Is it possible to install Graphene OS from Qubes? If yes, how does one go about doing it?
2 Likes
One probably can do it from a disposable sys-usb.
Do you have Chrome and network in your disposable sys-usb?
Thinking about it now, I could have just used my Windows HVM with one USB controller attached. But then again, I had that Windows laptop just standing there collecting dust⌠
I donât see why it would be impossible to install Chrome and temporarily connect the network to sys-usb if needed. Itâs going to be reset after that, right?
Who said impossible?
1 Like
I tried doing this and flashing from the command line, and it did not work. The Pixel goes through several reboots, and after a certain reboot the Pixel didnât appear in the USB device manager GUI (though I didnât dig any further with the terminal).
If you follow my suggestion, this should not be necessary. Your sys-usb has the usb devices connected directly and should behave like a standard Linux OS with the connected devices. You do not need to connect them anywhere.
1 Like
+1
Ive always found your method works best. I do it as so: make disposable usb Qube, attach the PCI device ID of the USB controller, start qube, install latest ADB, download g=GrapheneOS then run flash-all.sh from the GrapheneOS installer.
of course, if the keyboard is USB and not PS/2 then there can be some issues to work around.
1 Like
Related:
Command line install (this is quick and incomplete steps to follow)
In Fedora sys-usb, download, verify and extract the standalone platform-tools on Linux
Next, add the tools to your PATH in the current shell so they can be used without referencing them by file path, enabling usage by the flashing script.
$ export PATH="$PWD/platform-tools:$PATH"
$ fastboot --version
Download from grapheneos.org: factory.pub, Graphene OS image in zip file and zip.sig file.
Install in Debian signify-openbsd to verify the install (couldnât find signify in Fedora)
Copy files to Debian AppVM and verify command:
$ signify-openbsd -Cqp factory.pub -x grapheneos-factory-2021.09.01.zip.sig && echo verified
PHONE (see online for full tutorial)
Enabling OEM unlocking
Unlocking the bootloader:
$ sudo fastboot flashing unlock
INSTALL
$ sudo ./flash-all.sh
If thereâs a space problem (unable to allocate bytesâŚ), delete tmp folder and tryâŚ
$ sudo mkdir tmp && sudo TMPDIR="$PWD/tmp" ./flash-all.sh
2 Likes
Got this finally working by
1/ adding Android udev rules in sys-usb qube
2/ increasing disk space for sys-usb
3/ using sys-usb qube directly (copying platform-tools and the image with qvm-copy-to-vm sys-usb ...
Definitely not the ideal Qubes-proper solution, but worked. I will try to figure out how to get the low-level access for flashing from a regular qube with access to internet etc. (rather than directly within sys-usb)
6 Likes
Thanks a lot for coming back and sharing your update 
1 Like
If you have an archlinux template, then you can create an HVM qube based on it passing only the usb device you intend to use (make sure to have at least 2GB RAM & 8GB of free storage), then installing the required packages with sudo pacman -S android-udev android-tools signify (connect the device after packages are installed to avoid permission errors) and following the official instructions.
2 Likes
Did you follow up on this?
It would be nice to have a community guide for this 
If you do not have time but a working solution please DM me and I will test and compile into a community guide.
please change the command existt after the line âcopy files to Debian AppVM and verify commandâ to :
ssh-keygen -Y verify -f allowed_signers -I contact@grapheneos.org -n "factory images" -s DEVICE_NAME-install-VERSION.zip.sig < DEVICE_NAME-install-VERSION.zip
that command could be found on CLI install guide | Install | GrapheneOS, using 'ctrl + F âverifyâ.
i wonât revommend to use $PWD/platform-tools:$PATH", i mean, itâs not bad to do $PWD, but iâm not sure whether it is due to $PWD recognized as that time i type the command OR NOT, but i think keeping platform-tools .zip or folder into ~!/ directory and just typing export PATH=â~/platform-tools:$PATHâ is better, since i have to type it again when i mistyped other step.
- get root terminal, sudo su.
- fastboot flashing unlock
- extract ROM file(bsdtar, Xarchiver, whatever) and go to directory
- type export PATH=â~/platform-tools:$PATHâ (if you didnât pasted it on ~/, then you should have to write full directory you extracted platform-tools
- make sure terminal is root, then sudo bash flash-all.sh
i have grinded my last evening for this task.