KindnessInfinity

joined 2 years ago

Our latest release improves our hardware-based USB-C port attack surface reduction. Our previous software-based feature has been extended and merged into it as a 2nd layer of enforcement. We've also extended it to disable pogo pins data at a hardware level on the Pixel Tablet.

Our previous feature is now fully obsolete and has been removed on devices with the newer approach, which is a nice simplification. We've rewritten the documentation here:

https://grapheneos.org/features#usb-c-port-and-pogo-pins-control

Older approach is now only used on the Pixel 5a and earlier end-of-life devices.

Our documentation explains why our approach is much better than the standard Android USB HAL toggle available to device admin apps since Android 12. Standard approach only disables USB connections in the OS. It leaves USB-C and pogo pins enabled at both the OS and hardware level.

The standard approach also can't block new USB connections without ending existing USB connections. It has no distinction between those things. It forces a choice between ending existing USB connections when locking or delaying using it at all until the last USB connection ends.

Several operating systems previously included a port of our legacy software-based approach and mistakenly moved to the less secure approach of disabling USB via the standard USB HAL after the last USB connection ends. It's less secure than simply extending our legacy feature...
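
The "standard Android USB HAL toggle" the post contrasts its approach with is DevicePolicyManager.setUsbDataSignalingEnabled(), available to device owners since Android 12 (API 31). The following is an added example, not GrapheneOS code and not from the post, written to show in code why that API forces the choice described above: it is a single global on/off switch, so a device-admin app that wants "no new USB connections while locked" must either cut whatever is already connected at lock time or leave the port fully open until the current connection ends. Assumptions: the calling app is the device owner (the API requires it), the caller already tracks lock/unlock (e.g. via KeyguardManager), and the USB state broadcast action and extra names are the non-SDK strings from AOSP's UsbManager, copied here because the public SDK does not expose them.

```java
import android.app.admin.DevicePolicyManager;
import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.content.IntentFilter;
import android.hardware.usb.UsbManager;

/**
 * Illustrates the limitation of the stock Android 12+ USB data signaling toggle:
 * it is one global switch, so "block new USB connections while locked" cannot be
 * expressed without also dropping whatever is already connected, and it only acts
 * in the OS (the port stays electrically enabled).
 * Assumed context: the calling app is the device owner.
 */
public final class UsbLockPolicy {
    // Non-SDK constants for the sticky USB state broadcast; string values copied
    // from AOSP UsbManager (assumption: they are not part of the public SDK).
    private static final String ACTION_USB_STATE = "android.hardware.usb.action.USB_STATE";
    private static final String EXTRA_USB_CONNECTED = "connected";

    private final Context ctx;
    private final DevicePolicyManager dpm;
    private final UsbManager usb;
    private final boolean cutExistingOnLock; // the policy choice the API forces on you

    public UsbLockPolicy(Context ctx, boolean cutExistingOnLock) {
        this.ctx = ctx;
        this.dpm = ctx.getSystemService(DevicePolicyManager.class);
        this.usb = ctx.getSystemService(UsbManager.class);
        this.cutExistingOnLock = cutExistingOnLock;
    }

    /** True if anything is using the port: an attached host-mode peripheral or a gadget link to a PC. */
    boolean hasActiveUsbConnection() {
        if (!usb.getDeviceList().isEmpty()) return true;                 // host mode: peripherals attached
        Intent state = ctx.registerReceiver(null, new IntentFilter(ACTION_USB_STATE)); // read sticky broadcast
        return state != null && state.getBooleanExtra(EXTRA_USB_CONNECTED, false);     // gadget mode: PC attached
    }

    /** Called when the device locks. Returns what was done so the trade-off is explicit. */
    String onDeviceLocked() {
        if (!dpm.canUsbDataSignalingBeDisabled()) {
            return "unsupported: HAL cannot disable USB data signaling on this device";
        }
        if (!hasActiveUsbConnection() || cutExistingOnLock) {
            // Global switch: ends existing connections and blocks new ones together.
            dpm.setUsbDataSignalingEnabled(false);
            return "disabled";
        }
        // Deferred: the existing connection survives, but so does the attack surface,
        // because nothing blocks additional connections in the meantime.
        return "deferred: existing connection kept, new connections NOT blocked";
    }

    /** Called when the user unlocks: restore data signaling. */
    void onDeviceUnlocked() {
        if (!dpm.isUsbDataSignalingEnabled()) dpm.setUsbDataSignalingEnabled(true);
    }

    /** Receiver for the deferred case: re-evaluate once the last USB connection ends. */
    BroadcastReceiver deferredReceiver() {
        return new BroadcastReceiver() {
            @Override public void onReceive(Context c, Intent i) {
                if (ACTION_USB_STATE.equals(i.getAction())
                        && !i.getBooleanExtra(EXTRA_USB_CONNECTED, false)
                        && !hasActiveUsbConnection()) {
                    onDeviceLocked();
                }
            }
        };
    }
}
```

Register deferredReceiver() for ACTION_USB_STATE while a lock is pending in the deferred branch and unregister it on unlock. The point of the example is the two return paths in onDeviceLocked(): there is no third option that keeps the current connection and refuses new ones, which is the distinction the post says its kernel- and controller-level approach provides.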

 

Since Android 14 QPR3 is a major release, the end-of-life Pixel 4a (5G) and Pixel 5 receiving extended support releases from GrapheneOS will need to be ported to it with additional work in a future release, which is done as a low priority. Pixel 4a (5G) and Pixel 5 are end-of-life and shouldn't be used anymore due to lack of security patches for firmware and drivers. We provide extended support for harm reduction.

Tags:

  • 2024062000 (Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, Pixel 8a, emulator, generic, other targets)

Changes since the 2024061400 release:

  • remove our USB peripheral security setting on devices supporting our much better USB-C port mode (Pixel 6 and later)
  • extend USB-C port setting to also handle pogo pins on the Pixel Tablet
  • kernel (5.10, 5.15, 6.1, 6.6): replace our deny_new_usb feature with a new deny_new_usb2 feature also disabling USB gadgets
  • extend USB-C port setting to enable deny_new_usb2 as a second layer of defense disabling new USB connections in the kernel (the existing implementation disables new connections and USB data at a hardware level via the USB controller, which disables more attack surface, but we want to keep around the higher level kernel approach too)
  • Files: fix upstream null pointer exception triggered on resuming activity
  • Settings: require user authentication for changing auto-reboot, USB peripheral and USB-C port security settings
  • Settings: avoid prompting for user authentication when selecting the same value as before for GrapheneOS settings requiring it
  • temporarily add back memory tagging exception for Pixel wifi_ext service
  • simplify implementation of our auto-reboot feature and properly handle the first lock after the user first sets up a lock method
  • avoid resetting USB-C port after first unlock if it was already connected Before First Unlock (fix for regression caused by upstream changes)
  • add GrapheneOS Linux kernel port to the 6.6 GKI LTS branch
  • kernel (5.10): update to latest GKI LTS branch revision including update to 5.10.215
  • kernel (6.1): update to latest GKI LTS branch revision including update to 6.1.87
  • kernel (6.1, 6.6): add script for building emulator kernel
  • kernel (6.1, 6.6): enable forced module signing for x86_64 (emulator builds)
  • System Updater: increase update check interval to 6 hours from 4 hours
  • Vanadium: update to version 126.0.6478.110.0
  • GmsCompatConfig: update to version 118
  • GmsCompatConfig: update to version 119
  • fix cast in GrapheneOS package management infrastructure needed for upcoming App Communication Scopes work
 

Changes in version 119:

  • add stub for WifiManager.getSoftApConfiguration()

A full list of changes from the previous release (version 118) is available through the Git commit log between the releases (only changes to the gmscompat_config text file and config-holder/ directory are part of GmsCompatConfig).

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release.

 

Changes in version 126.0.6478.71.0:

  • update to Chromium 126.0.6478.110

A full list of changes from the previous release (version 126.0.6478.110.0) is available through the Git commit log between the releases.

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release. Vanadium isn't yet officially available for users outside GrapheneOS, although we plan to do that eventually. It won't be able to provide the WebView outside GrapheneOS and will have missing hardening and other features.

 

Changes in version 118:

  • update max supported version of Play services to 24.23
  • update max supported version of Play Store to 41.4
  • update Android Gradle plugin to 8.5.0

A full list of changes from the previous release (version 117) is available through the Git commit log between the releases (only changes to the gmscompat_config text file and config-holder/ directory are part of GmsCompatConfig).

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release.

 

Pixel 6 and later use the open source Trusty OS for the Trusted Execution Environment (TrustZone) and secure core firmware.

Starting with this month's quarterly release (Android 14 QPR3), Trusty sources and baseline applets are part of the Android Open Source Project in trusty/.

Not everything is published, particularly Tensor specific portions. It'd be helpful to publish the rest to make it easier to audit and propose improvements.

They still need to publish the Titan M2 fork of OpenTitan too, which they committed to eventually doing several years ago.

OpenTitan was created to replace their secure elements based on ARM secure cores with a custom RISC-V design across their servers, Chromebooks and Pixel phones/tablets. Pixel 6 and later have a RISC-V secure element (Titan M2), but they still need to publish Pixel specific code.

Upstream OpenTitan project is currently focused on implementing the TPM specification for desktop/server use. TPM is a horrible secure element API. It isn't what's used on Pixels where they got to design APIs for usage by the Android Open Source Project based on what it needs.

This is closely related to publishing the rest of the Trusty code used for Pixels, since they implement communication using authenticated encryption between the SoC secure core and the standalone secure element. Non-Pixel Android ecosystem could benefit a lot from all this code.

 

Tags:

  • 2024061400 (Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, Pixel 8a, emulator, generic, other targets)

Changes since the 2024061300 release:

  • revert upstream refactoring of the device association code in Android 14 QPR3 due to it introducing a chain crash bug at boot in edge cases with associated devices such as paired Android Wear devices
  • kernel (5.10): update to latest GKI LTS branch revision
  • Vanadium: update to version 126.0.6478.71.0
 

Owner has not been active in over 7 months. I can help with moderating when anything comes up and helping grow the community.

 

We've found a serious bug in Android 14 QPR3 which can lead to devices getting stuck in a crash loop on boot after adding a device association such as a WearOS pairing. This impacts both stock Pixel OS and AOSP. Google is aware and reverted the broken change in Android 15 Beta 2.

Today, we plan to do a release fixing this serious issue and the AOSP Bluetooth module regression breaking pairing with the Galaxy Watch6 device we purchased for testing due to previous Bluetooth regressions in Android 14 QPR2 breaking it. Today's release should reach Stable.

If you don't depend on Bluetooth, you might as well update to the current OS release in the Beta channel and then switch back to Stable. Only reason it's not in the Stable channel yet is these 2 issues. There's another minor upstream Settings UI style issue which doesn't matter.

 

Changes in version 126.0.6478.71.0:

  • update to Chromium 126.0.6478.71
  • set default toolbar shortcut to new tab

A full list of changes from the previous release (version 126.0.6478.50.1) is available through the Git commit log between the releases.

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release. Vanadium isn't yet officially available for users outside GrapheneOS, although we plan to do that eventually. It won't be able to provide the WebView outside GrapheneOS and will have missing hardening and other features.

 

We've found at least one new issue with the Android Open Source Project 14 QPR3 Bluetooth module and are already working on resolving it. We'll have a quick follow-up release fixing the Bluetooth regression and other issues discovered during public Alpha testing.

Tags:

  • 2024061300 (Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, Pixel 8a, emulator, generic, other targets)

Changes since the 2024061200 release:

  • fix upstream Android 14 QPR3 regression which breaks updating certain apps with our app repository client
  • fix boot-time optimizing apps progress UI with Android 14 QPR3 and enable it again
  • fix regression in our Android 14 QPR3 port resulting in PIN scrambling in secondary users being determined by the Owner user setting
  • revert major upstream Android 14 QPR3 Internet quick tile overhaul since it broke the functionality in secondary users
  • temporarily add back disabling memory tagging and hardened_malloc for surfaceflinger since Android 14 QPR3 didn't fix it as expected
  • disable temporary unconditional system crash notifications since we've gotten the initial feedback we needed via the previous release
  • add additional null check for eSIM wiping done as part of the duress PIN/password wipe implementation to avoid harmless exception
  • Settings: remove blank illustration from "Screen resolution" screen
  • Vanadium: update to version 126.0.6478.50.1
  • make duress PIN/password tests faster and more reliable
 

Chromium v126 broke support for the built-in password manager on Android. We've fixed it in Vanadium 126.0.6478.50.1:

https://grapheneos.social/@GrapheneOS/112609618525601248

We'll be filing a Chromium issue. We've had success reporting similar regressions for Android operating systems without Google Play.

We'd greatly appreciate if more GrapheneOS users helped with the Alpha/Beta testing of Vanadium releases. Can enable the Alpha/Beta channel by selecting Vanadium in the app repository client (Apps) and changing release channel with the menu. We might need to make it more visible.

If you decide to help with testing for our apps or the OS, please join our Alpha/Beta testing chat room and report regressions there right away. See https://grapheneos.org/contact#community-chat for details. Can use Matrix, Discord, Telegram or even IRC (libera.chat) since it's bridged.

There are a lot of people helping with testing the OS releases in the Alpha and Beta channels, but very few people helping with the apps. We expect most people aren't aware there are Alpha and Beta channels for the app repository too, since it's tucked away in the Apps menu.

[–] KindnessInfinity@lemmy.ml 1 points 2 years ago

I'd recommend giving this article a read, just to inform you about f-droid client https://privsec.dev/posts/android/f-droid-security-issues/

An alternative client being Neo Store

[–] KindnessInfinity@lemmy.ml 2 points 2 years ago (1 children)

More for fedi :)

[–] KindnessInfinity@lemmy.ml 3 points 2 years ago (5 children)

It's not easily blockable as it scrapes the YouTube website. They'd have to stop having a website for that to happen.

[–] KindnessInfinity@lemmy.ml 1 points 2 years ago

In other words, the person admits to being ableist, as the API change is killing apps that help those with disabilities, unlike Reddit's app.

[–] KindnessInfinity@lemmy.ml 2 points 2 years ago

Same with Mastodon too. A lot of those on Mastodon are so kind in their posts and empathy to others, meanwhile on Twitter people get a lot of hate.

[–] KindnessInfinity@lemmy.ml 2 points 2 years ago (1 children)

Never cross a picket line...

[–] KindnessInfinity@lemmy.ml 3 points 2 years ago

OK. Thank you. I was misunderstanding and thought just opening the URL would fetch and display posts. Good to know

[–] KindnessInfinity@lemmy.ml 3 points 2 years ago

I appreciate the info though.

[–] KindnessInfinity@lemmy.ml 2 points 2 years ago

Oh I don't clean them that often

[–] KindnessInfinity@lemmy.ml 2 points 2 years ago

I'm shocked given this quote by Torvalds "Quite frankly, even if the choice of C were to do nothing but keep the C++ programmers out, that in itself would be a huge reason to use C." https://lwn.net/Articles/249460/

[–] KindnessInfinity@lemmy.ml 2 points 2 years ago

Makes sense, honestly
