security/hakurei.app
security/hakurei.app
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 4 Wiki Activity

move device support section to FAQ

Browse Source
This commit is contained in:
Daniel Micay 2020-02-14 14:31:38 -05:00
parent 311bcef197
commit 30055d4128
2 changed files with 89 additions and 44 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

89
static/faq.html
View File

@ -47,9 +47,21 @@
<a href="#table-of-contents">Table of contents</a>
</h2>
<ul>
<li><a href="#supported-devices">Which devices are supported?</a></li>
<li>
<a href="#device-support">Device support</a>
<ul>
<li><a href="#supported-devices">Which devices are supported?</a></li>
<li><a href="#recommended-devices">Which devices are recommended?</a></li>
<li><a href="#future-devices">Which devices will be supported in the future?</a></li>
<li><a href="#when-devices">When will more devices be supported?</a></li>
</ul>
</li>
</ul>
<h2 id="device-support">
<a href="#device-support">Device support</a>
</h2>
<h2 id="supported-devices">
<a href="#supported-devices">Which devices are supported?</a>
</h2>
@ -80,6 +92,81 @@
GrapheneOS is the only party involved in providing the updates. For the same reason,
it has little use for the ability to provide out-of-band updates to system image
components including all the apps and many other components.</p>
<p>Some of the GrapheneOS sub-projects support other operating systems on a broader
range of devices. Device support for Auditor and AttestationServer is documented in
the <a href="https://attestation.app/about">overview of those projects</a>. The
<a href="https://github.com/GrapheneOS">hardened_malloc</a> project supports nearly
any Linux-based environment due to official support for musl, glibc and Bionic along
with easily added support for other environments. It can easily run on non-Linux-based
operating systems too, and supporting some like HardenedBSD is planned but depends on
contributors from those communities.</p>
<h2 id="recommended-devices">
<a href="#recommended-devices">Which devices are recommended?</a>
</h2>
<p>The recommended devices with the best hardware, firmware and software security
along with the longest future support time are the Pixel 3a, Pixel 3a XL, Pixel 3 and
Pixel 3 XL. The Pixel 3a and 3a XL are budget devices meeting the same security
standards as the more expensive flagship devices.</p>
<h2 id="future-devices">
<a href="#future-devices">Which devices will be supported in the future?</a>
</h2>
<p>Devices are carefully chosen based on their merits rather than the project aiming
to have broad device support. Broad device support is counter to the aims of the
project, and the project will eventually be engaging in hardware and firmware level
improvements rather than only offering suggestions and bug reports upstream for those
areas. Much of the work on the project involves changes that are specific to different
devices, and officially supported devices are the ones targeted by most of this
ongoing work.</p>
<p>Devices need to be meet the standards of the project in order to be considered as
potential targets. In addition to support for installing other operating systems,
standard hardware-based security features like the hardware-backed keystores, verified
boot, attestation and various hardware-based exploit mitigations need to be available.
Devices also need to have decent integration of IOMMUs for isolating components such
as the GPU, radios (NFC, Wi-Fi, Bluetooth, Cellular), media decode / encode, image
processor, etc. as if the hardware / firmware support is missing or broken, there's
not much that the OS can do to provide an alternative. Devices with support for
alternative operating systems as an afterthought will not be considered. Devices need
to have proper ongoing support for their firmware and software specific to the
hardware like drivers in order to provide proper full security updates too. Devices
that are end-of-life and no longer receiving these updates will not be supported.</p>
<p>In order to support a device, the appropriate resources also need to be available
and dedicated towards it. Releases for each supported device need to be robust and
stable, with all standard functionality working properly and testing for each of the
releases.</p>
<p>Hardware, firmware and software specific to devices like drivers play a huge role
in the overall security of a device. The goal of the project is not to slightly
improve some aspects of insecure devices and supporting a broad set of devices would
be directly counter to the values of the project. A lot of the low-level work also
ends up being fairly tied to the hardware.</p>
<h2 id="when-devices">
<a href="#when-devices">When will more devices be supported?</a>
</h2>
<p>Broader device support can only happen after the community (companies,
organizations and individuals) steps up to make substantial, ongoing contributions to
making the existing device support sustainable. Once the existing device support is
more sustainable, early research and development work for other devices can begin.
Once a device is deemed to be a worthwhile target, the project needs maintainers to
develop and maintain support for it including addressing device-specific issues that
are uncovered, which will include issues uncovered in the device support code by
GrapheneOS hardening features.</p>
<p>It's not really a matter of time but rather depends on community support for the
project increasing. As an open source project, the way the get something to happen in
GrapheneOS is to contribute to it, and this is particularly true for device support
since it's very self-contained and can be delegated to separate teams for each
device. If you want to see more devices supported sooner, you should get to work on
identifying good devices with full support for alternative operating systems with
verified boot, etc. and then start working on integrating and testing support.</p>
</div>
<footer>
<a href="/"><img src="https://grapheneos.org/logo.png" width="512" height="512" alt=""/>GrapheneOS</a>

44
static/index.html
View File

@ -104,49 +104,7 @@
<h2 id="device-support">
<a href="#device-support">Device support</a>
</h2>
<p>In the current early stage of the project, GrapheneOS provides production releases
for the Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a and Pixel
3a XL. <strong>The recommended devices with the best hardware, firmware and software
security along with the longest future support time are the Pixel 3a, Pixel 3a XL,
Pixel 3 and Pixel 3 XL.</strong> It will support other devices in the future, but
devices are carefully chosen based on their merits rather than the project aiming to
have broad device support. Broad device support is counter to the aims of the
project, and the project will eventually be engaging in hardware and firmware level
improvements rather than only offering suggestions and bug reports upstream for those
areas. Much of the work on the project involves changes that are specific to different
devices, and officially supported devices are the ones targeted by most of this
ongoing work. GrapheneOS also has source level support without device-specific
hardening for the Android emulator, HiKey, HiKey 960 and also generic targets
providing basic support for many other devices.</p>
<p>Devices need to be meet the standards of the project in order to be considered as
potential targets. In addition to support for installing other operating systems,
standard hardware-based security features like the hardware-backed keystores, verified
boot, attestation and various hardware-based exploit mitigations need to be available.
Devices also need to have decent integration of IOMMUs for isolating components such
as the GPU, radios (NFC, Wi-Fi, Bluetooth, Cellular), media decode / encode, image
processor, etc. as if the hardware / firmware support is missing or broken, there's
not much that the OS can do to provide an alternative. Devices with support for
alternative operating systems as an afterthought will not be considered. Devices need
to have proper ongoing support for their firmware and software specific to the
hardware like drivers in order to provide proper full security updates too. Devices
that are end-of-life and no longer receiving these updates will not be supported.</p>
<p>In order to support a device, the appropriate resources also need to be available
and dedicated towards it. Releases for each supported device need to be robust and
stable, with all standard functionality working properly and testing for each of the
releases.</p>
<p>Hardware, firmware and software specific to devices like drivers play a huge role
in the overall security of a device. The goal of the project is not to slightly
improve some aspects of insecure devices and supporting a broad set of devices would
be directly counter to the values of the project. A lot of the low-level work also
ends up being fairly tied to the hardware.</p>
<p>Some of the GrapheneOS sub-projects support other operating systems on a broader
range of devices. Device support for Auditor and AttestationServer is documented in
the <a href="https://attestation.app/about">overview of those projects</a>. The
<a href="https://github.com/GrapheneOS">hardened_malloc</a> project supports nearly
any Linux-based environment due to official support for musl, glibc and Bionic along
with easily added support for other environments. It can easily run on non-Linux-based
operating systems too, and supporting some like HardenedBSD is planned but depends on
contributors from those communities.</p>
<p>See <a href="/faq#device-support">the FAQ section on device support</a>.</p>
</div>
<footer>
<a href="/"><img src="https://grapheneos.org/logo.png" width="512" height="512" alt=""/>GrapheneOS</a>