DivestOS: long term device support with enhanced privacy and security

SkewedZeppelin · June 12, 2020, 8:29pm

I am releasing DivestOS.
It is an aftermarket system for many devices.
Based on LineageOS with many security and privacy features.
Unmodified F-Droid is included.

Site: https://divestos.org
Source: DivestOS Mobile · GitHub (also mirrored on GitLab)
Credits: About - DivestOS Mobile

Any and all feedback is much appreciated.
Thanks!

anon88801960 · June 12, 2020, 9:53pm

This looks really good! Sadly my device is not supported and I don’t have the knowledge to build one.
The only bad thing is that in LineageOS 17 they removed Privacy Guard, it was really useful for me

alaskalinuxuser · June 13, 2020, 12:26pm

If you would ever like to learn, I have an entire YouTube channel with over 24 hours of video dedicated to how to do that:

https://m.youtube.com/channel/UCnGqG_jyyXmTzdamBpKfeHA

All the videos are under the creative common license and also available at my gitlab if you don’t use YouTube.

As for DivestOS, it looks really good. Might have to give it a try myself…

anon88801960 · June 14, 2020, 7:18am

I’ll take a look at that, thanks.

m999 · June 14, 2020, 1:03pm

How can I check a downloaded file from divestos.org?
I cannot find a checksum or PGP signature.

SkewedZeppelin · June 14, 2020, 1:17pm

Signatures are not yet available, but there are checksums for all files.
Both .md5sum and .sha512sum

eg. https://divestos.org/builds/LineageOS/angler/divested-15.1-20200510-dos-angler.zip.sha512sum

edit: checksums are broken and will require manual editing until next builds
see Fixup broken checksum generation · Divested-Mobile/DivestOS-Build@5b9e447 · GitHub

m999 · June 14, 2020, 1:46pm

Thanks, it would be helpful to put the checksums directly on the download page.
But I cannot find a checksum for the recovery file.

SkewedZeppelin · June 14, 2020, 2:32pm

Links have been added.

m999 · June 14, 2020, 7:12pm

That’s good, thank you.

anon46495926 · June 17, 2020, 5:32pm

I like the info’ on the site, the smaller number of default installed apps, hosts file blocking, and minimal microG/UnifiedNLP/location setup. There’s a lot more features I don’t know enough to fully appreciate. I’d prefer Orbot included in VPN mode from the start, but I could always download to PC and local install that apk before turning on cell and wifi. No offense to f-droid, but I don’t usually install the privileged extension.

On Nexus 6 shamu (listed as Untested), microphone does not work when making a call. This is a show stopper for a phone obviously. Simple voice recorder from f-droid records voice OK. Phone permissions settings show phone Microphone as “never accessed”. I rebooted a couple times as suggested some places but no luck so far. Oddly there is a voice “echo” in the earpiece or speaker, but no voice is heard at the other phone in a call. Lineage 17.1 was working.

Comment/Question on bootloader relocking: Post-install instructions say “Relock your bootloader. This is an absolute necessary for maximum security. Be sure to flash our recovery first!” This is to prevent “recurring” system modifications from malicious apps or remote or local attacks, if I understand correctly. However, soon after startup F-droid auto-runs and checks for updates. So I’m trusting a few things before I have time to get the bootloader relocked? Oh well, if I can’t trust f-droid, who can I trust?!

SkewedZeppelin · June 17, 2020, 5:50pm

Relocking your bootloader cannot protect from apps, Verified Boot will however protect against that on devices where it is supported/enabled.
It however for example can protect against someone with physical access from flashing a modified keyguard that saves your password or other nefarious things.

As for the microphone on shamu, that is likely broken by the deblobber.
For shamu it removes libmotaudioutils.so and libspeakerbundle.so
Can you post the output of:
abd logcat -b all -d | grep -i -e dlopen -e .so

SkewedZeppelin · June 17, 2020, 5:53pm

GPG signatures are now available in all .sha512sum files.
Fingerprint: B874 4D67 F9F1 E14E 145D FD8E 7F62 7E92 0F31 6994
Key (2020 #1):

anon46495926 · June 17, 2020, 6:09pm

adb^… gives 919 lines, which is a lot to post here. Any other way? To be clear I did not install the “extra” deblobber because it was shown as “broken”. Only recovery and ROM.

SkewedZeppelin · June 17, 2020, 6:22pm

sorry the \ was clobbered to escape the .
abd logcat -b all -d | grep -i -e dlopen -e \.so

the extra firmware deblobber zip is there for archival purposes and shouldn’t be used. you are correct there.

anon46495926 · June 17, 2020, 6:59pm

logcat-b-all-d-so-quoted.txt.gz.zip (3.8 KB)

The file is really gzip format… grep -i dlopen gave no results. This is from grep -i “\.so”. Let me know if you really need the unquoted version. It’s about 1k lines versus 200. HTH.

SkewedZeppelin · June 17, 2020, 7:33pm

There is a new version uploaded for shamu with a potential fix.
You can install the incremental via the updater.

anon46495926 · June 17, 2020, 7:59pm

Success! And incremental update worked too.

anupritaisno1 · June 18, 2020, 5:53am

BTW there’s already a project called glassrom that does this

How is yours different

Full disclosure: I’m the lead developer of glassrom

We’re already implementing most of your features
Deblobbed: we don’t ship DRM and other such blobs

Increase security: glassrom ports 90% of the grapheneos security patch set. Also glassrom fixes anywhere from 23k-63k security vulnerabilities per device (see past and current work)

Privacy: we disable analytics but otherwise let users decide on the hosts file

Free space eraser: not implemented. Instead glassrom uses hardware based data destruction, memory poisoning and key wrapping which are much better ways than free space wiping and can even resist cold boot and forensic based attacks

Malware scanner: not implemented and will never be

Browser: glassrom ships a modified version of bromite with the vanadium hardened patch set. It does not send any data to google and is significantly more secure than Firefox, protecting against non linear buffer overflows which even official chromium doesn’t

Fdroid privileged extension and a heavily cleaned and updated unifiednlp is shipped

SkewedZeppelin · June 18, 2020, 3:52pm

Deblobbed: we don’t ship DRM and other such blobs

I was unable to find your source code that does so.
#!OS also claims to do the same, but I too didn’t find their source for deblobbing.
Here is the DivestOS deblobber with ~800 blobs.

github.com

Divested-Mobile/DivestOS-Build/blob/master/Scripts/Common/Deblob.sh

#!/bin/bash
#DivestOS: A privacy focused mobile distribution
#Copyright (c) 2017-2022 Divested Computing Group
#
#This program is free software: you can redistribute it and/or modify
#it under the terms of the GNU General Public License as published by
#the Free Software Foundation, either version 3 of the License, or
#(at your option) any later version.
#
#This program is distributed in the hope that it will be useful,
#but WITHOUT ANY WARRANTY; without even the implied warranty of
#MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#GNU General Public License for more details.
#
#You should have received a copy of the GNU General Public License
#along with this program.  If not, see <https://www.gnu.org/licenses/>.
umask 0022;
set -uo pipefail;
source "$DOS_SCRIPTS_COMMON/Shell.sh";

This file has been truncated. show original

23k-63k security vulnerabilities per device

You are going to need to provide strong evidence to back such a claim up.
I only know of a few auto-patchers, and mine has the most patches. And at most it can patch ~400 per device.

hardware based data destruction

Do you mean discard/continuous trim? DivestOS does that too

github.com

Divested-Mobile/DivestOS-Build/blob/master/Scripts/Common/Functions.sh#L456


      
          	find device -maxdepth 3 -name "lineage*.mk" -type f -exec sh -c "awk -i inplace '!/BUILD_FINGERPRINT/' {}" \;
          	find device -maxdepth 3 -name "lineage*.mk" -type f -exec sh -c "awk -i inplace '!/PRIVATE_BUILD_DESC/' {}" \;
          	echo "Removed stock build fingerprints";
          }
          export -f removeBuildFingerprints;
          
          removeUntrustedCerts() {
          	cd "$DOS_BUILD_BASE/system/ca-certificates/files";
          	rm -fv 7c302982.0 c2c1704e.0 d0cddf45.0; #TrustCor
          	rm -fv cb156124.0; #E-Turga
          	cd "$DOS_BUILD_BASE";
          	echo "Removed untrusted certificate authorities";
          }
          export -f removeUntrustedCerts;
          
          compressRamdisks() {
          	if [ -f BoardConfig.mk ]; then
          		echo "LZMA_RAMDISK_TARGETS := boot,recovery" >> BoardConfig.mk;
          		echo "Enabled ramdisk compression";
          	fi;
          }

decide on the hosts file

How are you replacing the HOSTS file? Do you read it from /data instead of /system?

memory poisoning

DivestOS also does this via both via command line and GrapheneOS patches where possible

github.com

Divested-Mobile/DivestOS-Build/blob/master/Scripts/Common/Functions.sh#L467


      
          	echo "Removed untrusted certificate authorities";
          }
          export -f removeUntrustedCerts;
          
          compressRamdisks() {
          	if [ -f BoardConfig.mk ]; then
          		echo "LZMA_RAMDISK_TARGETS := boot,recovery" >> BoardConfig.mk;
          		echo "Enabled ramdisk compression";
          	fi;
          }
          export -f compressRamdisks;
          
          smallerSystem() {
          	echo "BOARD_SYSTEMIMAGE_JOURNAL_SIZE := 0" >> BoardConfig.mk;
          	echo "PRODUCT_MINIMIZE_JAVA_DEBUG_INFO := true" >> device.mk;
          	echo "EXCLUDE_SERIF_FONTS := true" >> BoardConfig.mk;
          	echo "SMALLER_FONT_FOOTPRINT := true" >> BoardConfig.mk;
          	#echo "MINIMAL_FONT_FOOTPRINT := true" >> BoardConfig.mk;
          	sed -i 's/common_full_phone.mk/common_mini_phone.mk/' *.mk &>/dev/null || true;
          	echo "Set smaller system args for $PWD";
          }

https://github.com/Divested-Mobile/DivestOS-Build/blob/master/Scripts/LineageOS-17.1/CVE_Patchers/android_kernel_google_marlin.sh

key wrapping

The thing Android already does? Or something else?

Browser

This browser? GitHub - GlassROM-Archive/browser: Browser for glassrom. No compilation help. No documentation. Just the source dumped from the build machine. Good luck
Code over the wall.

significantly more secure than Firefox

Chromium is indeed more secure then Gecko-based browser and it is explicitely mentioned on our site.
https://divestos.org/index.php?page=browsers

heavily cleaned and updated unifiednlp

Source? Oh wait this “Android Studio automatic cleanup”?

What even is this?

github.com

GlassROM-Archive/glassrom-landing/blob/master/patch-glassrom.bash#L181


      
           
                   <activity
                       android:name=".UpdatesActivity"
          diff --git a/res/values/strings.xml b/res/values/strings.xml
          index 34f2fd3..7abb8f5 100644
          --- a/res/values/strings.xml
          +++ b/res/values/strings.xml
          @@ -32,7 +32,7 @@
                     {type} - Build type
                     {incr} - Incremental version
               -->
          -    <string name="updater_server_url" translatable="false">https://download.lineageos.org/api/v1/{device}/{type}/{incr}</string>
          +    <string name="updater_server_url" translatable="false">http://127.0.0.1:8001/updates.json</string>
           
               <string name="verification_failed_notification">Verification failed</string>
               <string name="verifying_download_notification">Verifying update</string>
          diff --git a/res/xml/network_security_config.xml b/res/xml/network_security_config.xml
          new file mode 100644
          index 0000000..8ce94ff
          --- /dev/null
          +++ b/res/xml/network_security_config.xml

Going through your sparse sources, the biggest difference is that DivestOS attempts to apply all of its changes automatically to any given device of any Android version. Because 5 years ago when I was supporting a handful of devices it got too tedious, and I ended up automating as much as possible.

anupritaisno1 · June 18, 2020, 6:41pm

Memory poisoning is a fairly new feature that just recently dropped in the 4.14 common kernel

I doubt you have a device that uses this

Also you are enabling kernel lockdown when selinux already does that

Same for page alloc shuffle, init_on_free/alloc. I don’t think tuna has a port of any of those on 3.10

The arm/arm64 kernel argument is kpti=on yet you also specify pti=on. Why?

Slub_debug=Z and init_on_alloc/free conflict with each other yet you enable them

You’re just sticking in flags that are NOPs

No I don’t ship a hosts file nor do I read it from /data. The hosts file is not meant for adblocking. Userspace applications like pdnsf are much more user friendly and handle this better

You can check the current glassrom kernel sources for those patches. There’s no automated “black magic” cve patcher

The patch to updater is just to allow developers to test updater functionality without running a full updater server