KindnessInfinity


In the latest release of GrapheneOS, you can now enable hardware memory tagging for all user installed apps on the Pixel 8 and Pixel 8 Pro to make them substantially harder to exploit. This is particularly useful for apps like Signal and WhatsApp.

Everyone on GrapheneOS has hardened_malloc and our other baseline exploit protections. hardened_malloc has great support for hardware memory tagging to provide a form of memory safety for memory unsafe code with a mix of deterministic guarantees and randomized general protection.

We've also replaced the Linux kernel version on the Pixel 8 and Pixel 8 Pro. AOSP and the stock Pixel OS use 5.15.110 while GrapheneOS is now using 5.15.137 and will be closely following along with kernel.org LTS releases after they go through appropriate testing.

We mentioned Signal/WhatsApp because despite having end-to-end encryption, they both have a massive amount of remote attack surface, use tons of memory unsafe code for handling media, voice/video calls, etc. along with not using sandboxing. E2EE does no good if the app is exploited.

GrapheneOS now has near full coverage for using memory tagging to defend against heap memory corruption outside the Linux kernel.

Future work will be converting Linux kernel's MTE-based debugging into hardening and enabling Clang stack allocation tagging for userspace/kernel.

 

Pixel 4, Pixel 4 XL and Pixel 4a are end-of-life and shouldn't be used anymore due to lack of most security patches for firmware and drivers. We're currently supporting them via a legacy Android 13 branch separate from these mainline GrapheneOS releases. We're considering porting them to Android 14 to continue providing extended support longer than initially planned to keep them as a way to preview the current version of the OS.

Tags:

  • 2023112600 (Pixel 4a (5G), Pixel 5, Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, emulator, generic, other targets)
  • 2023112600-shusky (Pixel 8, Pixel 8 Pro)

Changes since the 2023111500 release:

  • improve existing infrastructure and settings for per-app hardening control
  • add new infrastructure for dynamic SELinux flags for apps
  • replace static SELinux policy disabling dynamic native code generation for base system apps with dynamic SELinux flag
  • replace YAMA LSM with dynamic SELinux flag for ptrace access
  • add per-app toggle for native debugging
  • add global toggle to disable native debugging for user installed apps by default
  • add per-app memory tagging toggle for user installed apps
  • add global toggle to enable memory tagging for user installed apps by default
  • add logging infrastructure for dynamic GrapheneOS SELinux flags
  • raise post-boot audit message rate limit from 5 to 50 per second
  • add more infrastructure and tests for per-app hardening control
  • Pixel 8, Pixel 8 Pro: migrate to using our standard 5.15.137 GKI LTS kernel as the base with reverts for changes that are not compatible with the driver tree yet
  • include more info about Java and native crashes, ANRs, low memory conditions, kernel crash logs and filesystem check errors in bug report zips manually captured by users, which on the stock OS are uploaded by Play services
  • Sandboxed Google Play compatibility layer: allow compatibility layer to show the error report UI
  • GmsCompatConfig: update to version 84
  • Vanadium: update to version 119.0.6045.163.2
 

Our site's chat room information now provides Discord and Matrix as the 2 options:

https://grapheneos.org/contact#community

We're not listing Telegram because it's a much worse experience than Discord.

IRC is available but too limited especially with most people using Matrix and Discord now.

We added https://grapheneos.org/discord as a redirect to a permanent Discord invite link to make it easy to remember and share.

For Matrix, joining #community:grapheneos.org provides a list of all our non-archived rooms. 2 main rooms are regrowing after recently being bricked.

The software we use for bridging our chat rooms across platforms recently added support for Telegram's topics feature. We've merged our Telegram groups into a unified https://t.me/GrapheneOS group. It improves the user experience on Telegram but Discord still works much better.

 

There's a bug in the fwupd service that's causing the fastboot claim interface failure for our web installer and also similar failures for CLI fastboot:

https://github.com/fwupd/fwupd/issues/6437

You can work around this by stopping fwupd such as with systemctl stop fwupd.service.

This issue has unfortunately stopped MANY Linux users from successfully installing GrapheneOS. They've had to run the web installer on Windows, macOS or a Linux distribution without this issue such as ChromeOS or Android. Users on an OS like Arch Linux will often have added it.

There was also a similar bug in GVFS which appears to be resolved now. Many distributions freeze their packages for months or even years with only security bugs with a CVE assignment getting patched. These bugs have hindered adoption of GrapheneOS. It's hard to know how much.

 

Pixel 8 providing hardware memory tagging support is a massive security advance for GrapheneOS. This hardware feature only helps if the OS uses it like GrapheneOS, and the security it provides entirely depends on how it's used. We have a great implementation in hardened_malloc.

GrapheneOS on the Pixel 8 and Pixel 8 Pro is the first platform with this feature. At the moment, we enable it for most of the base OS. We fixed some issues with the Chromium PartitionAlloc implementation with the latest release of Vanadium so it can now work for Vanadium too.

In the upcoming release of GrapheneOS, we've added a toggle for force enabling memory tagging for every user installed app along with a per-app toggle in case you run into an app where it doesn't work. If you enable this, you'll have memory tagging for nearly everything!

GrapheneOS already provided substantially better exploit protections than the stock Pixel OS. The difference between GrapheneOS with and without memory tagging is comparable. It's such a huge advancement we've made the rare decision to consider this new feature mandatory right away.

Alongside the new per-app and global default memory tagging toggles for user installed apps, we've also replaced the global native debugging toggle with a similar system. Many users who disabled this ran into some banking apps, games, etc. using this for weak anti-tampering.

We've also added notifications for when apps are killed due to a memory tagging violation or trying to use native debugging (ptrace).

We don't provide a toggle for memory tagging with the base OS since it works well and any issue that's found should be fixed or worked around.

If users choose to use memory tagging for user installed apps not marked as being compatible by the developers, it will be up to users to choose whether they want to disable it. We recommend not disabling it unless it causes frequent crashes and considering using a different app instead.

If apps bundle standalone executables run separately from their app processes, those won't have memory tagging yet unless the app developers build them with it enabled. Examples are apps running Tor as an executable. WireGuard doesn't matter since the executable is made in Go, not C.

Chromium barely uses the system allocator. It marks itself compatible with memory tagging but disables it by default. The latest release of Vanadium enables memory tagging, and we're going to improve it. This creates a much larger security gap between Vanadium and other browsers.

Most apps use the WebView library to handle web content. On GrapheneOS, the WebView library is Vanadium and memory tagging works for it. Some browser apps use the WebView rather than forking Chromium, so they get memory tagging protection but lack per-site sandboxing right now.

Browsers based on Chromium like Brave and Chrome need to enable memory tagging themselves. They also don't enable strict site sandboxing or CFI yet.

Browsers based on Firefox lack a content sandbox on Android, not just site isolation. They're also missing CFI and memory tagging.

Desktop Firefox has a content sandbox, but it's much weaker than the Chromium sandbox and lacks a complete implementation of site isolation. They use a fork of Chromium sandbox on Windows but in a lower security mode. On Android, they haven't enabled any form of sandboxing yet.
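The post above says GrapheneOS now notifies users when an app is killed for a memory tagging violation and leaves it to the user to decide whether frequent crashes warrant disabling the per-app toggle. The following is an added example (not code from the post or from GrapheneOS) that separates MTE kills from ordinary segfaults in constructed crash-header lines; the line format approximates what Android's debuggerd writes to logcat and tombstones and is an assumption, as are the package names.

```python
import re

# Constructed sample crash headers (format assumed to mirror Android debuggerd output).
SAMPLE_LOG = """\
F DEBUG   : pid: 4213, tid: 4213, name: org.example.media  >>> org.example.media <<<
F DEBUG   : signal 11 (SIGSEGV), code 9 (SEGV_MTESERR), fault addr 0x0b00007f2a3c10a0
F DEBUG   : pid: 5120, tid: 5160, name: Binder:5120_2  >>> org.example.chat <<<
F DEBUG   : signal 11 (SIGSEGV), code 8 (SEGV_MTEAERR), fault addr 0x0000000000000000
F DEBUG   : pid: 6001, tid: 6001, name: org.example.plain  >>> org.example.plain <<<
F DEBUG   : signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x0
"""

_PROC_RE = re.compile(r"pid: (\d+), tid: (\d+), name: (\S+)\s+>>> (\S+) <<<")
_SIG_RE = re.compile(
    r"signal (\d+) \((\w+)\), code (-?\d+) \((\w+)\), fault addr (0x[0-9a-fA-F]+)"
)

# SIGSEGV si_code values the Linux arm64 kernel uses for MTE tag check faults.
SEGV_MTEAERR = 8  # asynchronous fault: imprecise, no usable fault address
SEGV_MTESERR = 9  # synchronous fault: the faulting address is reported


def classify_crashes(log_text):
    """Pair each process header with its signal line and label MTE kills."""
    results = []
    current = None
    for line in log_text.splitlines():
        m = _PROC_RE.search(line)
        if m:
            current = {"pid": int(m.group(1)), "package": m.group(4)}
            continue
        m = _SIG_RE.search(line)
        if m and current is not None:
            code = int(m.group(3))
            addr = int(m.group(5), 16)
            if code == SEGV_MTESERR:
                kind = "mte_sync"
                # For synchronous faults the kernel keeps the pointer's tag in
                # bits 56..59 of the reported address (bits 60..63 are cleared).
                current["tag"] = (addr >> 56) & 0xF
            elif code == SEGV_MTEAERR:
                kind = "mte_async"
            else:
                kind = "other"
            current.update(kind=kind, si_code=m.group(4), fault_addr=addr)
            results.append(current)
            current = None
    return results


def mte_kill_packages(log_text):
    """Packages killed by a memory tagging violation, in the order seen."""
    return [c["package"] for c in classify_crashes(log_text) if c["kind"].startswith("mte_")]
```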

 

Changes in version 119.0.6045.163.2:

  • enable enforcing memory tagging for all processes when available
  • fix upstream bug in memory tagging implementation by not trying to re-enable it since it breaks in apps with memory tagging disabled

A full list of changes from the previous release (version 119.0.6045.163.1) is available through the Git commit log between the releases.

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release. Vanadium isn't yet officially available for users outside GrapheneOS, although we plan to do that eventually. It won't be able to provide the WebView outside GrapheneOS and will have missing hardening and other features.

 

Changes in version 84:

  • update max supported version of Play services to 23.45
  • update max supported version of Play Store to 38.4

A full list of changes from the previous release (version 83) is available through the Git commit log between the releases (only changes to the gmscompat_config text file and config-holder/ directory are part of GmsCompatConfig).

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release.

 

Due to our Matrix rooms getting bricked yet again by Matrix state resolution bugs, we've decided to add Discord as a more robust and widely accessible option:

https://discord.gg/GE6r8YYrnM

Our Matrix, IRC, Telegram and Discord rooms are bridged together but we were focused on Matrix.

IRC rooms on libera.chat:

  • #grapheneos
  • #grapheneos-offtopic
  • #grapheneos-testing
  • #grapheneos-dev
  • #grapheneos-media
  • #grapheneos-infra
  • #grapheneos-releases

Telegram:

  • https://t.me/GrapheneOS
  • https://t.me/GrapheneOS_Offtopic
  • https://t.me/GrapheneOS_Testing

Could add other rooms on TG.

The new Matrix rooms replacing the rooms bricked by the state resolution bugs yet again are #general:grapheneos.org (main room) and #offtopic:grapheneos.org. It will take a long time for people to move over and some people will switch to IRC, Discord, etc.

 

Pixel 4, Pixel 4 XL and Pixel 4a are end-of-life and shouldn't be used anymore due to lack of most security patches for firmware and drivers. We're currently supporting them via a legacy Android 13 branch separate from these mainline GrapheneOS releases. We're considering porting them to Android 14 to continue providing extended support longer than initially planned to keep them as a way to preview the current version of the OS.

Tags:

  • 2023111500 (Pixel 4a (5G), Pixel 5, Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, emulator, generic, other targets)
  • 2023111500-shusky (Pixel 8, Pixel 8 Pro)

Changes since the 2023110700 release:

  • Sandboxed Google Play compatibility layer: replace cross-user intent broadcasts with user-local ones to avoid occasional background service crashes
  • fix upstream bug causing crash for previewing live wallpapers
  • kernel (Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Generic 5.10): update to latest GKI LTS branch revision
  • Seedvault: update to latest revision (will be replaced with a better backup implementation in the future)
  • Vanadium: update to version 119.0.6045.134.0
  • Vanadium: update to version 119.0.6045.163.0
  • Vanadium: update to version 119.0.6045.163.1
  • GmsCompatConfig: update to version 83
  • Camera: update to version 64
  • Auditor: update to version 77
 

Changes in version 119.0.6045.163.1:

  • fix handling of the ACTION_WEB_SEARCH intent added by GrapheneOS which regressed from upstream changes
  • restore standard WebView client hint behavior to avoid potential compatibility problems and because it can't improve privacy there yet due to the user agent not being minimized in the same way as the browser so it only adds a way to fingerprint it (we plan to provide a toggle for minimized WebView user agent and client hints)

A full list of changes from the previous release (version 119.0.6045.163.0) is available through the Git commit log between the releases.

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release. Vanadium isn't yet officially available for users outside GrapheneOS, although we plan to do that eventually. It won't be able to provide the WebView outside GrapheneOS and will have missing hardening and other features.

 

Changes in version 119.0.6045.163.0:

  • update to Chromium 119.0.6045.163
  • disable high entropy client hints

A full list of changes from the previous release (version 119.0.6045.134.0) is available through the Git commit log between the releases.

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release. Vanadium isn't yet officially available for users outside GrapheneOS, although we plan to do that eventually. It won't be able to provide the WebView outside GrapheneOS and will have missing hardening and other features.

 

Notable changes in version 64:

  • add support for hardware camera capture and zoom buttons
  • improve video recording user experience when audio permission isn't granted, which isn't needed with include audio disabled
  • improve error handling for video recording by distinguishing between errors where the video is still saved and errors preventing it from being usable
  • fix error message for reporting broken camera showing wrong camera (front/rear reversed)
  • update SDK to 34 (Android 14)
  • update target API level to 34 (Android 14)
  • update Android build tools to 34.0.0
  • update Material Components library to 1.10.0
  • update CameraX library to 1.4.0-alpha02
  • update zxing library to 3.5.2
  • update Gradle to 8.4
  • update Android Gradle plugin to 8.1.1
  • update Kotlin to 1.9.20
  • update NDK version to 26.1.10909125 instead of using the older default set by the Android Gradle plugin
  • improve code quality

A full list of changes from the previous release (version 63) is available through the Git commit log between the releases.

This app is available through the Play Store with the app.grapheneos.camera.play app id. Play Store releases go through review and it usually takes around 1 to 3 days before the Play Store pushes out the update to users. Play Store releases use Play Signing, so we use a separate app id from the releases we publish ourselves to avoid conflicts and to distinguish between them.

Releases of the app signed by GrapheneOS with the app.grapheneos.camera app id are published in the GrapheneOS app repository and on GitHub. You can use the GrapheneOS app repository client on Android 12 or later for automatic updates.

Releases are initially pushed out through the Beta channel for both the Play Store and our app repository and then get moved to the Stable channel.

GrapheneOS users must obtain GrapheneOS app updates through our app repository since fs-verity metadata is now required for out-of-band system app updates on GrapheneOS as part of extending verified boot to them.
