• Arthur Besse@lemmy.ml (OP)
    4 days ago

    so that many non-pixel devices can have an OS with most of the benefits of GrapheneOS?

    • Zangoose@lemmy.world
      4 days ago

      I think the reason GrapheneOS never did a GSI is because most of their security improvements rely on specific hardware calls that GSI abstractions don’t provide access to. This probably would still be an improvement over Lineage though, just not as secure as base Graphene is.

      • warmaster@lemmy.world
        4 days ago

        Wait… an improvement over Lineage? That alone makes it worth existing in the first place.

        At first I thought, GrapheneOS without its features… Why? But what you say sounds like it actually makes sense.

      • ☂️-@lemmy.ml
        4 days ago

        the containerization features alone would make graphene worthwhile over other roms. i hear graphene can pass play integrity attestation inside those too.

        • Zangoose@lemmy.world
          4 days ago

          It depends. I run GrapheneOS and it can pass everything except the most strict integrity check (which is just that you’re using a custom ROM at all).

          In practice most apps don’t have any problems. Google Assistant doesn’t really work for me but I’ve seen posts saying people have gotten it working. Google Wallet and Google Pay are also explicitly blocked by Google, so they will never work.

      • Arthur Besse@lemmy.ml (OP)
        4 days ago

        those benefits rely on the Pixel’s hardware

        Doesn’t GrapheneOS have a lot of benefits besides the 3 pixel-requiring hardening features which are removed in Graphite (and the 3 others which are disabled by default but can be re-enabled on some devices)?

        I’m not disputing that those hardening features are worthwhile! Pixels with Graphene are obviously much more difficult to exploit than phones without those features.

        But there are billions of non-Pixel phones in the world which aren’t about to be thrown away, and the vast majority of phone users absolutely cannot afford a Pixel. GraphiteOS (if it actually works?) seems to me like it is probably a major improvement over the other options available for them.

        • statelesz@slrpnk.net
          3 days ago

          I think it’s a lot more than just 3 features removed. AFAIK the whole hardware attestation is based on the Titan chip and you don’t have to trust the device’s hardware, because you can cryptographically prove that the software is unchanged. It’s not only about the Auditor app, but the whole integrity of the OS, the boot process and firmware is secured by the Pixel’s hardware or, more specifically, the Titan chip.

          And the billions of devices cannot be saved by a GrapheneOS fork because they’re mostly missing crucial firmware and generally get no updates anymore. That’s why GrapheneOS is only supporting recent devices and especially Pixel devices because they receive up to 7 years of updates.

          I’m all into getting people a more secure OS but I fear that a GrapheneOS fork is perceived as a secure OS when it’s actually not. The most important security features are still recent (firmware) updates and hardware attestation, verified boot etc.

    • CorrectAlias@piefed.blahaj.zone
      4 days ago

      It breaks the security model. Graphene doesn’t only support Pixel for fun. Pixels have the best security hardware features, unfortunately (until the Motorola device comes out).

      I would never use this ROM, personally. At that point I’d just use something like Lineage.

      • Arthur Besse@lemmy.ml (OP)
        4 days ago

        > At that point I’d just use something like Lineage

        My impression is that Graphene-without-the-features-requiring-Pixel-hardware would still be a much more secure operating system than Lineage (or the other options available).

        • CorrectAlias@piefed.blahaj.zone
          4 days ago

          It ultimately depends on your threat model, but many of the most important security features in Graphene are at the hardware level. Without those, it’s very possible that a bad actor could bypass the rest of the protections, since Graphene is designed with those hardware features in mind.

            • CorrectAlias@piefed.blahaj.zone
              4 days ago

              I saw it already, but those hardware security features also secure the features you mention there. The other features were developed with the hardware security features in mind. Again, without secure hardware, it’s possible for your software to be modified and no longer secure. That’s the broken security model I keep mentioning.

              While it could definitely be more secure than other ROMs, security was never tested without the hardware features and thus it could also expose you to attacks because of that. Worse, it could make you assume that you’re secure when you’re really not.

              An excellent example is Cerberos. GrapheneOS is able to completely block attacks from Cerberos by disabling the USB port data lanes entirely, something that most (if not all) non-Pixel phones are unable to do. Cerberos uses many zero-day vectors to break in through the data lanes, and in this case you likely would not be able to block the attack. They’d be able to dump your phone contents and then much of the software security features wouldn’t matter.

              • Arthur Besse@lemmy.ml (OP)
                4 days ago

                Should the world just throw away the billions of non-Pixel devices in use today?

                And/or should everyone just give up on improving security at all for the vast majority of phone users who cannot afford Pixels, since they can’t ever be as secure as a Pixel?

                • CorrectAlias@piefed.blahaj.zone
                  4 days ago

                  I didn’t say that they should be thrown away? I’m not sure where that came from.

                  I said that I would rather use something else that was designed without the hardware security features in mind. It’s all about your personal threat model, and mine does not align with this fork of Graphene. I’m either going to use something like Lineage which has at least been tested from a security standpoint (and does not have possible zero days because of patch working a ROM designed with specific hardware features not available on my device) or I’m going to get a used Pixel and run Graphene. Even Calyx would be preferred to this once they start up development again.

                  What’s with the hostility?

                  • dustycups@aussie.zone
                    4 days ago

                    I think they are frustrated at repeating themselves, as I’m sure you are.
                    I tend to agree that, even though the hardware security isn’t there, GrapheneOS has some good features that would make it an alternative for these devices. If your threat model doesn’t include, e.g., physical access to the device then it still has benefits.

                  • Arthur Besse@lemmy.ml (OP)
                    3 days ago

                    > I didn’t say that they should be thrown away?

                    Sorry that I interpreted your comment as suggesting that anything less than a Pixel is not worth trying to improve the security of.

                    > What’s with the hostility?

                    No hostility intended. But I still don’t understand why you think that omitting Graphene’s Pixel-requiring hardening features would cause Graphite to be less secure than other Android distributions which also lack those features.

                • Ilandar@lemmy.today
                  4 days ago

                  > Should the world just throw away the billions of non-Pixel devices in use today?

                  Why are you acting like GrapheneOS is the only custom ROM available? There are other GSIs and ROMs that non-Pixel users can use to keep their older phones going.

                    • Arthur Besse@lemmy.ml (OP)
                    3 days ago

                    Are there any other options with a feature set comparable to GrapheneOS(-minus-pixel-only-hardening-features)?