static: replace index.html
parent 2f45a8aad6
commit 8275ff0d22
@ -2,24 +2,22 @@
|
|||||||
<html lang="en" prefix="og: https://ogp.me/ns#">
|
<html lang="en" prefix="og: https://ogp.me/ns#">
|
||||||
<head>
|
<head>
|
||||||
<meta charset="utf-8"/>
|
<meta charset="utf-8"/>
|
||||||
<title>GrapheneOS: the private and secure mobile OS</title>
|
<title>Hakurei: the secure desktop application sandbox</title>
|
||||||
<meta name="description" content="GrapheneOS is a security and privacy focused mobile OS with Android app compatibility."/>
|
<meta name="description" content="Hakurei is a security-focused Linux container runtime for desktop applications."/>
|
||||||
<meta name="theme-color" content="#212121"/>
|
<meta name="theme-color" content="#212121"/>
|
||||||
<meta name="color-scheme" content="dark light"/>
|
<meta name="color-scheme" content="dark light"/>
|
||||||
<meta name="msapplication-TileColor" content="#ffffff"/>
|
<meta name="msapplication-TileColor" content="#ffffff"/>
|
||||||
<meta name="viewport" content="width=device-width, initial-scale=1, viewport-fit=cover"/>
|
<meta name="viewport" content="width=device-width, initial-scale=1, viewport-fit=cover"/>
|
||||||
<meta name="twitter:site" content="@GrapheneOS"/>
|
<meta property="og:title" content="Hakurei: the secure desktop application sandbox"/>
|
||||||
<meta name="twitter:creator" content="@GrapheneOS"/>
|
<meta property="og:description" content="Hakurei is a security-focused Linux container runtime for desktop applications."/>
|
||||||
<meta property="og:title" content="GrapheneOS: the private and secure mobile OS"/>
|
|
||||||
<meta property="og:description" content="GrapheneOS is a security and privacy focused mobile OS with Android app compatibility."/>
|
|
||||||
<meta property="og:type" content="website"/>
|
<meta property="og:type" content="website"/>
|
||||||
<meta property="og:image" content="https://grapheneos.org/opengraph.png"/>
|
<meta property="og:image" content="https://hakurei.app/opengraph.png"/>
|
||||||
<meta property="og:image:width" content="512"/>
|
<meta property="og:image:width" content="512"/>
|
||||||
<meta property="og:image:height" content="512"/>
|
<meta property="og:image:height" content="512"/>
|
||||||
<meta property="og:image:alt" content="GrapheneOS logo"/>
|
<meta property="og:image:alt" content="Hakurei logo"/>
|
||||||
<meta property="og:site_name" content="GrapheneOS"/>
|
<meta property="og:site_name" content="Hakurei"/>
|
||||||
<meta property="og:url" content="https://grapheneos.org/"/>
|
<meta property="og:url" content="https://hakurei.app/"/>
|
||||||
<link rel="canonical" href="https://grapheneos.org/"/>
|
<link rel="canonical" href="https://hakurei.app/"/>
|
||||||
<link rel="icon" href="/favicon.ico"/>
|
<link rel="icon" href="/favicon.ico"/>
|
||||||
<link rel="icon" sizes="any" type="image/svg+xml" href="/favicon.svg"/>
|
<link rel="icon" sizes="any" type="image/svg+xml" href="/favicon.svg"/>
|
||||||
<link rel="mask-icon" href="[[path|/mask-icon.svg]]" color="#1a1a1a"/>
|
<link rel="mask-icon" href="[[path|/mask-icon.svg]]" color="#1a1a1a"/>
|
||||||
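Review bot: `og:image` now points at `https://hakurei.app/opengraph.png` with the alt text "Hakurei logo", yet the `/favicon.ico`, `/favicon.svg` and `/mask-icon.svg` links are unchanged context in this hunk, so please confirm that those files and `opengraph.png` were replaced in the static tree along with this page; otherwise the renamed site still serves the previous project's images. The `twitter:site` and `twitter:creator` tags are removed with no replacement; if that is intentional, a line in the commit message would help, since "replace index.html" does not say what was dropped.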
@ -27,21 +25,21 @@
|
|||||||
[[css|/main.css]]
|
[[css|/main.css]]
|
||||||
<link rel="manifest" href="/manifest.webmanifest"/>
|
<link rel="manifest" href="/manifest.webmanifest"/>
|
||||||
<link rel="license" href="/LICENSE.txt"/>
|
<link rel="license" href="/LICENSE.txt"/>
|
||||||
<link rel="me" href="https://grapheneos.social/@GrapheneOS"/>
|
<link rel="me" href="https://port.mk/@hakurei"/>
|
||||||
[[js|/js/redirect.js]]
|
[[js|/js/redirect.js]]
|
||||||
</head>
|
</head>
|
||||||
<body>
|
<body>
|
||||||
{% with current_page="/" %}
|
{% with current_page="/" %}
|
||||||
{% include "header.html" %}
|
{% include "header.html" %}
|
||||||
{% endwith %}
|
{% endwith %}
|
||||||
<main class="normalize" id="grapheneos">
|
<main class="normalize" id="hakurei">
|
||||||
<div class="content hero">
|
<div class="content hero">
|
||||||
|
|
||||||
<div>
|
<div>
|
||||||
<h1><a href="#grapheneos">GrapheneOS</a></h1>
|
<h1><a href="#hakurei">Hakurei</a></h1>
|
||||||
<p>The private and secure mobile operating system with Android app compatibility.
|
<p>A security-focused Linux container runtime for desktop applications.
|
||||||
Developed as a non-profit open source project.</p>
|
Developed as a non-profit open source project.</p>
|
||||||
<a class="button" href="/install/">Install GrapheneOS</a>
|
<a class="button" href="/install/">Install Hakurei</a>
|
||||||
</div>
|
</div>
|
||||||
|
|
||||||
<figure class="device-img">
|
<figure class="device-img">
|
||||||
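Review bot: the `<main>` id changes from `grapheneos` to `hakurei` while `[[css|/main.css]]` and `[[js|/js/redirect.js]]` remain unchanged context, so check that neither the stylesheet nor the redirect script still refers to `#grapheneos`. The button keeps `href="/install/"` and the hero keeps `<figure class="device-img">`; confirm that an install page exists at that path for the new site and that the figure still fits a desktop project. The new `rel="me"` link only serves as identity verification if the `https://port.mk/@hakurei` profile links back to this page.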
@ -53,7 +51,7 @@
|
|||||||
|
|
||||||
<div class="surface">
|
<div class="surface">
|
||||||
<div class="content break">
|
<div class="content break">
|
||||||
<p>Get to know GrapheneOS</p>
|
<p>Get to know Hakurei</p>
|
||||||
</div>
|
</div>
|
||||||
</div>
|
</div>
|
||||||
|
|
||||||
@ -61,63 +59,58 @@
|
|||||||
<section id="about">
|
<section id="about">
|
||||||
<h2 class="start"><a href="#about">About</a></h2>
|
<h2 class="start"><a href="#about">About</a></h2>
|
||||||
|
|
||||||
<p>GrapheneOS is a privacy and security focused mobile OS with Android app
|
<p>Hakurei is a security-focused Linux container runtime for running unmodified
|
||||||
compatibility developed as a non-profit <a href="/source">open source</a>
|
desktop applications, developed as a non-profit <a href="/source.html">open source
|
||||||
project. It's focused on the research and development of privacy and security
|
</a> project. It also implements <a href="/package.html">planterette</a>, an
|
||||||
technology including substantial improvements to sandboxing, exploit
|
experimental self-contained Android-like package manager with modern security
|
||||||
mitigations and the permission model. It was founded in 2014 and was
|
features.</p>
|
||||||
<a href="/history/copperheados">formerly known as CopperheadOS</a>.</p>
|
|
||||||
|
|
||||||
<p>GrapheneOS improves the privacy and security of the OS from the bottom up.
|
<p>Security on the desktop has always left something to be desired. While <a
|
||||||
It deploys technologies to mitigate whole classes of vulnerabilities and make
|
href="https://www.qubes-os.org" target="_blank">Qubes OS</a> provides excellent
|
||||||
exploiting the most common sources of vulnerabilities substantially more
|
security, its performance and usability limitations make it unsuitable for most
|
||||||
difficult. It improves the security of both the OS and the apps running on it.
|
use cases. Hakurei attempts to fill that gap by running applications natively
|
||||||
The app sandbox and other security boundaries are fortified. GrapheneOS tries
|
while still establishing decent compartmentalisation enforced by the kernel.</p>
|
||||||
to avoid impacting the user experience with the privacy and security features.
|
|
||||||
Ideally, the features can be designed so that they're always enabled with no
|
|
||||||
impact on the user experience and no additional complexity like configuration
|
|
||||||
options. It's not always feasible, and GrapheneOS does add various toggles for
|
|
||||||
features like the Network permission, Sensors permission, restrictions when
|
|
||||||
the device is locked (USB-C / pogo pins, camera, quick tiles), etc. along with
|
|
||||||
more complex user-facing privacy and security features with their own UX.</p>
|
|
||||||
|
|
||||||
<p>The <a href="/features">features page</a> provides an overview of the
|
<p>Hakurei runs each container as a dedicated subordinate user and sets up the
|
||||||
substantial privacy and security improvements added by GrapheneOS to the
|
container via unprivileged user namespaces as another layer of defense against
|
||||||
Android Open Source Project (AOSP). Many of our past features were <a
|
privilege escalation. Unprivileged user namespace creation is made unavailable
|
||||||
href="/faq#upstream">contributed to AOSP, Linux and other projects to improve
|
in containers by default to reduce attack surface, but can be optionally enabled
|
||||||
privacy and security for billions of users</a> so they're no longer listed on
|
for applications with strong built-in sandboxes to avoid having to ruin their
|
||||||
our features page.</p>
|
sandbox.</p>
|
||||||
|
|
||||||
<p>Official releases are available on the <a href="/releases">releases
|
<p>Official releases are available via <a
|
||||||
page</a> and installation instructions are on the <a href="/install/">install
|
href="https://git.gensokyo.uk/security/hakurei/releases" target="_blank">Gitea
|
||||||
page</a>.</p>
|
</a> and documentation for the included NixOS module can be found
|
||||||
|
<a href="https://git.gensokyo.uk/security/hakurei/src/branch/master/options.md"
|
||||||
<p>GrapheneOS also develops various apps and services with a focus on privacy
|
target="_blank">here</a>.</p>
|
||||||
and security. Vanadium is a hardened variant of the Chromium browser and
|
|
||||||
WebView specifically built for GrapheneOS. GrapheneOS also includes our
|
|
||||||
minimal security-focused PDF Viewer, our hardware-based Auditor app /
|
|
||||||
attestation service providing local and remote verification of devices,
|
|
||||||
our modern privacy / security focused camera app, and the externally developed
|
|
||||||
Seedvault encrypted backup which was initially developed for inclusion in
|
|
||||||
GrapheneOS.</p>
|
|
||||||
</section>
|
</section>
|
||||||
|
|
||||||
<section id="never-google-services">
|
<section id="compatibility">
|
||||||
<h2><a href="#never-google-services">No Google apps or services</a></h2>
|
<h2><a href="#compatibility">OS Compatibility</a></h2>
|
||||||
|
|
||||||
<p>GrapheneOS will never include either Google Play services or another
|
<p>Hakurei does not try to support every major Linux distribution and their
|
||||||
implementation of Google services like microG. It's possible to install Play
|
configuration of the kernel. Most Debian-based distributions disable
|
||||||
services as a set of fully sandboxed apps without special privileges via our
|
unprivileged user namespace creation by default, and while that could be a
|
||||||
<a href="/usage#sandboxed-google-play">sandboxed Google Play compatibility
|
good way to reduce attack surface, it also disables a layer of security
|
||||||
layer</a>. See <a href="/faq#google-services">the FAQ section</a> for more
|
where the kernel enforces strict limits on user namespaces created by
|
||||||
details on our plans for filling in the gaps from not shipping Play services
|
an unprivileged user. Having to set up the sandbox as root also adds
|
||||||
and Google apps.</p>
|
significant complexity to the setuid wrapper.
|
||||||
</section>
|
The reduction of attack surface is also made irrelevant since hakurei can
|
||||||
|
disable unprivileged user namespace creation on a per-container basis.</p>
|
||||||
|
|
||||||
<section id="device-support">
|
<p>Users on affected kernels can switch to an unmodified (and up to date) kernel
|
||||||
<h2><a href="/faq#device-support">Device support</a></h2>
|
or enable unprivileged user namespace creation by setting the
|
||||||
|
<code>kernel.unprivileged_userns_clone</code> sysctl to 1.
|
||||||
|
Whether or not it increases attack surface is largely dependent on what runs
|
||||||
|
on the system, however if all apps are spawned by Hakurei and the rest of the
|
||||||
|
system is sufficiently secured, enabling unprivileged user namespace creation
|
||||||
|
should not increase attack surface whatsoever.</p>
|
||||||
|
|
||||||
<p class="end">See <a href="/faq#device-support">the FAQ section on device support</a>.</p>
|
<p>While Hakurei is primarily developed on NixOS and relies on Nix for its
|
||||||
|
integration test suite, it does not target NixOS or make assumptions that are
|
||||||
|
only true on NixOS. Unfortunately, mistakes do happen semi-often as the
|
||||||
|
architecture of NixOS can often hide bugs and assumptions. Please <a
|
||||||
|
href="/contact.html">report</a> such anomalies if you encounter them.</p>
|
||||||
</section>
|
</section>
|
||||||
</div>
|
</div>
|
||||||
</main>
|
</main>
|
||||||
|
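Review bot: the three external links added in the About section (`https://www.qubes-os.org` and the two `https://git.gensokyo.uk/security/hakurei/...` URLs) use `target="_blank"` without a `rel` attribute; add `rel="noopener noreferrer"` so the opened page's access to `window.opener` does not depend on the browser default. Smaller points in the same hunk: the closing `</a>` after "open source" and after "Gitea" sits on the following line, which puts trailing whitespace inside the link text; the link text "here" says nothing about its target, so "NixOS module options" or similar would read better; "hakurei" is lowercase in the sentence about per-container namespace creation but capitalised everywhere else; and the removed section ended with `<p class="end">` while the new last paragraph has no `end` class, which may change the spacing if `main.css` relies on it. The new internal links use `/source.html`, `/package.html` and `/contact.html`, whereas the install button elsewhere in this file uses `/install/`; pick one URL style or confirm both resolve.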