Time Table

Google has been building Pixel phones based on the Google Tensor series System-on-a Chip (SoC) since the Pixel 6 but not many details about its security architecture and how it enables us to build secure Android devices have been publicly presented. While some of Pixel’s security components, most notably the Titan M2 security chip, have received attention from both independent security researchers and Google’s internal Red Team, a complete picture of how Pixel’s security hardware works together with the software stack that powers a modern Android device has not been presented.

This talk will give an overview of Pixel’s security architecture, starting from the main security features and components of the Google Tensor G4 SoC, introduce the trusted software running on the Tensor Security Core (TSC) and Titan M2, and then give some details on recent security hardening and audit efforts. We will then describe how the software running in the Trusted Execution Environment (TEE), TSC, and Titan M2 enable the secure implementation of key Android security features: Android Verified Boot (AVB), StrongBox (secure user authentication and key management), and File-Based Encryption (FBE) with hardware-wrapped keys.

This talk will show that building a secure mobile device requires close cooperation between hardware and software, a continuous feedback loop between the twoIt requires a design and implementation process that spans multiple layers from SoC to High-Level Operating System (HLOS, Android for Pixel). We will provide a short introduction to each security feature or component discussed before going into details, but basic familiarity with modern mobile devices and Android is assumed.

This talk will present a detailed look at Pixel’s hardware and software security architecture, including efforts on audit, SDLC, and hardening. We expect that the presented security architecture, SDLC, and details about hardening, would be beneficial to a broad audience: manufacturers and engineers designing and building mobile or IoT devices, security engineers working to secure those devices, and highly-technical end users who want to better understand the security architecture of their Android device.

Key takeaways from this talk:

• Modern ARM SoCs provide fundamental security, isolation and mitigation features, but some fundamental security use cases require stronger isolation or discrete hardware.
• Secure design for modern mobile devices spans multiple hardware layers, from SoC to HLOS.
• Building hardware-agnostic abstractions (hardware abstraction layers, HALs) for security features allows taking advantage of hardware-backed security when available, and graceful fallback without changing the overall architecture.