some n-digit pin would suffice. Rather, I am seeking information. (Though some reassurance would be nice)

papyrus9914

IguanaDagger Somewhere in the feature set it mentions that you can't login to a secondary profile before the owner because the owner profile secures system files. I'm not certain, but I am rather confident they would need to compromise the owner profile first.

[deleted]

IguanaDagger Are the secondary user profile's encryption key encrypted by the owner profile's key BFU?

No.

IguanaDagger

[deleted] In retrospect, maybe I should have phrased it differently: Are the secondary profiles protected BFU in such a way that, with only a trivially bruteforcable lock on them, and with the secure element's rate limiting bypassed by extracting the secrets, and with the owner's credentials being significantly stronger, makes bruteforcing it practically impossible without going AFU? Or the opposite, where it is trivially bruteforcable BFU?

I did not mean to only ask about the keys. Sorry for the confusion.

IguanaDagger

IguanaDagger I realised that it's still does not reflect what I want to ask. Let me try again:

Are the secondary profiles protected BFU in such a way that, with only a trivially bruteforcable lock on them, and with the secure element's rate limiting bypassed by extracting the secrets, makes bruteforcing it practically impossible without the owner credentials? Or the opposite, where it is trivially bruteforcable BFU, weather or not the owner's credentials are available?

IguanaDagger

Darn, I can't edit the initial post...

PMUSR

When the secondary profile is off/not started. Does that mean it is in BFU? Im not sure how the secondary profiles works security wise? If it is in BFU. Can that profile be extracted? Can you set profile to shut down after an amount of time or is it only in owner profile you can do that?

Skyway

If I understand what your asking .
If the phone was rebooted then second profiles have the added security of the owner profile . if the owner profile is unlocked then the second profiles have the security of their password alone .

IguanaDagger

Skyway I see. So what data is being protected by owner credentials that are required to unlock the secondary profiles?

GrapheneLover

I know what you're asking, and the way that its designed as of now is that you must first unlock the owner password before you can access any secondary profile, meaning as of now its protected by the owner profile password then the secondary password after owner is unlocked. If your risk factor is very high though you should treat it as they could bypass it somehow and go directly to the secondary profile, so you should always use a strong password on all profiles if you care about your security.