The crosshatch kernel repository (github.com/GrapheneOS/ker) is now used for the Pixel 3a and Pixel 3a XL in addition to the Pixel 3 and Pixel 3 XL. GrapheneOS will still use specialized kernel builds for each device with varying modules to improve CFI and reduce attack surface.
Conversation
Qualcomm's audio and Wi-Fi drivers are maintained in separate Git repositories from the core kernel, and Wi-Fi is split across 3 repositories (fw-api, qcacld-3.0, qca-wifi-host-cmn). It's quite nice that these are now properly unified. Still have a lot of past work to restore.
1
5
There was an upstream regression preventing disabling the infrastructure for dynamic kernel modules even though GrapheneOS avoids using them along with a regression preventing using the slab canary feature. Resolving these is a high priority and help would be greatly appreciated.
1
1
Android 10 introduced ShadowCallStack support for these devices alongside the existing support for type-based forward edge CFI. Both of these are entirely downstream features. It would help if upstream would stop creating political barriers to security features and Clang support.
1
1
Replying to
I'm talking about the many remaining upstream issues in the Linux kernel along with the lack of support for Clang features including Clang LTO. The existing support for Clang is also something that has continued to regress and require fixing, often deliberately. It's not solved.
1
CFI support isn't landed in mainline Linux releases despite a couple years of trying to upstream necessary patches leading to it. All of this was also thrown off track by Clang support being deliberately broken and the common politics-based refusal to take patches fixing bugs.