I've confirmed that GrapheneOS boots on the HiKey 960 and provides a working adb shell and serial console. However, there's a serious issue with the graphics driver causing it to cycle the screen to black and back repeatedly. I expect it's yet another upstream use-after-free bug.
I'm not currently interested in working on HiKey / HiKey 960 support, but it's set up with the basics working already if anyone wants to work on this. The next step would be disabling zero-on-free and the other use-after-free mitigations, or just testing with jemalloc instead.
Enabling support for verified boot within the OS wouldn't be enough since secure boot would also need to be enabled for the firmware, and chained from early firmware to late stage firmware and the OS. I don't know if the SoC is left in a factory state where this could be enabled.
I also doubt that the documentation and tools for signing the images and enabling secure boot are published. It may be possible to do this, but I'm not sure it's worth the trouble. At the moment, HiKey and HiKey 960 also don't have either the traditional or modern update system.
For production usage, it would also be important to provide full security updates by replacing the kernel with an actively maintained branch and keeping all the userspace driver components and firmware updated too. I'm unsure how realistic this would be but it might be doable.
