As stated, all operating systems on Pixel devices must be on Android 13 to get full security updates. There isn't any leeway there.
Conversation
As a user, you have the freedom to stay on an old version, at the cost of having missing security content, which I don't really suggest.
1
2
But it's entirely possible to install (a modified) Android 13 and NOT lose the ability to downgrade.
2
You do lose the ability to downgrade the Titan M2 firmware regardless of which OS you use and based on our experience with the migration from Android 11 to Android 12, they do not preserve backwards compatibility. We're the only ppl who noticed since others don't use what broke.
2
1
I probably already lost that, then, since I tried the A13 beta...? But Android 12 continues to work right now.
1
The features which tend to break are only used by a small portion of apps such as our Auditor app.
1
1
But most apps are versioned separately from the OS anyway? Auditor is the exception since it's bundled with Graphene, but in theory, if you supported an older version at all, you could fix the compatibility of the app, right?
3
Auditor is standalone and is portable to non-GrapheneOS devices.
1
1
But it should only be an issue if bundled, if I understand this correctly.
If it's not bundled, it can update to one that supports the latest firmware, no matter what OS version is running
1
No, it's always an issue. If you updated to Android 12 Beta or Android 12 and beyond, you cannot have working Auditor on Android 11 because the Titan M firmware is still on the Android 12 Beta or beyond firmware and OS keystore HAL / service doesn't know how to work with that.
1
1
Auditor cannot talk to the secure element directly. It talks to the sandboxed OS keystore service which itself talks to the device-specific sandboxed keystore HALs (one for TEE, one for secure element) which talk to that hardware via kernel drivers.
If you go back to Android 11 on a Pixel 5 or earlier from Android 12 Beta or later, it breaks secure element keystore support in multiple ways because they made breaking changes to the internal API it uses between itself and the HAL / service and you can't downgrade it.
1