<!DOCTYPE html>
<html lang="en" prefix="og: http://ogp.me/ns#">
<head>
<meta charset="utf-8"/>
<title>GrapheneOS</title>
<meta name="description" content="GrapheneOS is a security and privacy focused mobile OS with Android app compatibility."/>
<meta name="theme-color" content="#212121"/>
<meta name="msapplication-TileColor" content="#ffffff"/>
<meta name="viewport" content="width=device-width, initial-scale=1"/>
<meta name="twitter:site" content="@GrapheneOS"/>
<meta name="twitter:creator" content="@GrapheneOS"/>
<meta property="og:title" content="GrapheneOS"/>
<meta property="og:description" content="GrapheneOS is a security and privacy focused mobile OS with Android app compatibility."/>
<meta property="og:type" content="website"/>
<meta property="og:image" content="https://grapheneos.org/opengraph.png"/>
<meta property="og:image:width" content="512"/>
<meta property="og:image:height" content="512"/>
<meta property="og:image:alt" content="GrapheneOS logo"/>
<meta property="og:url" content="https://grapheneos.org/"/>
<meta property="og:site_name" content="GrapheneOS"/>
<link rel="icon" type="image/vnd.microsoft.icon" href="/favicon.ico"/>
<link rel="mask-icon" href="/mask-icon.svg" color="#1a1a1a"/>
<link rel="stylesheet" href="/grapheneos.css?18"/>
<link rel="manifest" href="/manifest.webmanifest"/>
<link rel="canonical" href="https://grapheneos.org/"/>
<script type="module" src="/redirect.js?6"></script>
</head>
<body>
<nav>
<ul>
<li class="active"><a href="/">GrapheneOS</a></li>
<li><a href="/install">Install</a></li>
<li><a href="/build">Build</a></li>
<li><a href="/usage">Usage</a></li>
<li><a href="/faq">FAQ</a></li>
<li><a href="/releases">Releases</a></li>
<li><a href="/source">Source</a></li>
<li><a href="/donate">Donate</a></li>
<li><a href="/contact">Contact</a></li>
</ul>
</nav>
<div id="content">
<h1 id="grapheneos">
<a href="#grapheneos">GrapheneOS</a>
</h1>
<p>GrapheneOS is an open source privacy and security focused mobile OS with Android
app compatibility. It's focused on the research and development of privacy and
security technology including substantial improvements to sandboxing, exploit
mitigations and the permission model. GrapheneOS also develops various apps and
services with a focus on privacy and security.</p>
<p>GrapheneOS is a collaborative open source project, not a company. It's used and
supported by a variety of companies and other organizations. It won't be closely tied
to any company in particular. There will eventually be a non-profit GrapheneOS
foundation, but for now the developers represent the project.</p>
<p>GrapheneOS has made substantial contributions to the privacy and security of the
Android Open Source Project, along with contributions to the Linux kernel, LLVM,
OpenBSD and other projects.</p>
<p>Official releases are available on the <a href="/releases">releases page</a> and
installation instructions are on the <a href="/install">install page</a>.</p>
<p>See the <a href="https://github.com/GrapheneOS">GitHub organization</a> for sources
of the OS and various standalone sub-projects including the cutting edge
<a href="https://github.com/GrapheneOS/hardened_malloc/blob/master/README.md">new
hardened memory allocator</a> and other projects.</p>
<p>The official GrapheneOS releases are supported by the
<a href="https://github.com/GrapheneOS/Auditor/releases">Auditor app</a> and
<a href="https://attestation.app/">attestation service</a> for hardware-based
attestation. For more details, see the <a
href="https://attestation.app/about">about page</a> and <a
href="https://attestation.app/tutorial">tutorial</a>. These also support other
operating systems.</p>

<h2 id="history">
<a href="#history">History</a>
</h2>

<p>GrapheneOS was founded by Daniel Micay in late 2014. It started as a solo project
incorporating his previous open source privacy/security work.</p>

<p>In late 2015, a company was incorporated which became the primary sponsor of the
project. The intention was to use the company to build a business around GrapheneOS
selling support, contract work and customized proprietary variants of the OS. The
company was supposed to serve the needs of the open source project, rather than vice
versa. It was explicitly agreed that GrapheneOS would remain independently owned and
controlled by Daniel Micay. The company failed to live up to the promises and is no
longer associated in any way with GrapheneOS.</p>

<p>The former sponsor attempted to take over the project through coercion, but they
were rebuked. They seized the infrastructure and stole the donations, but the project
successfully moved on without them and has been fully revived. Since then, they've
taken to fraudulently claiming ownership and authorship of our work, which has no
basis in fact. They've tried to retroactively change the terms of their involvement
and rewrite the history of the project. These claims are easily falsified through the
public record and by people involved with the open source project and the former
sponsor. This former sponsor has engaged in a campaign of misinformation and
harassment of contributors to the project. Be aware that they are actively trying to
sabotage GrapheneOS and are engaging in many forms of attacks against the project, the
developers, contributors and supporters. Meanwhile, they continue profiting from our
open source work which they falsely claim as their own creation.</p>

<p>After splitting from the former sponsor, the project was rebranded to
AndroidHardening and then to GrapheneOS and it has continued down the original path of
being an independent open source project. It will never again be closely tied to any
particular sponsor or company.</p>

<h2 id="copyright-and-licensing">
<a href="#copyright-and-licensing">Copyright and licensing</a>
</h2>

<p>The copyright for GrapheneOS code is entirely owned by the GrapheneOS developers
and is made available under OSI-approved Open Source licenses. The upstream licensing
is inherited for the modifications to those projects and MIT licensing is used for our
own standalone projects. GrapheneOS has never had any copyright assignment and the
developers have always owned their own contributions.</p>

<p>The tiny portion of the code written by people under contract with the former
sponsor has not been included in the project since it was ported to Android Oreo in
2018. This code became obsolete and was no longer useful. The vast majority of the
code from the previous era was owned by Daniel Micay, with very few exceptions. It was
never written under any contracts or employment agreements, was never assigned to any
company or organization and was the continuation of the original independent open
source project. The code was originally published under the same permissive open
source licenses that are used by GrapheneOS today. Only a small portion of this
historical code is actually still in use today. Most has become obsolete or has been
replaced by rewrites taking better approaches than in the past.</p>

<p>There was an era from September 2016 until the project split from the former
sponsor in 2018 where non-commercial usage licensing was used for revisions to the
existing permissively licensed code. This was an attempt to prop up the sponsor that
was supposed to be supporting the open source project. This did not impact ownership
of the code and Daniel Micay has relicensed the portions of the code that are used by
GrapheneOS. GrapheneOS does not contain any code based on code under non-commercial
usage licensing. Great care was taken to avoid pulling in anything that was not solely
owned by Daniel Micay, which was the case for nearly everything in the project.</p>

<h2 id="roadmap">
<a href="#roadmap">Roadmap</a>
</h2>
<p>Details on the roadmap of the project will be posted on the site in the near
future.</p>
<p>To get an idea of the near term roadmap, check out the
<a href="/contact#reporting-issues">issue trackers</a>. The vast majority of the
issues filed in the trackers are planned enhancements, with care taken to make sure
all of the issues open in the tracker are concrete and actionable.</p>
<p>In the long term, GrapheneOS aims to move beyond a hardened fork of the Android
Open Source Project. Achieving the goals requires moving away from relying on the Linux
kernel as the core of the OS and foundation of the security model. It needs to move
towards a microkernel-based model with a Linux compatibility layer, with many stepping
stones leading towards that goal including adopting virtualization-based
isolation.</p>
<p>The initial phase for the long-term roadmap of moving away from the current
foundation will be to deploy and integrate a hypervisor like Xen to leverage it for
reinforcing existing security boundaries. Linux would be running inside the virtual
machines at this point, inside and outside of the sandboxes being reinforced. In the
longer term, Linux inside the sandboxes can be replaced with a compatibility layer
like gVisor, which would need to be ported to arm64 and given a new backend alongside
the existing KVM backend. Over the longer term, i.e. many years from now, Linux can
fade away completely and so can the usage of virtualization. The anticipation is that
many other projects are going to be interested in this kind of migration, so it's not
going to be solely a GrapheneOS project, as demonstrated by the current existence of
the gVisor project and various other projects working on virtualization deployments
for mobile. Having a hypervisor with verified boot still intact will also provide a
way to achieve some of the goals based on extensions to Trusted Execution Environment
(TEE) functionality even without having GrapheneOS hardware.</p>
<p>Hardware and firmware security are core parts of the project, but it's currently
limited to research and submitting suggestions and bug reports upstream. In the long
term, the project will need to move into the hardware space.</p>
<h2 id="device-support">
<a href="/faq#device-support">Device support</a>
</h2>
<p>See <a href="/faq#device-support">the FAQ section on device support</a>.</p>
</div>
<footer>
<a href="/"><img src="/logo.png" width="512" height="512" alt=""/>GrapheneOS</a>
<ul id="social">
<li><a href="https://twitter.com/GrapheneOS">Twitter</a></li>
<li><a href="https://github.com/GrapheneOS">GitHub</a></li>
<li><a href="https://reddit.com/r/GrapheneOS">Reddit</a></li>
</ul>
</footer>
</body>
</html>