On 3/17/26 09:59, Theodore Tso wrote:
> On Mon, Mar 16, 2026 at 08:20:29PM -0400, Demi Marie Obenour wrote:
>>
>> It's worth noting that on ChromeOS and Android, the only trusted
>> disk images are those that are read-only and protected by dm-verity.
>> *Every* writable image is considered untrusted.
>
> So I can't speak for ChromeOS or Android, but given discussions that
> I've had with folks in those teams when we were developing fscrypt and
> fsverity, the writeable images which are soldered onto the mainboard,
> where user data is stored, are protected by fscrypt, which provides
> confidentiality but not integrity for user data.
>
> However, from a trust perspective, if there is an "evil maid attack"
> (where someone leaves their device unattended in a hotel room, and the
> housecleaning staff removes the device, and the flash is removed from
> the mainboard and modified) is something which is considered an attack
> which is realistically only going to be carried out by a nation state,
> and the primary priority was protecting the privileged APK's (the
> moral equivalent of setuid binaries), and that's where fsverity is
> used to protect against that threat.
>
> Yes, the nation state attacker could potentially corrupt the metadata
> of the writeable file system image, but there are enough zero day
> attacks that involve sending corrupted image files that trigger buffer
> overflows, etc., that while it would be nice to protect against this
> sort of thing, given that it requires a physical attack (and at that
> point, the nation state attacker could also enhance the device with
> remotely detonated explosives, something which spies on the
> touchscreen or microphone and ships the output over the network,
> etc.), I don't believe this is considered a high priority threat that
> is worth spending $$$ to mitigate.

This doesn't require a physical attack.
An attacker who has previously gained root access could use a metadata
parsing attack to keep that access across reboots.

--
Sincerely,
Demi Marie Obenour (she/her/hers)