The crosshatch kernel repository (github.com/GrapheneOS/ker) is now used for the Pixel 3a and Pixel 3a XL in addition to the Pixel 3 and Pixel 3 XL. GrapheneOS will still use specialized kernel builds for each device with varying modules to improve CFI and reduce attack surface.
Qualcomm's audio and Wi-Fi drivers are maintained in separate Git repositories from the core kernel, and Wi-Fi is split across 3 repositories (fw-api, qcacld-3.0, qca-wifi-host-cmn). It's quite nice that these are now properly unified. Still have a lot of past work to restore.
There was an upstream regression preventing disabling the infrastructure for dynamic kernel modules even though GrapheneOS avoids using them along with a regression preventing using the slab canary feature. Resolving these is a high priority and help would be greatly appreciated.
Android 10 introduced ShadowCallStack support for these devices alongside the existing support for type-based forward edge CFI. Both of these are entirely downstream features. It would help if upstream would stop creating political barriers to security features and Clang support.
You have been speaking much of kernel insecurity, and I just read the news today about a new 0-day: thehackernews.com/2019/10/androi
Btw, Pixel 3 seems not to be involved...
Pls, can you tell if Pixel 3a has the same kernel security as Pixel 3?
Pixel 3 and 3a have comparable security and use the same kernel source tree. This issue was also mitigated on GrapheneOS by CONFIG_DEBUG_LIST + CONFIG_PANIC_ON_DATA_CORRUPTION. Please see what I've written about this issue:
Quote Tweet
In the past, when GrapheneOS was in a better state, the latest kernel.org LTS branches were promptly merged along with additional fixes not included in the upstream branches. The fix for the bug now assigned CVE-2019-2215 was already applied for the Pixel 1 and 2.

