github.com/GrapheneOS/os- was resolved by upstream improvements to ART in Android 12 resulting in boot images being fully relocatable. Exec spawning now works completely as intended and verified boot will work better, especially once dexpreopt changes in AOSP master land in stable.
Implementing these will further improve verified boot for GrapheneOS:
* github.com/GrapheneOS/os-
* github.com/GrapheneOS/os-
* github.com/GrapheneOS/os-
AOSP enforces that system server cannot load code from outside verified images. We need to expand it to all base OS apps again.
GrapheneOS used to have this feature fully implemented for the base OS for code but not the non-code ART boot image data. Since boot image data now appears to be fully relocatable, we need to get dexpreopt expanded to everything again and we can enforce this for both code/data.
APEX has made this more complicated despite the fact that we're shipping them unpacked in the base OS without out-of-band updates (flattened APEX).
AOSP master appears to have most of the improvements to dexpreopt we need but now we need to deal with source.android.com/devices/tech/d too.
