Since we're on the topic of Cellebrite: #postmarketOS is NOT vulnerable.

Among the devices that police seized from my friend was a Xiaomi Poco F1 (xiaomi-beryllium) running a postmarketOS build I pmbootstraped in late January 2024 (without LUKS2). Police seized the device 2 weeks after I gave it to said friend.

They tried to exploit it, but gave up. The mainline Linux kernel (6.6 at the time) did not have vulnerabilities in USB HID drivers.

To mitigate further against tools such as Cellebrite, we could enable USB authentication, which prevents kernel modules from loading prior to the user's consent.
The problem with that approach is that desktop environments have authentication implemented for Thunderbolt, but not for USB.
https://usbguard.github.io/

I really would like to see SELinux implemented as well, but it would be a Herculean effort because rules would need to be hand-written for Alpine.

@elly GNOME does have a USBGuard integration, though the last time I looked at it, it would need some adjustments to work well on phones (it's clearly made for desktop use cases). All the needed building blocks are already there at least. USBGuard itself is used on the Librem 5 by default to not let the modem firmware impersonate another device, but it's not used for the USB-C port yet (though the user can add any rule they want, of course).

gitlab.gnome.org/GNOME/gnome-s
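
The consent-before-driver-binding mitigation discussed in this thread rests on the Linux kernel's USB authorization interface in sysfs, which USBGuard drives. The following audit script is an added example, not part of either post and not code from postmarketOS or USBGuard; the optional sysfs root argument is an assumption made here so the check can be run against a constructed directory.

```sh
#!/bin/sh
# Added example: audit the Linux kernel's USB authorization defaults.
# The sysfs root argument is an assumption of this example so the check can
# run against a constructed directory; it defaults to the real sysfs path.

# usb_policy_name VALUE: meaning of a host controller's authorized_default.
usb_policy_name() {
    case "$1" in
        0) echo "deny-all" ;;       # new devices stay deauthorized, no driver binds
        1) echo "allow-all" ;;      # every new device is authorized on connect
        2) echo "internal-only" ;;  # only devices on internal ports are authorized
        *) echo "unknown" ;;
    esac
}

# usb_audit [SYSFS_ROOT]: print one line per host controller.
# Returns 0 when no controller auto-authorizes external devices,
# 1 when at least one does, 2 when no controller was found.
usb_audit() {
    root="${1:-/sys/bus/usb/devices}"
    seen=0
    rc=0
    for hc in "$root"/usb*; do
        [ -r "$hc/authorized_default" ] || continue
        seen=1
        val=$(cat "$hc/authorized_default")
        echo "${hc##*/} authorized_default=$val ($(usb_policy_name "$val"))"
        case "$val" in
            0|2) ;;
            *) rc=1 ;;
        esac
    done
    if [ "$seen" -eq 0 ]; then
        return 2
    fi
    return "$rc"
}

# Usage on a live system: usb_audit; echo "exit status: $?"
```

An exit status of 1 means at least one controller binds drivers to any newly attached device before the user has a chance to consent.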
