Android: issue adding the xen compatibility parameters to the kernel

hello friends recently i decided to try using android with qubes and i found this

https://groups.google.com/g/qubes-users/c/HGAT6DmuQkM/m/VfcoTKwbDAAJ

guide. so far i had no real issues i couldn’t figure out by myself, but i’m stuck at the part regarding adding the xen compatibility parameters to the kernel. if anyone has experience with android compiling, or if you already tried it and figured it out, or there’s something that i’m missing, any help’s appreciated

there’s also a bit of android-x86 docu but it wasn’t too helpful

https://www.android-x86.org/documentation/customize_kernel.html

just to be a bit more specific this is where i’m stuck

Configure kernel:
make -C kernel O=$OUT/obj/kernel ARCH=x86 menuconfig
You need to edit these parameters:
XEN=yes
XEN_BLKDEV_BACKEND=yes
XEN_BLKDEV_FRONTEND=yes
XEN_NETDEV_BACKEND=no
XEN_NETDEV_FRONTEND=no
SECURITY_SELINUX_BOOTPARAM=yes
SECURITY_SELINUX_BOOTPARAM_VALUE=1
SECURITY_SELINUX_DISABLE=yes
DEFAULT_SECURITY_SELINUX=yes

so obviously i have to put those parameters somewhere

i’ve spent quite a while digging into the kernel files and lots of different configs but i can’t seem to find what’s right

maybe there’s something i’m missing

idk i’m using good old debian 10 i tried listing everything with ls -a which should show all config files starting with .

i tried looking at temporary obj dir
and it’s a mess

i tried using vim and nano and idk

maybe there is something i’m missing maybe i did something wrong

no gapps… i do plan on installing gapps after first making sure everything works
because i obviously did my research into the matter and from what it seems gapps can cause issues
so…
also i went with android oreo…
but again that’s a test run first android install
later i’d update add gapps and so on

Welcome to the forum.

I can’t help with the build issue, but there are three ways that have worked for me recently to get Android running under Qubes. It depends on your needs and what apps are needed.

  1. A Debian 10 template with Anbox installed

  2. Android-x86 in a Standalone, templated VM

  3. BlissOS in a Standalone, templated VM

I have not built any of these from source (or even reviewed it) and they all have weakened security properties, so I consider them all untrusted and have them firewalled appropriately. There are various pros and cons which mostly fall under what’s included in the base Android image.

  1. Anbox: A Debian 10 HVM template with the in-VM kernel includes the kernel modules already (ashmem, binder_linux). All that is necessary is to install snapd and the anbox snap.

    It’s the closest to AOSP with no Google Play Services by default. It’s the easiest to get up and running.

    However, the base image is Android 7 (old/outdated) and might be considered abandoned.

  2. Android-x86:

    Has Android 8 (Oreo) and 9 (Pie) images available. However, it includes Google Play Services by default which is set as a Device Policy Owner with “Find My Device” enabled by default. It also contains Android-x86-specific analytics, but can be turned off.

  3. Bliss OS: Derivative of Android-x86.

    Stable image is Android 9 (Pie) and Android 11 is available. They have a FOSS version (contains Aurora Droid and Aurora Store), and a Googled version available (Google Play Services/Store).

    However, they have many preinstalled apps in the base image, but this depends on what you are seeking in an Android ROM.

My current approach is an Android-x86 install, templated, but I “de-Googled” the image after installation.

All in all, I don’t believe anyone uses an Android ROM on the PC with the expectation that it will retain the same security properties as a bare-metal Android install.

All of these images by default have security patch levels that are ancient and they’re all userdebug images with adb and root access.

When it comes to installation on R4.0, the default Android-x86 and Bliss OS images don’t know how to “speak” Xen, so the hard disk Qubes presents to the VM doesn’t show up. There’s another thread on the forum that shows how to deal with this, by making modifications to the stubdomain init file so that the disks are presented as IDE devices.

On R4.1, the hard disk is presented as an IDE device by default, so Android-x86 and Bliss OS install without any hacks.

With Android-x86 and Bliss OS, it’s very easy to make them templated VMs, as if one passes:

DATA=/dev/sdb

…to the “Install…” GRUB menu entry, the userdata partition will point to the private volume that Qubes presents for AppVMs derived from the template. Just remember to:

mkfs.ext2 /dev/qubes_dom0/vm-[appvm_name]-private

…before booting the AppVM for the first time.

Parting words:

xdotool selectwindow key ctrl+alt+F1

…is handy to get a root console for Android-x86/Bliss OS, and use F7 to get back to the graphical window. Also, if you connect the qube to a Proxy/NetVM with adb installed, you can use adb connect 10.137.X.Y; adb shell to get into the image.

thanks yeah from what i’ve seen around here i figured that there are 2 ways to install android
the method i tried and
configuring xen for android

but from how it seemed… well it looked like there are more issues with it
and obviously it’s important not only to run android but also run it efficiently

i also don’t want no conflicts with xen and x-86’s virtualization

but i guess it’s ok still

so say that from 4.1 there’s no issue interesting i’ll try it now

also yeah of course android isn’t as secure and it’s one of the reasons i like the idea of using it in qubes…
i can have a great easy to setup and control firewall this way i can network to the environment and send anything i need
and so on

anbox may be better for development but i’m looking also to test and general use…
not as secure as some around here would need so i don’t mind a googled version

Those are kernel settings for compilation. IIRC the filename is just ‘config’ and created by ‘make -C kernel O=$OUT/obj/kernel ARCH=x86 menuconfig’. But you don’t want to modify the file by hand. I tried the tutorial myself, so you’ll find steps to activate those options in the ‘menuconfig’ gui: https://groups.google.com/g/qubes-users/c/99jtKuNv7pc/m/IsQ1wMkrAgAJ

Processor type and features → Linux guest support → Enable paravirtualization code → Xen guest support (Y)
Device Drivers → Block Devices → Xen virtual block device support (Y)
Device Drivers → Block Devices → Xen block-device backend driver (Y)
Device Drivers → Network device support → Xen network device frontend driver (N)
Device Drivers → Network device support → Xen backend network device (N)
Security Options → NSA SELinux Support (Y)
Security Options → NSA SELinux boot parameter (Y)
Security Options → NSA SELinux boot parameter default value (1)
Security Options → NSA SELinux runtime disable (Y)

In the end it was too much of a hassle and i found the solutions offered by unman & qubesnewb using the ‘-ide’ hack way better: Android runs fine in qubes, no mouse issue, But - #18 by HashBrown
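
As an added example (not part of any post in this thread and not the guide's own code): a shell check that compares a kernel config file against the option values from the guide quoted above. It assumes the standard kconfig output format (`CONFIG_NAME=value`, with unset options commented out or absent); the function names and the sample config are constructed for illustration.

```shell
# Added example: audit a kernel config against the values listed in the guide.
# Assumption: the file is standard kconfig output (CONFIG_NAME=value lines).

# Expected values from the guide (y = yes, n = no, otherwise a literal value).
EXPECTED='XEN=y
XEN_BLKDEV_BACKEND=y
XEN_BLKDEV_FRONTEND=y
XEN_NETDEV_BACKEND=n
XEN_NETDEV_FRONTEND=n
SECURITY_SELINUX_BOOTPARAM=y
SECURITY_SELINUX_BOOTPARAM_VALUE=1
SECURITY_SELINUX_DISABLE=y
DEFAULT_SECURITY_SELINUX=y'

# config_state FILE NAME: print the option's value, or "n" if unset or absent.
config_state() {
    val=$(sed -n "s/^CONFIG_$2=//p" "$1" | tail -n 1)
    echo "${val:-n}"
}

# check_xen_config FILE: print each mismatch, return the number of mismatches.
check_xen_config() {
    bad=0
    for pair in $EXPECTED; do
        name=${pair%%=*}; want=${pair#*=}
        have=$(config_state "$1" "$name")
        if [ "$have" != "$want" ]; then
            echo "MISMATCH CONFIG_$name: have=$have want=$want"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# Demo on a constructed sample config (not taken from a real build).
f=$(mktemp)
cat > "$f" <<'EOF'
CONFIG_XEN=y
CONFIG_XEN_BLKDEV_FRONTEND=y
# CONFIG_XEN_BLKDEV_BACKEND is not set
CONFIG_XEN_NETDEV_FRONTEND=y
CONFIG_SECURITY_SELINUX_BOOTPARAM=y
CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=1
CONFIG_SECURITY_SELINUX_DISABLE=y
CONFIG_DEFAULT_SECURITY_SELINUX=y
EOF
check_xen_config "$f" || echo "$? option(s) differ from the guide"
rm -f "$f"
```

On a real tree, kbuild writes the result of `menuconfig` to `.config` inside the `O=` output directory, which is the file to pass to `check_xen_config`.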

yeah thanks…

thanks for the help people
i did follow Android runs fine in qubes, no mouse issue, But - #18 by HashBrown's guide and made an android-ide vm

so i’m obviously happy to see the hard drive recognizing issue resolved

however after trying to boot into android i’m getting stuck on a bootloop

i tried a different version i tried running live
and so far nothing

vm seems to use around the 10-15% of my cpu and full 400mb ram
so idk…
i’ll obviously ask about this there as well but if it’s a known issue i’ve yet to find

plz lmk

ok seems like this

That’s a bit low memory. I don’t know how much android uses, but i have no problems when i assign 2 GB to it.

This. 400MB is way too low. I use between 1.5-2GB on mine as well as exclude it from memory balancing.

wow yeah ok thanks people…
didn’t even notice or think about that

yeah that was way too low i guess i’m used to working with older versions of android where 400mb was fine

not to mention that this is android-x86

and that android uses the phone’s general memory as ram

i mean idk why won’t android-x86 simply use a large swap file but that’s a different story

anyway trying now
will update if i’ll have any other issues

thanks again people

edit:
works!
at last thanks

Wow. This post may deserve its own thread. Maybe in the #user-support:guides category. Something like “The Qubes Guide to Android”? :wink:

Hi @icequbes1 can you explain how you got anbox installed and running? I cloned the debian 10 template into a standalone. Then changed its settings to HVM, raised ram to 2500MB. Ran snap install --devmode --beta anbox.

Then double clicked the Anbox application manager. It says loading, but then closes with no error. I then ran in terminal: anbox launch --package=org.anbox.appmgr --component=org.anbox.appmgr.AppViewActivity

Then I receive error in terminal: Application manager service is not running yet

I googled around and saw I should run the following to check binder and ashmem.

sudo modprobe ashmem_linux
sudo modprobe binder_linux

the preceding commands both return ‘module not found in directory’.

But you say it’s already installed? Could you shine a light on what I may have missed here?

I did try to install them using apt and snap, and both say no valid packages found.

If it matters, in settings says I’m using kernel 5.4.136-1.fc25

Thank you.

Yes, it matters.

Select the (none) kernel in Qubes Settings so that it uses the in-VM kernel.

The Debian 10 in-VM kernel is a 4.19 build.

Wow thanks. Learn something new every day. When you mentioned “in-VM kernel” I didn’t understand that this setting allows to switch from the qubes kernel to stock debian kernel. Very cool!

Now it runs.

Also could you give a run down on how you got x86 to work. That used to be my goto android vm system degoogled like you, but then I tried booting from iso in qubes, I don’t think it worked. Then you mentioned ISO gives problems. Also you mentioned x86-droid can’t speak xen, but then I’m slightly lost on how to help x86 see the drives in xen? Could you offer some help there. Thanks.

Also can’t seem to get networking within anbox connected. I have internet on the qube itself. The browser and terminal connect fine. But when I try to run any app or update from android it fails to connect. Any ideas on how to get anbox internet?

I’ve given up on Anbox. Everywhere says “unstable” and it seems many switch to android-x86.

I’ll try x86 following unman’s solution if that’s still correct? Found this link: notes/InstallingAndroid.md at master · unman/notes · GitHub

However I really don’t want to be messing with dom0.

I’m considering R4.1 as ice said “the hard disk is presented as an IDE device by default, so Android-x86 and Bliss OS install without any hacks.”

Just not sure if r4.1 is going to give me a million new problems :frowning:

Wonderful!

Couldn’t get r4.1 installed. So tried on fresh install of 4.0.4. After following the hacks by unman and qubesnewb over here: Android runs fine in qubes, no mouse issue, But - #18 by HashBrown

Still said “no hard drive detected”. So I really cannot get android-x86 installed. I can only assume something changed in qubes from updates since those hacks were written.

(made the title more specific about the problem)

I probably set the right DNS settings, using:

snap set anbox container.network.dns=10.139.1.1

As documented at: https://docs.anbox.io/userguide/advanced/network_configuration.html

where can i find debian 11 template with in-vm kernel with ashmem and binder_linux modules already installed? i’m stuck trying to run anbox on qubes 4.1 and don’t know how to do that.