undefined | Better HN

0 pointsstrcat2y ago0 comments

> the recommended method involves using Web USB in Chromium which is meant to be easier for non-technical people but I couldn't get it to work.

There's a bug on many Linux distributions which was fixed in fwupd but is still present because they haven't updated it to a recent version. It interferes with reconnecting to the device when it reboots into fastbootd mode as part of the install. We cover it in our install guides now. fwupd usually loses the race to connect to the device to the CLI install tool but wins the race against Chromium's implementation, which is why it impacts web install more. This is likely what you experienced before we documented this fwupd bug and got them to fix it upstream. The problem is that even though fwupd fixed it a while ago, Debian and even the latest Ubuntu still have the bug.

0 comments

trompetenaccoun2y ago

Since you seem to be on the Graphene team, may I piggyback on this: I've been wanting to make the switch over from iOS for some time but it bothers me a bit that I have to buy a Google phone. Are there any plans to support non-Google devices? I know this has been discussed and the answer I've seen is that Google devices are the best fit, but at least one more option would be nice.

strcatOP2y ago

The hardware requirements are listed here:

https://grapheneos.org/faq#future-devices

Pixels are the only Android devices meeting these requirements at the moment. Other devices do not currently come close to meeting these standards. This post is about MTE which is essentially a Pixel exclusive feature.

Simply receiving monthly and quarterly updates is essentially a Pixel exclusive feature and using an alternate OS providing them still leaves major parts of the firmware/OS without those improvements.

2 of the features on the requirements list are proposals we made to them which were accepted / implemented. There's another one of these pending for protection against data extraction via physical access through exploiting firmware boot modes on After First Unlock devices. Supposed to ship in April, and then we can add it to the list. The non-truncated key fingerprint display (we reported truncating it as a vulnerability) and the fantastic pinning-based hardware attestation support used by our Auditor app are the existing 2.

We've tried working with other OEMs but it hasn't panned out yet. We're often quite frustrated by Google but you'd probably be surprised at how much they have done based on our requests.

ysnp2y ago

(not on the team) I believe the project are open to supporting other devices that meet the criteria, or collaborating with hardware partners to that effect.

As I understand, the way it works is that the project first has to scope out a hardware target that meets their security requirements before support can be considered and funded for. Just that right now there are no other phones that meet the requirements specified in https://grapheneos.org/faq#future-devices

If a phone met those requirements and was not made by Google, GrapheneOS would consider supporting it. In the case that Google didn't meet the requirements but a different phone did, GrapheneOS would support that phone and not the Pixels.

strcatOP2y ago

> (not on the team) I believe the project are open to supporting other devices that meet the criteria, or collaborating with hardware partners to that effect.

Yes, we want GrapheneOS devices meeting the same security standards we've set based on the baseline provided by Pixels while also including additional features we want to have. Pixels are not the best possible hardware but rather the best available hardware by far. There are no other devices even coming close to the current requirements. iPhones come close but are missing major things like MTE which we expect and of course don't have any alternate OS support and their security APIs are the ones needed by iOS which wouldn't work for what we need.

> meets their security requirements

Worth noting that there are privacy requirements listed there too including this one:

> Wi-Fi anonymity support including MAC address randomization, probe sequence number randomization and no other leaked identifiers

We could list a lot of other privacy, security and performance requirements which we take for granted. We're trying not to be overly strict with the requirements and are trying to keep it simple.

> If a phone met those requirements and was not made by Google, GrapheneOS would consider supporting it. In the case that Google didn't meet the requirements but a different phone did, GrapheneOS would support that phone and not the Pixels.

This is a factor in us advocating for MTE and other features even if they exist in a form we can use today. We do not take it for granted that future Pixels will continue providing what we expect. We push them to continue doing it and to keep important features we need. We know they're moving away from ARM Cortex cores to their own cores and we want them to provide an equally good MTE implementation. This means we need to advocate for MTE and get other people to advocate for MTE. If people eventually want to have CHERI and other more aggressive memory safety features, please advocate for what they've already shipped. Google enabling asynchronous MTE in production for their own code would be a huge security boost for Pixels and would also help assure that it has a future instead of being treated as a debugging feature they don't need to support on all their devices.

thisislife22y ago

> Just that right now there are no other phones that meet the requirements specified

And that highlights the main goal of GrapheneOS - a security hardened mobile OS. (Note that better 'security' doesn't necessarily also mean better privacy protection).

1 more reply

rhizoma2y ago

I felt the same, so bought a then 6-month old preowned Pixel 6 in as-new condition.

j / k navigate · click thread line to collapse

0 comments

trompetenaccoun2y ago

strcatOP2y ago

The hardware requirements are listed here:

https://grapheneos.org/faq#future-devices

We've tried working with other OEMs but it hasn't panned out yet. We're often quite frustrated by Google but you'd probably be surprised at how much they have done based on our requests.

ysnp2y ago

(not on the team) I believe the project are open to supporting other devices that meet the criteria, or collaborating with hardware partners to that effect.

strcatOP2y ago

> (not on the team) I believe the project are open to supporting other devices that meet the criteria, or collaborating with hardware partners to that effect.

> meets their security requirements

Worth noting that there are privacy requirements listed there too including this one:

> Wi-Fi anonymity support including MAC address randomization, probe sequence number randomization and no other leaked identifiers

We could list a lot of other privacy, security and performance requirements which we take for granted. We're trying not to be overly strict with the requirements and are trying to keep it simple.

thisislife22y ago

> Just that right now there are no other phones that meet the requirements specified

And that highlights the main goal of GrapheneOS - a security hardened mobile OS. (Note that better 'security' doesn't necessarily also mean better privacy protection).

1 more reply

rhizoma2y ago

I felt the same, so bought a then 6-month old preowned Pixel 6 in as-new condition.

j / k navigate · click thread line to collapse