KindnessInfinity

joined 2 years ago

Changes in version 92:

  • update max supported version of Play services to 24.02
  • update max supported version of Play Store to 39.2

A full list of changes from the previous release (version 90) is available through the Git commit log between the releases (only changes to the gmscompat_config text file and config-holder/ directory are part of GmsCompatConfig).

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release.

 

Changes in version 121.0.6167.71.0:

  • update to Chromium 121.0.6167.71

A full list of changes from the previous release (version 120.0.6099.230.0) is available through the Git commit log between the releases.

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release. Vanadium isn't yet officially available for users outside GrapheneOS, although we plan to do that eventually. It won't be able to provide the WebView outside GrapheneOS and will have missing hardening and other features.

 

Changes in version 120.0.6099.230.0:

  • update to Chromium 120.0.6099.230

A full list of changes from the previous release (version 120.0.6099.210.0) is available through the Git commit log between the releases.

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release. Vanadium isn't yet officially available for users outside GrapheneOS, although we plan to do that eventually. It won't be able to provide the WebView outside GrapheneOS and will have missing hardening and other features.

 

Pixel 4a (5G) and Pixel 5 are end-of-life and shouldn't be used anymore due to lack of security patches for firmware and drivers. We provide extended support for harm reduction.

Tags:

  • 2024011600-redfin (Pixel 4a (5G), Pixel 5)
  • 2024011600 (Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, emulator, generic, other targets)

Changes since the 2024011300 release:

  • work around upstream Android bug causing system_server crash due to failed security-related assertion by denying the action without crashing system_server, which avoids turning a buggy security check into a denial of service issue
  • add workaround for upstream Android crash reporting bug recording clean f2fs filesystem check results as errors which is resulting in many users receiving filesystem check error reports on GrapheneOS due to our user-facing notifications for serious errors/crashes
  • add workaround for upstream Android crash reporting bug causing old crashes to be reported again
  • add workaround for upstream Android crash reporting bug wrongly attributing certain app crashes to system_server
  • only show kernel crashes when the user opts into showing all system crashes as notifications since there are many false positives caused by hardware issues such as some users having devices which sometimes fail to resume from sleep while idle
  • only show report button in log viewer for system_server Java/native crashes, MTE crashes and filesystem check errors (which now have non-error results properly filtered out) due to receiving too many reports about upstream bugs and hardware issues
  • hide specific system apps and also sandboxed Google Play from Aurora Store so users don't try to update them through it and receive errors
  • Log Viewer: explicitly set status bar color to fix light mode icon colors
  • kernel (Pixel 4a (5G), Pixel 5, Pixel 5a): add missing kernel changes from the past 2 releases
 

Pixel 4a (5G) and Pixel 5 are end-of-life and shouldn't be used anymore due to lack of security patches for firmware and drivers. We provide extended support for harm reduction.

Tags:

  • 2024011300-redfin (Pixel 4a (5G), Pixel 5)
  • 2024011300 (Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, emulator, generic, other targets)

Changes since the 2024010400 release:

  • replace auto-reboot implementation with a new more hardened implementation based on a timer in the init process which also avoids rebooting when the device hasn't been unlocked since boot
  • reduce default auto-reboot timer from 72 hours to 18 hours
  • add log viewer available at Settings > System > View logs to avoid needing developer options for making useful bug reports and inspecting the device for issues
  • reimplement our user-facing crash reporting infrastructure with our new log viewer app
  • Settings: add links to log viewer in app info and system settings
  • show report button in sandboxed Google Play crash report UI
  • adevtool: integrate support for Pixel Camera Services (currently provides Night mode for GrapheneOS Camera and other apps on Pixel 6 and later)
  • adevtool: improve and clean up infrastructure for device support
  • adevtool: drop devices not supported with Android 14
  • adevtool: remove unused default permissions configuration
  • Contact Scopes: add handling of malformed contact data subtype names to avoid crash
  • show notification after hardened_malloc detects memory corruption via a direct check (does not cover memory corruption detected via memory protected address space)
  • kernel: disable sysrq by default rather than waiting for init to disable it
  • kernel: disable unused sysrq serial support
  • kernel (Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Generic 5.10): update to latest GKI LTS branch revision including update to 5.10.206
  • kernel (Pixel 8, Pixel 8 Pro, Generic 5.15): update to latest GKI LTS branch revision including update to 5.15.145
  • kernel (Generic 6.1): update to latest GKI LTS branch revision including update to 6.1.69
  • GmsCompatConfig: update to version 91
  • Vanadium: update to version 120.0.6099.210.0
  • System Updater: use sentence case for notification channel names
 

We've recently reported firmware vulnerabilities that are being exploited by forensic companies to obtain data from devices that are not at rest. If the device is at rest, it isn't relevant and data is safe. Our auto-reboot feature is there to get devices back at rest automatically.

We've currently reported these issues for Pixels and will be filing similar issues with Samsung. We don't have as much leaked information about how they're doing it for Galaxy phones, but we can propose the same generic mitigations eliminating the main classes of vulnerabilities.

Secure element throttling is crucial to secure typical lock methods like a random 6 digit PIN or even a typical passphrase. Non-Pixel/non-iPhone devices are mostly missing it so data isn't safe even at rest for typical lock methods (much less than 7-8 random diceware words).

Pixels have used a secure element for this since the Pixel 2, but the NXP and ARM secure core Titan M1 had a fair number of vulnerabilities. Pixel 6 substantially improved this, so there's more focus than ever at exploiting the OS / firmware while the device isn't at rest.

For nearly any current generation secure element, there will likely eventually be a firmware vulnerability discovered. If you want to completely rule out a brute force, use a strong random passphrase. You can take good advantage of each user profile having separate encryption keys.

GrapheneOS has been heavily focused on securing against remote attacks and also providing privacy/security from apps. Those features make physical exploits harder, but we plan to add more features focused on it alongside auto-reboot and blocking new USB peripherals while locked.

Many apps and operating systems implement insecure duress features which can be bypassed. They do a standard wipe via reboot to recovery, which can be easily interrupted. Our implementation avoids this and will be shipped soon. However, we also proposed it to Android for the API.

Android 12 device admin API for disabling USB data is disappointing, since it's similar to what we already did and doesn't disable data lines.

Our default auto-reboot timer will be reduced from 72 hours. We also plan to add more attack surface reductions and other mitigations.

Our latest release reduced the default auto-reboot timer from 72 hours since last unlock to 18 hours since last unlock:

https://grapheneos.org/releases#2024011300

We also improved the implementation by moving it from system_server to init to make it robust against system_server bugs like crashes.

Our new implementation also avoids rebooting when the device is already at rest (Before First Unlock). This makes setting a very low timer such as 10 minutes much more usable. Alarms work before first unlock via included Clock app but most apps don't implement support for this.

Our main proposal to them was that Pixels should zero memory in firmware for every reboot/shutdown and perhaps even for every boot.

GrapheneOS zeroes freed memory for malloc and the kernel slab/page allocators, which helps, but firmware cooperation is needed for completeness.

 

Changes in version 120.0.6099.210.0:

  • update to Chromium 120.0.6099.210

A full list of changes from the previous release (version 120.0.6099.193.0) is available through the Git commit log between the releases.

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release. Vanadium isn't yet officially available for users outside GrapheneOS, although we plan to do that eventually. It won't be able to provide the WebView outside GrapheneOS and will have missing hardening and other features.

 

Changes in version 91:

  • update max supported version of Play services to 23.50
  • update max supported version of Play Store to 39.1
  • update Android Gradle plugin to 8.2.1

A full list of changes from the previous release (version 90) is available through the Git commit log between the releases (only changes to the gmscompat_config text file and config-holder/ directory are part of GmsCompatConfig).

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release.

 

Pixel 4a (5G) and Pixel 5 are end-of-life and shouldn't be used anymore due to lack of security patches for firmware and drivers. We provide extended support for harm reduction.

Tags:

  • 2024010400-redfin (Pixel 4a (5G), Pixel 5)
  • 2024010400 (Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, emulator, generic, other targets)

Changes since the 2023123100 release:

  • full 2024-01-01 security patch level
  • full 2024-01-05 security patch level
  • rebased onto UQ1A.240105.004 Android Open Source Project release
  • Sandboxed Google Play compatibility layer: stop hiding Android Auto from the Play Store since it breaks Play Store dependent functionality
  • Sandboxed Google Play compatibility layer: mark Android Auto as owned by our app repository client to stop the Play Store from updating it
  • Sandboxed Google Play compatibility layer: add Network permission to baseline permissions needed for wireless Android Auto
  • Sandboxed Google Play compatibility layer: add list of requirements for Android Auto voice commands
  • Sandboxed Google Play compatibility layer: add back dedicated name for Sandboxed Google Play crash notification channel
  • Sandboxed Google Play compatibility layer: skip Android Auto crash reports when it lacks baseline permissions and show a dedicated notification about the problem instead
  • Keyboard: add workaround for multi-locale spell checking and remove our attempt at implementing it properly in the keyboard itself for now
  • AppCompatConfig: update to version 3
  • Vanadium: update to version 120.0.6099.193.0
  • adevtool: remove unused permission configuration
 

Changes in version 120.0.6099.193.0:

  • update to Chromium 120.0.6099.193

A full list of changes from the previous release (version 120.0.6099.144.0) is available through the Git commit log between the releases.

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release. Vanadium isn't yet officially available for users outside GrapheneOS, although we plan to do that eventually. It won't be able to provide the WebView outside GrapheneOS and will have missing hardening and other features.

 

We've added documentation for the hardware memory tagging implementation in hardened_malloc:

https://github.com/GrapheneOS/hardened_malloc?tab=readme-ov-file#memory-tagging

GrapheneOS on Pixel 8 / Pixel 8 Pro is the first platform using ARM MTE in production. Stock Pixel OS has it as a hidden development option requiring using ADB.

GrapheneOS uses hardened_malloc as the system allocator and enables memory tagging by default. MTE is enabled for all base OS apps and nearly all executables. It's only temporarily disabled for surfaceflinger (due to upstream bug in Android 14 QPR1) and a few vendor executables.

For user installed apps, we enable MTE by default for apps without bundled native libraries and apps marked as compatible. We give users the option to enable MTE for all user installed apps in Settings > Security and users can then toggle it off for specific incompatible apps.

We added a user-facing notification for crashes caused by MTE detecting memory corruption. It makes it easy for users to copy the traceback for reporting the bug to app developers. This also means users don't need to guess when the toggle to disable MTE for an app is relevant.

Our Vanadium browser is also the first browser using MTE in production. In Vanadium, we enable Chromium's PartitionAlloc MTE implementation. PartitionAlloc's implementation isn't nearly as good as hardened_malloc, but we intend to improve PartitionAlloc's security in the future.

Chromium marks itself as compatible with MTE but then disables it at runtime, so other Chromium-based browsers have MTE disabled even when the OS has it enabled. We found a bug in Chromium's MTE integration which we had to fix to avoid WebView crashes. It works smoothly for us.

We're also planning on enabling Clang's stack allocation MTE support but it currently breaks Chromium's C++ garbage collection integration along with apps doing in-process unwinding via libunwind. We want MTE for the Linux kernel too, but it integrates it as a debugging feature.

hardened_malloc's MTE implementation is already best in class, but there are some improvements to consider. It currently statically reserves a value for free slots, which reduces the random choices from 15 to 14. It may make sense to use the default 0 tag for free data instead.

MTE obsoletes hardened_malloc's canary and write-after-free check features, so we disable them when it's enabled. However, we haven't figured out an approach to save the memory reserved for canaries yet due to Android supporting dynamically toggling MTE at runtime which is messy.

hardened_malloc uses MTE for all slab allocations, which are all the allocation size classes from 16 bytes through 128k bytes with statically reserved regions for each one. It doesn't need MTE for any metadata since all metadata is in a statically reserved region solely for that.

For allocations beyond the max slab allocation size (128k), there are randomly sized guards placed before/after each allocation along with an address space quarantine on free. MTE would still be valuable for large/arbitrary overflows and use-after-free beyond the quarantine.

We need to investigate the cost of tagging the large allocations above 128k by default.

For non-MTE-capable hardware, we could consider reserving a huge region for allocations above 128k with our own best-fit implementation in userspace to separate them from non-malloc mappings.
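As an added illustration (constructed for this page, not hardened_malloc's code and not from the post above), the following C model shows the slot-tagging scheme the post describes for slab allocations: 4-bit tags in the top byte of the pointer, one tag value statically reserved for free slots (so 14 of the 15 non-zero tags remain for live allocations), and a software "tag check" standing in for the check the CPU performs on every access. The choice of 0xF as the reserved free tag, the xorshift generator, and the exclusion of the previous and neighbouring slots' tags are assumptions of this model, not facts taken from the post.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/*
 * Constructed model of a 4-bit memory-tagging scheme for one slab of
 * fixed-size slots.  This is a teaching example, not hardened_malloc's code.
 * As on AArch64 MTE, the pointer tag lives in address bits 56-59 and memory
 * is tagged at 16-byte granularity; here a "tag check" is a comparison done
 * in software instead of by the CPU on every load/store.
 */
#define SLOTS      8
#define SLOT_SIZE  16
#define TAG_SHIFT  56
#define TAG_MASK   0xFULL
/* Assumption: one of the 15 non-zero tags is reserved for free slots, which
 * leaves 14 random choices for live allocations (the trade-off in the post). */
#define FREE_TAG   0xF

struct slab {
    uint64_t base;             /* untagged address of slot 0 */
    uint64_t rng;              /* xorshift state, seeded by the caller */
    uint8_t  mem_tag[SLOTS];   /* tag currently granted to each slot's memory */
    uint8_t  prev_tag[SLOTS];  /* tag of the slot's previous allocation */
    uint8_t  in_use[SLOTS];
};

static uint64_t xorshift64(uint64_t *s) {
    uint64_t x = *s;
    x ^= x << 13; x ^= x >> 7; x ^= x << 17;
    return *s = x;
}

uint64_t ptr_addr(uint64_t p) { return p & ~(TAG_MASK << TAG_SHIFT); }
unsigned ptr_tag(uint64_t p)  { return (unsigned)((p >> TAG_SHIFT) & TAG_MASK); }

void slab_init(struct slab *s, uint64_t base, uint64_t seed) {
    s->base = base;
    s->rng = seed ? seed : 1;   /* xorshift must not start at zero */
    for (int i = 0; i < SLOTS; i++) {
        s->mem_tag[i] = FREE_TAG;
        s->prev_tag[i] = 0;
        s->in_use[i] = 0;
    }
}

/* Random non-zero tag that is not FREE_TAG, not this slot's previous tag and
 * not the tag of either neighbour.  Assumption: these exclusions are part of
 * this model; they make a linear overflow into a neighbour and a use of a
 * reused slot deterministically detectable instead of probabilistically. */
static unsigned choose_tag(struct slab *s, int slot) {
    for (;;) {
        unsigned t = (unsigned)(xorshift64(&s->rng) % 15) + 1;   /* 1..15 */
        if (t == FREE_TAG || t == s->prev_tag[slot]) continue;
        if (slot > 0 && t == s->mem_tag[slot - 1]) continue;
        if (slot + 1 < SLOTS && t == s->mem_tag[slot + 1]) continue;
        return t;
    }
}

/* Returns a tagged pointer, or 0 when the slab is full. */
uint64_t slab_alloc(struct slab *s) {
    for (int i = 0; i < SLOTS; i++) {
        if (s->in_use[i]) continue;
        unsigned t = choose_tag(s, i);
        s->in_use[i] = 1;
        s->mem_tag[i] = (uint8_t)t;
        return (s->base + (uint64_t)i * SLOT_SIZE) | ((uint64_t)t << TAG_SHIFT);
    }
    return 0;
}

/* Simulated tag check for an access at p + off: 0 when the pointer tag matches
 * the memory tag, -1 for what the hardware would raise as an MTE fault. */
int slab_access(const struct slab *s, uint64_t p, size_t off) {
    uint64_t a = ptr_addr(p) + off;
    if (a < s->base || a >= s->base + (uint64_t)SLOTS * SLOT_SIZE) return -1;
    int slot = (int)((a - s->base) / SLOT_SIZE);
    return s->mem_tag[slot] == ptr_tag(p) ? 0 : -1;
}

/* Free retags the slot with FREE_TAG, so any stale pointer mismatches from
 * now on.  Returns -1 for a pointer that fails the tag check (invalid
 * pointer or double free). */
int slab_free(struct slab *s, uint64_t p) {
    if (slab_access(s, p, 0) != 0) return -1;
    int slot = (int)((ptr_addr(p) - s->base) / SLOT_SIZE);
    s->prev_tag[slot] = s->mem_tag[slot];
    s->mem_tag[slot] = FREE_TAG;
    s->in_use[slot] = 0;
    return 0;
}

int main(void) {
    struct slab s;
    slab_init(&s, 0x10000, 42);
    uint64_t a = slab_alloc(&s), b = slab_alloc(&s);
    printf("a=%#llx b=%#llx\n", (unsigned long long)a, (unsigned long long)b);
    printf("in-bounds access: %d\n", slab_access(&s, a, SLOT_SIZE - 1));
    printf("overflow into b:  %d\n", slab_access(&s, a, SLOT_SIZE));
    slab_free(&s, a);
    printf("use after free:   %d\n", slab_access(&s, a, 0));
    uint64_t c = slab_alloc(&s);   /* reuses a's slot with a different tag */
    printf("stale a vs new c: %d / %d\n", slab_access(&s, a, 0), slab_access(&s, c, 0));
    return 0;
}
```

The model shows why the post treats canaries and the write-after-free check as obsolete once MTE is on: a one-slot linear overflow hits a neighbour with a different tag, a freed slot carries the reserved free tag, and a reused slot gets a tag that differs from the stale pointer's, so all three are caught at the access itself rather than at a later check. It also makes the post's cost remark concrete: reserving a free tag is what shrinks the random choices from 15 to 14, and using the default tag 0 for free data instead would give that value back.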

 

Changes in version 3:

  • revert to default behavior of allowing dynamic code execution from storage for Android Auto

A full list of changes from the previous release (version 2) is available through the Git commit log between the releases.

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release.
