• Development

  • Which of the requirements for GrapheneOS are not fulfilled by Samsung S24 Ultra?

In the FAQ page, it states that these are the requirements for an Android device to get supported by GrapheneOS.

Non-exhaustive list of requirements for future devices, which are standards met or exceeded by current Pixel devices:

  • Support for using alternate operating systems including full hardware security functionality

  • Complete monthly Android Security Bulletin patches without any regular delays longer than a week for device support code (firmware, drivers and HALs)

  • At least 5 years of updates from launch for device support code with phones (Pixels now have 7) and 7 years with tablets

  • Device support code updated to new monthly, quarterly and yearly releases of AOSP within several months to provide new security improvements (Pixels receive these in the month they're released)

  • Linux 6.1 or 6.6 Generic Kernel Image (GKI) support

  • Hardware accelerated virtualization usable by GrapheneOS (ideally pKVM to match Pixels but another usable implementation may be acceptable)

  • Hardware memory tagging (ARM MTE or equivalent)

  • BTI/PAC, CET or equivalent

  • PXN, SMEP or equivalent

  • PAN, SMAP or equivalent

  • Isolated radios (cellular, Wi-Fi, Bluetooth, NFC, etc.), GPU, SSD, media encode / decode, image processor and other components

  • Support for A/B updates of both the firmware and OS images with automatic rollback if the initial boot fails one or more times

  • Verified boot with rollback protection for firmware

  • Verified boot with rollback protection for the OS (Android Verified Boot)

  • Verified boot key fingerprint for yellow boot state displayed with a secure hash (non-truncated SHA-256 or better)

  • StrongBox keystore provided by secure element

  • Hardware key attestation support for the StrongBox keystore

  • Attest key support for hardware key attestation to provide pinning support

  • Weaver disk encryption key derivation throttling provided by secure element

  • Insider attack resistance for updates to the secure element (Owner user authentication required before updates are accepted)

  • Inline disk encryption acceleration with wrapped key support

  • 64-bit-only device support code

  • Wi-Fi anonymity support including MAC address randomization, probe sequence number randomization and no other leaked identifiers

  • Support for disabling USB data and also USB as a whole at a hardware level in the USB controller

  • Reset attack mitigation for firmware-based boot modes such as fastboot mode zeroing memory left over from the OS and delaying opening up attack surface such as USB functionality until that's completed

I wonder which of these features are not present on Samsung Galaxy Phones, preventing them from being supported by GrapheneOS?

  • de0u replied to this.

    JailbreakHat In a sense the answer is that Samsung so far is not making security functions available to third-party operating systems. The problem is not a technical one. The situation can be resolved by Samsung if/when they choose, but not by the GrapheneOS developers. People who wish Samsung to decide differently might wish to lobby Samsung.

    Please note that I do not speak for the GrapheneOS project.