PINE64

Hi. Please inform me with your knowledge. =) - temp0rary - 04-01-2020

Hi! I love this, and I will buy your phone for sure! But I'm looking for the most secure OS you can run on this phone. Which one is it?
And... Can you run this OS on it? https://parrotlinux.org/ I would like that.

Can you run GrapheneOS on it? I have read it is secure. If not, why not? I mostly want to know what the most secure OS would be on a PinePhone Braveheart, when it comes to any kind of hacking attempt from hackers or the government or anyone. Out of curiosity. Thanks!


RE: Hi. Please inform me with your knowledge. =) - rico - 04-02-2020

Hey Temp0rary !
Welcome,



https://distrowatch.com/search.php?ostype=All&category=Privacy&origin=All&basedon=Debian&notbasedon=None&desktop=All&architecture=All&package=All&rolling=All&isosize=All&netinstall=All&language=All&defaultinit=All&status=Active#simple

The search example above shows you Debian-based, privacy-oriented distros (because I think a secured OS is not really a pentest OS, privacy is a good starting point to search for what you're looking for).
It's a question of time to have that kind of 'out of the box' distro on PinePhone (even pentest ones, I hope).


RE: Hi. Please inform me with your knowledge. =) - temp0rary - 04-02-2020

(04-02-2020, 03:12 AM)rico Wrote: Hey Temp0rary !
Welcome,



https://distrowatch.com/search.php?ostype=All&category=Privacy&origin=All&basedon=Debian&notbasedon=None&desktop=All&architecture=All&package=All&rolling=All&isosize=All&netinstall=All&language=All&defaultinit=All&status=Active#simple

The search example above shows you Debian-based, privacy-oriented distros (because I think a secured OS is not really a pentest OS, privacy is a good starting point to search for what you're looking for).
It's a question of time to have that kind of 'out of the box' distro on PinePhone (even pentest ones, I hope).
Thanks.
They have a home edition which is without security tools and pentesting. But a secure OS.
Does the PinePhone only run Debian? What can it run and where can I learn more about it?
This would be interesting also:
https://grapheneos.org/faq#device-support

Thanks


RE: Hi. Please inform me with your knowledge. =) - bcnaz - 04-02-2020

You are in luck, as they did just start taking pre-orders for the next PinePhone release today!

Debian just by its design is a fairly secure distro "out of the box".

PureOS does claim to be designed to be secure; the Librem 5 phone is marketed as a secure phone.
The users and developers here have been working to port PureOS to the PinePhone.

BUT ultimately the phone's user/owner can make or break how secure the phone actually is when in use.

NOTE: Perhaps I should have used the word 'Private' instead of 'Secure'....
Depends on your word definitions.


RE: Hi. Please inform me with your knowledge. =) - wibble - 04-03-2020

I don't think we can do a verified boot with the hardware in the PinePhone, and without that it doesn't look like they'll consider a port. There's probably a similar requirement for a hardware keystore. Depending on your threat model those could be a deal breaker for you too. You could probably verify the boot media separately though, and the bootloader is immutable in silicon. If that's ok then look at the wiki or this forum for the list of OS ports being worked on.
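An added example, not part of the post above or of any PINE64 tooling: one way to check boot media offline is to read the bootloader region back from the card on a separate machine and compare it with a reference U-Boot binary. The 8 KiB offset is an assumption based on the usual sunxi SD-card layout, and the file names are hypothetical; the sample data is constructed.

```python
import hashlib
import hmac
import os
import tempfile

SPL_OFFSET = 8 * 1024  # assumption: sunxi SD layout, SPL/U-Boot starts at 8 KiB

def region_digest(path, offset, length, chunk=1 << 20):
    """SHA-256 of `length` bytes at `offset`; raises if the media is too short."""
    h = hashlib.sha256()
    remaining = length
    with open(path, "rb") as f:
        f.seek(offset)
        while remaining:
            block = f.read(min(chunk, remaining))
            if not block:
                raise ValueError(f"{path}: short read, {remaining} bytes missing")
            h.update(block)
            remaining -= len(block)
    return h.hexdigest()

def verify_region(media, reference, offset=SPL_OFFSET):
    """True if media[offset:offset+len(reference)] matches the reference file."""
    length = os.path.getsize(reference)
    expected = region_digest(reference, 0, length)
    actual = region_digest(media, offset, length)
    return hmac.compare_digest(expected, actual)

def demo():
    """Constructed sample: a fake card image with a fake bootloader at 8 KiB."""
    with tempfile.TemporaryDirectory() as d:
        ref = os.path.join(d, "u-boot-reference.bin")  # hypothetical name
        card = os.path.join(d, "card.img")             # stands in for /dev/sdX
        boot = bytes(range(256)) * 32                  # 8 KiB of constructed bytes
        with open(ref, "wb") as f:
            f.write(boot)
        with open(card, "wb") as f:
            f.write(b"\0" * SPL_OFFSET + boot + b"\xff" * 4096)
        clean = verify_region(card, ref)
        with open(card, "r+b") as f:                   # alter one byte in the region
            f.seek(SPL_OFFSET + 100)
            f.write(b"\xaa")
        tampered = verify_region(card, ref)
        return clean, tampered

if __name__ == "__main__":
    print(demo())
```

The read-back has to happen on a machine you trust, since a compromised phone can misreport its own storage. Only regions that stay constant are worth hashing this way; the root filesystem changes on first boot.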


RE: Hi. Please inform me with your knowledge. =) - temp0rary - 04-11-2020

Ok, thanks. Another thing I'm wondering about is the open hardware. Can you guys please inform or educate me on the topic of hardware? Links and such. Open vs closed hardware and secure hardware! I don't know anything about it, but I know what closed and open source code is, and I will choose open source code because it's tested. How do you all know there are backdoors or not in phones or computers?
NSA backdoors or google backdoors and so on.. They seem to be hard to detect!

https://www.technologyreview.com/2013/10/08/176195/nsas-own-hardware-backdoors-may-still-be-a-problem-from-hell/
https://arstechnica.com/information-technology/2017/04/nsa-backdoor-detected-on-55000-windows-boxes-can-now-be-remotely-removed/

Someone on reddit wrote this:
"The Librem 5 and Pinephone are entirely closed hardware with closed source firmware
There are no available open hardware phones, you've fallen for misinformation propagated by clueless people on places like Reddit
Even if there was open hardware (which there isn't) I don't know how you think that would protect against hardware backdoors
Also, the Pinephone is missing tons of the expected security features among other things
Read all of https://grapheneos.org/faq#device-support and in the future make sure to check the FAQ before asking questions
"

So.. How secure is the PinePhone compared to Google Pixel and so on? Thanks

edit: I want something like this! Open hardware
https://www.youtube.com/watch?v=GDaU_H2bOd0


RE: Hi. Please inform me with your knowledge. =) - wibble - 04-12-2020

How puritanical do you want to get? If you look hard enough there's always something that's not open. A bit of web searching will give you the details about various interpretations of open hardware, but the general idea is that it should make available everything you need to buy the commodity materials and build it yourself. It doesn't necessarily require that the commodity bits are 'open' though - the Arduino is generally considered pretty open, but the FTDI and AVR chips on it are anything but, and you'll probably have a hard time proving whether the ones you bought are genuine or fake, or what they're doing internally.

Anything with legal radio transmitters in will almost certainly be partly closed. Pretty much every country on the planet has regulatory requirements around radio transmission, and the regulators generally don't like the idea of anyone altering transmission characteristics, so they tend to require that end users don't get to mess with any software that's built in to radio devices. Not long back the FCC were seriously considering forcing WiFi device manufacturers to lock the bootloaders to prevent things like OpenWrt being possible. Another problem is that the radio communications standards are usually full of patented stuff and trade secrets with multiple layers of licensing and non-disclosure terms. Then there's the problem of manufacturers who won't even talk to you unless you're ordering in the tens of thousands of parts. Most of them seem not to care about open source.

The radio parts are probably what the reddit post was talking about - closed radio modules with closed firmware. For the rest of the PinePhone we have schematics and source, but not gerbers or design files for the PCB, or solid models for any parts but the back cover. People have grumbled about GPL-violating stuff from Allwinner, but that's not being used. Instead the reverse-engineered open code from Sunxi is used in both the U-Boot bootloader and the Linux kernel. The only blob used so far as I'm aware is the firmware for the BT/WiFi device, which is pretty much inevitable for the reasons above.

Secure hardware is another matter. We know we can't trust the radio modules, so we communicate with them over connections with limited capabilities (no memory access!) and have some control over their power supply via hardware switches. The reddit user is correct about lack of verified boot as I pointed out before, and lack of a TPM or similar. Note that several TPMs have subsequently been found not to be trustworthy because of bugs.

Is the PinePhone fully open? No, although I don't think it's been claimed to be. It's not quite as open as the Openmoko GTA01 or GTA02, or Goldendelico's GTA04, but it's not far off. Openmoko were using a near-obsolete radio chipset from Texas Instruments, and that still had closed firmware and an NDA that meant they couldn't release that bit of the schematic. The Atheros WiFi module had its closed firmware on a ROM which made the FSF happy, but meant we couldn't update it when the inevitable bugs were found. IIRC the GTA04 used a modem module similar to the Quectel on the PinePhone.

Is it more or less secure than hardware from Google? Depends on your threat model, and who you trust. Google have verified boot, but they've also got a tightly integrated radio solution from Qualcomm that may well have direct access to memory, and we really don't know what's in the part with the TPM functionality. On some of the Chromebooks the equivalent sits on the CPU's JTAG lines IIRC.
https://linux-sunxi.org/A64