KindnessInfinity

Tags:

• 2024030700 (Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, emulator, generic, other targets)

Changes since the 2024030600 release:

• Pixel 6, Pixel 6 Pro, Pixel 6a: fix USB-C mode control issue introduced by QPR2 port which prevented pushing out the last release
• Gallery: work around crashes caused by QPR2 R8 changes resulting in code used via reflection being removed
• Settings: enable Battery information screen in Settings > About device for QPR2 including Manufacture date, Date of first use and Cycle count
• Settings: make the style for settings consistent between Compose and non-Compose settings
• fixes for certain GrapheneOS notifications in QPR2

We're working on a revised release based on Android QPR2 with fixes for various regressions found by the early Alpha channel testers. We didn't keep the initial release in Alpha for long due to an issue impacting USB functionality on 6th gen Pixels.

https://grapheneos.social/@GrapheneOS/112051798319273743

New 2024030700 is currently building across our 3 official build machines and will be available soon. The new release should be able to make it through Alpha channel testing to the Beta channel. If there are no serious issues after 24h of Beta testing, we'll move it to Stable.

USB HAL was significantly changed in QPR2. A major part of of the port was porting our recently added USB-C control feature providing the ability to truly disable USB at a hardware level. Android 12+ USB HAL toggle being used elsewhere only disables high level USB features in OS.

We've disabled USB peripherals while locked since June 2016. Android itself has USB gadget functionality (MTP, PTP, MIDI, Webcam, ADB, etc.) disabled by default. Standard Android USB toggle disables these, not USB data itself. There's also now DisplayPort alternate mode too.

Our USB-C port control feature is not possible through generic Linux kernel code. It requires device specific integration into the USB-C controller driver and USB HAL. It's an extremely valuable feature and supporting a small set of very secure hardware allows us to work on this.

This is the first release of GrapheneOS based on Android 14 QPR2. Android 14 QPR2 is the first Android release following the new development model where quarterly releases follow the development branch. This release is a massive overhaul of the OS almost as large as the migration from Android 13 QPR3 to Android 14 despite fewer user facing changes. This release includes a large part of the migration to Android 15. The new development model will be very beneficial for GrapheneOS by spreading out the porting process throughout the year between major releases as part of the 3 quarterly releases between the yearly major releases.

Since this is a major release, the Pixel 4a (5G) and Pixel 5 have not been ported to Android 14 QPR2 as part our initial release. We need to determine whether it makes sense to move these end-of-life devices to Android 14 QPR2 or keep them on a legacy extended support release branch based on the last Android 14 QPR1 release.

Tags:

• 2024030600 (Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, emulator, generic, other targets)

Changes since the 2024030300 release:

• full 2024-03-05 security patch level
• rebased onto AP1A.240305.019.A1 Android Open Source Project release, which is the 2nd quarterly maintenance/feature release for Android 14 (QPR2)
• continue to allow disabling cell broadcast extreme alerts with all carriers contrary to QPR2 change
• Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a: add back launcher app pinning to potentially work around launcher bugs
• Vanadium: update to version 122.0.6261.105.0
• Pixel 6 Pro: remove unnecessary product name, model and brand overrides for attestation since we use the official ones
• System Updater: fix typo in error message
• System Updater: fix typo in error message System Updater: update summary for check for updates button now that it always checks immediately

Changes in version 122.0.6261.105.0:

• update to Chromium 122.0.6261.105

A full list of changes from the previous release (version 122.0.6261.90.0) is available through the Git commit log between the releases.

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release. Vanadium isn't yet officially available for users outside GrapheneOS, although we plan to do that eventually. It won't be able to provide the WebView outside GrapheneOS and will have missing hardening and other features.

This month's Android release is the first one based on the new development model heavily centered around quarterly releases. It's essentially an early variant of Android 15 with many of the features disabled via feature flags. We're essentially doing a major yearly release port.

We were aware this was going to be the case, but it's still going to take a bit longer than usual. This port should be the hardest one since it's the first one. Future quarterly and yearly releases should be much smaller than this one. It should make the yearly ports much easier.

There's going to be a temporary disruption for us from moving to the first quarterly release under the new model. We didn't treat it as a yearly release with lots of preparation but we'll try to get it as done as quickly as the Android 14 release where we prepared for months.

Despite causing a lot of pain for us for this first migration, the new release model should be a substantial benefit to us. It will mean the changes are spread out throughout the year in quarterly releases and many will get shipped disabled via feature flags so we can port early.

In the very short term, this is a massive pain and disruption for us where we need to put in similar work this month as we did for the yearly Android 14 and Android 13 ports. Going forward, things should be easier. It may also help mitigate the issues caused by mainline modules.

Nearly all our changes are ported and we have builds running in the emulator. There's a lot of work remaining to fix regressions and get device support working. If we aren't done by the end of the day, we can do a security backport release. We'd prefer avoiding an extra release.

We're likely going to need to move the end-of-life Pixel 4a (5G) and Pixel 5 from extended support to legacy extended support. This is a major release with a similar level of changes as Android 13 QPR3 to Android 14, and we don't want to waste our resources on insecure devices.

Pixel 4a (5G) and Pixel 5 are end-of-life and shouldn't be used anymore due to lack of security patches for firmware and drivers. We provide extended support for harm reduction.

Tags:

• 2024030300-redfin (Pixel 4a (5G), Pixel 5)
• 2024030300 (Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, emulator, generic, other targets)

Changes since the 2024022800 release:

• System Updater: ignore configured constraints for user-initiated update checks
• System Updater: avoid automatic retry for user-initiated update checks
• Settings: migrate to new Compose-based Settings infrastructure in preparation for Android 14 QPR2
• improve GrapheneOS infrastructure for per-app notifications
• Setup Wizard: improve wording for secondary user setup word
• adevtool: fix overlay parsing issues
• adevtool: include missing "Learn more" fingerprint setup text
• GmsCompatConfig: update to version 97

Changes in version 97:

• update max supported version of Play services to 24.08
• update max supported version of Play Store to 39.9
• update Android Gradle plugin to 8.3.0

A full list of changes from the previous release (version 96) is available through the Git commit log between the releases (only changes to the gmscompat_config text file and config-holder/ directory are part of GmsCompatConfig).

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release.

Pixel 4a (5G) and Pixel 5 are end-of-life and shouldn't be used anymore due to lack of security patches for firmware and drivers. We provide extended support for harm reduction.

Tags:

• 2024022800-redfin (Pixel 4a (5G), Pixel 5)
• 2024022800 (Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, emulator, generic, other targets)

Changes since the 2024022600 release:

• Tensor Pixels: fix issue with the USB changes breaking recovery sideloading and the fastbootd flashing mode used by the web installer which blocked us being able to release the previous release to all users
• Settings: change "Charging only" to "Charging-only" for the USB-C port mode options to make the meaning clearer
• Vanadium: update to version 122.0.6261.90.0

Changes in version 122.0.6261.90.0:

• update to Chromium 122.0.6261.90

A full list of changes from the previous release (version 122.0.6261.64.0) is available through the Git commit log between the releases.

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release. Vanadium isn't yet officially available for users outside GrapheneOS, although we plan to do that eventually. It won't be able to provide the WebView outside GrapheneOS and will have missing hardening and other features.

Pixel 4a (5G) and Pixel 5 are end-of-life and shouldn't be used anymore due to lack of security patches for firmware and drivers. We provide extended support for harm reduction.

Tags:

• 2024022600-redfin (Pixel 4a (5G), Pixel 5)
• 2024022600 (Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, emulator, generic, other targets)

Changes since the 2024022300 release:

• Tensor Pixels: add new USB-C port mode setting to Settings > Security providing a high level of control over USB functionality with hardware-specific integration for disabling USB controller functionality including fully disabling the data lines. There are 5 modes: On (current default during testing), Charging-only when locked except before first unlock (likely near future default), Charging-only when locked, Charging-only and Off (which even disables charging while booted into the normal OS mode). The modes tied to lock state permit already connected devices to continue working after locking and disable the data lines at a USB controller level after disconnecting. This is much different from the existing USB features including the Android 12 USB HAL toggle which only disable high-level kernel functionality and leave all the low-level kernel driver, USB protocol and USB controller attack surface enabled.
• kernel (5.10, 5.15): add support for ignoring USB alt modes
• kernel (Tensor Pixels): extend max77759 USB-C controller driver used by Tensor Pixels with support for a sysfs node providing fine-grained control over the USB-C data path at the USB controller level
• Setup Wizard: fix crash for SIM locales not recognized by com.android.internal.app.LocalePicker

Pixel 4a (5G) and Pixel 5 are end-of-life and shouldn't be used anymore due to lack of security patches for firmware and drivers. We provide extended support for harm reduction.

Tags:

• 2024022300-redfin (Pixel 4a (5G), Pixel 5)
• 2024022300 (Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, emulator, generic, other targets

Changes since the 2024020500 release:

• completely new GrapheneOS Setup Wizard implementation for the initial setup of the device and secondary user profiles
• Theme Picker: update color schemes including adding the monochromatic colorscheme option
• Sandboxed Google Play compatibility layer: always apply PhenotypeFlag overrides to avoid regressions for some users
• Sandboxed Google Play compatibility layer: catch SecurityException from setApplicationEnabledSetting() instead of relying on PhenotypeFlag override
• Sandboxed Google Play compatibility layer: add support for Android Auto 11.3 by extending the wireless Android Auto and phone call handling toggles to also allow BluetoothAdapter#getActiveDevices
• Sandboxed Google Play compatibility layer: add developer functionality for updating Android Auto via the Play Store for testing
• Storage Scopes: avoid legacy apps using legacy storage crashing when trying to access the wallpaper
• remove legacy AOSP Search app now that Vanadium provides the global search intent in addition to the more common web search intent also implemented by other browsers including Brave
• fix upstream bug breaking package manager support for uninstalling apps only installed in other profiles from the Owner user
• Settings: improve strings for network connection toggles
• kernel (5.10, 5.15, 6.1): temporarily ignore sysrq_always_enabled to avoid sysrq being enabled on devices passing it on the kernel line unconditionally
• kernel (5.10): update to latest GKI LTS branch revision
• kernel (5.15): update to latest GKI LTS branch revision
• kernel (6.1): update to latest GKI LTS branch revision including update to 6.1.75
• Pixel 4a (5G), Pixel 5: update to UP1A.231105.001.B2 vendor files
• Vanadium: update to version 121.0.6167.164.0
• Vanadium: update to version 121.0.6167.178.0
• Vanadium: update to version 122.0.6261.43.0
• Vanadium: update to version 122.0.6261.43.1
• Vanadium: update to version 122.0.6261.64.0
• GmsCompatConfig: update to version 94
• GmsCompatConfig: update to version 95
• GmsCompatConfig: update to version 96

We provide an official list of hardware requirements based on current generation devices:

https://grapheneos.org/faq#future-devices

These are the current hardware features we consider important enough to be listed as mandatory requirements. They're all current features, not planned/future ones.

Other than proper updates, the most important feature on the list is the ARMv9 Memory Tagging Extension (MTE) launched with the Pixel 8 and Pixel 8 Pro. MTE is currently exclusive to GrapheneOS since the stock Pixel OS only provides it as a development option with major caveats.

There are a lot of misconceptions about smartphone security including the widespread misconception that cellular radios aren't isolated. Cellular radio isolation is one of the features on this list which is near universally available rather than Pixel exclusive like MTE support.

Cellular radio isolation was implemented on the first two devices we supported (Nexus 5 and Galaxy S4). Since we started, nearly all of the weaknesses discovered with cellular radio isolation have been OS bugs where an attacker could exploit a driver/service to compromise the OS.

We've never supported a device without cellular radio isolation. On the other hand, before Pixels, the devices other than the Nexus 5X lacked Wi-Fi radio isolation and gave it access to all memory. That issue has been solved on most smartphones but remains on laptops/desktops.

There are several niche phones with a cellular radio connected via USB marketed based on falsely claiming mainstream devices lack cellular radio isolation. USB protocol has a massive amount of attack surface and also allows acting as a keyboard, mouse, display, speaker, etc.

In reality, connecting a poorly supported, less secure radio via USB is much worse than the status quo.

Also, Snapdragon having cellular, Wi-Fi, Bluetooth and GNSS integrated into the main SoC doesn't make it less isolated than Pixels using 3 separate radio chips from the SoC.

The only issues we have with Snapdragon are the lack of MTE support and their tendency to use their own proprietary approach to everything such as not using pKVM for virtualization, not using AOSP PSDS, not implementing SUPL in the OS, etc. Only the lack of MTE is a real blocker.