| ▲ | revolvingthrow 12 hours ago | |||||||
Is it possible to dual-boot on android? It sounds defeatist but I no longer believe it’s possible to change course - the increasingly authoritarian governments, google and most moneyed interests are all on the same side, so it’s just a matter of when. Being on the palantir-approved google ranch for the few Apps You Need + graphene (or some other alt OS) for everything else would be quite inconvenient, but still better than carrying two phones, which nobody wants to do. | ||||||||
| ▲ | strcat an hour ago | parent | next [-] | |||||||
Dual booting would sacrifice a lot of the hardware-based security feature integration and would be much further from passing attestation checks. GrapheneOS fully supports hardware-based attestation but Google doesn't permit it in the Play Integrity API. Directly booting the fully unmodified stock OS is required to pass the hardware attestation checks for the stock OS. GrapheneOS appears as GrapheneOS in the attestation metadata and a dual boot setup would appear as that specific dual boot setup. Since it would have a bunch of security sacrificed for it, it would be far harder to convince services to permit that. It would be counterproductive. GrapheneOS has near perfect app compatibility other than the Play Integrity API banning it from the overall tiny number of apps using it. It has per-app compatibility toggles for privacy and security features which trip other anti-tampering checks, find memory corruption bugs in apps, etc. There are a couple known compatibility issues from anti-tampering checks from the secure spawning feature but it has a toggle. The stock OS isn't what's needed but rather directly booting it from the firmware with 0 modifications. Dual booting would require booting something else and major modifications to deal with hardware APIs not designed for multiple operating systems using them at the same time. Secure element / TEE APIs including the hardware keystore and attestation, etc. are not designed for dual boot. A/B updates, verified boot, firmware updates, etc. would need to be dealt with by the bootloader system. It would be complex and messy. The end result would not be a hardened device or one compatible with standard attestation checks. | ||||||||
| ▲ | 2 hours ago | parent | prev | next [-] | |||||||
| [deleted] | ||||||||
| ▲ | nout 3 hours ago | parent | prev | next [-] | |||||||
Some retrogaming devices have multi-boot options where you can pick between android and linux (e.g. Anbernic RG353V). | ||||||||
| ▲ | vegenaise 3 hours ago | parent | prev | next [-] | |||||||
i cannot speak to the current situation, but years and years ago, it was a thing. i had a crappy motorola razr smartphone in like 2012 that i set up dualboot on, and i think i also had dualboot on my google nexus 5, though i could be mistaken about that. it was a thing though. | ||||||||
| ▲ | palata 10 hours ago | parent | prev | next [-] | |||||||
Well, authoritarian governments don't like to be at the mercy of another country. So even for authoritarian governments it would make a lot of sense to allow open source alternatives like GrapheneOS instead of depending entirely on US monopolies. | ||||||||
| ▲ | zb3 6 hours ago | parent | prev [-] | |||||||
GrapheneOS said that's not possible, but I'd actually want to see some expanded explanation. TEE attests that the OS is booted with a given AVB key, OS version and the bootloader unlock state.. But I know that vbmeta is per-slot, so I guess the whole chain is.. I also read that if you flash "custom_avb_key", the original AVB key is also permitted.. Could this mean we could theoretically dual-boot while being able to flash the OS manually using fastbootd? Credential Encrypted userdata would be unaccessible though, I'm not sure if the second OS could mount that partition at all. But I'd like someone more competent to address all this. | ||||||||
| ||||||||