Documentation on rejected hardware alternatives

GarfieldOS

With the recent discussions on a potential partnership with a new OEM, I've seen a lot of threads on this forum and on Mastodon requesting support for x and y OEM. The GrapheneOS team has sometimes responded, typically for Fairphone, and explained why they wouldn't be a good fit (missing security features, delay in updates, short term support, ...).

I believe this analysis to be of high value and I was wondering if it would be possible to create a document where devices that have clearly been rejected can be written, and most importantly why. This could let users understand the reasons for the lack of support from GrapheneOS, help them in picking the best hardware solution if Pixel (and therefore GrapheneOS) and iPhone are not an option, and finally help OEM in knowing what they should change to enhance the security of their products. In theory, it could suffice to look at the device requirement page, but support for each of those requirement is hard to gather depending on the device. I know that such analysis is not trivial to perform, but it has already been done for some devices so I think there could be an opportunity to capitalize on this work.

de0u

GarfieldOS I believe this analysis to be of high value and I was wondering if it would be possible to create a document where devices that have clearly been rejected can be written, and most importantly why.

Sure! I think these days a lot of people host informational pages on GitHub. People could send pull requests to propose updates. Of course, lots of free/cheap hosting services exist.

GrapheneOS

GarfieldOS This is provided through the list of requirements at https://grapheneos.org/faq#future-devices. There aren't any available non-Pixel devices meeting these requirements. OEMs can determine what's missing from the list. We have no interest in exhaustively listing out which requirements are missing for a long list of devices.

No other device meets the update requirements so that alone is a simple reason they're ruled out without needing to get into the details of security features. It's easy for people to check the frequency / delay for security and OS version support along with how long OEMs support devices. That's enough to see there aren't currently viable options outside Pixels.

Lack of proper alternate OS support rules out most devices and the number of devices remaining after applying that constraint is very low. The remaining devices are missing required security features.

We already list the requirements. We don't need to take time away from OS development and start purchasing devices we know don't meet the requirements to exhaustively check what's missing.

schweizer

GarfieldOS finally help OEM in knowing what they should change to enhance the security of their products.

@GrapheneOS I think the emphasis should lie on the above. Especially I do not understand why Fairphone is refusing to take security seriously. It cannot really be an issue with resources because GrapheneOS would be for free so it would actually free some of their ressources. Which they could use to provide timely driver updates.
A bigger deal breaker might be the security chip. Google does not sell the Titan M2 to other companies and developing an own chip might be too big a project for the small number of Fairphones sold. Maybe some other companies who do not produce their own phones could supply a chip? NXP?

For now I am happy with the bang-for-the-buck ratio of Pixel devices.

de0u

schweizer Especially I do not understand why Fairphone is refusing to take security seriously. It cannot really be an issue with resources because GrapheneOS would be for free so it would actually free some of their ressources. Which they could use to provide timely driver updates.

Lots of things get more expensive. A higher-end SoC is necessary, more work needs to be done on the bootloader. The cheapest Wi-Fi and Bluetooth chips are probably not the ones where the manufacturer works really hard on firmware security or quick updates, so those probably get more expensive. Plus, as mentioned, the secure element.

Parts get more expensive, and you need to hire something like two additional developers (not the cheapest ones). These costs are small when amortized across millions of phones, but much larger if it's only thousands of phones.

I'm not saying I think Fairphone should ignore security. But good security is actually hard and costs real money. Meanwhile, empirically, lots of people are fine without it (and in fact don't even know they don't have it).

DeletedUser622

schweizer A bigger deal breaker might be the security chip.

Why exactly? Wouldn't a long passphrase be enough?

GrapheneOS

schweizer Fairphones have atrocious security and pretend to provide a level of privacy, security, updates and long term support which they're not providing. They're closely partnered with a company that's scamming people, spreading misinformation about GrapheneOS and participating in harassment towards our team. We won't partner with Fairphone and have made that clear. We also already have an OEM partner. See https://discuss.grapheneos.org/d/24134-devices-lacking-standard-privacysecurity-patches-and-protections-arent-private for more information.

schweizer Fairphone doesn't do almost any of the work on the hardware, firmware or software for their devices. It's nearly entirely done by their ODM for them. Fairphone isn't capable of making a reasonably secure device and has made it clear they aren't interested in it. Regardless, we definitely won't be working with a company closely partnered with a company spreading misinformation about GrapheneOS and attacking our team. You can forget about us ever partnering with them, that's not happening. You should stop bringing them up.

I checked TPM security chips on mouser and it seems they cost around 2 $ each when you buy at least one reel. Usual margins are around 4x so a phone with a secure element would cost around 8 $ more than one without. For people concerned about security this should be a no brainer. They could save some money on memory and the 32 MP selfie cam imo.

TPM is a poorly designed legacy API used by desktops and shouldn't be around anymore. It's not relevant to meeting our requirements since it doesn't provide the required APIs.

de0u There's no need to talk to Fairphone about anything, we won't work with them.

schweizer

One of the purposes of the security chip is to store the "long passphrase" (cryptographic key) on a write only memory.

No, that's not at all how disk encryption works. The keys are not stored in a secure element. That's not secure. Legacy and insecure approaches used with the TPM API are not relevant to GrapheneOS.

The requirements for a security chip in terms of memory capacity are low because the keys stored there are single digit kb numbers. They are high in terms that it is not easy to produce a chip that is not readable even when soldered out.

That's wrong.

Those chips are not expensive they are in every credit card or in FIDO2 security keys (which are available in credit card format as well).

Our requirements are not for a bottom of the barrel secure element providing legacy APIs not relevant to AOSP. Our requirements are for the Android Open Source Project secure element APIs being provided, and it's implied that it's a decent implementation. You should read https://grapheneos.org/faq#future-devices which makes it clear we need specific functionality, not simply a secure element in general.

schweizer

de0u I see all your points. When we take figures, how much more would a well-supported wi-fi or bluetooth chip cost compared to a cheap-only one? Quite sure less than 1 $. Plus they sell the phones as durable so choosing hardware that will get bricked due to poor support does not really make sense even if they choose not to support GrapheneOS.

Fairphone has around 120 people hired. So even if they had to hire two additional devs to deal about the bootloader this is not an incredibly big number. And it might pay for them because if their phones would be more solid they might sell more. Fairphone is activly avoided by many at because of these concerns.

I checked TPM security chips on mouser and it seems they cost around 2 $ each when you buy at least one reel. Usual margins are around 4x so a phone with a secure element would cost around 8 $ more than one without. For people concerned about security this should be a no brainer. They could save some money on memory and the 32 MP selfie cam imo.

de0u

schweizer When we take figures, how much more would a well-supported wi-fi or bluetooth chip cost compared to a cheap-only one? Quite sure less than 1 $.

Personally I haven't priced Wi-Fi or Bluetooth chips, but it would be possible for somebody who has done so to post some prices here.

schweizer Plus they sell the phones as durable so choosing hardware that will get bricked due to poor support does not really make sense even if they choose not to support GrapheneOS.

Hardware getting "bricked" is not the issue; the issue is whether the people hired to write firmware for the chip were security-conscious (which costs extra) -- and then, whether or not when security bugs in the firmware are reported there are still people familiar enough with the chip to fix the security bugs (this definitely costs extra).

schweizer I checked TPM security chips on mouser and it seems they cost around 2 $ each when you buy at least one reel. Usual margins are around 4x so a phone with a secure element would cost around 8 $ more than one without.

Do those TPMs support generating and managing wrapped storage keys? Do they include robust hardware throttling of key-derivation attempts?

schweizer Fairphone has around 120 people hired. So even if they had to hire two additional devs to deal about the bootloader this is not an incredibly big number. And it might pay for them because if their phones would be more solid they might sell more.

Perhaps a conversation with somebody in management at Fairphone might shed light on their estimate of the costs and the benefits.

schweizer

DeletedUser622
Yes and no. You could use a long passphrase as an unlock method. But that is not user friendly at all. One of the purposes of the security chip is to store the "long passphrase" (cryptographic key) on a write only memory. And allow a four to six digit PIN to access it. Because there are only 10000 possibilities (4 digits) or 1000000 (6 digits) possibilities the chip must enable throttling otherwise the PIN could be bruteforced within a few seconds.

The requirements for a security chip in terms of memory capacity are low because the keys stored there are single digit kb numbers. They are high in terms that it is not easy to produce a chip that is not readable even when soldered out.

Those chips are not expensive they are in every credit card or in FIDO2 security keys (which are available in credit card format as well).