Many companies and individuals are trying to mislead people about the future of GrapheneOS to promote their insecure products and services.

  • grapheneos@grapheneos.social

    In 2017, Pixel 2 added an off-the-shelf secure element (SE) with Weaver and insider attack resistance. Weaver provides aggressive throttling to make disk encryption work without a strong passphrase. Insider attack resistance means SE firmware updates require Owner user unlock.

    grapheneos@grapheneos.social wrote (#5):

    Weaver has a key-value mapping with a slot for each profile on the device where providing the correct authentication token gets back a stored random token needed as an extra input for disk encryption. It's a few hundred lines of code. It's what makes a random 6 digit PIN work.

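Added example (not part of the thread, and not GrapheneOS or Android code): a toy Python model of the Weaver mechanism described in the post above, where a per-profile slot releases a stored random secret only for the correct key and throttles wrong guesses, and the disk key is derived from the PIN plus that secret. The class and function names, the PBKDF2 parameters and the throttle schedule (four free failures, then 30 s doubling) are assumptions made for illustration.

```python
import hashlib, hmac, secrets, time

class WeaverModel:
    """Toy model of a Weaver-style secure element (constructed; not the real HAL)."""

    def __init__(self, slots=4, clock=time.monotonic):
        self._slots = [None] * slots          # one (key, value) pair per profile
        self._failures = [0] * slots
        self._locked_until = [0.0] * slots
        self._now = clock                     # injectable so tests need not sleep

    def write(self, slot, key, value):
        self._slots[slot] = (key, value)
        self._failures[slot], self._locked_until[slot] = 0, 0.0

    def read(self, slot, key):
        """Return (status, value, seconds_to_wait)."""
        now = self._now()
        if now < self._locked_until[slot]:
            return "THROTTLE", None, self._locked_until[slot] - now
        if self._slots[slot] is None:
            return "FAILED", None, 0.0
        stored_key, value = self._slots[slot]
        if hmac.compare_digest(stored_key, key):
            self._failures[slot] = 0
            return "OK", value, 0.0
        self._failures[slot] += 1
        # Assumed schedule: 4 free failures, then 30 s, doubling per failure.
        n = self._failures[slot]
        wait = 0.0 if n < 5 else 30.0 * 2 ** (n - 5)
        self._locked_until[slot] = now + wait
        return "INCORRECT_KEY", None, wait

def kdf(pin, salt, length):
    # PBKDF2 parameters are illustrative assumptions.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 50_000, dklen=length)

def enroll(se, slot, pin):
    """Store a fresh random secret in the slot; only the salt goes to disk."""
    salt, secret = secrets.token_bytes(16), secrets.token_bytes(32)
    se.write(slot, kdf(pin, b"weaver" + salt, 16), secret)
    return salt

def disk_key(se, slot, pin, salt):
    """Derive the disk key from the PIN plus the secret the element releases."""
    status, secret, wait = se.read(slot, kdf(pin, b"weaver" + salt, 16))
    if status != "OK":
        return status, None, wait
    return status, kdf(pin, salt + secret, 32), 0.0
```

Because the 32-byte secret never leaves the element, the salt stored on disk gives nothing to test PIN guesses against offline; every guess has to go through `read` and its throttle.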
      grapheneos@grapheneos.social wrote (#6):

      Most Android devices still lack a secure element providing Weaver, a StrongBox KeyMint and other standard functionality. Weaver was shipped by the Pixel 2 (2017) and StrongBox by the Pixel 3 (2018). It's not a high expectation for devices to provide these features in 2025.

        grapheneos@grapheneos.social wrote (#7):

        Most Android devices similarly lack proper privacy/security patches for drivers/firmware from day 1 and don't provide long term support. It's not a high expectation. OEMs get 1 month early access and should always ship Android Security Bulletin (ASB) and similar patches on time.

          grapheneos@grapheneos.social wrote (#8):

          Pixel 8 and later provide 7 years of proper updates. Our minimum requirement is 5 years which has been the case since the Pixel 6. This requirement eliminates most devices despite us keeping it at 5 years. Getting security patches on time for 5 years isn't a high expectation.

            grapheneos@grapheneos.social wrote (#9):

            ARM provides standard exploit protections used by firmware and software to defend against exploitation.

            Pointer Authentication Codes (PAC) and Branch Target Identification (BTI) are near universal with ARMv9. Memory Tagging Extension (MTE) is more important and often omitted.

              grapheneos@grapheneos.social wrote (#10):

              All of the standard ARM Cortex cores provide PAC, BTI and MTE. SoC vendors simply need to keep the security features intact and provide basic integration for them. OEMs need to do the same. We greatly expand usage of all 3 of these and were the first to use MTE in production.

                grapheneos@grapheneos.social wrote (#11):

                MTE support launched with the Pixel 8 when it moved to ARMv9, but the stock OS still doesn't use it by default. In GrapheneOS, we always use it for the Linux kernel and nearly all base OS processes including apps. We provide a toggle to enable it for all user installed apps.

                  grapheneos@grapheneos.social wrote (#12):

                  We use it for known compatible user installed apps by default but it's incredibly good at detecting memory corruption and uncovers a lot of bugs. Due to this, we integrated it into our user-facing crash reporting system and per-app exceptions can be made for user installed apps.

                    grapheneos@grapheneos.social wrote (#13):

                    With Android 16, Pixel stock OS uses MTE for the small subset of users enabling Advanced Protection. It doesn't use it for the kernel or most of the OS, only a small portion of the OS and a tiny number of apps marked compatible. The implementation is also much weaker than ours.

                      grapheneos@grapheneos.social wrote (#14):

                      Our MTE integration is one of the biggest security features we offer. Qualcomm still hasn't added MTE support, but it's supposed to be available with their 2025 SoC launch. Exynos and MediaTek added it for flagships. Samsung integrated support for it as a development feature.

                        grapheneos@grapheneos.social wrote (#15):

                        Snapdragon provides solid overall security. It includes a basic secure element for the flagships. Our expectation is Snapdragon will add MTE this year and OEMs willing to do the work of providing proper security features and patches can make devices meeting our standards in 2026.

                          grapheneos@grapheneos.social wrote (#16):

                          The most secure non-Pixel devices disallow using another OS or don't allow another OS to use important hardware-based security features. Samsung flagships would be the next best option if they didn't do this. Our expectation is we need to work with an OEM, so we're doing that.

                            grapheneos@grapheneos.social wrote (#17):

                            GrapheneOS will continue supporting the current devices we support until their end-of-life dates. We'll also add support for new Pixels as long as they meet our requirements. We've tried to make that clear, but recent posts about changes to AOSP have been widely misrepresented.

                              grapheneos@grapheneos.social wrote (#18):

                              Prior to Android 16, Pixels had first class support in the Android Open Source Project as the official reference devices. This was never one of our requirements and no other device provides it. Many people are promoting hardware and software with atrocious security based on this.
