According to the linked article it prevents the use of Samsung Pay and access to the Secure Folder (an extra layer of security you can enable that requires a second PIN to be input before you can access certain apps and files). This seems pretty reasonable, the goal is clearly to prevent access to especially sensitive data if someone has stolen the phone.
I can maybe understand not wanting other operating systems in their attestation chain that is protecting a payment system from the standpoint of liability.
All of the other things are entirely hardware features that any OS should be able to use. They’re using the ARM Trusted Execution Environment (ARM TrustZone) and a embedded Secure Element to enable the ability to store cryptographiclly secured files without the system ever having access to the keys.
Both TEEs and eSEs are not a Samsung invention or IP and are enabled by hardware on the device, the TEE is part of the ARM standard and is used in a huge number of other OSs (https://en.wikipedia.org/wiki/ARM_architecture_family). Secure Elements are also widely used pieces of hardware supported by innumerable OSs and also a feature of the hardware that you paid for.
That makes sense. I figured they were worried that an alternate OS would be more likely to exploit their encryption somehow, but if it’s all using industry standard hardware then it really ought to be open.
GrapheneOS also claims it’s not defending against anything real. Which makes sense as Pixels can clearly maintain security while allowing alternate OSes. So this is just hostile vendor lock-in. Disappointing as there was some speculation that OP would be the GOS OEM, but there’s no way they would do this is that was true.
Yep, Samsung Knox is the feature name; does it actually prevent things or is it just “tamper evidence” for corporate devices?
According to the linked article it prevents the use of Samsung Pay and access to the Secure Folder (an extra layer of security you can enable that requires a second PIN to be input before you can access certain apps and files). This seems pretty reasonable, the goal is clearly to prevent access to especially sensitive data if someone has stolen the phone.
It’s not reasonable in my opinion.
I can maybe understand not wanting other operating systems in their attestation chain that is protecting a payment system from the standpoint of liability.
All of the other things are entirely hardware features that any OS should be able to use. They’re using the ARM Trusted Execution Environment (ARM TrustZone) and a embedded Secure Element to enable the ability to store cryptographiclly secured files without the system ever having access to the keys.
Both TEEs and eSEs are not a Samsung invention or IP and are enabled by hardware on the device, the TEE is part of the ARM standard and is used in a huge number of other OSs (https://en.wikipedia.org/wiki/ARM_architecture_family). Secure Elements are also widely used pieces of hardware supported by innumerable OSs and also a feature of the hardware that you paid for.
That makes sense. I figured they were worried that an alternate OS would be more likely to exploit their encryption somehow, but if it’s all using industry standard hardware then it really ought to be open.
GrapheneOS also claims it’s not defending against anything real. Which makes sense as Pixels can clearly maintain security while allowing alternate OSes. So this is just hostile vendor lock-in. Disappointing as there was some speculation that OP would be the GOS OEM, but there’s no way they would do this is that was true.