thestinger
commented
1 year ago As far as I know, updating the time on GrapheneOS works only by actively contacting an external service hosted by GrapheneOS over the internet to get the current time. While this is better than using a Google service, it's far from ideal.
Why is it far from ideal? It's a first party service and while it relies on TLS and WebPKI for security, that could be improved with DANE support. Android's time update system isn't really meant to be incredibly precise. We increased the granularity where it will update the clock from 2000ms to 50ms but it's not clear if making that 1ms or 0ms to have it update whenever it doesn't match would be a good idea. It's designed to support multiple sources (telephony, manual, network, gnss, external) with priorities and if there are multiple enabled but it only gets time from one since boot, it will use that one. We can't have GNSS as the only time source since it doesn't work everywhere, so we'd need to do something like [network, gnss] or the other way around, meaning that it's still only as precise as our network time in general, and more precision would require further increasing the permitted offset before updating the clock.
AOSP supports enabling GNSS as a time source but we don't know if it works with either the Qualcomm and Broadcom GNSS implementation. We also don't know which networks they'll use for time if it does work. They support multiple GNSS systems and it's not clear what they would do in a situation where some reported different values. The only configuration in AOSP is whether GNSS time suggestions are enabled and the priority of time suggestions which we change from [network, telephony] to [network]. Also not known exactly how it will work. It may only passively give time suggestions while using GNSS via location services. It may not ever proactively try to obtain time from GNSS.
It's also pretty hard to tamper with a GPS signal in a way that you can't even get an accurate timestamp from it or can't notice that it has been tampered with.
GPS has no authentication and is fairly easily spoofed. Galileo had authentication added to it retroactively but we don't know the details and it may not help much with this use case and it seems unlikely that any of the Qualcomm and Broadcom GNSS implementations support it. If we simply enabled GNSS as a time source, time could be easily spoofed with proximity to the phone. Not really something we want to do.
BlauerHunger
As far as I know, updating the time on GrapheneOS works only by actively contacting an external service hosted by GrapheneOS over the internet to get the current time. While this is better than using a Google service, it's far from ideal.
With GPS, you can synchronize receivers extremely accurately to the satellites clock, which is one of the most accurate time sources there are. From a technical perspective, you don't need the almanach data that is required to get a position fix when you're only interested in synchronizing your system clock, and you don't need to send any signal from your device to accomplish any of this. It's also pretty hard to tamper with a GPS signal in a way that you can't even get an accurate timestamp from it or can't notice that it has been tampered with.
I don't know whether the APIs exposed by GPS module drivers used on phones supported by GrapheneOS support this, but if it is possible to implement, it would be a great feature, as you can now synchronize your time using only a completely passive receiver whenever you receive a single GPS satellite without letting the outside world know that there is a phone nearby (especially great from an opsec perspective, but also for applications where no internet connection is available).
If this is possible to do with the existing drivers on GrapheneOS, please implement it.