#GrapheneOS version 2024032100 released:

This is a larger update containing a lot of fixes for apps or apps using libraries that are breaking with Android 14 QPR2. The temporary Bluetooth compatibility toggles have also been removed as Bluetooth devices should be fixed.

See the changes:

- Bluetooth: revert broken upstream change and changes depending on it to fix Galaxy Watch 6 Classic and likely other devices impacted by the same issue (this was a failure of upstream testing and release engineering for AOSP and doesn't impact the stock Pixel OS because it uses a different APEX module revision branched from an older revision of AOSP but it will impact every other AOSP-based OS on Android 14 QPR2 since there isn't a Bluetooth mainline module published in the Play Store and AOSP yet)

- Android Runtime: disable stripping symbols for libart to restore compatibility with many obfuscated Chinese apps using a specific obfuscation SDK which was broken by Android 14 QPR2 when not using the mainline ART module due to the mainline module being based on an older codebase

- Android Runtime: remove Android's hard-wired speed-profile compilation for launcher apps which was limiting ahead-of-time compilation for user installed launcher apps to the parts of the code included in baseline and/or cloud profiles rather than compiling the whole app via our default speed compilation which we use to replace JIT compilation and JIT profiles guiding background AOT compilation

- backport 12 upstream fixes from the mainline MediaProvider, Wifi, NetworkStack and HealthFitness APEX modules

- allowlist using device controls quick tile when unlocked since it already has a toggle for controlling availability so our new default requirement of the device being unlocked needs to be overridden for it

- revert disabling hardened_malloc for Broadcom Bluetooth HAL (does not appear to be a memory corruption bug found by GrapheneOS but rather the stock OS is using an older Bluetooth module without the issue)

- revert allowing users to disable Bluetooth for Bluetooth system app (does not appear to be a memory corruption bug found by GrapheneOS but rather the stock OS is using an older Bluetooth module without the issue)

- more complete setup design configuration to improve appearance of Setup Wizard, etc.

- Settings: fix upstream footer formatting issue for App pinning screen

- update timezone module to Android mainline 341510010 (based on tzdata 2024a)

- kernel (5.15, 6.1): improve support for hosting servers by enabling SYN cookies as we do for the older kernels

- kernel (6.1): drop obsolete usage of YAMA which we replaced with our dynamic SELinux flag extension

- kernel (5.10): update to latest GKI LTS branch revision

- GmsCompatConfig: update to version 99

https://grapheneos.org/releases#2024032100


Discussion

We are hopeful that the April security updates following are likely the ETA for the upstream fixes to the firmware/OS for vulnerabilities we reported to Google in January that affected the stock operating system.

We had already done our own work after our disclosure from auto-reboot improvements, USB port controls and other additional hardening these past few months despite the ineffectiveness of the vulnerabilities against GrapheneOS. The hardening done would increase difficulty of exploitation to perform data extraction of a device in an AFU state by a threat actor with physical access. USB controls would also likely throw off a prepared actor who had prepared to exploit ASAP to prevent an automatic reboot from occurring.

Having an upstream fix is great as it would disrupt these threat actors further and help people not using GrapheneOS; it also makes our current work more complete.

nostr:nevent1qqs2wh5sgc4mvy43rfh5yu5kkznye3046403lqa9ccthfsvrjttuhlspz3mhxue69uhhyetvv9ujumn0wd68ytnzvupzps26tfjesmn6ksf5mm36hpf9fkjut49sfeutfutvs2phrykn25v9qvzqqqqqqywyalzc