final [GrapheneOS] 📱👁️🗨️ on Nostr: #GrapheneOS version 2024062000 released. This version removes the USB peripheral ...
#GrapheneOS version 2024062000 released.
This version removes the USB peripheral security settings where USB-C port controls are supported. This is because that setting does the same job and far better. There are also hardening improvements.
- remove our USB peripheral security setting on devices supporting our much better USB-C port mode (Pixel 6 and later)
- extend USB-C port setting to also handle pogo pins on the Pixel Tablet
- kernel (5.10, 5.15, 6.1, 6.6): replace our deny_new_usb feature with a new deny_new_usb2 feature also disabling USB gadgets
- extend USB-C port setting to enable deny_new_usb2 as a second layer of defense disabling new USB connections in the kernel (the existing implementation disables new connections and USB data at a hardware level via the USB controller, which disables more attack surface, but we want to keep around the higher level kernel approach too)
- Files: fix upstream null pointer exception triggered on resuming activity
- Settings: require user authentication for changing auto-reboot, USB peripheral and USB-C port security settings
- Settings: avoid prompting for user authentication when selecting the same value as before for GrapheneOS settings requiring it
- temporarily add back memory tagging exception for Pixel wifi_ext service
- simplify implementation of our auto-reboot feature and properly handle the first lock after the user first sets up a lock method
- avoid resetting USB-C port after first unlock if it was already connected Before First Unlock (fix for regression caused by upstream changes)
- add GrapheneOS Linux kernel port to the 6.6 GKI LTS branch
- kernel (5.10): update to latest GKI LTS branch revision including update to 5.10.215
- kernel (6.1): update to latest GKI LTS branch revision including update to 6.1.87
- kernel (6.1, 6.6): add script for building emulator kernel
- kernel (6.1, 6.6): enable forced module signing for x86_64 (emulator builds)
- System Updater: increase update check interval to 6 hours from 4 hours
- Vanadium: update to version 126.0.6478.110.0
- GmsCompatConfig: update to version 119
- fix cast in GrapheneOS package management infrastructure needed for upcoming App Communication Scopes work
Published at 2024-06-21 06:17:01