GrapheneOS attestation compatibility guide
grapheneos.org
Guide on using remote attestation in a way that's compatible with GrapheneOS.

cross-posted from: https://slrpnk.net/post/15995282

Real unfortunate news for GrapheneOS users as Revolut has decided to ban the use of ‘non-google’ approved OSes. This is currently being posted about and updated by GrahpeneOS over at Bluesky for those who want to follow it more closely.

Edit: had to change the title, originally it said Uber too but I cannot find back to the source of ether that’s true or not…

  • @[email protected]English
    672 months ago

    It’s only officially supported on google phones because sadly those are the only ones that are not modified to fuck which makes installing and supporting other OS’es way too much work.

    Giving google money once for a device is not a problem from a privacy or security standpoint.

    • @[email protected]
      302 months ago

      That’s correct, but not the reason grapheneOS chooses only pixel phones. It’s the level of hardware security features.

      • @[email protected]
        92 months ago

        Also unlockable and presumably has well working builds. It’s not just graphene, but just about every Android project it there that’s best supported on pixels. Other manufacturers have a crazy variety of locking schemes and required tools. Each one is a nightmare to support.

        • @[email protected]
          142 months ago

          For GrapheneOS, it’s primarily that it’s re-lockable. That’s why other unlockable phones aren’t supported.

          The GrapheneOS install process sets new OS signing keys so you can lock the phone again and get full verified boot. However, most manufacturers haven’t implemented this feature.

          • @[email protected]English
            12 months ago

            What do you get, app/feature wise for verified boot vs. Play integrity app? Does it increase the amount of apps that work on it?

            • @[email protected]
              22 months ago

              No, Play Integrity intentionally checks if it’s a Google-approved key. Android itself has an API to check verified boot and gives info on the signing key - most devs just want to know verified boot is working.

              I feel Play Integrity has a short life ahead of if competition authorities realise how exactly it works. “Anti-competitive” is the first thing policy-minded folks think when I explain the API to them.

            • ladEnglish
              12 months ago

              I would guess that it allows to detect tampering if you have to give your phone to the security officers and they do or don’t do something with it without you present. I heard of such occurrences on the border, but this happens in other places and countries, too. Not sure if locked bootloader would help, though

    • @MTK
      92 months ago

      Second hand, no money for them

    • irelephant 🍭
      32 months ago

      In the EU almost every phone has an unlockable bootloader, there just isn’t any roms or custom recoveries for a lot of them.

    • @[email protected]English
      22 months ago

      Wish they’d at least support Fairphone.

      If Graphene reached out to them I bet Fairphone would even actively work with them to make it an official OS option.