"Our latest release provides another enhancement for our protection against firmware-based attacks on devices by forensics companies. This replaces emergency reboots triggered by overheating with regular reboots. We're going to be doing more similar work," announced @GrapheneOS.
According to GrapheneOS community moderator @final, this release also includes changes to eSIM management:
eSIM management no longer requires Sandboxed Google Play;
eSIM management binaries are isolated from Google Play services;
they no longer make direct connections to Google via Google Play Services to activate eSIMs.
isolate eSIM activation app from non-system apps to avoid it sharing data with sandboxed Google Play
make eSIM activation toggle available without sandboxed Google Play installed (eSIM management no longer requires sandboxed Google Play)
make the eSIM activation app toggle persistent instead of it being disabled at boot
remove misleading message about device info being sent to Google before eSIM download
hardened_malloc: use tag 0 for freed slots instead of reserving a tag to allow using 15 of 16 possible tag values for random tags (there are 3 dynamic exclusions of the random values for the previous tag along with the 2 current or previous adjacent tags)
Settings: prevent disabling Camera2/CameraX extension provider app (Pixel Camera Services for Pixels) since it breaks apps using CameraX
kernel (Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro): use a normal reboot on overheating instead of an emergency reboot to harden against physical attacks
kernel: enable reset attack mitigation for UEFI systems supporting it (Tensor Pixels use minimalistic littlekernel-based boot firmware rather than UEFI and the previous Snapdragon Pixels using UEFI didn't implement this but we may need this for future devices)
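The tag selection described in the hardened_malloc entry above can be modelled in a few lines. This is an added simulation, not hardened_malloc's own code: `slab_t`, `exclusion_mask`, `slab_alloc` and the other names are hypothetical, and the `rnd` argument stands in for the hardware random tag source.

```c
#include <stdint.h>
#include <stdlib.h>

#define SLOTS 8u
#define NUM_TAGS 16u  /* 4-bit memory tags */
#define FREED_TAG 0u  /* freed slots get tag 0, leaving 1..15 for random tags */
typedef struct {
    uint8_t mem_tag[SLOTS];  /* tag on the slot's memory now (0 = freed or never used) */
    uint8_t last_tag[SLOTS]; /* current tag if live, previous tag if freed */
} slab_t;

/* Bit t set means tag t is excluded: tag 0 plus up to 3 dynamic exclusions. */
static uint16_t exclusion_mask(const slab_t *s, size_t slot) {
    unsigned mask = (1u << FREED_TAG) | (1u << s->last_tag[slot]); /* slot's previous tag */
    if (slot > 0) mask |= 1u << s->last_tag[slot - 1];             /* left neighbour */
    if (slot + 1 < SLOTS) mask |= 1u << s->last_tag[slot + 1];     /* right neighbour */
    return (uint16_t)mask;
}

/* Tag a slot on allocation, choosing uniformly among the non-excluded tags. */
static uint8_t slab_alloc(slab_t *s, size_t slot, unsigned rnd) {
    uint16_t mask = exclusion_mask(s, slot);
    uint8_t allowed[NUM_TAGS];
    unsigned n = 0;
    for (unsigned t = 0; t < NUM_TAGS; t++)
        if (!((mask >> t) & 1u)) allowed[n++] = (uint8_t)t; /* n ends up >= 12 */
    return s->mem_tag[slot] = s->last_tag[slot] = allowed[rnd % n];
}
static void slab_free(slab_t *s, size_t slot) { s->mem_tag[slot] = FREED_TAG; }
/* A tagged access succeeds only if the pointer tag matches the memory tag. */
static int access_ok(const slab_t *s, size_t slot, uint8_t tag) { return s->mem_tag[slot] == tag; }

/* Count policy violations over constructed alloc/free cycles (0 expected). */
static unsigned count_violations(unsigned rounds) {
    slab_t s = {{0}, {0}};
    unsigned bad = 0;
    for (unsigned i = 0; i < rounds; i++) {
        size_t slot = (size_t)rand() % SLOTS;
        uint8_t stale = s.last_tag[slot];               /* tag of a dangling pointer */
        uint16_t mask = exclusion_mask(&s, slot);
        slab_free(&s, slot);
        if (stale && access_ok(&s, slot, stale)) bad++; /* use after free */
        uint8_t tag = slab_alloc(&s, slot, (unsigned)rand());
        if ((mask >> tag) & 1u) bad++;                  /* excluded tag was picked */
        if (stale && access_ok(&s, slot, stale)) bad++; /* use after reuse */
    }
    return bad;
}

int main(void) { return count_violations(10000) ? 1 : 0; }
```

Because freed memory carries tag 0 and a reused slot never gets its previous tag back, a dangling pointer mismatches both before and after reuse, while the neighbour exclusions keep a linear overflow into an adjacent slot from landing on a matching tag.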