Is there any privacy or security advgantage to building GrapheneOS yourself?

AdelCraft

Is there any privacy or security advgantage to building GrapheneOS yourself? Also, can you relock the bootloader out-of-the-box with the public and official build or you need your own private build for that?

userofgos

AdelCraft Also, can you relock the bootloader out-of-the-box with the public and official build

Re-locking the bootloader is necessary to enable full verified boot for GrapheneOS to be secure. https://grapheneos.org/install/web#locking-the-bootloader

Locking the bootloader is important as it enables full verified boot. It also prevents using fastboot to flash, format or erase partitions. Verified boot will detect modifications to any of the OS partitions and it will prevent reading any modified / corrupted data. If changes are detected, error correction data is used to attempt to obtain the original data at which point it's verified again which makes verified boot robust to non-malicious corruption.

de0u

AdelCraft Is there any privacy or security advgantage to building GrapheneOS yourself?

It depends on your threat model (what you want to conceal/defend against whom). For most people (e.g., most people who are not in a position to audit the code), probably not.

Before going that route that I would recommend reading all of the material on the GrapheneOS web site (Features, Usage, FAQ).

Unknown-Phallus

AdelCraft You will be able to re-lock the bootloader with either.
There are no advantages in security or privacy when making your own build of GrapheneOS, only disadvantages to security and Privacy (Seamless updates via GOS servers etc.). HOWEVER these disadvantages could be outweighed by advantages if your focus was not strictly security and privacy (eg. building a release build that hides, shrouds, and makes it DAMN NEAR Impossible for apps installed to decipher, infer, figure out, or see that they're running on an emulator). 😁😁🧐🐥🖖

traveller

Unknown-Phallus building a release build that hides, shrouds, and makes it DAMN NEAR Impossible for apps installed to decipher, infer, figure out, or see that they're running on an emulator

What do you mean running on an emulator? Did you mean "Running on a non-original OS"?

traveller

I am wondering about privacy/security disadvantages of running a manually-built Graphene.
From what I understand, the autoupdate system will not work in any form at all, so the device would need to be periodically manually re-flashed with a newly built Graphene to apply latest security patches (that includes losing all the data of course).

Are there other hidden implications though?

de0u

traveller I am wondering about privacy/security disadvantages/implications of running a manually-built Graphene.

From what I understand, the autoupdate system will not work in any form at all, so the device would need to be periodically manually re-flashed with a newly built Graphene to apply latest security patches (that includes losing all the data of course).

Not at all.

If the build directions are followed, including management of the signing keys, it is possible to apply so-called OTA updates safely via USB -- or to run a personal update server.

I recommend that interested parties read material on the GrapheneOS web site (Features, Usage, FAQ) -- also the build directions.

traveller

de0u I recommend that interested parties read material on the GrapheneOS web site (Features, Usage, FAQ) -- also the build directions.

thanks, will do! Been planning to try building Graphene for quite a while now :)

Unknown-Phallus

traveller My Namesake referring to a Virtual Machine, a VM, something akin to VirtualBox, VMware, Bluestacks, UTM, QEMU, Android Studio AVD etc. Where you make a virtual pixel device and then install Android on that virtual pixel phone and That virtual pixel phone is on your computer.