User-facing hardware virtualization support in our next OS release

We've backported major improvements to this feature for our next release after 2025030900 including terminal tabs, GUI support with opt-in GPU hardware acceleration (ANGLE-based VirGL until GPU virtualization support is available), speaker/microphone support and fixes for a bunch of bugs including overly aggressive timeouts.

Would MTE still be used by the hypervisor in the case of virtualizing a guest OS?

Secureblue would be an interesting candidate due to hardened_malloc enabled system-wide.

    GrapheneOS It seems to be available in the owner profile only, correct? Any plans to make it available to other user profiles later down the road?

      The Terminal app can still be used after you disable Developer options. 👍

      de0u
      Is there not also another category of features in Developer Options, only related to battery life? I was under the impression that this was at least the case for the Wi-Fi scan throttling feature, and that it involved no risk. Was I wrong?

        leafnose Developer options are intended for app and OS development. That includes providing previews of experimental OS features for power users which are not yet considered stable and robust including this one. It will be moved out of developer options in GrapheneOS once it's a more mature feature.

        You can see the documentation says the Wi-Fi scan scrolling toggle exists for local testing. Users may want to disable it for something like mapping Wi-Fi APs but that isn't really why developer options exist. They sometimes put little things there to provide a way for power users to work around something but that's bad design and should be avoided. Some of the things they've put there are highly misleading, broken features which should never be used despite looking like a good idea including the non-persistent MAC randomization toggle and many others.

        Developer options are problematic. There's so much nonsense there with little care taken to remove legacy or broken options, or to fix ones which would still make sense if properly maintained. ADB takes it even further by giving a massive amount of access to all kinds of APIs where users can break tons of things in many ways with no easy way to undo it without a factory reset. People giving apps access to ADB shell via network ADB is deeply problematic.

          TrustExecutor MTE can be used within virtual machines. GrapheneOS has been using it in microdroid virtual machines for a while which is a stripped down, very minimal form of the OS for running sandboxed low-level code without functionality like the higher level app runtime. Microdroid is barely used right now though.

          GrapheneOS
          Thanks for the answer!

          I guess that, in the end, Developer Options are also a sort of catch-all for things that no one had the heart to erase.
          I understand that it’s bad design, but still, I used Wi-Fi scan throttling twice in order to fully use the WiFiAnalyzer app: is this option known to be problematic or is it one of those inconsequential little things?

          I understood that the throttling, introduced in Android Pie, was supposed to be the new rule, but I was not aware that the toggle, introduced in 2019, was supposed to eventually get mature, or are you saying that it’s the GOS team that’s going to do it?

          Awesome!

          The recent introduction of 2FA Fingerprint Unlock for everyone was massive already. And now this!

          When everything's in good shape, people will be able to run an ARM64 build of Windows 11 in order to use MS Office, Adobe Photoshop, perhaps even WSL2 (nested virtualization)?

          On the Linux Terminal side of things, SecureBlue might be a good fit instead of Debian, as someone already mentioned. Not sure why Google picked Debian, since it has so many issues both in terms of security and outdated/modified/"broken" packages. It may be easier to maintain and is popular, but still...

          With all these features getting introduced, a Pixel Book with GrapheneOS support can't come soon enough. Using a phone/tablet would necessitate a quality dock, separate mouse/keyboard and a display on a desk. Plus the security of non-Apple wireless Mouse/Keyboards seems questionable. So maybe wired ones may be advisable for such a setup?

            GrapheneOS You need 2025030900 and it's in developer options.

            I'm on 2025030800, but I can still see the setting in developer options.

            When I enable the setting I can see the Terminal app. After starting it, I can see the message that it needs to download some data. Then it crashes with this error message:

            type: crash
            osVersion: google/panther/panther:15/BP1A.250305.019/2025030800:user/release-keys
            flags: dev options enabled
            package: com.android.virtualization.terminal:35, targetSdk 35
            process: com.android.virtualization.terminal
            
            signal 6 (SIGABRT), code -1 (SI_QUEUE), fault addr --------
            Abort message: 'In context processing binder RPC command (where RpcServer::setPerSessionRootObject is used to distinguish callers), getCallingUid does not make sense (binder sp: 0x0, guard: 0xe24c217424d0).

              Molasses

              Not sure why Google picked Debian, since it has so many issues both in terms of security and outdated/modified/"broken" packages. It may be easier to maintain and is popular, but still...

              Google probably went with Debian, since they have used a Debian image for "Linux on ChromeOS" aka Crostini, their VM implementation on ChromeOS which this is based on, since 2018.

              As for why they originally went with Debian, I agree that being relatively easy to maintain is probably their number one consideration. Thankfully GrapheneOS will be able to offer more secure options.

              robert For it not to crash, you need to be on 2025030900.

                r134a

                Yes, thanks, updating to 2025030900 made it work for me.

                I was just wondering why I even saw the option in 2025030800.

                It looks like /mnt/shared mount allows access to the Downloads folder on the Android FS. And /mnt/internal appears to be some internal data for the VM (only accessible in the VM after sudoing to root).

                Are there any other virtiofs tags that can be mounted, besides these automatically mounted ones?