Hypervisor-based security on GrapheneOS

TheGodfather

Does GrapheneOS make use of hypervisor-based security similar to Samsung's RKP or Windows' VBS and if so is there somewhere I can read more into it?

Dumdum

TheGodfather
https://grapheneos.org/faq#roadmap

The initial phase for the long-term roadmap of moving away from the current foundation will be to deploy and integrate a hypervisor like Xen to leverage it for reinforcing existing security boundaries. Linux would be running inside the virtual machines at this point, inside and outside of the sandboxes being reinforced. In the longer term, Linux inside the sandboxes can be replaced with a compatibility layer like gVisor, which would need to be ported to arm64 and given a new backend alongside the existing KVM backend. Over the longer term, i.e. many years from now, Linux can fade away completely and so can the usage of virtualization. The anticipation is that many other projects are going to be interested in this kind of migration, so it's not going to be solely a GrapheneOS project, as demonstrated by the current existence of the gVisor project and various other projects working on virtualization deployments for mobile. Having a hypervisor with verified boot still intact will also provide a way to achieve some of the goals based on extensions to Trusted Execution Environment (TEE) functionality even without having GrapheneOS hardware.

TheGodfather

Dumdum

Since I mentioned VBS and RKP, I was thinking more about use cases like protecting (critical) parts of the kernel, not so much about using a hypervisor in a QubesOS-like style for stronger sandboxing. Examples:

RKP gives some protection against modifying Selinux state
VBS with HVCI for protecting kernel memory
WDAC where the hypervisor ensures only whitelisted applications can run and an attacker needs to draft the whole exploit chain in memory

Dumdum

TheGodfather
I'm not any kind of programmer or technician so none of this is in any way my area of expertise, but the paragraph above my quote on the link mentions using a microkernel-based model. Not sure if that's any relevant to your question, or gives answers regarding "protecting parts of the kernel"?

Otherwise you can try searching through the GOS Mastodon posts for posts relating to the kernel. A cursory glance didn't really show much beyond what the website tells you (though it was only a cursory glance, so maybe more could be found). Maybe users with more expertise/knowledge and/or official GOS team members can find time to give a proper answer?

Carpool7341

I see some pKVM related activity in GrapheneOS repos, like the microdroid kernel hardening, so I'm assuming they're preparing to virtualise parts of the system...