GrapheneOS: a open source privacy and security OS

  • Thread starter ForgottenSeer 85179
  • Start date
F

ForgottenSeer 85179

Thread author
New update for secure PDF viewer app:
(Available in Google store for other devices too!)
A fast update:
 
F

ForgottenSeer 85179

Thread author
June 2020 security update:

2020.06.02.02
Changes since the 2020.05.29.00 release:
  • full 2020-06-01 security patch level
  • full 2020-06-05 security patch level
  • rebased onto QQ3A.200605.002 release
  • Vanadium: update Chromium base to 83.0.4103.83
  • factory images: add fastboot version detection to flash-all.bat on Windows
 
F

ForgottenSeer 85179

Thread author
  • Settings: adjust wifi_privacy_values to the new values
  • Settings: remove unnecessary workaround for MAC randomization preference
  • Settings: tweak MAC randomization preference wording
What did you want say with these?
 
F

ForgottenSeer 85179

Thread author
New update:
2020.06.22.21

Changes since the 2020.06.02.02 release:

  • SystemUI: handle non-SRGB wallpapers
  • Vanadium: update Chromium base to 83.0.4103.96
  • Vanadium: update Chromium base to 83.0.4103.101
  • Vanadium: update Chromium base to 83.0.4103.106
  • script/generate_metadata.py: add channel name to update channel metadata
  • Updater: sanity check channel name in update channel metadata
  • Updater: raise minSdkVersion to 29
  • Updater: extract care_map.pb rather than care_map.txt
  • Updater: use a different zip for streaming updates (still an experimental / hidden feature)
  • disable RFC 7217 support (stable link-local IPv6 privacy addresses) and stick to link-local IP addresses based on the (random) MAC addresses
  • rebase SetupWizard changes onto upstream CalyxOS SetupWizard
  • SetupWizard: use system captive portal URL, rather than a custom Google URL
  • NetworkStack: ignore captive portal fallbacks when one is set at runtime
  • factory images flash-all script: reboot to bootloader after installing update
  • make_key: use 4096-bit RSA keys
  • script/release.sh: auto-detect AVB algorithm to support 4096-bit RSA keys for verified boot
  • add experimental Pixel 4 and Pixel 4 XL support
  • Auditor: update to version 18
Restoration of past features since the 2020.06.02.02 release:

  • kernel (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL): add back FORTIFY_SOURCE enhancements
  • kernel (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL): add back userspace ASLR improvements
 
F

ForgottenSeer 85179

Thread author
July Security Update available:

Changes since the 2020.06.22.21 release:

  • full 2020-07-01 security patch level
  • full 2020-07-05 security patch level
  • rebased onto QQ3A.200605.002 release
  • change TrichromeLibrary package name
  • drop MAC randomization preference migration code
  • Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL: update APNs with carriersettings-extractor
  • disable network time refresh when network time is disabled (previous behavior inherited from upstream)
  • kernel (Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL): make reproducible builds simpler
  • kernel (Pixel 4, Pixel 4 XL): use max mmap entropy by default to cover init
Restoration of past features since the 2020.06.22.21 release:

  • kernel (Pixel 4, Pixel 4 XL): enable UNMAP_KERNEL_AT_EL0 Meltdown mitigation (KPTI)
  • kernel (Pixel 4, Pixel 4 XL): enable ARM64_SSBD Spectre v4 mitigation
  • kernel (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL): enable PANIC_ON_OOPS
  • kernel (Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL): set PANIC_TIMEOUT to -1
 
F

ForgottenSeer 85179

Thread author
August security update:
2020.08.03.22

Changes since the 2020.07.06.20 release:
  • full 2020-08-01 security patch level
  • full 2020-08-05 security patch level
  • rebased onto QQ3A.200805.001 release
  • fix build for Pixel 3 when Pixel 3 XL kernel is not built
  • fix secondary stack hardening when a non-page-size multiple stack size is specified
  • fix picking up previous build date when doing incremental builds
  • Vanadium: update Chromium base to 84.0.4147.89
  • Vanadium: update Chromium base to 84.0.4147.105
  • Vanadium: update Chromium base to 84.0.4147.111
  • Vanadium: remove Chromium logo in chrome://version
Restoration of past features since the 2020.07.06.20 release:
  • kernel (Pixel 4, Pixel 4 XL): read-only data expansion
 
F

ForgottenSeer 85179

Thread author
September security update and preparation for Android 11:
2020.09.10.05

This should be the final GrapheneOS release based on Android 10. It ships the device-independent monthly security patches and migrates over to using the Android 11 branch of the GrapheneOS kernels, which brings all the upstream kernel hardening in Android 11 along with the full September kernel updates. The remaining patches for the full 2020-09-05 patch level require finishing the migration to Android 11 in order to ship the September update for the other device support code. It's possible we could ship some of this early, but instead we're going to be focusing on finishing the enormous task of migrating to Android 11. Further help with bringing up support for the devices with Android 11 and porting over each of the GrapheneOS hardening features to it would be greatly appreciated. Donations are also extremely helpful. GrapheneOS has brought on another full time developer using donated funds and there are 3 part time developers helping with Android 11. We're also collaborating with CalyxOS and others in the AOSP Alliance to bring up fully signed, production device support.

Pixel 4 kernel tags are not published yet since that's still a work in progress. We want to fix some side channel mitigation regressions caused by upstream Android 10 hardening work. We can't simply revert the upstream changes since they're important mitigations too. This should be handled within 24 hours. We'll publish releases and tags whether or not we get these side channel mitigations working, but the plan is to finish the work first.

Changes since the 2020.08.07.01 release:

  • full 2020-09-01 security patch level
  • partial 2020-09-05 security patch level (missing userspace device support changes until port to Android 11 is finished)
  • Vanadium: update Chromium base to 84.0.4147.125
  • Vanadium: update Chromium base to 85.0.4183.81
  • Vanadium: update Chromium base to 85.0.4183.101
  • Vanadium: remove unused learn more link from Incognito page
  • recovery: reject updates with serialno constraints to match the GrapheneOS Updater app
  • kernel (Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL): update base kernel to Android 11
  • SetupWizard: update base to latest CalyxOS SetupWizard
  • conscrypt: drop temporary upstream revert of version code which was accidentally kept during a rebase
  • backport fix for USB audio regression from Android 11
Restoration of past features since the 2020.07.06.20 release:

  • kernel (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL): enable intra-object FORTIFY_SOURCE overflow checks

Also nice that more dev's join the team
 
F

ForgottenSeer 85179

Thread author
2020.09.11.14

Testing the Android 11 kernels was useful, but we weren't able to ship the previous release due to issues uncovered during testing. The Android 11 kernels have minor backwards incompatible changes in the drivers for at least a subset of the devices so we'll need to ship them with the rest of the changes. Thanks to our testers for helping us with this. This will be the new final Android 10 release, assuming no further problems are uncovered during testing.

Changes since the 2020.09.10.05 release:

  • revert to using the Android 10 kernels on the devices that were switched over early due to backwards incompatible changes in some drivers
 
F

ForgottenSeer 85179

Thread author
Standalone hardened_malloc version 3 released:


Also forget to post here (but do in another thread :D ):
Auditor app version 19 released:
 
F

ForgottenSeer 85179

Thread author
2020.09.18.13 preview

Changes since the 2020.09.11.14 release:
  • initial port to Android 11 with most GrapheneOS changes ported over (missing most SELinux policy hardening, some Pixel 4 / 4 XL kernel side channel mitigations, finer-grained Pixel 4 kernel Control Flow Integrity, the setup wizard and the hardened Vanadium WebView)
  • full 2020-09-05 security patch level
  • temporarily use stock WebView until the next release of Chromium is available with public support for Android 11 to provide the WebView via Vanadium again
  • fix VPN lockdown setting getting overridden on user stop
  • SELinux policy: disable gmscore_app domain
  • SELinux policy: use dedicated SELinux domain for Updater app based on the modern untrusted_app domain
  • stop disabling support for stable local privacy addresses since Android 11 handles it better by only using it when MAC randomization is disabled
  • update to a new version of Seedvault for Android 11
  • build and use otatools.zip for signing releases instead of an ad-hoc approach
  • Auditor: update to version 19
  • Updater: update targetSdkVersion to 30
  • disable Scudo on 64-bit since we use the substantially more secure hardened_malloc
  • fully replace jemalloc with Scudo on 32-bit
Installations made before this project was renamed to GrapheneOS and before the first official release of the Android Hardening project will be forced to factory reset as part of this upgrade, due to lack of backwards compatibility with the unaltered AOSP encryption format.


This a preview release and is only going to be released via the Beta channel.
 
F

ForgottenSeer 85179

Thread author
2020.09.25.00

Changes since the 2020.09.18.13 release:

  • fix Wi-Fi MAC randomization settings for translations that were missing our added option
  • Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL: add missing configuration for biometric sensors in Android 11
  • fix upstream bug in the NFC quick settings tile for Android 11 breaking it after reboot
  • fix NFC quick settings tile icon handling for Android 11
  • Settings: fix upstream NFC preference so that it listens for changes and can see it being toggled via the NFC tile
  • Vanadium: update Chromium base to 85.0.4183.120
  • Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL: update APNs with carriersettings-extractor
  • add back SetupWizard
  • Settings: fix launching WifiSettings
We're no longer going to be listing out restored past features in a separate section for the release notes.
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top