PinePhone Security
#1
I'm wondering if PinePhone has any of the following or is planned to have any of the following:

1) Titan M-like security chip
2) Hardware-backed keystore
3) Verified boot
4) Wifi and Cellular Baseband Isolation IOMMU
5) Device-specific software hardening (like kernel CFI)

Thanks - and feel free to discuss!
#2
It doesn't have 1-3 so far as I know, and I think verified boot would need a different cpu if I understand the boot process correctly. See https://linux-sunxi.org/BROM#A64
4 - my cursory understanding is that the cellular is pretty well isolated, with most connection being via USB, and not having memory access. WiFi connects via SDIO so might have DMA. I don't know about IOMMU on the A64. Schematics and A64 docs are in the wiki so you can dig deeper if you know what you're looking for.
5. I don't know what's been done on that front.
#3
(02-20-2021, 02:06 PM)wibble Wrote: It doesn't have 1-3 so far as I know, and I think verified boot would need a different cpu if I understand the boot process correctly. See https://linux-sunxi.org/BROM#A64
4 - my cursory understanding is that the cellular is pretty well isolated, with most connection being via USB, and not having memory access. WiFi connects via SDIO so might have DMA. I don't know about IOMMU on the A64. Schematics and A64 docs are in the wiki so you can dig deeper if you know what you're looking for.
5. I don't know what's been done on that front.

Sounds like we have to choose between security & control still :(
GrapheneOS: security
Pine64 / purism: you actually have access to your own equipment (which the GOS dev seems to think is impossible to have while maintaining security)

However, if #1-5 are fulfilled by a FOSS phone, then I would make the switch considering we cannot know what is hidden in Google's firmware (despite secure boot making it impossible to modify).
#4
(03-12-2021, 05:48 AM)TurpentineOS Wrote: ...
However, if #1-5 are fulfilled by a FOSS phone, then I would make the switch considering we cannot know what is hidden in Google's firmware (despite secure boot making it impossible to modify).
I think the software for the pinephone is not trustworthy yet[0]. Even if we accept that the volunteers, who prepare the distros, are doing their best, this is still a general-purpose computer with many options set to undesirable defaults for people looking for "security out of the box". Still, I use it daily because I expect it to be more secure than some alternative, cheaper devices.

[0] I've just found that on my phone systemd-resolve is listening on a port facing the internet and had to fix its settings. I hope someday I will be able to just uninstall it. :)
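One way to check a phone for the kind of exposure described in post #4, a service listening on a non-loopback address. This is an added example, not part of the thread or of any PinePhone distro; the function names are hypothetical and the sample socket table is constructed.

```python
import ipaddress

# Constructed sample in /proc/net/tcp format (not data from the thread).
SAMPLE_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 3500007F:0035 00000000:0000 0A 00000000:00000000 00:00000000 00000000   193        0 20001 1
   1: 00000000:14EB 00000000:0000 0A 00000000:00000000 00:00000000 00000000   193        0 20002 1
   2: 0A01A8C0:A1B2 5DB8D85D:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 20003 1
"""

TCP_LISTEN = "0A"  # st column value for a listening TCP socket


def decode_addr(hex_addr):
    """Decode the kernel's hex address (IPv4 or IPv6) into an ipaddress object."""
    raw = bytes.fromhex(hex_addr)
    # Each 32-bit word is printed in host byte order; assume little-endian.
    fixed = b"".join(raw[i:i + 4][::-1] for i in range(0, len(raw), 4))
    addr = ipaddress.ip_address(fixed)
    mapped = getattr(addr, "ipv4_mapped", None)  # ::ffff:a.b.c.d -> a.b.c.d
    return mapped or addr


def exposed_listeners(table_text, listen_state=TCP_LISTEN):
    """Return (address, port) for listening sockets not bound to loopback."""
    found = []
    for line in table_text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 4 or fields[3] != listen_state:
            continue
        addr_hex, port_hex = fields[1].split(":")
        addr = decode_addr(addr_hex)
        if not addr.is_loopback:
            found.append((str(addr), int(port_hex, 16)))
    return found


if __name__ == "__main__":
    print(exposed_listeners(SAMPLE_TCP))
    for path in ("/proc/net/tcp", "/proc/net/tcp6"):
        try:
            with open(path) as fh:
                print(path, exposed_listeners(fh.read()))
        except OSError:
            pass  # not a Linux host, or the file is unreadable
```

For `/proc/net/udp` and `/proc/net/udp6`, pass `listen_state="07"`, the state the kernel reports for unconnected UDP sockets.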
#5
(03-13-2021, 03:41 AM)bosi564 Wrote:
(03-12-2021, 05:48 AM)TurpentineOS Wrote: ...
However, if #1-5 are fulfilled by a FOSS phone, then I would make the switch considering we cannot know what is hidden in Google's firmware (despite secure boot making it impossible to modify).
I think the software for the pinephone is not trustworthy yet[0]. Even if we accept that the volunteers, who prepare the distros, are doing their best, this is still a general-purpose computer with many options set to undesirable defaults for people looking for "security out of the box". Still, I use it daily because I expect it to be more secure than some alternative, cheaper devices.

[0] I've just found that on my phone systemd-resolve is listening on a port facing the internet and had to fix its settings. I hope someday I will be able to just uninstall it. :)

If the internet is too dangerous for you, you always have the hardware switch to turn off networking, and play 2048 and chess with yourself.

