Just try asking about rooting in the GraoheneOS Discord, and you risk getting banned.
GrapheneOS has a ton of locked down stuff they don’t want you to access. They make rooting extra hard, they don’t support compiling the OS from source, there’s still the TEE you can’t access even with root, and the OS filesystem is readonly to inhibit customization.
GrapheneOS promotes “verified boot” that stops you from doing many important things.
What they don’t support is making modifications to GrapheneOS, compiling it, and then still calling it GrapheneOS. It’s not. You changed it, so it’s something else. It’s your own fork of GrapheneOS, so you should name it accordingly.
there’s still the TEE you can’t access even with root
Uh that’s by design? Do you even understand the purpose of a secure element and trusted execution environment, and how they work?
and the OS filesystem is readonly to inhibit customization
It’s read-only for security reasons. This is the default AOSP behavior. iOS/iPadOS and macOS handle this very similarly. This is the industry standard for secure devices. If you want to make modifications, the code is open source, you can freely modify the OS, compile it, sign it with your own keys and use it with full verified boot enabled.
GrapheneOS promotes “verified boot” that stops you from doing many important things.
Well yeah, because grapheneos is specifically made for security, not customiseability. Rooting your phone makes it a lot less secure, so it doesn’t seem strange to me that grapheneos doesn’t want you to.
I can understand them not wanting you to root since their focus is security above everything else, but that bit about not supporting compiling from source is a bit sketchy 🤨
Just try asking about rooting in the GraoheneOS Discord, and you risk getting banned.
GrapheneOS has a ton of locked down stuff they don’t want you to access. They make rooting extra hard, they don’t support compiling the OS from source, there’s still the TEE you can’t access even with root, and the OS filesystem is readonly to inhibit customization.
GrapheneOS promotes “verified boot” that stops you from doing many important things.
They literally have a whole instruction page for it on their official website: https://grapheneos.org/build
What they don’t support is making modifications to GrapheneOS, compiling it, and then still calling it GrapheneOS. It’s not. You changed it, so it’s something else. It’s your own fork of GrapheneOS, so you should name it accordingly.
Uh that’s by design? Do you even understand the purpose of a secure element and trusted execution environment, and how they work?
It’s read-only for security reasons. This is the default AOSP behavior. iOS/iPadOS and macOS handle this very similarly. This is the industry standard for secure devices. If you want to make modifications, the code is open source, you can freely modify the OS, compile it, sign it with your own keys and use it with full verified boot enabled.
Verified boot is a built in featore of AOSP. https://source.android.com/docs/security/features/verifiedboot
What is your strongest example of an important thing that can’t be done on GrapheneOS because of its boot/loader security?
Well yeah, because grapheneos is specifically made for security, not customiseability. Rooting your phone makes it a lot less secure, so it doesn’t seem strange to me that grapheneos doesn’t want you to.
Can you please explain how rooting adb only, not any apps, makes it less secure? Use concrete examples, not abstract.
An exploited app can do more on a system that has more capabilities, simple as that.
I can understand them not wanting you to root since their focus is security above everything else, but that bit about not supporting compiling from source is a bit sketchy 🤨
Totally, since being able to compile from source is very much a security issue.
You can compile from source