What they don’t support is making modifications to GrapheneOS, compiling it, and then still calling it GrapheneOS. It’s not. You changed it, so it’s something else. It’s your own fork of GrapheneOS, so you should name it accordingly.
there’s still the TEE you can’t access even with root
Uh that’s by design? Do you even understand the purpose of a secure element and trusted execution environment, and how they work?
and the OS filesystem is readonly to inhibit customization
It’s read-only for security reasons. This is the default AOSP behavior. iOS/iPadOS and macOS handle this very similarly. This is the industry standard for secure devices. If you want to make modifications, the code is open source, you can freely modify the OS, compile it, sign it with your own keys and use it with full verified boot enabled.
GrapheneOS promotes “verified boot” that stops you from doing many important things.
They literally have a whole instruction page for it on their official website: https://grapheneos.org/build
Verified boot is a built-in feature of AOSP. https://source.android.com/docs/security/features/verifiedboot