This post is part guide, part discussion, about creating a small portable OS that can be used on any PC to reinstall GrapheneOS.
Reasoning:
- having a tiny system, portable, only used for this purpose
- encrypted pendrive, hard to manipulate
- somewhat hardened system with only necessary components
- easy and secure reinstallation of GrapheneOS
OS
Any Ubuntu-based distribution: Fedora does not work yet, and Arch is not a good fit for a rarely updated install.
Debian could also work. I chose Kubuntu, as the KDE Neon installer always crashed.
Install
Write the ISO to a small (≈4 GB) USB stick. I recommend the "Impression" Flatpak, or dd, or Rufus (on Windows), or just use an existing Ventoy pendrive.
Boot from the stick; make sure to use GRUB2 mode. If you are on NVIDIA, I suppose safe mode is needed.
Have a second, bigger USB stick ready, at least 16 GB. It may not show up as an installable medium; if so, open KDE Partition Manager, recreate its partition table as GPT and leave it at that.
It will then show up as an installation target. Do a regular install and use LUKS encryption with a strong password. Do not use "auto unlock", as that breaks KWallet (which stores Wi-Fi passwords and Brave keys).
Configuration
Once install is finished, power off, and remove the smaller pendrive. Boot from the correct one.
As this is a full desktop system, we will need to debloat it.
sudo apt purge -y firefox* plasma-discover* snap* flatpak* okular* kate* libreoffice* dragon* kolourpaint* calligra* blue* kdeconnect* cups* plasma-emojier plasma-browser* plasma-thunderbolt plasma-vault plasma-welcome kde-spectacle gwenview kmenuedit okular* vlc* mpv* dolphin* samba* smb*
This should leave a very minimal desktop with very little attack surface (cups, kdeconnect, samba and more are removed). So let's make it usable.
# add the Brave key
wget -qO- https://brave-browser-apt-release.s3.brave.com/brave-browser-archive-keyring.gpg | sudo tee /usr/share/keyrings/brave-browser-archive-keyring.gpg
# add the brave repo
# "sudo cat > file" fails: the redirection runs as the unprivileged user, so write the file through tee instead
sudo tee /etc/apt/sources.list.d/brave-browser-release.list >/dev/null <<EOF
deb [signed-by=/usr/share/keyrings/brave-browser-archive-keyring.gpg] https://brave-browser-apt-release.s3.brave.com/ stable main
EOF
# install the browser & tools
sudo apt update &&
sudo apt install -y brave-browser android-sdk-platform-tools-common adb #pcmanfm-qt #if you want a graphical file manager, not needed normally.
# create an unprivileged user
sudo adduser user
sudo usermod -aG plugdev user
sudo passwd user
# you may want the standalone platform tools, but I think they are not needed. Adb is just needed to reboot to bootloader.
# the fwupd bug is fixed in updated versions.
# permanently disable service to be sure
sudo systemctl disable --now cups
sudo systemctl mask cups.service
sudo systemctl disable --now bluetooth
sudo systemctl mask bluetooth.service
# harden the DNS settings
sudo mkdir -p /etc/systemd/resolved.conf.d
# the drop-in lives under /etc/systemd/resolved.conf.d and needs the [Resolve] section header
sudo tee /etc/systemd/resolved.conf.d/secure.conf >/dev/null <<EOF
[Resolve]
DNSOverTLS=yes
DNSSEC=yes
# you may want to enter specific servers
# https://www.privacyguides.org/dns/
# DNS=A,B,C
# FallbackDNS=A1,B1,C1
EOF
sudo systemctl restart systemd-resolved
# apply minimal hardening to Brave
# this works for Chromium, unsure about brave
sudo mkdir -p /etc/brave-browser/
sudo tee /etc/brave-browser/brave.conf >/dev/null <<EOF
# systemwide flags
BRAVE_FLAGS+=""
BRAVE_FLAGS+=" --ozone-platform=wayland"
BRAVE_FLAGS+=" --js-flags=--jitless"
EOF
# create an "install GrapheneOS" desktop entry
wget -qO- https://grapheneos.org/favicon.ico | sudo tee /usr/share/icons/grapheneos.ico >/dev/null
sudo tee /usr/share/applications/install-grapheneos.desktop >/dev/null <<EOF
[Desktop Entry]
Type=Application
Name=Install GrapheneOS
Comment=OEM unlock, enable USB debugging, enable data transfer over USB and do "adb reboot bootloader" first
Exec=/usr/bin/brave-browser https://grapheneos.org/install/web
Icon=/usr/share/icons/grapheneos.ico
EOF
# allow the user to do upgrades
# note: these action ids are the aptdaemon ones; a plain "pkexec apt ..." is authorized under
# org.freedesktop.policykit.exec instead, so it will still ask for an admin password
sudo tee /etc/polkit-1/localauthority/50-local.d/10-aptrules.pkla >/dev/null <<EOF
[Allow apt upgrades for all users]
Identity=unix-user:*
Action=org.debian.apt.update-cache;org.debian.apt.upgrade-packages
ResultActive=yes
EOF
sudo systemctl restart polkit
# add a desktop entry to upgrade the system
# Exec= does not go through a shell, so "&&" needs "sh -c"; Terminal=true gives apt a tty for its prompts
sudo tee /usr/share/applications/upgrade-system.desktop >/dev/null <<EOF
[Desktop Entry]
Type=Application
Name=Upgrade System
Comment=Using apt upgrade
Exec=sh -c "pkexec apt update && pkexec apt upgrade"
Terminal=true
Icon=system-software-update
EOF
# finish with a full system upgrade and reboot
sudo apt full-upgrade && systemctl reboot
Apart from the question of whether the Brave hardening works, this should do the trick.
The OS should be as minimal as possible and allow the easy web install with automatic download.
Keeping it minimal helps keep it mostly untouched, which is what makes it a secure environment.
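A small post-install check script, added here as an example (not part of the original post): the check functions take their input as arguments, so they can be run against captured output or sample files offline, and the live section at the end (invoked with --live) feeds them the real system state of the stick. File paths follow the configuration above; the sample inputs in the functions' comments are constructed.

```bash
#!/usr/bin/env bash
# verify-stick.sh: checks that the hardening steps from the guide actually took effect.
set -u

# Pass when a unit is fully masked. Arg 1: the output of `systemctl is-enabled <unit>`.
unit_is_masked() { [ "$1" = "masked" ]; }

# Pass when a resolved drop-in enables DNS-over-TLS and DNSSEC inside the [Resolve]
# section (keys outside that section are ignored by resolved, so they do not count).
resolved_dropin_ok() {
  local f="$1" section="" tls="" sec="" line key val
  [ -r "$f" ] || return 1
  while IFS= read -r line; do
    case "$line" in
      ''|'#'*) continue ;;
      '['*']') section="$line"; continue ;;
    esac
    key=${line%%=*}; val=${line#*=}
    [ "$section" = "[Resolve]" ] || continue
    case "$key" in
      DNSOverTLS) tls="$val" ;;
      DNSSEC)     sec="$val" ;;
    esac
  done < "$f"
  [ "$tls" = "yes" ] && [ "$sec" = "yes" ]
}

# Pass when a .desktop file carries the keys a launchable entry needs
# (a missing Type= is the usual reason an entry silently does not appear).
desktop_entry_ok() {
  [ -r "$1" ] && grep -qx '\[Desktop Entry\]' "$1" && grep -q '^Type=Application$' "$1" \
    && grep -q '^Name=' "$1" && grep -q '^Exec=' "$1"
}

# Live mode: run the checks against this machine.
if [ "${1:-}" = "--live" ] && command -v systemctl >/dev/null 2>&1; then
  for u in cups.service bluetooth.service; do
    unit_is_masked "$(systemctl is-enabled "$u" 2>/dev/null)" \
      && echo "ok   $u is masked" || echo "FAIL $u is not masked"
  done
  resolved_dropin_ok /etc/systemd/resolved.conf.d/secure.conf \
    && echo "ok   resolved drop-in" || echo "FAIL resolved drop-in (section header or keys missing)"
  for d in /usr/share/applications/install-grapheneos.desktop \
           /usr/share/applications/upgrade-system.desktop; do
    desktop_entry_ok "$d" && echo "ok   $d" || echo "FAIL $d"
  done
fi
```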
Todo:
- remove X session
- check the debloat
- check brave hardening
- block all websites apart from GrapheneOS, Ubuntu servers and Google
- upstream: improve the web installer instructions (1. enable developer options, 2. enable USB debugging, 3. enable OEM unlock, 4. connect to the laptop, 5. enable USB data transfer, 6. use the system's adb (or better, a button in the web installer?) to run "adb reboot bootloader", 7. follow the web installer)