GrapheneOS v2023110700: November Security Patch

"This release has been in the Stable channel for a while now, making GrapheneOS the first platform deploying hardware memory tagging to users in production."

  • "Our latest release has hardware memory tagging (MTE) support for hardened_malloc enabled by default for 8th generation Pixels which added support for it."
  • "We also want to enable Clang's stack allocation MTE and Chromium's MTE support for Vanadium soon."

What's changed

  • full 2023-11-01 security patch level
  • full 2023-11-05 security patch level for generic targets and 5th/8th generation Pixels (6th/7th generation Pixels are marked as 2023-11-01 upstream, which may be due to a missing Mali GPU kernel patch; we can work on obtaining it to apply early)
  • rebased onto UP1A.231105.003 (generic) and UD1A.231105.004 (shusky) Android Open Source Project releases
  • Pixel 8, Pixel 8 Pro: always enable hardware memory tagging (there is no longer an opt-in toggle); it is currently used everywhere other than Vanadium (coming soon), vendor executables and user-installed apps shipping their own native code that is not marked as compatible with memory tagging
  • disable GWP-ASan: it's a bug-finding feature rather than a hardening feature and doesn't preserve all the hardened_malloc security properties for the sampled allocations in the randomly chosen system processes where it gets activated, especially now that memory tagging is supported
  • Launcher: add missing catch for null pointer exception (upstream bug) triggered by Signal
  • revert the change showing a crash dialog for the first crash of an app since boot, since it results in a high support burden from the many third party app crashes it uncovers, especially as it's not enabled on the stock OS
  • always compile VPN service packages with the speed filter to avoid background recompilation, since many of these apps only connect automatically at boot and the user has to reconnect manually if the OS restarts them (for example when users trigger an app restart via the background recompilation notification)
  • kernel (Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Generic 5.10): update to latest GKI LTS branch revision including update to 5.10.199
  • backport health permission UI fixes from AOSP
  • backport DocumentsUI (Files) fix from AOSP preventing restrictions from being bypassed via the initial open directory
  • GmsCompatConfig: update to version 81
  • GmsCompatConfig: update to version 82
  • use sdk_phone_x86_64 (emulator) target as the default one for convenience
  • flash-all: raise minimum fastboot version to 34.0.4
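The exclusion of user-installed apps with their own native code that are "not marked as compatible" refers to the per-app declaration Android exposes in the app manifest: the `android:memtagMode` attribute on `<application>` (API 33+), with `android:gwpAsanMode` (API 30+) being the analogous switch for GWP-ASan sampling. The following is an added example, not part of this release or of GrapheneOS's own code, showing how an app that bundles JNI libraries declares itself MTE-compatible in synchronous mode and opts out of GWP-ASan; the package name, label and activity class are placeholders.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example: hypothetical app "com.example.nativeapp" that ships its own
     native (JNI) code.  Without android:memtagMode, such an app is exactly the
     case this release leaves out of memory tagging.
       android:memtagMode="sync"  - tag-check faults are reported synchronously at
                                    the faulting load/store (precise, higher overhead)
       android:memtagMode="async" - faults are reported asynchronously (cheaper,
                                    imprecise location)
       android:memtagMode="off"   - opt out explicitly
       android:gwpAsanMode="never"/"always" - disable/force GWP-ASan sampling;
                                    GWP-ASan is a bug-finding tool, not hardening -->
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.nativeapp">

    <uses-sdk android:minSdkVersion="33" android:targetSdkVersion="34" />

    <application
        android:label="Native Demo"
        android:memtagMode="sync"
        android:gwpAsanMode="never">

        <activity
            android:name=".MainActivity"
            android:exported="true">
            <intent-filter>
                <action android:name="android.intent.action.MAIN" />
                <category android:name="android.intent.category.LAUNCHER" />
            </intent-filter>
        </activity>
    </application>
</manifest>
```

Before shipping `sync` or `async`, test the native code on MTE hardware: a tag-check fault from a latent out-of-bounds or use-after-free in the app's own libraries becomes a crash rather than silent corruption, which is the intended effect but must be fixed in the app, not worked around by dropping the attribute.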
