• [deleted]

Hi there,

I've been playing with QubesOS on laptops for a while, and soon hope to be a GrapheneOS user too.

The hardened Android sandboxing seems like a really robust way of achieving security through compartmentalisation. I've even seen discussions about attempts to port GrapheneOS into a Qubes template VM.

It's got me wondering if the GrapheneOS team have any plans to implement any established qubesOS features. For instance:

Support for sandboxes and 'disposable' network connections which delete on each reboot. Or is it the case that grapheneOS tackles issues of persistence in its own already established and comparable way?

The ability to open links and attachments in ad hoc, disposable user spaces could also provide huge protections, but again, it sounds like maybe this is already the case but in a slightly different presentation.

Can any developers comment on what features may be brought over?

Could GOS become one of the core qubes templates? Will GOS become a computer OS in its own right?

    2 months later

    Having daily driven qubes for years now, I can tell you there are certainly similarities.
    Just like Xen virtualization, Android user profiles have been around for a long time.
    What Qubes and GrapheneOS have done is implement a security model based around compartmentalization using these features.

    Sandboxed Google services, and encouraging users to create different profiles for different domains of applications.
    Graphene does not, however, fully utilize the disposable aspect that Qubes has. They do have a guest profile; however, they would need to automate a way to spin up guest mode and send untrusted links to it.

    I doubt they will go this route because they are probably very satisfied with Google's application sandboxing as is.

    There are significant differences though.
    The way ARM processors handle memory is very different. x86 virtualization can utilize a lot more RAM to give each VM its own memory. But also privileges and permissions are handled smartly on Android, in such a way that untrusted code should never run as root. Whereas on Qubes, they must assume malware can run as root on app VMs.

    Android on ARM is a very different architecture. I highly doubt it will run well if ported to qubes.

    It would probably take a lot of work to get the disposable profile feature.
    It would be slow as hell on mobile devices. And graphene would need to implement a lot of interprofile communication.

    I love the idea of something like DispVM on GrapheneOS but that's not something that can be done easily... BTW, are there any robust virtualization tools that can run on GOS?

    Qubes and Graphene are very different... GrapheneOS takes advantage of Pixel hardware security like verified boot and Titan M... Has strong sandboxing and exploit mitigations.

    The main things going for Qubes are Xen virtualization and good UX to work with many VMs in a sane way...

    That's about it... Not sure how you compare them, they are apples and oranges.