Updates GrapheneOS: an open source privacy and security OS

SecurityNightmares

Level 38
Verified
Jan 9, 2020
2,702

2021.02.19.15


Changes since the 2021.02.07.17 release:
  • Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5: update APNs
  • Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5: update CarrierConfig vendor.xml
  • Auditor: update to version 24
  • Auditor: update to version 25
  • Pixel 4a: set boot security patch level to leverage the YYYY-MM-01 vs. YYYY-MM-05 distinction for attestation
  • Pixel 4a (5G), Pixel 5: complete initial device support including porting hardening features
  • kernel (Pixel 4a (5G), Pixel 5): enable slab canary feature
  • kernel (Pixel 4a (5G), Pixel 5): set correct variable for 32-bit vdso toolchain
  • kernel (Pixel 5): disable unnecessary touch driver
  • kernel (Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5): use LLVM toolchain for everything other than the assembler
  • kernel (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL): use LLVM toolchain for everything other than the assembler and target linker
  • kernel (Pixel 4a (5G), Pixel 5): use new kernel build-tools prebuilts repository
 

SecurityNightmares


2021.02.23.15

Changes since the 2021.02.19.15 release:
  • Camera: set flash mode to off by default (camera flash causes a substantial delay and substantially lower image quality so it generally isn't desirable)
  • device theme: use black for settings background in the dark theme
  • drop legacy code for setting Seedvault as the enabled backup service
  • hardened_malloc: drop workarounds for camera driver bugs on the Pixel 3, Pixel 3 XL, Pixel 3a and Pixel 3a XL
  • hardened_malloc: drop workaround for USB audio bug
 

SecurityNightmares

Installing GrapheneOS from other devices with GrapheneOS is now officially supported and tested: GrapheneOS web install guide
ChromeOS and Google Android are also now officially supported and tested platforms.

Increased portability is a nice advantage over the traditional approach.

Also always stay on official instructions!
There's a popular Windows install video telling users to use a sketchy 3rd party fastboot.
It leads to bricked devices. A contributor helped port the fastboot version check to Windows.
The guide's author made a follow-up video with a guide on removing this added safety check.
 

SecurityNightmares


2021.03.02.10


Changes since the 2021.02.26.16 release:
  • full 2021-03-01 security patch level
  • full 2021-03-05 security patch level
  • rebased onto RQ2A.210305.006 release, initial release of Android 11 QPR2 (Quarterly Platform Release 2)
  • Settings (Pixel 4, Pixel 4 XL, Pixel 5): enable refresh rate control
  • Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5: update APNs
  • Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5: update CarrierConfig vendor.xml
 

SecurityNightmares


2021.03.06.00

Changes since the 2021.03.02.10 release:
  • Vanadium: update Chromium base to 89.0.4389.72
  • Vanadium: enable user agent freeze by default
  • Vanadium: disable building code as dynamic feature modules
  • kernel (Pixel 4a): fix techpack/audio build reproducibility issue
  • backport upstream fix for building on compressed filesystems
  • Calendar: remove launcher icon since the app exists for compatibility / testing
  • Seedvault: update to latest revision
 

SecurityNightmares


2021.03.19.14

Changes since the 2021.03.06.00 release:

  • integrate the latest open source release of TalkBack and Switch Access as first party accessibility services again (a text-to-speech service like RHVoice needs to be installed, configured and enabled to be able to use TalkBack)
  • SELinux policy: add back removing tmpfs execute for all base system app domains
  • SELinux policy: expand exception from ashmem execute restriction to legacy non-base system app domains (was more strict than currently intended since we don't want to break app compatibility)
  • add Bluetooth timeout feature with a security fix applied to the original implementation
  • Updater: rename title of the management activity launched via Settings
  • set GrapheneOS launcher as a default notification listener on fresh installs so that the default enabled notification integration is permitted by default like the stock OS (existing users still need to manually enable the permission for the built-in launcher)
  • add back removing DUN requirement for tethering
  • add back ignoring tethering provisioning requirement
  • enable app compaction by default
  • enable app freezer by default
  • enable camera/microphone indicators by default
  • kernel (Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5): switch from standard 39-bit address space to 48-bit address space via 4-level page tables
  • Vanadium: update Chromium base to 89.0.4389.86
  • Vanadium: update Chromium base to 89.0.4389.90
  • Vanadium: enable partitioning connections by default
  • hardened_malloc: update libdivide to 4.0.0
  • hardened_malloc: use longer region quarantine random array (256 regions instead of 128)
  • Auditor: update to version 26

Especially "enable camera/microphone indicators by default" is very nice (y)
 

SecurityNightmares


hardened_malloc version 7 released

These integer numbered tags are the standalone releases, while the RQ1A.210105.003.2021.01.05.03 style tags are part of GrapheneOS releases and may contain GrapheneOS-specific changes such as workarounds for latent memory corruption bugs encountered in the wild while waiting for an upstream or downstream fix.
 