[GrapheneOS] 📱👁️🗨️ on Nostr: Next release for 9th generation Pixels will have further hardening with RANDSTRUCT ...
Next release for 9th generation Pixels will have further hardening with RANDSTRUCT enabled for the kernel with a deterministic seed (the commit timestamp).
RANDSTRUCT randomizes the order of data structures and function pointer tables at compilation based on a seed, so exploits need to be catered to specific seeds. We've made it deterministic to preserve #GrapheneOS reproducible builds by using the hash of the commit date as a seed so it changes the layouts with each base kernel change and we can make it per-device-model later too.
When other devices get Kernel 6.1 (the upstream is in testing), it can be possible for them to get it too.
Published at 2024-08-29 21:21:33
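As an added illustration (not GrapheneOS or Linux kernel code), here is a toy model in C of the seeding scheme the post describes: a hash of the base kernel's commit date, optionally extended with a device model, drives a deterministic shuffle of a function-pointer table, so the same source tree always reproduces the same layout while a new base kernel commit yields a new one. FNV-1a, xorshift and the sample member names are assumptions of this example; the real build hands a seed to the compiler's RANDSTRUCT support, which this does not replicate.

```c
#include <stddef.h>
#include <stdint.h>

/* Toy model of a deterministic RANDSTRUCT seed: hash the commit date (plus an
 * optional device model) so a given source tree always yields the same seed,
 * keeping builds reproducible, while any base kernel change yields a new one.
 * FNV-1a is an assumption of this example, not the project's actual hash. */
uint64_t seed_from_commit_date(const char *commit_date, const char *model)
{
    uint64_t h = 0xcbf29ce484222325ULL;            /* FNV-1a offset basis */
    const char *parts[2] = { commit_date, model };
    for (int i = 0; i < 2; i++) {
        if (!parts[i]) continue;
        for (const unsigned char *p = (const unsigned char *)parts[i]; *p; p++) {
            h ^= *p;
            h *= 0x100000001b3ULL;                 /* FNV-1a prime */
        }
    }
    return h;
}

/* xorshift64: a small PRNG whose entire output is fixed by the seed. */
static uint64_t next_rand(uint64_t *state)
{
    uint64_t x = *state;
    x ^= x << 13; x ^= x >> 7; x ^= x << 17;
    return *state = x;
}

/* Fisher-Yates shuffle of member indices: perm[i] is the original member that
 * lands at position i in the randomized layout. Same seed, same perm. */
void randomize_layout(uint64_t seed, size_t n, size_t *perm)
{
    uint64_t state = seed ? seed : 1;              /* xorshift state must be nonzero */
    for (size_t i = 0; i < n; i++) perm[i] = i;
    for (size_t i = n; i > 1; i--) {
        size_t j = (size_t)(next_rand(&state) % i);
        size_t tmp = perm[i - 1]; perm[i - 1] = perm[j]; perm[j] = tmp;
    }
}

/* Returns 1 if perm places each of the n members exactly once, else 0. */
int is_permutation(const size_t *perm, size_t n)
{
    int seen[64] = {0};
    if (n > 64) return 0;
    for (size_t i = 0; i < n; i++)
        if (perm[i] >= n || seen[perm[i]]++) return 0;
    return 1;
}
```

Because the seed is derived from public source metadata, anyone with the tree can recompute a given build's layout; the gain the post describes is that layouts differ between base kernel versions (and, later, device models), so one layout-dependent exploit does not carry across them.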