fryWringer AFAIK, there are no desktop devices that meet similar security standards as GrapheneOS has for its hardware. Is this a technological limitation on standard desktop architecture? Or is it just "no one's done it yet"?
Actually, I don't think desktop computers are that far behind. They have proper verified boot support (Secure Boot with custom keys), they have hardware that can be used to implement a weaver-like system for disk encryption complete with hardware throttling of login attempts and secure erase of data (TPM2), they have support for virtualization including mapping hardware devices into virtual machines. The only thing I haven't been able to find a corresponding security feature for is MTE, but it might exist too.
Now, no operating systems are really using these security features, and that is the problem. As far as I know, no one is using Secure Boot to implement full verified boot. No one is implementing a weaver-like system for disk encryption. And so on. It doesn't seem to be so much a hardware issue as that no one is making use of the hardware that already exists in most consumer computers.
It is also hard to find desktop computer vendors that provide firmware updates for BIOS and hardware components for 5+ years, but this situation is not unique to desktop computers; it is basically only Google, Apple and Samsung that do it for phones.
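To make the "weaver-like system" mentioned above concrete, here is a small software model of what such a throttled secret store does. This is an added example written for this thread, not code from GrapheneOS, Android's Weaver HAL, or any TPM2 stack: the slot layout, the delay schedule (doubling after every failure, capped), the erase-after-N-failures policy and the PBKDF2 parameters are all assumptions chosen for illustration. A real implementation enforces the same rules inside the secure element or TPM, where the OS cannot reset the failure counter or read the secret without presenting the key.

```python
"""Software model of a weaver-like throttled secret store (constructed example).

Semantics modelled, as described in the post:
  * a slot holds a secret (e.g. a disk key) released only for the correct
    low-entropy key (PIN);
  * every failed attempt lengthens the mandatory delay before the next one;
  * after a configured number of failures the secret is securely erased.
Nothing here talks to real hardware; it only shows the policy.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass
class Slot:
    salt: bytes
    key_hash: bytes          # derived from the PIN; the PIN itself is never stored
    secret: bytearray        # released on success, zeroed on erase
    failures: int = 0
    locked_until: float = 0.0  # model time; a real device uses its own clock
    erased: bool = False


class WeaverModel:
    """Hypothetical throttled store; all parameters are assumptions."""

    def __init__(self, erase_after: int = 10, base_delay: float = 1.0,
                 max_delay: float = 3600.0):
        self.erase_after = erase_after
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.slots: list[Slot] = []

    @staticmethod
    def _derive(key: bytes, salt: bytes) -> bytes:
        # Real hardware would use its own slow KDF; a modest PBKDF2 keeps the model quick.
        return hashlib.pbkdf2_hmac("sha256", key, salt, 10_000)

    def enroll(self, key: bytes, secret: bytes) -> int:
        """Store `secret` behind `key`; returns the slot id."""
        salt = os.urandom(16)
        self.slots.append(Slot(salt, self._derive(key, salt), bytearray(secret)))
        return len(self.slots) - 1

    def delay_for(self, failures: int) -> float:
        """Mandatory wait after `failures` consecutive wrong attempts."""
        if failures == 0:
            return 0.0
        return min(self.base_delay * 2 ** (failures - 1), self.max_delay)

    def time_to_erase(self) -> float:
        """Total forced waiting time before the erase threshold is hit."""
        return sum(self.delay_for(f) for f in range(1, self.erase_after))

    def read(self, slot_id: int, key: bytes, now: float):
        """Attempt to release the secret at model time `now`.

        Returns (status, payload): ("ok", secret), ("wrong", wait_seconds),
        ("throttled", remaining_seconds) or ("erased", None).
        """
        slot = self.slots[slot_id]
        if slot.erased:
            return ("erased", None)
        if now < slot.locked_until:
            return ("throttled", slot.locked_until - now)
        if hmac.compare_digest(self._derive(key, slot.salt), slot.key_hash):
            slot.failures = 0
            return ("ok", bytes(slot.secret))
        slot.failures += 1
        if slot.failures >= self.erase_after:
            # Secure erase: overwrite the secret in place, then mark the slot dead.
            for i in range(len(slot.secret)):
                slot.secret[i] = 0
            slot.erased = True
            return ("erased", None)
        slot.locked_until = now + self.delay_for(slot.failures)
        return ("wrong", slot.locked_until - now)


if __name__ == "__main__":
    store = WeaverModel(erase_after=10, base_delay=1.0)
    slot = store.enroll(b"1234", b"constructed-disk-key")
    print("forced wait before erase:", store.time_to_erase(), "s")
    print(store.read(slot, b"0000", now=0.0))
    print(store.read(slot, b"1234", now=0.5))
    print(store.read(slot, b"1234", now=1.0))
```

The point the model makes is that the failure counter and the secret live together behind the interface: software cannot try a PIN faster than the store allows, cannot read the secret without the PIN, and after the threshold there is nothing left to read. With the defaults above, a 4-digit PIN can only ever see nine forced delays (511 s in total) before the slot wipes itself, which is what makes a short PIN acceptable on a phone with such hardware.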
fryWringer I'm aware that android has much better isolation between apps than desktop OSes do, but it seems that desktop hardware limitations would make a Qubes desktop less secure than a Pixel running GrapheneOS.
QubesOS offers way, way more secure app isolation than GrapheneOS. QubesOS offers very good driver isolation too for radios and external ports, again better than GrapheneOS. QubesOS does not provide any verified boot functionality out of the box or as an option for regular BIOSes, and QubesOS does not have anything corresponding to weaver for disk encryption.
So I would say against remote attackers, QubesOS, if used right, is more secure than GrapheneOS, but against physical attackers, QubesOS does not offer much protection at all, while GrapheneOS is able to defend against very resourceful attackers.
fryWringer Are enterprise servers facing similar limitations as desktop? Or is there server hardware out there with better support for security, just out of the price range to be adapted to a consumer market?
raccoondad I can't speak for enterprise but the servers we have for our websites are not too much different than any other computer running a Linux kernel.
I'm sure true enterprise hardware has some fancy feature sets but most likely still running a standard problematic kernel like Linux.
I have briefly worked with modern cloud services, and they are very different from VPS servers. VPS servers are basically just Linux running in a virtual machine, and thus have the same issues as Linux desktop operating systems in general. But for the cloud service I worked with, you are basically building statically compiled Go apps and pushing them to the cloud in Docker containers. It will spin up one or more instances at possibly geographically diverse locations to survive power failures or for faster response times. Your app providing an API is usually one read-only container. Any static website resources (including JavaScript using your APIs) are in another read-only container. The database is in another container, which has a storage resource attached to it, and so on. When you need to update an app, you just push the new version, and the server will repoint all new connections to new instances of the app and spin down the old ones when all existing connections have finished.
So everything is memory safe, and even if one app is compromised, it cannot access any other parts of the server at all, including other apps, and cannot persist itself.
Somewhere there is of course a physical server, and it of course runs some kernel that handles network packets and so on, but I do not know what they run. It might not be the Linux kernel, and I would assume they at the very minimum do what QubesOS does, and isolate the network driver from everything else. They of course also update and restart the servers frequently, which is easy as apps just get migrated to another server in the meantime, so no downtime.