Comment by transpute
1 year ago
Sadly unsupportable by GrapheneOS, https://discuss.grapheneos.org/d/11655-install-gos-on-onyx-b...
> it's far from meeting the security requirements. It has a Snapdragon 662 with Android 11 firmware/software. See https://grapheneos.org/faq#future-devices for the list of requirements. No particular reason someone can't make a secure e-ink device but the existing ones are awful in this regard.
Pixel Tablet is relatively affordable, supported by GrapheneOS, with 8GB RAM, MTE, pKVM nested virt that can run standard Linux VMs alongside Android, Titan RoT, Tensor TPU, UWB precision location tracking and WiFi6.
> Pixel Tablet is relatively affordable, supported by GrapheneOS, with 8GB RAM, MTE, pKVM nested virt that can run standard Linux VMs alongside Android, Titan RoT, Tensor TPU, UWB precision location tracking and WiFi6.
It's also not phone-sized or e-ink, which makes it basically entirely different from the Boox Palma.
Pixel is supported until June 2028.
Palma is running a closed fork of Linux with non-upstream drivers, https://old.reddit.com/r/Onyx_Boox/comments/1btqzoa/palma_is...
Small size and e-ink screen.. for 7 months.
Does graphene actually setup nested virt? From my research nested virt on android never got any community traction. No usable solutions. Am I wrong?
> Does graphene actually setup nested virt?
Nested virt with pKVM is the way forward to balance the competing goals of security, usability, freedom, individuals, and corporate supply chains. pKVM is still in development for GrapheneOS. It's present and running, but VM features are not yet actively used.
AVF (pKVM for Pixels or gunyah for Qualcomm) is enabled and usable by developers on stock Android 11+, https://android.googlesource.com/platform/packages/modules/V...
> From my research nested virt on android never got any community traction
It will take time before mobile nested virt is easily accessible to end-users, but pKVM was upstreamed to mainline Linux and AVF was shipped on Android two years ago, so nested virt is here for the long haul and can incrementally reduce dependence on TrustZone.
Nested virt has been available on x86 for a decade (KVM, Bromium vSentry / HP SureClick, Microsoft Defender App Guard), on Apple Silicon since M2, MacOS since M3 and iPadOS since M4 (Secure eXclave VM). On mobile, it can sidestep some business model conflicts which torpedoed Nokia, RIM, Maemo, Meego, Tizen, etc.
Not sure I could care less about the security of my e-reader.
Many people end up logging into Google for the play store which puts a pretty sensitive credential on an untrusted device.
Secure, offline, handheld e-ink Android device with pKVM VMs could be used for more than e-reading.