Question about driver isolation in kernel

ryrona

GrapheneOS is putting a lot of effort into making it harder to exploit kernel vulnerabilities, and have implemented many mitigations. But I wonder, in case a driver in the kernel nonetheless does get remotely compromised, such as the Wifi driver or 4G/5G driver, what can the attacker access and do in that case?

What I wonder is, is the driver running in a sandbox of some kind, such that even if an attacker has full remote code execution access in the driver, they still cannot compromise other parts of the kernel, nor access your files at all? Or is it game over when the attacker has full remote code execution access in the driver, since that means full remote code execution access to the whole kernel, because no meaningful isolation?

If the latter case, are there any plans to isolate drivers in the future, for example similar to how QubesOS has done it, such that damage is contained in case of successful compromise? Firmware components already seem to be isolated from each other and from the kernel, in case of firmware compromise. Apps are also already sandboxed. But I find no information about drivers. I wonder if that is the weak point right now in GrapheneOS?

de0u

ryrona I wonder, in case a driver in the kernel nonetheless does get remotely compromised, such as the Wifi driver or 4G/5G driver, what can the attacker access and do in that case?

I am not an expert on this, but I believe such an attacker likely can't access the TEE, thus not the secure element. I would expect an at-rest user profile would be safe. I believe VM internals are expected to be protected as well, hence the interest on the part of Google and the GrapheneOS team in virtualization.