In the past, when GrapheneOS was in a better state, the latest kernel.org LTS branches were promptly merged along with additional fixes not included in the upstream branches. The fix for the bug now assigned CVE-2019-2215 was already applied for the Pixel 1 and 2.
Conversation
Replying to
Is it possible to lock out totaly the usb odb from ever accessing again if i choose to just have Graphene, ub only to charge phone but nevr to acess any data, also to lock out the recovery mode, be just able to update from phone it self! ?
1
Replying to
Charge only is the default. You need to authorize access from a computer. Recovery only allows installing signed updates and uses the same multi-layer signature verification, downgrade protection, etc. as the over-the-air update client. Recovery doesn't trust the attached PC.
The only thing worth disabling in recovery would be the option to wipe data (factory reset), but that's about providing theft protection rather than security hardening. Making sure the device is a useless brick to a thief is different than protecting the user data on the device.
1
2
Only thing you can really do via recovery is wiping the device, which destroys multiple forms of information needed to obtain the encryption keys and prevents obtaining those keys ever again, even with the correct unlock credentials. Preventing wiping is anti-theft, not security.
2