Replying to Final

Has a horrible choice of base OS for security and they don't do any significant work to improve it. They do not do any significant hardening beyond application changes and trivial configurations you can do in other distros. A lot of the efforts for Linux kernel hardening on both Whonix and Kicksecure were halted and then undone when the developer responsible for most of it left the project, therefore, it got worse over the years...

Their developer also pushed misinformation about allocator hardening and dropped using hardened_malloc (hardened memory allocator used and created by GrapheneOS, a significant exploit protection). Their recommendations appear more out of software freedom movement dogmas than a security researcher perspective. Some tables on the wiki make comparisons seemingly out of imaginary scenarios or remove context to what they source.

The Whonix distribution routing everything to Tor has a valid point, but you're just using a non-hardened Debian OS routed through Tor. Qubes users are very reliant on the hypervisor to protect them when using it. The security of the operating systems in the VMs also matters.

Making an equivalent out of a distro like an immutable Fedora distribution or Arch would outclass it very quickly. There are projects that do a lot of great effort to start, like Secureblue:

https://secureblue.dev/features

It inherits a better base OS, has some components from GrapheneOS, including hardened malloc and a desktop Chromium based browser with a Vanadium patch set. Not comparable to the Linux kernel in GrapheneOS (and Android) which is extensively hardened.

Since Qubes' standard images are Fedora based, it could complement it by being a template. Qubes developers already have that in their issue tracker.

Once Linux VM terminal and support is improved in upstream it could be useful to allow virtual machines that run OSes other than Debian within GrapheneOS. Fedora is our target. Secureblue could also work if it ever gets built on ARM.
