There are not that many phone manufacturers that even allow you to change the trust anchor (which makes any of this even remotely possible). For example, Samsung uses e-fuses to burn in their signing key, rewriting recovery will permanently trip their attestation (Knox); other manufacturers use similar practices. Pixels are one of the only currently available phones with user-controlled trusted boot in mind.
Yea. It's bullshit. You can't install something like Magick and then relock the bootloader with a new signature.
A PC with UEFI (except for a few of those which Microsoft locked down) lets you turnoff secure boot, and install your own keys, and turn it back on. So you actively delete the stock keys that boot stock Microsoft/Ubuntu/Redhat, and then custom sign your Grub bootloader or UEFI-Stub Kernel, add that cert to SecureBoot and turn it back on.
You can argue device security all day long, but if manufactures can't update Android security patch sets as they come out, then you have gaps in your device security anyway.
Google controls ASOP. They could literally force manufactures to be compliant, have UEFI or devicetree as a standard, demand every device allow a stock reinstall just like Windows and even create shims to fix the broken Linux driver ABI. But there is more money in planned obsolescence. Gotta throw out that phone after two years and just buy a new one.
I'm currently using Galaxy S9 and it is the first phone I decided not to root. I've always rooted my phones since I was introduced to Android, but this time Samsung tied its crucial functionalities with Knox. And Samsung Pay was just too important to me. Too bad more manufacturers are doing this.
There are more devices supporting this than there used to be though. https://grapheneos.org/#device-support explains that it's going to support other devices. It doesn't support the Pixel 3a and Pixel 3a XL yet either. Supporting each device is a lot of work, and other devices will need to be carefully chosen. It would be harmful to make bad choices about device support and encourage people to buy insecure devices with too many issues that can't be fixed with another OS.
>So in order to get that is more secure and more independent from Google I have to buy a Google phone?
Yes, people find it ironic, but that's how it is. Google's hardware is always better than competition for security: not just in phones, but also look at chromebooks. However, not running proprietary google software is left as an exercise for the reader.
> It supports the Google Pixel range of phones only so far.
See https://grapheneos.org/#early-stage-of-development and https://grapheneos.org/#device-support. There's barely any content on the site, since it's so new, but this is covered pretty well. It does support other devices already. There's a difference between that and deciding to do all the work to provide official releases with seamless over-the-air updates covering all firmware, etc. along with porting all device-specific hardening work.
> So in order to get that is more secure and more independent from Google I have to buy a Google phone?
The goal is primarily implementing privacy and security improvements. It doesn't include Google services for privacy reasons, but that's not the purpose of the project. A project aiming to project AOSP with the baseline privacy/security intact and work to fill in gaps left by not having Play Services would be useful, but that's a tiny subset of what GrapheneOS is about. It's primarily about the privacy/security research and development work.
You can see that the GrapheneOS Auditor project supports a large range of devices already:
That's because it's quite easy to add support for each device one-by-one once users submit attestation samples with the app. The main list is for devices with the stock OS. It also supports CalyxOS and GrapheneOS on all their supported devices and will happily include other operating systems with verified boot and the security model intact. There are now a bunch of devices supporting verified boot with alternate operating systems.
Exactly my question. I have seen a bunch of these OSs, all useless because there is no build for my phone and no described path for making one. I would love to get the T-Mobile spyware off my phone. What do i do?
If you have a phone with T-Mobile spyware then it almost certainly also has a locked bootloader with no official unlock method. What are you expecting people developing alternate OSes to do about that?
The obvious way to get a phone not running T-Mobile spyware is to not buy a phone from T-Mobile.
Not trying to be snarky here, I have one of these phones too. Though if you happen to have a T-Mobile Oneplus phone like I do it is possible to flash the international ROM and replace the T-Mobile spyware with Chinese spyware.
To clarify, some of the phones you can buy directly from T-Mobile can also be bought "unlocked" in the open market.
In general, if you want any hope of unlocking your phone (either for use on other carriers or unlocking the bootloader) then you should NOT buy from the carriers' online or brick & mortar stores.
See https://grapheneos.org/#device-support. The goal of the project is not to bring security to people's existing devices. It will have official releases with all the device-specific hardening for non-Pixel phones, but they'll be devices with solid security. They probably won't be quite on the same level as Pixels, but they'll still be ones with proper security support, verified boot support for alternate operating systems, etc.
Unfortunately all you can really do is pick up a different phone. Luckily finding an old unlocked Nexus 5 or OnePlus One on ebay is pretty easy and relatively cheap.