KindnessInfinity


Pixel 8 and Pixel 8 Pro are ARMv9 devices supporting hardware memory tagging. Stock OS currently has a very primitive experimental implementation available as a developer option. We're going to be deploying a more advanced implementation for hardened_malloc in production soon.

Hardware memory tagging is going to provide a massive increase to protection against remote exploitation for GrapheneOS users. It's the biggest security feature we'll be shipping since we started in 2014. We want to have it enabled by default in async (fast) mode for the base OS.

We can provide a toggle for choosing between asynchronous (fast) and synchronous (more secure).

Many user installed apps have latent memory corruption bugs so we aren't going to enable it for them initially. We'll provide a toggle for setting the default (disabled, async, sync).

There can be a per-app toggle for overriding the global default alongside the toggles we already provide for using the full 48-bit address space (enabled by default) and hardened malloc (enabled by default, requires 48-bit address space). This will be a security game changer.

ARM memory tagging support provides a limited form of memory safety for both memory unsafe languages (C, C++) and the small subset of unsafe code in memory safe languages (Rust, Java, Kotlin). hardened_malloc was designed to use memory tagging and will be making great use of it.

MTE uses 4 bit tags for each 16 bytes of memory. hardened_malloc will be using memory tagging for all small allocations, which means 128k and below by default. hardened_malloc already places random guards around large allocations and quarantines their address space on free.
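A software model of the tag check described in this post, added here as an illustration; it is not GrapheneOS or hardened_malloc code. It shows a 4-bit tag per 16-byte granule being compared with the tag carried in the pointer, in sync and async mode. The toy heap, the tag values, the retag-on-free step and all function names are assumptions.

```c
#include <stddef.h>
#include <stdint.h>

#define GRANULE   16u  /* one tag covers 16 bytes (from the post) */
#define HEAP      128u /* constructed toy heap, not a real allocator */
#define TAG_SHIFT 56   /* assumption: tag sits in pointer bits 59:56 */
enum mode { MODE_SYNC, MODE_ASYNC };
enum bug  { OVERFLOW_NEIGHBOUR, OVERFLOW_SAME_GRANULE, USE_AFTER_FREE };

static uint8_t heap[HEAP];
static uint8_t tags[HEAP / GRANULE]; /* one 4-bit tag per granule */
static int pending_fault;            /* async: mismatch latched for a later report */

static size_t  ptr_off(uint64_t p) { return (size_t)(p & 0xFFFFFFu); }
static uint8_t ptr_tag(uint64_t p) { return (uint8_t)((p >> TAG_SHIFT) & 0xF); }

/* Tag every granule touched by [off, off+len) and return a tagged pointer. */
static uint64_t tag_alloc(size_t off, size_t len, uint8_t tag) {
    for (size_t g = off / GRANULE; g <= (off + len - 1) / GRANULE; g++)
        tags[g] = tag & 0xF;
    return (uint64_t)off | ((uint64_t)(tag & 0xF) << TAG_SHIFT);
}

/* One-byte store. Returns 1 if the byte was written, 0 if it was blocked. */
static int store(enum mode m, uint64_t p, uint8_t v) {
    size_t off = ptr_off(p);
    if (off >= HEAP) return 0;              /* keep the model itself in bounds */
    if (tags[off / GRANULE] != ptr_tag(p)) {
        if (m == MODE_SYNC) return 0;       /* sync: fault at the access */
        pending_fault = 1;                  /* async: write lands, fault comes later */
    }
    heap[off] = v;
    return 1;
}

/* Returns 1 if the bad write landed, 0 if it was blocked. */
int run_bug(enum bug b, enum mode m) {
    uint64_t a = tag_alloc(0, 20, 3);       /* 20-byte slot A, tag 3 */
    tag_alloc(32, 20, 9);                   /* neighbouring slot B, tag 9 */
    pending_fault = 0;
    if (b == OVERFLOW_NEIGHBOUR)    return store(m, a + 32, 0x41); /* B's first byte */
    if (b == OVERFLOW_SAME_GRANULE) return store(m, a + 25, 0x41); /* past A, tag still 3 */
    tag_alloc(0, 20, 7);                    /* assumption: free() retags the slot */
    return store(m, a, 0x41);               /* stale pointer still carries tag 3 */
}
int fault_pending(void) { return pending_fault; }
```

The write at offset 25 goes undetected in both modes because it stays inside a granule that carries slot A's tag, which is the 16-byte granularity limit of the scheme.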

 

Pixel 4, Pixel 4 XL and Pixel 4a are end-of-life and shouldn't be used anymore due to lack of most security patches for firmware and drivers. We're considering porting them to Android 14 to continue providing extended support longer than initially planned to keep them as a way to preview the current version of the OS despite them not being secure. It will be a significant effort to port them properly without lost functionality and we're looking for a new developer to fund rather than reassigning any developers from their existing work on the OS.

Tags:

  • 2023102300 (Pixel 4a (5G), Pixel 5, Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, emulator, generic, other targets)
  • 2023102300-shusky (Pixel 8, Pixel 8 Pro)

Changes since the 2023101300 release:

  • initial non-experimental release for Pixel 8 and Pixel 8 Pro support
  • speed up skipping compilation of system packages with dexpreopt (precompilation to native code) to improve post-update boot time
  • backport assorted dexpreopt fixes to make it work for more system packages again to improve verified boot security, free up wasted disk space and reduce post-update boot time
  • use speed-profile compilation for user installed packages for first boot of an update to significantly improve boot time, then recompile with full speed optimization in the background with a progress notification and a notification when it's finished for respawning apps
  • temporarily disable otapreopt (precompilation of apps in the background in update Finalizing step) due to it being broken in Android 14
  • Gallery: remove optional dependency to fix dexpreopt (precompilation to native code)
  • Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold: fix support for Widevine L1 on Android 14
  • fix PIN scrambling for SIM PIN (regression from port to Android 14)
  • handle new Android 14 network time code path for our feature making the automatic time toggle control whether network time connections are made
  • remove standard special case enabling Android 14 auto-confirm PIN by default for 6 digit PINs
  • allow system apps to make sticky notifications again (important for System Updater to avoid users missing the notice to reboot after update installation)
  • System Updater: add option to require that the device is charging
  • kernel (Generic 5.15): update to latest GKI LTS branch revision including update to 5.15.134
  • Apps: update to version 21
  • Vanadium: update to version 118.0.5993.80.0
  • GmsCompatConfig: update to version 79
  • improve GrapheneOS system_server infrastructure
 

Our next release for the Pixel 8 and Pixel 8 Pro will have DisplayPort output enabled now that we've tested it. The next release for these will also no longer be considered experimental but rather will be part of a regular production release alongside the other supported devices.

 

Changes in version 79:

  • update max supported version of Play services to 23.41
  • update max supported version of Play Store to 38.0

A full list of changes from the previous release (version 78) is available through the Git commit log between the releases (only changes to the gmscompat_config text file and config-holder/ directory are part of GmsCompatConfig).

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release.

 

Notable changes in version 21:

  • properly handle split APKs having their own density split APKs (fixes fully installing recent Play services releases)
  • support updating disabled packages on Android 14+
  • fix static dependencies for app variants
  • remove non-descriptive app icon label to improve screen reader support
  • set channel chip as not checkable to improve screen reader support
  • update AndroidX Core KTX library to 1.12.0
  • update AndroidX Activity KTX library to 1.8.0
  • update AndroidX Navigation libraries to 2.7.4
  • update AndroidX Preference KTX library to 1.2.1
  • update AndroidX lifecycle libraries to 2.6.2
  • update Glide library to 4.16.0
  • switch to Kotlin Symbol Processing (KSP) variant of Glide library
  • update Material library to 1.10.0
  • update Bouncy Castle library to 1.76
  • update Kotlin Coroutines libraries to 1.7.3
  • update Gradle to 8.3
  • update Kotlin to 1.9.10
  • update AndroidX navigation safeargs plugin to 2.6.0
  • update Android Gradle plugin to 8.1.2
  • update Android build tools to 34.0.0
  • update SDK to 34 (Android 14)
  • update target API level to 34 (Android 14)
  • add low-level ACCESS_NETWORK_STATE permission required by API 34 to schedule jobs depending on network availability
  • add low-level FOREGROUND_SERVICE_DATA_SYNC permission required by API 34 to set foreground service type

A full list of changes from the previous release (version 20) is available through the Git commit log between the releases.

Apps is the client for the GrapheneOS app repository. It's included in GrapheneOS but can also be used on other Android 12+ operating systems. Our app repository currently provides our standalone apps, out-of-band updates to certain GrapheneOS components and a mirror of the core Google Play apps to make it easy for GrapheneOS users to install sandboxed Google Play with versions of the Google Play apps we've tested with our sandboxed Google Play compatibility layer.

GrapheneOS users must either obtain GrapheneOS app updates through our app repository or install it with adb install-multiple with both the APK and fs-verity metadata since fs-verity metadata is now required for out-of-band system app updates on GrapheneOS as part of extending verified boot to them.

 

Changes in version 118.0.5993.80.0:

  • update to Chromium 118.0.5993.80

A full list of changes from the previous release (version 118.0.5993.65.0) is available through the Git commit log between the releases.

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release. Vanadium isn't yet officially available for users outside GrapheneOS, although we plan to do that eventually. It won't be able to provide the WebView outside GrapheneOS and will have missing hardening and other features.

 

Experimental GrapheneOS support for the Pixel 8 and Pixel 8 Pro is available. Please join #testing:grapheneos.org on Matrix if you want to help with testing it. Most functionality should be working but fingerprint unlock support isn't available yet. We're working on it.

 

One of our core developers who primarily works on device support has had their Amazon account locked after purchasing a Pixel 8 with Amazon gift cards. Can an Amazon employee please contact us and help escalate their case? Amazon support isn't helping and it's time sensitive.

 

We'll have a fix for Widevine L1 on 6th/7th generation Pixels in our next release.

Only other remaining major regression we've been able to confirm is ahead-of-time compilation work being redone on the first boot after updating. Fully restoring this to how it was will take time.

We're currently doing very frequent updates to get out fixes for Android 14 regressions quickly. Releases will be slowing down again now that all the known serious issues are resolved. We'll be working on completing Pixel 8 and Pixel 8 Pro alongside fixing more 14 regressions.

 

Pixel 4, Pixel 4 XL and Pixel 4a are end-of-life and shouldn't be used anymore due to lack of most security patches for firmware and drivers. We're considering porting them to Android 14 to continue providing extended support longer than initially planned to keep them as a way to preview the current version of the OS despite them not being secure. It will be a significant effort to port them properly without lost functionality and we're looking for a new developer to fund rather than reassigning any developers from their existing work on the OS.

Tags:

  • 2023101300 (Pixel 4a (5G), Pixel 5, Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, emulator, generic, other targets)

Changes since the 2023101100 release:

  • exempt non-app system packages from new package visibility restrictions to fix many APIs in secondary users
  • Sandboxed Google Play compatibility layer: expand background activity launch shim to all the core Google Play apps to fix sandboxed Play Store compatibility issues with Android 14
  • Sandboxed Google Play compatibility layer: fix "Don't show again" notification action which broke after Android 14 port
  • Pixel 5: add back support for battery share (reverse wireless charging) via the new infrastructure in Android 14 which we already adopted for 6th/7th/8th generation Pixels
  • GmsCompatConfig: update to version 78
 

We've fixed 3/5 of the remaining max priority regressions in Android 14 for today's release. The only remaining ones are restoring ahead-of-time compilation to how it worked before and restoring support for Widevine L1 on 6th/7th generation Pixels.

https://grapheneos.social/deck/@Graphe

We're working on restoring AOT compilation to how it was before: precompilation for base OS and background compilation (Finalizing step) for user installed apps. Full AOT is an important part of our exploit mitigations and precompilation is an important verified boot improvement.

There will temporarily be a long boot time after installing an update based on how many apps you have installed. It's unfortunate Android 14 broke a bunch of this functionality. It impacts us a lot more than the stock OS. For now, reboot into new version when you can wait for it.

 

Changes in version 78:

  • update max supported version of Play services to 23.40
  • update max supported version of Play Store to 37.9

A full list of changes from the previous release (version 77) is available through the Git commit log between the releases (only changes to the gmscompat_config text file and config-holder/ directory are part of GmsCompatConfig).
