Inferencium/website
1
0
Fork 0
Code Issues Activity

Add sources. Improve text.

Browse Source
This commit is contained in:
inference 2022-11-03 00:11:16 +00:00
parent 28150d1025
commit c0e2332b7c
1 changed files with 34 additions and 23 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

57
about.html
View File

@ -52,24 +52,29 @@
<br>
Google Pixel 6</td>
<td>Google Pixel devices are the best Android devices available on
the market for security and privacy.<br>
the market for
<a class="table-link" href="https://security.googleblog.com/2021/10/pixel-6-setting-new-standard-for-mobile.html">security and privacy</a>.<br>
<br>
They allow locking the bootloader with a custom Android Verified Boot (AVB)
key in order to preserve security and privacy features when installing a custom
operating system, such as verified boot which verifies that the OS has not been
corrupted or tampered with, and rollback protection which prevents an adversary
from rolling back the OS or firmware version to a previous version with known
security vulnerabilities.<br>
They allow locking the bootloader with a
<a class="table-link" href="https://android.googlesource.com/platform/external/avb/+/master/README.md#pixel-2-and-later">custom Android Verified Boot (AVB)
key</a> in order to preserve security and privacy features when installing a custom
operating system, such as
<a class="table-link" href="https://source.android.com/docs/security/features/verifiedboot/">verified boot</a>
which verifies that the OS has not been corrupted or tampered with, and
<a class="table-link" href="https://source.android.com/docs/security/features/verifiedboot/verified-boot#rollback-protection">rollback protection</a>
which prevents an adversary from rolling back the OS or firmware version to a
previous version with known security vulnerabilities.<br>
<br>
They also include a hardware security module (Titan M2) which is extremely resistant
to both remote and physical attacks due to being completely isolated from
the rest of the system, including the operating system. Titan M2 ensures that
the device cannot be remotely compromised by requiring the side buttons of the
device to be physically pressed for some sensitive operations. Titan M2 also
takes the role of Android Strongbox keystore, containing sensitive user keys which
are unavailable to the OS or apps running on it without authorisation from Titan M2
itself. Insider attack resistance ensures that Titan M2 firmware can be flashed only
if the user PIN/password is already known, making it impossible to backdoor the device
They also include a hardware security module
(Titan M2, improving on the first generation <a class="table-link" href="https://security.googleblog.com/2018/10/building-titan-better-security-through.html">Titan M</a>)
which is extremely resistant to both remote and physical attacks due to being
completely isolated from the rest of the system, including the operating system.
Titan M2 ensures that the device cannot be remotely compromised by requiring the
side buttons of the device to be physically pressed for some sensitive operations.
Titan M2 also takes the role of Android Strongbox keystore, containing sensitive user
keys which are unavailable to the OS or apps running on it without authorisation from
Titan M2 itself. Insider attack resistance ensures that Titan M2 firmware can be flashed
only if the user PIN/password is already known, making it impossible to backdoor the device
without already knowing these secrets.<br>
<br>
Google Pixel device kernels are compiled with fine-grained, forward-edge control-flow
@ -119,8 +124,8 @@
apply includes stack protection, signed integer overflow wrapping, and GrapheneOS'
hardened_malloc memory allocator.<br>
<br>
You can find my personal Gentoo Linux configuration
<a class="table-link" href="https://git.inferencium.net/inference/cfg/">here</a>.</td>
You can find my personal Gentoo Linux configuration in my personal
<a class="table-link" href="https://git.inferencium.net/inference/cfg/">configuration respository</a>.</td>
<td>Open source<br>
<br>
(GPLv2-only)</td>
@ -170,9 +175,15 @@
codebase. Its hardening includes closing gaps for apps to access sensitive
system information, a secure app spawning feature which avoids sharing address
space layout and other secrets AOSP's default Zygote app spawning model would
share, GrapheneOS' own hardened memory allocator (hardened_malloc) to protect
against common memory corruption vulnerabilties, hardened Bionic standard C library,
and local and remote hardware-backed attestation (Auditor) to ensure the OS has
share,
<a class="table-link" href="https://github.com/GrapheneOS/kernel_gs-gs101/">hardened kernel</a>,
hardened memory allocator
(<a class="table-link" href="https://github.com/GrapheneOS/hardened_malloc/">hardened_malloc</a>)
to protect against common memory corruption vulnerabilties,
<a class="table-link" href="https://github.com/GrapheneOS/platform_bionic/">hardened Bionic standard C library</a>,
<a class="table-link" href="https://github.com/GrapheneOS/platform_system_sepolicy/">stricter SELinux policies</a>,
and local and remote hardware-backed attestation
(<a class="table-link" href="https://attestation.app/">Auditor</a>) to ensure the OS has
not been corrupted or tampered with. GrapheneOS only supports devices which receive
full support from their manufacturers, including firmware updates, long support
lifecycles, secure hardware, and overall high security practices.<br>
@ -196,8 +207,8 @@
compilation by default, stubbing out the battery status API to prevent abuse of it,
and always-on Incognito mode as an option.<br>
<br>
Vanadium's source code repository, including its Chromium patchset, can be found
<a class="table-link" href="https://github.com/GrapheneOS/Vanadium/">here</a>.</td>
Vanadium's source code, including its Chromium patchset, can be found in its
<a class="table-link" href="https://github.com/GrapheneOS/Vanadium/">official repository</a>.</td>
<td>Open source<br>
<br>
(GPLv2-only)</td>