GrapheneOS/Auditor

Include build number

enduring78 opened this issue · 5 comments

Pretty much like the title says; the patch levels are already included, and it would be really nice not having to compare the boot hashes to check if a phone is updated.

Patch level is provided by the hardware API. Build number would need to be in the OS verified section.

Okay. Would it be possible from a technical standpoint?

Yes, but it would just be a string in the OS verified information section, similar to the existing information there on OS configuration.

I don't think this is worth the effort. Build.DISPLAY is just an arbitrary string defined by the OS using the property ro.build.display.id. It serves no security value and can simply be checked in Settings -> System -> About.

The patch levels do serve a security purpose because they are from the HSM/TEE provided by the attestation library. It's read from the keymint tag. See https://github.com/GrapheneOS/Auditor/blob/main/app/src/main/java/app/attestation/auditor/attestation/AuthorizationList.java#L272-L280

We could eventually provide a signed database of the stock Pixel OS and GrapheneOS verified boot hashes to show a version based on them. That would be hardware verified and much more in the spirit of Auditor.
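As an added example (not Auditor's own code), a stdlib-only Python decoder for the DER AuthorizationList fields the comments above refer to: the osPatchLevel and bootPatchLevel explicit tags and the verifiedBootHash inside rootOfTrust, followed by the hash-to-release lookup the last comment proposes. The tag numbers are those of the Android key attestation schema; the sample bytes, hash and release entry are constructed here, and signature verification of the database is omitted.

```python
# Tag numbers from the Android key attestation AuthorizationList schema.
TAG_ROOT_OF_TRUST, TAG_OS_PATCH, TAG_BOOT_PATCH = 704, 706, 719

def _tlv(tag, body):  # DER TLV (short-form length suffices for the sample)
    return tag + bytes([len(body)]) + body

def _ctx_tag(n):  # [n] EXPLICIT, constructed, high-tag form (128 <= n < 16384)
    return bytes([0xBF, 0x80 | (n >> 7), n & 0x7F])

def _elements(buf, i=0):  # yield (tag_number, body) per DER element; base-128 high tags
    while i < len(buf):
        tagno, i = buf[i] & 0x1F, i + 1
        if tagno == 0x1F:
            tagno = 0
            while True:
                b, i = buf[i], i + 1
                tagno = (tagno << 7) | (b & 0x7F)
                if not b & 0x80:
                    break
        length, i = buf[i], i + 1
        if length & 0x80:  # long-form length
            nbytes = length & 0x7F
            length, i = int.from_bytes(buf[i:i + nbytes], "big"), i + nbytes
        yield tagno, buf[i:i + length]
        i += length

def parse_authorization_list(der):
    (_, seq), = _elements(der)  # outer SEQUENCE
    out = {}
    for tagno, body in _elements(seq):
        (_, inner), = _elements(body)  # EXPLICIT tag wraps exactly one value
        if tagno in (TAG_OS_PATCH, TAG_BOOT_PATCH):
            out[tagno] = int.from_bytes(inner, "big")
        elif tagno == TAG_ROOT_OF_TRUST:  # SEQUENCE { key, locked, state, hash }
            out["verifiedBootHash"] = [b for _, b in _elements(inner)][3]
    return out

# Constructed sample: placeholder hash; the dict stands in for the signed release DB.
SAMPLE_HASH = bytes(range(32))
RELEASE_BY_BOOT_HASH = {SAMPLE_HASH: "GrapheneOS 2024090500 (constructed entry)"}
def build_sample():
    rot = _tlv(b"\x30", _tlv(b"\x04", b"\x11" * 32) + _tlv(b"\x01", b"\xff")
               + _tlv(b"\x0a", b"\x00") + _tlv(b"\x04", SAMPLE_HASH))
    return _tlv(b"\x30", _tlv(_ctx_tag(TAG_ROOT_OF_TRUST), rot)
                + _tlv(_ctx_tag(TAG_OS_PATCH), _tlv(b"\x02", (202409).to_bytes(3, "big")))
                + _tlv(_ctx_tag(TAG_BOOT_PATCH), _tlv(b"\x02", (20240905).to_bytes(4, "big"))))

def release_for(fields):
    return RELEASE_BY_BOOT_HASH.get(fields.get("verifiedBootHash"), "unknown")
```

Nothing the OS sets through ro.build.display.id appears in this structure, which is why the patch levels and boot hash carry hardware-backed meaning and a Build.DISPLAY string would not.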