
Comment by Fire-Dragon-DoL

1 year ago

It's impossible because of hardware attestation. Until something is done for that (and "legal" seems the only way), there is no solution.

Android Virtualization Framework with pKVM on Pixel 7+ can technically allow unmodified Linux VMs to run in parallel with "official" VMs that pass hardware attestation. This feature is not yet exposed to end-users.

  • The point is that apps you need to run will only do so in the "official" VMs that pass hardware attestation and will intentionally fail in the unmodified Linux VMs.

    • If a banking app or DRM-encumbered streaming app can run in the official attested VM, what would be the benefit of running such closed apps in unmodified Linux VMs?

      If banks and streaming vendors don't trust unmodified VMs, why would open-source Linux VMs trust closed apps with binary blobs?

      One benefit of running open-source Linux VMs is access to the vast corpus of mature open-source software applications packaged by Debian, Fedora, etc.
