Meet NayuOS
NayuOS is an ongoing project at Nexedi: We are mainly using Chromebooks for our daily development work and wanted to have more customizable, secure and privacy-compliant devices - not running any proprietary software, because we love Free Software. A few experiments later NayuOS - our free alternative to Chrome OS - was born. NayuOS is currently on a good enough way to meeting most of our needs, so we decided to spread the word and share what we have done so far.
Shaking off some Chrome OS
Chromebooks are relatively cheap specific machines sold by latop manufacturers in collaboration with Google. They run a specific OS called Chrome OS. In non-developer mode the OS provides a Chrome Browser and that's pretty much it! Developer mode is not bloated either. There is a shell with some useful software (python2, ssh, tcpdump, ...) preinstalled.
Digging deeper, the cryptographic security mechanism is interesting: while booting, every step verifies the cryptographic signature of the next step with the first one consisting of Google Chrome OS's public key stored in the read-only part of the firmware and being used to verify the OS for non-developer images. This is why you see a scary screen when booting a non-Google image or when switching into developer mode.
Some other security mechanisms are also specific to this OS: the root partition is mounted read-only, there are sandboxes for isolating processes, ... all in order to mitigate attacks on the system or at least make them more difficult.
On Chrome OS, users' data is stored at Google, so the configuration of the browser and all data will be synchronized when switching from one machine to another. For us this meant a big privacy issue, so we decided to use only guest mode (users are not logged in and there is no synchronization).
Still, this left us the issue of Chrome OS not being Free Software and closed-source. Since we were planning to tinker quite a bit with the OS, we therefore switched to using Chromium OS giving us the necessary freedom to tweak the OS to our needs.
NayuOS - fast forward to now
We gave our fork of Chromium OS a new and fitting name: "NayuOS". Our inital goals were set to making guest mode usable enough for daily developer work while trying not to harm any security features and improving on privacy.
Using one of our NayuOS builds your will currently get:
Free Softwares
-
NayuOS is using a customized version of Chromium OS, that is fully Open Source on Chromebooks that have no proprietary BIOS (Coreboot for most devices),
-
The build process is Free (sources): modify and share your NayuOS-based systems as describe in the GPL licence,
-
The build process uses Free Software (SlapOS) so you can build it yourself!
Privacy Compliant OS
We are just using Guest mode, and no longer any Google account. Our devices are used as simple tools and our data are somewhere else (encrypted removable devices, servers or services that we are operating and trusting).
We also wanted cryptsetup command line utility to be able to easily manage encrypted partitions, that are on removable devices.
On top, only Free Software is being run: even if not sufficient, it is a necessary condition for privacy.
Developer Friendliness
We have added git, because this nice versioning control system was essential to us, and re6st (via Grandenet) to have IPv6 available even when ISP only provide IPv4 (beta). We also added node.js, however there are still some workarounds necessary for a proper npm support.
What's next?
We are currently working to further improve guest mode by adding a script that will enable users to run a WebDAV server. Then, JavaScript applications based on jIO will access the file system through this server. This will enable us to retrieve configuration files from WebDAV vs currently having to start from scratch on every system reboot.
A list of other issues to tackle on our way can be found on the project sources page.