In the past, when GrapheneOS was in a better state, the latest kernel.org LTS branches were promptly merged along with additional fixes not included in the upstream branches. The fix for the bug now assigned CVE-2019-2215 was already applied for the Pixel 1 and 2.
Unfortunately, due to a lack of resources and support, it hasn't yet been possible to start doing this for the ongoing revival of the project. In the past, I used to do it myself, but I don't have the time and energy available anymore, and people aren't stepping up to fill that gap.
There's supposed to be a stable-base branch with all of the LTS kernel patches cherry-picked on top of the AOSP kernel branch for the device. Every month, it needs to be rebased on top of the new AOSP kernel tag. They eventually merge these changes in quarterly / yearly releases.
You can look at the kernel repositories in AndroidHardeningArchive to see what I used to do before. I did more recent work on this than what's in that particular archive, but GrapheneOS as it currently exists doesn't yet have this kind of work. It's on the list of things to do.
It's a moving target, and requires careful review to make sure the patches apply properly (not just resolving conflicts, but making sure things didn't silently go wrong) and to correctly resolve the conflicts that do happen. It adds up to a lot of work, and I can't do it anymore.
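The stable-base workflow described in the thread (LTS fixes cherry-picked onto an AOSP tag, then rebased onto the next month's tag) with the checks that catch a patch silently dropped or altered in the move, as an added toy example that is not GrapheneOS or AOSP code. It assumes only that git is installed; the repository, branch names, tags, files and commits are all constructed inline.

```shell
#!/bin/sh
# Added example, not from the thread: toy "stable-base" workflow plus the checks
# that catch patches lost or changed by the monthly rebase. Assumes git exists;
# every repo, tag, file and commit below is constructed for the demo.
set -e

make_repo() {                     # prints the path of a throwaway repository
  d=$(mktemp -d); cd "$d"
  git init -q; git checkout -q -b aosp
  git config user.email dev@example.invalid; git config user.name dev
  git config commit.gpgsign false
  printf 'v1\n' > drivers.c; git add .; git commit -qm 'aosp: base'
  git tag android-r1                             # this month's AOSP tag
  git checkout -q -b lts android-r1              # LTS fixes to carry along
  printf 'v1\nfix-a\n' > drivers.c; git commit -qam 'lts: fix a'
  printf 'v1\nfix-a\nfix-b\n' > drivers.c; git commit -qam 'lts: fix b'
  git checkout -q aosp                           # next month: AOSP took fix a too
  printf 'v1\nfix-a\n' > drivers.c; git commit -qam 'aosp: backport fix a'
  printf 'x\n' > other.c; git add .; git commit -qm 'aosp: monthly churn'
  git tag android-r2
  echo "$d"
}

build_stable_base() {             # $1 = AOSP tag; LTS commits go on top of it
  git checkout -q -B stable-base "$1"
  git cherry-pick "$1..lts" >/dev/null
}

# Move stable-base from tag $1 to tag $2 and summarise what the rebase did:
#   dropped = LTS commits the rebase skipped (range-diff shows them as '<')
#   missing = LTS commits whose patch is in neither upstream nor stable-base
#             (git cherry marks them '+'); dropped but not missing is fine,
#             because upstream already carries that change
#   changed = commits whose diff was altered while being replayed ('!')
rebase_stable_base() {
  git rebase -q --onto "$2" "$1" stable-base
  rd=$(git range-diff "$1..lts" "$2..stable-base")
  dropped=$(printf '%s\n' "$rd" | grep -c ' < ' || true)
  changed=$(printf '%s\n' "$rd" | grep -c ' ! ' || true)
  missing=$(git cherry stable-base lts | grep -c '^+' || true)
  echo "dropped=$dropped missing=$missing changed=$changed"
}

run_demo() {                      # one full monthly cycle in a fresh repo
  cd "$(make_repo)"
  build_stable_base android-r1
  rebase_stable_base android-r1 android-r2
}

run_demo   # prints: dropped=1 missing=0 changed=0
```

Here fix a is dropped because AOSP already carries an identical patch, which `git cherry` confirms; a dropped commit that `git cherry` still lists with `+`, or any `!` line from `git range-diff`, is the "silently went wrong" case that needs a human look.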