From 8db774a40008521b08fe745f39585cabea803d3a Mon Sep 17 00:00:00 2001 From: inference Date: Mon, 7 Nov 2022 08:55:02 +0000 Subject: [PATCH 1/4] Improve link formatting. --- about.html | 84 ++++++++++++++++++++++++++++++------------------------ 1 file changed, 47 insertions(+), 37 deletions(-) diff --git a/about.html b/about.html index 104cc79..01b2668 100644 --- a/about.html +++ b/about.html @@ -57,33 +57,35 @@ Google Pixel 6 Google Pixel devices are the best Android devices available on the market for - security and privacy.
+ security and privacy.

They allow locking the bootloader with a - custom Android Verified Boot (AVB) - key in order to preserve security and privacy features when installing a custom + custom Android Verified Boot (AVB) key in order to preserve security and privacy features when installing a custom operating system, such as - verified boot - which verifies that the OS has not been corrupted or tampered with, and - rollback protection - which prevents an adversary from rolling back the OS or firmware version to a + verified boot which verifies that the OS has not been corrupted or tampered with, and + rollback protection which prevents an adversary from rolling back the OS or firmware version to a previous version with known security vulnerabilities.

They also include a - hardware security module - (Titan M2, improving on the previous generation - Titan M) - which is extremely resistant to both remote and physical attacks due to being + hardware security module (Titan M2, improving on the previous generation + Titan M) which is extremely resistant to both remote and physical attacks due to being completely isolated from the rest of the system, including the operating system. Titan M2 ensures that the device cannot be remotely compromised by requiring the side buttons of the device to be physically pressed for some sensitive operations. Titan M2 also takes the role of - Android StrongBox Keymaster, - a hardware-backed Keystore - containing sensitive user keys which are unavailable to + Android StrongBox Keymaster, + a hardware-backed Keystore containing sensitive user keys which are unavailable to the OS or apps running on it without authorisation from Titan M2 itself. - Insider attack - resistance ensures that Titan M2 firmware can be flashed only if the user PIN/password + Insider attack resistance ensures that Titan M2 firmware can be flashed only if the user PIN/password is already known, making it impossible to backdoor the device without already knowing these secrets.

@@ -147,7 +149,8 @@ hardened_malloc memory allocator.

You can find my personal Gentoo Linux configuration in my personal - configuration respository. + configuration respository. Open source

(GPLv2-only) @@ -160,17 +163,21 @@ Chromium is a highly secure web browser which is often ahead of other web browsers in security aspects. It has a dedicated security team and a very impressive - security brag sheet. + security brag sheet. Chromium's security features include a strong - multi-layer sandbox, - strong site isolation, - Binding Integrity - memory hardening, and - control-flow integrity (CFI).
+ multi-layer sandbox, + strong site isolation, + Binding Integrity memory hardening, and + control-flow integrity (CFI).

You can learn more about Chromium by visiting its - official website - which provides extensive documentation. + official website which provides extensive documentation. Open source

(BSD 3-Clause) @@ -198,21 +205,23 @@ system information, a secure app spawning feature which avoids sharing address space layout and other secrets AOSP's default Zygote app spawning model would share, - hardened kernel, - hardened memory allocator - (hardened_malloc) - to protect against common memory corruption vulnerabilties, - hardened Bionic standard C library, - stricter SELinux policies, - and local and remote hardware-backed attestation - (Auditor) to ensure the OS has - not been corrupted or tampered with. GrapheneOS only supports devices which receive + hardened kernel, hardened memory allocator + (hardened_malloc) to protect against common memory corruption vulnerabilties, + hardened Bionic standard C library, + stricter SELinux policies, and local and remote hardware-backed attestation + (Auditor) to ensure the OS has not been corrupted or tampered with. + GrapheneOS only supports devices which receive full support from their manufacturers, including firmware updates, long support lifecycles, secure hardware, and overall high security practices.

For an extensive list of features GrapheneOS provides, visit its - official website - which provides extensive documentation. + official website which provides extensive documentation. Open source

(MIT) @@ -230,7 +239,8 @@ and always-on Incognito mode as an option.

Vanadium's source code, including its Chromium patchset, can be found in its - official repository. + official repository. Open source

(GPLv2-only) From 55196ecd562b63a1a0cd90df44dd85132b77250f Mon Sep 17 00:00:00 2001 From: inference Date: Mon, 7 Nov 2022 08:55:56 +0000 Subject: [PATCH 2/4] Change Auditor link target to Auditor about page. --- about.html | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/about.html b/about.html index 01b2668..e263a96 100644 --- a/about.html +++ b/about.html @@ -213,7 +213,7 @@ >hardened Bionic standard C library, stricter SELinux policies, and local and remote hardware-backed attestation - (Auditor) to ensure the OS has not been corrupted or tampered with. GrapheneOS only supports devices which receive full support from their manufacturers, including firmware updates, long support From a72348091d6d3c3a721aee8a1a1b2b1d724c8bbc Mon Sep 17 00:00:00 2001 From: inference Date: Mon, 7 Nov 2022 08:56:56 +0000 Subject: [PATCH 3/4] Change GrapheneOS official website link target to GrapheneOS features page. --- about.html | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/about.html b/about.html index e263a96..7a16c92 100644 --- a/about.html +++ b/about.html @@ -220,7 +220,7 @@ lifecycles, secure hardware, and overall high security practices.

For an extensive list of features GrapheneOS provides, visit its - official website which provides extensive documentation. Open source

From e6af096788191a34cc4bbc6280406c4eb2e87543 Mon Sep 17 00:00:00 2001 From: inference Date: Mon, 7 Nov 2022 09:04:09 +0000 Subject: [PATCH 4/4] Add hardened_malloc source to Gentoo Linux description. Add GrapheneOS device support source. --- about.html | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/about.html b/about.html index 7a16c92..4274929 100644 --- a/about.html +++ b/about.html @@ -146,7 +146,8 @@ I have focused on security hardening and privacy hardening, placing performance below those aspects, although my system is still very performant. Some of the hardening I apply includes stack protection, signed integer overflow wrapping, and GrapheneOS' - hardened_malloc memory allocator.
+ hardened_malloc memory allocator.

You can find my personal Gentoo Linux configuration in my personal stricter SELinux policies, and local and remote hardware-backed attestation (Auditor) to ensure the OS has not been corrupted or tampered with. - GrapheneOS only supports devices which receive + GrapheneOS only supports + high security and well-supported devices which receive full support from their manufacturers, including firmware updates, long support lifecycles, secure hardware, and overall high security practices.