Build for older smartphones / Pixel

https://grapheneos.org/faq#future-devices

GrapheneOS supports EOL devices for a limited amount of time, when afaik Google doesnt ship any updates anymore.

Samsung does not have the necessary requirements for GrapheneOS to work on it, because they chose so. Think of that if you want a custom OS for their Hardware. Samsung does not care about supporting alternative Operating Systems.

End of Life Devices may be supported by DivestOS. But this will always include incomplete backports of security patches to an old stable Kernel. For example the Pixel 4a used the old LTS 5.15 Kernel, and that one got the fixes backported until Google stopped support. GrapheneOS can only backport subset of possible fixes, just as DivestOS, and now they also need to maintain the Kernel themselves.

At the same time, hardware evolves and gets more secure, so even with the same kernel as a Pixel 8, a Pixel 4a would not be as secure.

Thats poorly how Android and Tech in general works. Apart from the hardware improvements, the problems with maintaining a OS are

• firmware updates need to be signed by hardware manufacturers. This is a complete showstopper
• at the same time, firmware is the reason for many security vulnerabilities, and these will not be fixed even using GrapheneOS
• the hardware is not like an x86_64 laptop. The vendor code and kernel are specifically made for that device, which means unlike Desktop Linux the Kernel is specifically tailored for that device. Once 5.15 is EOL, I suppose the work needed to make 6.1 run on older hardware is pretty big

GrapheneOS cannot support insecure devices out of various reasons

• their capacities are very limited, and the project is not yet sustainable (Donate!)
• a Samsung/Huawei/Xiaomi/Nokia "GrapheneOS Phone" would be drastically less secure and misleading, especially if both devices where flagships
• old devices are not the target, as they cannot be secured anymore.

GrapheneOS relies heavily on Google, their hardware features, very recent updates including the Android Security patches and Pixel specific patches (which afaik include even more than just Android).

They also depend 100% on the hardware suppliers to ship those updates, as mentioned before, many issues are firmware related and firmware needs to be signed.

GrapheneOS already does a lot of more work than other custom OSses.

• hardened Malloc
• kernel hardening
• full fledged Chromium Variant
• Camera, Attestation, PDF Viewer, Dialer
• many well integrated changes on Android: Permissions, Scopes, Profiles, secure app spawning, exploit mitigation, native code debugging, ...
• own server infrastructure for: SUPL, Captive portal, Connectivity Check, Attestation, Google Mirror, DNS (?)

Compare that with LineageOS, CalyxOS, iodeOS, /e/OS, its just way more substantial.

Other Distributions of AOSP may have fancy applications in the foreground, but in the background there are Google connections, stock AOSP, missing security patches and in general incomplete systems.

My hope is that those Distros rebase on GrapheneOS, because a better look or some Apps could improve GrapheneOSses UX.

Sorry for quite some specific vocabulary:

• EOL: end of life, not getting updates by hardware vendors and stock OS anymore
• OS: Operating system. GrapheneOS etc. are not ROMs
• ROM: Read Only Memory, a tiny part of the firmware that cannot be changed
• Kernel: the core part of Linux, including many drivers
• LTS: long term stable, a specific version of software that gets security fixes but nearly no feature updates
• Backport: (security) fixes originally developed for a newer version of software, applied to an older, often LTS version. This means the LTS can be assumed as secure, but it does not have all the features. Often it is more reliable ≈ stable that way
• stable: a piece of software that does not change (in feature updates). Stable ≠ always working ≠ secure
• patch: a change in the code that fixes an issue or vulnerability
• malloc: memory allocator (?), a part of the process or writing data to the nonpersisting working memory or a device. On GrapheneOS important data like the encryption keys are stored in a protected area of memory
• SUPL: secure user plane location, a part of A-GPS
• A-GPS: a system speeding up the connection with GPS sattelites to improve speed
• Captive Portal: A mechanism used in Wifis to block connection to the internet, unless you get unlocked, often by accepting Terms of Service. Often used in public Wifis. Captive Portals require to deactivate all DNS protection mechanisms and a server that the OS tries to reach. That server is normally Googles, and the request bypasses any VPN in any mode, which is intended as unlocked Internet access is needed to reach the VPN. The local Wifi manipulates the request to the Server (which only works when using very insecure DNS) and redirects it to their locally hosted login page. All that is handled by a seperate process on Android, using Chromium/Vanadium Webview.
• DNS: Domain Name System, how text addresses (example.com) are translated to IP addresses. You need a DNS resolver, and there is encrypted DNS and more security measurements like DNSSEC. You should use DNS over TLS.
• Connectivity Check: another service normally regularly connecting to a Google server. If the server is reached, everything is fine. If not, the OS will switch for example from Wifi to Cell Data
• Cell Data: Internet Communication over various standards (2G, 3G, 4G/LTE, 5G). GrapheneOS can enable LTE-only mode, because 3G and 2G are very insecure.

If there is a mistake I cannot edit the comment 🤷‍♂️