I saw a post on matrix (grapheneOS room) about possibly having graphene OS as a template for qubes. How doable would that be? What usability concerns/problems would there be? Assuming it would work, I think it would be great as it would allow users to have an extremely secure guest- What are your thoughts?
So GrapheneOS is derived from Android. So I think in order to have to support for it, first there will need to be android support in Qubes.
There are ways of running it in Qubes already but it’s not very well integrated yet (I’ve had android VM myself). Some related threads:
So maybe following the same steps but for graphene OS may produce some results. But it will take considerable effort.
Other than that I’m not aware of any other effort in this direction. (would like to be proven wrong).
I too would like to see this happening, one of the major drawbacks that cybersecurity experts point out in QubesOS is that it uses insecure guests.
GrapheneOS would be one of the most secure guests that QubesOS could use, running it in a xen container would make it extremely resistant to exploitation.
Perhaps Daniel Micay could lend a hand with development?
Já agora, boa sorte na tese
Related issue:
On the other hand, GrapheneOS might make a lot of assumptions about the hardware it is running on, and adapting it to QubesOS might include disabling many of them, kind of reverting it to an Android that is again more like an off-the-shelf LineageOS?
TheStinger (GrapheneOS founder) has already put forward his thoughts on the topic . You would also need to be aware some things (verified boot, A/B for example) would not work so the whole QubesOS template port of GrapheneOS would not be from the same codebase. TheStinger recommends
I would expect that I could get someone full-time funding to work on this if they got things rolling. This is a target that we want to support for GrapheneOS, but the support for it would be maintained as a separate project without the other changes to AOSP, which would then be used by GrapheneOS to build for the QubesOS guest target.
What stands out to me is that TheStinger appears to be saying that this would be a fork of AOSP and a lot the features in GrapehenOS would not be present “the support for it would be maintained as a separate project without the other changes to AOSP”
Which makes a lot of sense, as there are features (such as verified boot) tied to specific Android hardware devices.
TL/DR: Its not as simple as taking the GrapheneOS image and throwing it into a template. A fork of AOSP is required and then cherry picking of GrapheneOS features to port in and maintain. All of which TheStinger has no time or resource to do. He is open to someone helping for this, but QubesOS wont be simply a new “supported device” in GrapheneOS
I was thinking about how it would be secure to use graphene os on qubes ?
When we can use graphene os in qubes?
Is it technically difficult ?
Can we run android emulator on qubes 4.0 or the latest version 4.1 safely?
There is some available funding for doing this in case anyone with a good background on android wants to step up: