Releases

About the releases

These releases are available as both tags in the source code repositories and official builds.

The factory images are used for the initial installation and can be verified with signify. See the installation page for details.

GrapheneOS uses automatic over-the-air updates, but full update packages are listed below for uncommon use cases like never connecting the device to the internet. A full update package can upgrade from any past version to the new version. The over-the-air updates use delta update packages when available. Those aren't currently linked below but may be in the future once they're being used more consistently. Update packages are not for performing the initial installation and you should ignore incorrect guides trying to use them to install the OS.

The update packages have an internal signature verified by the update client (or by recovery when sideloading). Downgrade attacks are also prevented, and downgrades cannot be done unless a special downgrade update package has been signed with the release key. The internal payload for update_engine is also signed, providing another layer of signature verification and downgrade protection. Verified boot and the hardware-backed keystore also act as a final layer of protection.

Releases are tested by the developers and are then pushed out via the Beta channel. The release is then pushed out via the Stable channel after being tested by some users using the Beta channel. In some cases, problems are caught during Beta channel testing and a new release is made via the Beta channel to replace the aborted one. In general, it's not possible to downgrade unless a downgrade update package is generated, so use the Stable channel if you cannot tolerate dealing with temporary issues while a new release for the Beta channel is being created.

Release announcements

Releases are announced on this page (including via an Atom feed), via our @GrapheneOS Twitter account, on the official subreddit and in the official #grapheneos IRC channel on irc.freenode.net, which is bridged with the #grapheneos:matrix.org room on Matrix. A release announcement indicates that the source code tags are available and that the official builds will soon be pushed out via the Beta channel.

Stable channel

Pixel 5

Version: RQ1A.210205.004.2021.02.19.15

Pixel 4a (5G)

Version: RQ1A.210205.004.2021.02.19.15

Pixel 4a

Version: RQ1A.210205.004.2021.02.19.15

Pixel 4 XL

Version: RQ1A.210205.004.2021.02.19.15

Pixel 4

Version: RQ1A.210205.004.2021.02.19.15

Pixel 3a XL

Version: RQ1A.210205.004.2021.02.19.15

Pixel 3a

Version: RQ1A.210205.004.2021.02.19.15

Pixel 3 XL

Version: RQ1A.210205.004.2021.02.19.15

Pixel 3

Version: RQ1A.210205.004.2021.02.19.15

Pixel 2 XL (obsolete)

Version: RQ1A.210205.004.2021.02.14.11

Pixel 2 (obsolete)

Version: RQ1A.210205.004.2021.02.14.11

Beta channel

Pixel 5

Version: RQ1A.210205.004.2021.02.19.15

Pixel 4a (5G)

Version: RQ1A.210205.004.2021.02.19.15

Pixel 4a

Version: RQ1A.210205.004.2021.02.19.15

Pixel 4 XL

Version: RQ1A.210205.004.2021.02.19.15

Pixel 4

Version: RQ1A.210205.004.2021.02.19.15

Pixel 3a XL

Version: RQ1A.210205.004.2021.02.19.15

Pixel 3a

Version: RQ1A.210205.004.2021.02.19.15

Pixel 3 XL

Version: RQ1A.210205.004.2021.02.19.15

Pixel 3

Version: RQ1A.210205.004.2021.02.19.15

Pixel 2 XL (obsolete)

Version: RQ1A.210205.004.2021.02.14.11

Pixel 2 (obsolete)

Version: RQ1A.210205.004.2021.02.14.11

Changelog

List of tagged releases. Snapshot releases without tags such as early releases of the project and early device support releases are not listed.

2021.02.26.16

Tags:

  • RQ1A.210205.004.2021.02.26.16 (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, emulator, generic, other targets)

Changes since the 2021.02.23.15 release:

  • hardened_malloc: add back workarounds for camera driver bugs on the Pixel 3, Pixel 3 XL, Pixel 3a and Pixel 3a XL

2021.02.23.15

Tags:

  • RQ1A.210205.004.2021.02.23.15 (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, emulator, generic, other targets)

Changes since the 2021.02.19.15 release:

  • Camera: set flash mode to off by default (camera flash causes a substantial delay and substantially lower image quality so it generally isn't desirable)
  • device theme: use black for settings background in the dark theme
  • drop legacy code for setting Seedvault as the enabled backup service
  • hardened_malloc: drop workarounds for camera driver bugs on the Pixel 3, Pixel 3 XL, Pixel 3a and Pixel 3a XL
  • hardened_malloc: drop workaround for USB audio bug

2021.02.19.15

Tags:

  • RQ1A.210205.004.2021.02.19.15 (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, emulator, generic, other targets)

Changes since the 2021.02.07.17 release:

  • Vanadium: update Chromium base to 88.0.4324.181
  • Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5: update APNs
  • Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5: update CarrierConfig vendor.xml
  • Auditor: update to version 24
  • Auditor: update to version 25
  • Pixel 4a: set boot security patch level to leverage the YYYY-MM-01 vs. YYYY-MM-05 distinction for attestation
  • Pixel 4a (5G), Pixel 5: complete initial device support including porting hardening features
  • kernel (Pixel 4a (5G), Pixel 5): enable slab canary feature
  • kernel (Pixel 4a (5G), Pixel 5): set correct variable for 32-bit vdso toolchain
  • kernel (Pixel 5): disable unnecessary touch driver
  • kernel (Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5): use LLVM toolchain for everything other than the assembler
  • kernel (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL): use LLVM toolchain for everything other than the assembler and target linker
  • kernel (Pixel 4a (5G), Pixel 5): use new kernel build-tools prebuilts repository

2021.02.07.17

Tags:

  • RQ1A.210205.004.2021.02.07.17 (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, emulator, generic, other targets)

Changes since the 2021.02.06.05 release:

  • fix added error reporting code for HTTPS-based network time updates
  • Seedvault: update to latest revision

2021.02.06.05

Tags:

  • RQ1A.210205.004.2021.02.06.05 (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, emulator, generic, other targets)

Changes since the 2021.02.02.09 release:

  • Vanadium: update Chromium base to 88.0.4324.152
  • rework the GrapheneOS HTTPS-based network time updates to enforce certificate expiry based on the OS build date for the whole certificate chain to avoid failing to fix significant time sync issues while still having a reasonable expiry check

2021.02.02.09

Tags:

Changes since the 2021.01.23.03 release:

  • full 2021-02-01 security patch level
  • full 2021-02-05 security patch level
  • rebased onto RQ1A.210205.004 release
  • Vanadium: update Chromium base to 88.0.4324.141
  • kernel (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL): make more data read-only per newer device kernels

2021.01.23.03

Tags:

Changes since the 2021.01.05.03 release:

  • device theme: use slightly different accent color for the dark theme
  • Dialer: add carrier-specific visual voicemail configurations
  • Vanadium: update Chromium base to 87.0.4280.141
  • Vanadium: update Chromium base to 88.0.4324.93
  • kernel (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a): use UTC for kernel timestamp to make reproducible builds easier
  • kernel (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a): update toolchain's toybox prebuilt for various fixes including fixing an issue with the date command causing a build reproducibility issue
  • kernel (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a): apply upstream patch avoiding truncation of kernel debug symbol names generated when using Clang type-based CFI
  • adjust kernel configuration tests to permit disabling dynamic kernel modules for new kernel variants
  • fix dark theme issue with Settings app search panel
  • Camera2: backport fix for interaction with lockscreen
  • Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a: update APNs with carriersettings-extractor
  • Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a: add CarrierConfig vendor.xml from the stock OS with entries depending on Google and carrier apps stripped out

2021.01.05.03

Tags:

Changes since the 2020.12.12.03 release:

  • full 2021-01-01 security patch level
  • full 2021-01-05 security patch level
  • rebased onto RQ1A.210105.003 release
  • Settings: update GrapheneOS connectivity check URLs to match NetworkStack
  • Camera: remove unused Wi-Fi state permissions
  • Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a: update APNs with carriersettings-extractor
  • adjust kernel configuration tests to permit not having BPF_JIT since we don't have it enabled
  • add check for empty TTS engine name to address upstream bug
  • Vanadium: enable split cache by default
  • Vanadium: add back legacy media file access support for now
  • Vanadium: rename WebView and library apps based on the vanadium.app domain
  • Seedvault: update to latest revision
  • remove unnecessary vendor overlays
  • SetupWizard: change OS name to GrapheneOS for backup activity strings again
  • fix use-after-free in adbd authentication which was breaking support for persistently trusting keys due to zero-on-free
  • device theme: use blue accent color
  • replace default AOSP wallpaper with a solid black wallpaper — may get a bit fancier in the near future
  • update round icon mask
  • Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a: always use dark theme for boot chain firmware
  • Pixel 3a, Pixel 3a XL: disable unused dynamic kernel module support to match other devices
  • Updater: disconnect keepalive connection when service is done

2020.12.12.03

Tags:

Changes since the 2020.12.08.08 release:

  • Vanadium: disable WebView variations support
  • SetupWizard: update to latest upstream code
  • NetworkStack: switch to grapheneos.network for connectivity checks to improve compatibility with captive portals lacking support for the built-in login interface (HSTS preloading for grapheneos.org breaks the fallback browser login notification)

2020.12.08.08

Tags:

Changes since the 2020.11.27.15 release:

  • full 2020-12-01 security patch level
  • full 2020-12-05 security patch level
  • rebased onto RQ1A.201205.010 release
  • script: support any number of source versions for deltas
  • set read timeout for HTTPS network time connections
  • disable keepalive for HTTPS network time connections
  • always disconnect HTTPS network time connections
  • remove unnecessary Accept-Charset header for HTTPS network time requests
  • Vanadium: ask permission to play protected media by default
  • Vanadium: disable autofill server communication by default
  • Vanadium: update Chromium base to 87.0.4280.86
  • Vanadium: update Chromium base to 87.0.4280.101
  • Settings: remove partial MAC randomization translations
  • Auditor: update to version 23
  • downstream fix for VPN lockdown being overridden when stopping users replaced by upstream fix

2020.11.27.15

Tags:

Changes since the 2020.11.25.22 release:

  • Vanadium: disable autofill assistant by default (restores previous Vanadium behavior)
  • Vanadium: backport upstream fix for missing manifest changes (this fixes issues with opening URLs in external apps)
  • Vanadium: disable component updater pings by default
  • Settings: disallow configuring connectivity checks for users disallowed to configure Private DNS by the administrator (in theory, it could be a separate option, but we need to use one that's already part of the public API)

2020.11.25.22 preview

Tags:

Changes since the 2020.11.05.18 release:

  • PDF Viewer: update to version 6
  • NFC: backport compatibility fix for certain broken apps from AOSP master
  • Bluetooth: backport fix for Bluetooth capacity string
  • Vanadium: update Chromium base to 86.0.4240.198
  • Vanadium: update Chromium base to 87.0.4280.66
  • Vanadium: disable new high-level functionality for fetching variations
  • Vanadium: disable unused Omaha update check support
  • Vanadium: disable GaiaAuthFetcher code due to upstream bug
  • Vanadium: disable deprecated FTP support by default
  • Pixel 4 XL: correctly mark certain unsupported features as unavailable per the Pixel 4
  • Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a: use device-specific NFC configuration
  • add initial runtime flags handling for exec-based spawning to improve compatibility
  • Pixel 3, Pixel 3 XL, Pixel 4, Pixel 4 XL, Pixel 4a: disable chained vbmeta to simplify verified boot and improve attestation (Pixel 3a and Pixel 3a XL never used this)
  • Seedvault: update to latest revision
  • NetworkStack: remove change to connectivity check handling that's no longer required with Android 11
  • use GrapheneOS connectivity check server by default for connectivity checks in the OS
  • Settings: add setting to toggle between GrapheneOS connectivity check server and the standard Android connectivity check URLs to continue supporting blending in with other Android devices without a VPN
  • Updater: remove unused READ_PHONE_STATE permission

2020.11.05.18

While waiting for this release to become available, you can manually add a battery optimization exemption for the Clock app via Settings ➔ Apps & notifications ➔ Special app access ➔ Battery optimization where you can select "All apps", scroll down to the Clock app and manually add an exemption. Should get this added upstream.

Tags:

Changes since the 2020.11.03.03 release:

  • Clock: add battery optimization exemption required for the new target API level (this is missing in AOSP)

2020.11.03.03

Pixel 2 and Pixel 2 XL support will now be provided via separate extended support releases for obsolete devices. We'll be making the first one based on an official release in the near future. They can only reach the 2020-11-01 security patch this month due to the lack of a release with changes outside the scope of AOSP such as new GPU firmware.

Tags:

Changes since the 2020.10.23.04 release:

  • full 2020-11-01 security patch level
  • full 2020-11-05 security patch level
  • rebased onto RP1A.201105.002 release
  • Vanadium: update Chromium base to 86.0.4240.110
  • Vanadium: update Chromium base to 86.0.4240.114
  • Vanadium: update Chromium base to 86.0.4240.185
  • Vanadium: enable prefetch privacy changes by default
  • Vanadium: enable reduced referrer granularity by default
  • Camera: request fine location instead of coarse location for the disabled-by-default geotagging feature
  • Camera: remove unused INTERNET permission
  • Clock: apply assorted fixes from upstream
  • add explicit detection of fastboot being missing to the factory images flash-all scripts
  • Gallery: apply upstream fix from NXP for null pointer dereference bug
  • Auditor: update to version 22
  • script: make generate_deltas ask for the password only once
  • enable screenshot action for 3 button nav too (the upstream release limited it to being enabled for 2 button navigation)

2020.10.23.04

Tags:

Changes since the 2020.10.06.02 release:

  • Vanadium: update Chromium base to 86.0.4240.75
  • Vanadium: update Chromium base to 86.0.4240.99
  • Vanadium: remove deprecated, unused storage permissions
  • replace standard WebView with Vanadium WebView again
  • Pixel 4, Pixel 4 XL: disable unsupported aware feature so that ambient display is available
  • Seedvault: switch to upstream development branch now that it supports Android 11
  • SELinux policy: port hardening from Android 10
  • hardened_malloc: log fatal errors (detected memory corruption bugs) to Android's log system
  • fix minor issues with Android 11 port of Wi-Fi and Bluetooth quick tile unlock requirement
  • kernel (Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, Pixel 4a): apply Bluetooth fixes from the stable kernel branch including fixes for CVE-2020-12351, CVE-2020-12352 and CVE-2020-24490
  • improve experimental support for the Pixel 4a including porting most device-specific changes implemented for other devices

2020.10.06.02

Tags:

Changes since the 2020.10.01.23 release:

  • full 2020-10-01 security patch level
  • full 2020-10-05 security patch level
  • rebased onto RP1A.201005.006 release
  • hardened_malloc: optimize and harden initialization sanity checks
  • work around upstream bug causing null pointer crashes from media notifications in secondary profiles
  • enable secondary user logout support by default (purges credential encrypted storage keys from memory)
  • add back screenshot action to global action list as an alternative to the key chord (power button + volume down) and screenshot button in the gesture navigation recent apps list
  • reject received unix timestamps before build unix time for HTTPS-based network time implementation
  • Clock: apply fixes for various upstream issues
  • Updater: harden PendingIntent usage

2020.10.01.23

Tags:

Changes since the 2020.09.29.20 release:

  • Pixel 4 (non-XL): stop overriding default Bluetooth toggle to disable it by default like other devices
  • use otatools.zip for generating delta updates
  • Settings: fix integration of LTE only mode option to preferred network setting
  • Auditor: update to version 21

2020.09.29.20

Tags:

Changes since the 2020.09.25.00 release:

  • add overlay to show 2 button navigation option in Settings again
  • Calculator: gesture compatibility fix
  • Auditor: update to version 20
  • WebView: update to 85.0.4183.120
  • WebView: update to 85.0.4183.127
  • Vanadium: update Chromium base to 85.0.4183.127
  • fix syncing time for the port of our HTTPS-based network time update implementation to Android 11
  • stop using dedicated keys for signing OsuLogin and ServiceWifiResources rather than simply using the regular testkey/releasekey

2020.09.25.00

Tags:

Changes since the 2020.09.18.13 release:

  • fix Wi-Fi MAC randomization settings for translations that were missing our added option
  • Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL: add missing configuration for biometric sensors in Android 11
  • fix upstream bug in the NFC quick settings tile for Android 11 breaking it after reboot
  • fix NFC quick settings tile icon handling for Android 11
  • Settings: fix upstream NFC preference so that it listens for changes and can see it being toggled via the NFC tile
  • Vanadium: update Chromium base to 85.0.4183.120
  • Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL: update APNs with carriersettings-extractor
  • add back SetupWizard
  • Settings: fix launching WifiSettings

We're no longer going to be listing out restored past features in a separate section for the release notes.

2020.09.18.13 preview

Tags:

Changes since the 2020.09.11.14 release:

  • initial port to Android 11 with most GrapheneOS changes ported over (missing most SELinux policy hardening, some Pixel 4 / 4 XL kernel side channel mitigations, finer-grained Pixel 4 kernel Control Flow Integrity and the setup wizard)
  • full 2020-09-05 security patch level
  • temporarily use stock WebView until the next release of Chromium is available with public support for Android 11 to provide the WebView via Vanadium again
  • fix VPN lockdown setting getting overridden on user stop
  • SELinux policy: disable gmscore_app domain
  • SELinux policy: use dedicated SELinux domain for Updater app based on the modern untrusted_app domain
  • stop disabling support for stable local privacy addresses since Android 11 handles it better by only using it when MAC randomization is disabled
  • update to a new version of Seedvault for Android 11
  • build and use otatools.zip for signing releases instead of an ad-hoc approach
  • Auditor: update to version 19
  • Updater: update targetSdkVersion to 30
  • disable Scudo on 64-bit since we use the substantially more secure hardened_malloc
  • fully replace jemalloc with Scudo on 32-bit
  • hardened_malloc: improve stats implementation

Installations made before this project was renamed to GrapheneOS and before the first official release of the Android Hardening project will be forced to factory reset as part of this upgrade, due to lack of backwards compatibility with the unaltered AOSP encryption format.

2020.09.11.14

Tags:

  • QQ3A.200805.001.2020.09.11.14 (Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, emulator, generic, other targets)

Testing the Android 11 kernels was useful, but we weren't able to ship the previous release due to issues uncovered during testing. The Android 11 kernels have minor backwards incompatible changes in the drivers for at least a subset of the devices so we'll need to ship them with the rest of the changes. Thanks to our testers for helping us with this. This will be the new final Android 10 release, assuming no further problems are uncovered during testing.

Changes since the 2020.09.10.05 release:

  • revert to using the Android 10 kernels on the devices that were switched over early due to backwards incompatible changes in some drivers

2020.09.10.05 preview

Tags:

  • QQ3A.200805.001.2020.09.10.05 (Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, emulator, generic, other targets)

This should be the final GrapheneOS release based on Android 10. It ships the device-independent monthly security patches and migrates over to using the Android 11 branch of the GrapheneOS kernels for most devices, which brings all the upstream kernel hardening in Android 11 along with the full September kernel updates. The remaining patches for the full 2020-09-05 patch level require finishing the migration to Android 11 in order to ship the September update for the other device support code. It's possible we could ship some of this early, but instead we're going to be focusing on finishing the enormous task of migrating to Android 11. Further help with bringing up support for the devices with Android 11 and porting over each of the GrapheneOS hardening features to it would be greatly appreciated. Donations are also extremely helpful. GrapheneOS has brought on another full time developer using donated funds and there are 3 part time developers helping with Android 11.

Changes since the 2020.08.07.01 release:

  • full 2020-09-01 security patch level
  • partial 2020-09-05 security patch level (missing userspace device support changes until port to Android 11 is finished)
  • Vanadium: update Chromium base to 84.0.4147.125
  • Vanadium: update Chromium base to 85.0.4183.81
  • Vanadium: update Chromium base to 85.0.4183.101
  • Vanadium: remove unused learn more link from Incognito page
  • recovery: reject updates with serialno constraints to match the GrapheneOS Updater app
  • kernel (Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL): update base kernel to Android 11
  • SetupWizard: update to latest upstream code
  • conscrypt: drop temporary upstream revert of version code which was accidentally kept during a rebase
  • backport fix for USB audio regression from Android 11

Restoration of past features since the 2020.07.06.20 release:

  • kernel (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL): enable intra-object FORTIFY_SOURCE overflow checks

2020.08.07.01

Tags:

  • QQ3A.200805.001.2020.08.07.01 (Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, emulator, generic, other targets)

Changes since the 2020.08.03.22 release:

  • SELinux policy: fix executing apk libraries as executables for third party applications

2020.08.03.22

Tags:

  • QQ3A.200805.001.2020.08.03.22 (Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, emulator, generic, other targets)

Changes since the 2020.07.06.20 release:

  • full 2020-08-01 security patch level
  • full 2020-08-05 security patch level
  • rebased onto QQ3A.200805.001 release
  • fix build for Pixel 3 when Pixel 3 XL kernel is not built
  • fix secondary stack hardening when a non-page-size multiple stack size is specified
  • fix picking up previous build date when doing incremental builds
  • Vanadium: update Chromium base to 84.0.4147.89
  • Vanadium: update Chromium base to 84.0.4147.105
  • Vanadium: update Chromium base to 84.0.4147.111
  • Vanadium: remove Chromium logo in chrome://version

Restoration of past features since the 2020.07.06.20 release:

  • kernel (Pixel 4, Pixel 4 XL): read-only data expansion

2020.07.06.20

Tags:

  • QQ3A.200705.002.2020.07.06.20 (Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, emulator, generic, other targets)

Changes since the 2020.06.22.21 release:

  • full 2020-07-01 security patch level
  • full 2020-07-05 security patch level
  • rebased onto QQ3A.200705.002 release
  • change TrichromeLibrary package name
  • drop MAC randomization preference migration code
  • Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL: update APNs with carriersettings-extractor
  • disable network time refresh when network time is disabled (previous behavior inherited from upstream)
  • kernel (Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL): make reproducible builds simpler
  • kernel (Pixel 4, Pixel 4 XL): use max mmap entropy by default to cover init

Restoration of past features since the 2020.06.22.21 release:

  • kernel (Pixel 4, Pixel 4 XL): enable UNMAP_KERNEL_AT_EL0 Meltdown mitigation (KPTI)
  • kernel (Pixel 4, Pixel 4 XL): enable ARM64_SSBD Spectre v4 mitigation
  • kernel (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL): enable PANIC_ON_OOPS
  • kernel (Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL): set PANIC_TIMEOUT to -1
  • kernel (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL): disable SECURITY_SELINUX_DEVELOP

2020.06.22.21

Tags:

Changes since the 2020.06.02.02 release:

  • SystemUI: handle non-SRGB wallpapers
  • Vanadium: update Chromium base to 83.0.4103.96
  • Vanadium: update Chromium base to 83.0.4103.101
  • Vanadium: update Chromium base to 83.0.4103.106
  • script/generate_metadata.py: add channel name to update channel metadata
  • Updater: sanity check channel name in update channel metadata
  • Updater: raise minSdkVersion to 29
  • Updater: extract care_map.pb rather than care_map.txt
  • Updater: use a different zip for streaming updates (still an experimental / hidden feature)
  • disable RFC 7217 support (stable link-local IPv6 privacy addresses) and stick to link-local IP addresses based on the (random) MAC addresses
  • SetupWizard: update to latest upstream code
  • SetupWizard: use system captive portal URL, rather than a custom Google URL
  • NetworkStack: ignore captive portal fallbacks when one is set at runtime
  • factory images flash-all script: reboot to bootloader after installing update
  • make_key: use 4096-bit RSA keys
  • script/release.sh: auto-detect AVB algorithm to support 4096-bit RSA keys for verified boot
  • add experimental Pixel 4 and Pixel 4 XL support
  • Auditor: update to version 18

Restoration of past features since the 2020.06.02.02 release:

  • kernel (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL): add back FORTIFY_SOURCE enhancements
  • kernel (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL): add back userspace ASLR improvements

2020.06.02.02

Tags:

Changes since the 2020.05.29.00 release:

  • full 2020-06-01 security patch level
  • full 2020-06-05 security patch level
  • rebased onto QQ3A.200605.002 release
  • Vanadium: update Chromium base to 83.0.4103.83
  • factory images: add fastboot version detection to flash-all.bat on Windows

2020.05.23.12

Tags:

Changes since the 2020.05.05.02 release:

  • kernel (Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL): use Clang for compiling code for the host too
  • kernel (Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL): add build-tools prebuilts to PATH to reduce external dependencies and avoid potential reproducibility issues
  • add build-tools prebuilts to PATH in the release signing and delta generation scripts to reduce external dependencies and avoid potential reproducibility issues
  • fix upstream bug relying on malloc addresses for sort order of 3 items, causing Bluetooth A2DP audio to fail 2/3 of the time with hardened_malloc when the expected item isn't first
  • use the same datetime for build number and build date
  • always use UTC as the time zone for build dates
  • update GrapheneOS fork of android-prepare-vendor to the collaborative AOSPAlliance fork
  • raise minimum supported API level to 28 from 23, producing a warning for apps targeting API < 28 (the Play Store disallows uploading new apps or app updates targeting API < 28 so this isn't an aggressive warning)
  • Vanadium: update Chromium base to 81.0.4044.138
  • Vanadium: update Chromium base to 83.0.4103.60
  • Vanadium: disable media DRM preprovisioning
  • Vanadium: use the most private WebRTC IP handling policy by default
  • set SCHED_BATCH in the kernel build scripts

Restoration of past features since the 2020.05.05.02 release:

  • Settings: allow disabling Vanadium browser app via the Settings UI now that Trichrome (browser, WebView, shared library) has replaced Monochrome (monolithic app) for providing the WebView without having 2 copies of the browser engine

2020.05.05.02

Tags:

Changes since the 2020.04.14.23 release:

  • full 2020-05-01 security patch level
  • full 2020-05-05 security patch level
  • rebased onto QQ2A.200501.001.B3 release
  • Vanadium: update Chromium base to 81.0.4044.111
  • Vanadium: update Chromium base to 81.0.4044.117
  • disable safe volume feature everywhere instead of only the US
  • hardened_malloc: implement slab allocation memory corruption checks for malloc_usable_size
  • set SCHED_BATCH in the build system and release generation scripts instead of the interactive shell
  • use more sensible factory images zip naming scheme
  • Settings: add missing title for top_level_settings to fix showing it as null in search results

Restoration of past features since the 2020.04.14.23 release:

  • Vanadium: use 64-bit Trichrome browser processes

2020.04.14.23

Tags:

Changes since the 2020.04.13.21 release:

  • Settings: adjust wifi_privacy_values to the new values
  • Settings: remove unnecessary workaround for MAC randomization preference
  • Settings: tweak MAC randomization preference wording

2020.04.13.21

Tags:

Changes since the 2020.04.07.10 release:

  • Vanadium: update Chromium base to 81.0.4044.96
  • Vanadium: remove unsupported password leak detection option
  • Vanadium: expand automated string rebranding
  • Vanadium: remove Google prefix from storage settings label
  • reword random MAC options to make them clearer
  • start the final phase of the migration process for random MAC preference values
  • generate manifests for stable releases directly referencing revisions by hash instead of tag name to simplify signature verification for the sources

Restoration of past features since the 2020.04.07.10 release:

  • globally enable -ftrivial-auto-var-init=zero rather than porting our downstream -fsanitize=local-init feature
  • kernel (Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL): globally enable -ftrivial-auto-var-init=zero rather than porting our downstream -fsanitize=local-init feature
  • Vanadium: enable -ftrivial-auto-var-init=zero rather than porting our downstream -fsanitize=local-init feature

2020.04.07.10

Tags:

Changes since the 2020.03.23.22 release:

  • full 2020-04-01 security patch level
  • full 2020-04-05 security patch level
  • rebased onto QQ2A.200405.005 release
  • Pixel 3a, Pixel 3a XL: fix SystemUI paths in memory pinning configuration
  • only include Updater app when OFFICIAL_BUILD=true is set in the environment to avoid accidental use of the default update server with unofficial builds that are not compatible
  • Vanadium: update Chromium base to 80.0.3987.162
  • PDF Viewer: update to version 3
  • update SELinux policy for officially supported devices based on isolated_app domain split
  • raise protected_fifos / protected_regular from 1 (world-writable directories) to 2 (group-writable directories too)
  • remove use of "Hey Google" as an example feature for battery saver in Settings

2020.03.23.22

Tags:

Changes since the 2020.03.04.16 release:

  • integrate Seedvault backup app as the default backup service
  • integrate SetupWizard app to support restoring with Seedvault and other initial setup
  • Vanadium: disable unused safe browsing feature by default (Safe Browsing is currently a no-op due to the lack of Play services, and support for using the local database backend hasn't been implemented. Various changes would be needed to make it available and to make sure that privacy is preserved.)
  • Vanadium: disable unused Google VR support
  • Vanadium: disable content feed suggestions by default
  • Vanadium: update Chromium base to 80.0.3987.149
  • Settings: fix broken upstream MAC randomization value mapping uncovered by the always randomize option value
  • make_key: use scrypt for key derivation used to encrypt keys
  • add script/encrypt_keys.sh and script/decrypt_keys.sh for handling key encryption
  • improve UX, performance and algorithm support for encrypted keys in script/release.sh and script/generate_delta.sh
  • dexpreopt: disable BOARD_USES_SYSTEM_OTHER_ODEX for mainline devices, which was causing odex files to be unintentionally omitted from the system image for modern devices
  • dexpreopt: use speed filter for boot images and non-prebuilts rather than unintentionally only setting it for prebuilts
  • dexpreopt: disable pre-optimization for apps bundled by android-prepare-vendor to work around unresolved issues with conflicting inlined definitions

2020.03.04.16

Tags:

Changes since the 2020.03.03.03 release:

  • Vanadium: backport upstream fix for Android 10 downloads
  • Vanadium: update Chromium base to 80.0.3987.132
  • Settings: avoid overriding MAC address with random persistent MAC address when viewing MAC address
  • finish porting support for per-connection random MAC rather than using the per-network random address

2020.03.03.03

Tags:

Changes since the 2020.02.07.19 release:

  • full 2020-03-01 security patch level
  • full 2020-03-05 security patch level
  • rebased onto QQ2A.200305.002 release
  • use time.grapheneos.org instead of grapheneos.org for HTTPS-based time updates
  • Vanadium: migrate to Trichrome for unified builds of separate browser and WebView apps with a shared library app
  • Vanadium: use org.grapheneos.vanadium.webview instead of com.android.webview as the WebView package name
  • Vanadium: rename WebView to Vanadium System WebView from Android System WebView
  • Vanadium: update Chromium base to 80.0.3987.99
  • Vanadium: update Chromium base to 80.0.3987.117
  • Vanadium: update Chromium base to 80.0.3987.119
  • SELinux policy: remove base system app apk_data_file execute
  • SELinux policy: remove zygote access to apk_data_file

Restoration of past features since the 2020.02.07.19 release:

  • Vanadium: stop replacing signature from the Vanadium signing key with the OS release key
  • Settings: add back control over camera access while the screen is locked
  • fix MAC randomization after reboot for the always randomize MAC option
  • SELinux policy: split out base system untrusted_app (normal unprivileged apps) and isolated_app (isolatedProcess sandbox) SELinux policy domains for future work
  • SELinux policy: remove base system app execmod
  • SELinux policy: remove base system app execmem
  • SELinux policy: remove base system app execute_no_trans
  • SELinux policy: remove base system app app_data_file execute
  • SELinux policy: remove base system app ashmem execute
  • SELinux policy: remove base system app tmpfs execute
  • SELinux policy: remove zygote execmem
  • SELinux policy: remove system_server_startup domain
  • add LTE only mobile network configuration option

2020.02.07.19

Tags:

Changes since the 2020.02.04.01 release:

  • rebuild crosshatch kernel to correct build environment issue
  • Vanadium (including WebView): update Chromium base to 80.0.3987.87
  • Vanadium (including WebView): drop partially working AImageReader workarounds
  • fully work around bug with AImageReader caught by CFI on 64-bit to fix crashes during video rendering in Vanadium, Bromite, etc.

Restoration of past features since the 2020.02.04.01 release:

  • WebView: use Vanadium WebView as provider

2020.02.04.01

Tags:

Changes since the 2019.01.06.21 release:

  • full 2020-02-01 security patch level
  • full 2020-02-05 security patch level
  • rebased onto QQ1A.200205.002 release
  • remove obsolete Email app
  • Vanadium: update Chromium base to 79.0.3945.116
  • WebView: update to 79.0.3945.116
  • Vanadium: update Chromium base to 79.0.3945.136
  • WebView: update to 79.0.3945.136
  • Vanadium: fully disable AImageReader to fix remaining issues with video playback uncovered by CFI on 64-bit
  • Settings: fix MAC randomization setting for other locales by removing incomplete translations

Restoration of past features since the 2019.01.06.21 release:

  • add PIN scrambling feature

2020.01.06.21

Tags:

Changes since the 2019.12.02.23 release:

  • full 2020-01-01 security patch level
  • full 2020-01-05 security patch level
  • rebased onto QQ1A.200105.002 release
  • Vanadium: update Chromium base to 79.0.3945.93
  • Vanadium: disable hiding trivial subdomains
  • WebView: update to 79.0.3945.93
  • add the option to randomize the MAC address for each connection instead of per-network
  • authenticated network time updates via HTTPS

Restoration of past features since the 2019.12.02.23 release:

  • Settings: expose control over USB peripheral denial feature

2019.12.02.23

Tags:

Changes since the 2019.11.05.23 release:

  • full 2019-12-01 security patch level
  • full 2019-12-05 security patch level
  • rebased onto QQ1A.191205.011 release
  • Pixel 3a, Pixel 3a XL: fix userspace hw_random stirring service
  • Vanadium: update Chromium base to 78.0.3904.96
  • WebView: update to 78.0.3904.96
  • Vanadium: update Chromium base to 78.0.3904.108
  • WebView: update to 78.0.3904.108
  • Auditor: update to version 17
  • QuickSearchBox: disable widget
  • QuickSearchBox: disable launcher icon
  • Launcher: rebranding
  • require unlocking to use work tile

2019.11.04.23

Tags:

Changes since the 2019.09.25.00 release:

  • full 2019-11-01 security patch level
  • full 2019-11-05 security patch level
  • rebased onto QP1A.191105.004 release
  • Settings: disable legacy suggestions mode
  • recovery: GrapheneOS branding for fastboot mode
  • Vanadium: update Chromium base to 77.0.3865.116
  • WebView: update to 77.0.3865.116
  • Vanadium: update Chromium base to 78.0.3904.62
  • WebView: update to 78.0.3904.62
  • Vanadium: update Chromium base to 78.0.3904.90
  • WebView: update to 78.0.3904.90
  • kernel (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL): mark functions with address taken via assembly (this fixes compatibility with CFI in a build with !CONFIG_MODULES)
  • protect static TLS from stack buffer overflows
  • drop legacy Pixel and Pixel XL support due to absence of any GrapheneOS device maintainers, the end of vendor support and an increasingly large security gap with current generation devices for the hardware, firmware and device / generation specific software

Restoration of past features since the 2019.09.25.00 release:

  • Bluetooth: add alloc_size attribute to OSI allocator
  • protect pthread_internal_t from stack buffer overflows
  • add secondary stack randomization
  • kernel (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL): disable dynamic kernel module support (resulting in substantially improved CFI granularity)

2019.10.07.21

Tags:

Changes since the 2019.09.25.00 release:

  • full 2019-10-01 security patch level
  • full 2019-10-05 security patch level
  • full 2019-10-06 security patch level
  • rebased onto QP1A.191005.007.A1 release
  • add changes to support disabling full preloading with exec spawning to the public libcore API
  • add OTHER_SENSORS to the public frameworks/base API
  • Messaging app: fix notifications with a backport
  • Vanadium: switch back to ChromeModern (standalone browser app) from Monochrome (monolithic browser + WebView app, no longer supported for Android 10) until Vanadium is moved to Trichrome (separate browser and WebView apps with a third shared library app)
  • unified kernel tree (kernel/google/crosshatch) for Pixel 3, Pixel 3 XL, Pixel 3a and Pixel 3a XL

Restoration of past features since the 2019.09.25.00 release:

  • begin generating / uploading delta updates from the last release to the current release

2019.09.25.00

Tags:

Changes since the 2019.09.23.19 release:

  • update to QP1A.190711.020.C3 bug fix release
  • fix granting Network and Sensors permissions at install time
  • fix wording for Network permission group

2019.09.23.19

Tags:

  • QP1A.190711.020.2019.09.23.19 (Pixel, Pixel XL, Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, emulator, generic, other targets)

Changes since the 2019.09.21.18 release:

  • disable enforcing Runtime Resource Overlays for baseline overlays to work around incompatibility with exec spawning
  • enable exec spawning for com.android.phone again

2019.09.21.18 preview

Tags:

  • QP1A.190711.020.2019.09.21.18 (Pixel, Pixel XL, Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, emulator, generic, other targets)

Changes since the 2019.09.18.14 release:

  • Settings: use Mainline branding for APEX components
  • Vanadium: update Chromium base to 77.0.3865.92
  • WebView: update to 77.0.3865.92
  • temporarily disable exec spawning for com.android.phone
  • Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, mainline: disable updatable apex for simplicity
  • Pixel 2, Pixel 2 XL: enable increased system.img inode count
  • script: replace networkstack key

2019.09.18.14 preview

Tags:

  • QP1A.190711.020.2019.09.18.14 (Pixel, Pixel XL, Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, emulator, generic, other targets)

Changes since the 2019.08.25.15 release:

  • full port to Android 10 with some exceptions (listed below)
  • full 2019-08-05 security patch level
  • full 2019-09-01 security patch level
  • full 2019-09-05 security patch level
  • temporarily add back standalone WebView (77.0.3865.73) until Vanadium supports it for Android 10
  • Vanadium: update Chromium base to 76.0.3809.132
  • Vanadium: update Chromium base to 77.0.3865.73
  • Updater: update targetSdkVersion to 29
  • retrofit dynamic partitions for Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL
  • disable GSI keys
  • kernel (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL): temporarily disable slab canary implementation until an issue is narrowed down and addressed
  • kernel (Pixel 3, Pixel 3 XL): temporarily re-enable dynamic kernel module support until an issue is narrowed down and addressed (no dynamic kernel modules are ever actually loaded but something breaks internally with it disabled)
  • add guard page between the stack and the new static TLS region
  • bionic: pthread_internal_t changes have not yet been ported over so that feature is temporarily gone

2019.08.25.15

Tags:

Changes since the 2019.08.05.19 release:

  • add missing privileged permission whitelist for SdkSetup in SDK emulator builds
  • set up Vanadium for other architectures (arm, x86, x86_64)
  • hardened_malloc (GrapheneOS only): remove workaround for use-after-free in the citadel (Titan M) driver's key attestation support since it was fixed upstream
  • hardened_malloc: update libdivide to 2.0
  • Vanadium (browser and WebView): update Chromium base to 76.0.3809.111
  • Vanadium: redirect settings help icon
  • Vanadium: set default search engine to DuckDuckGo
  • apply partial fix for package manager original-package feature
  • PDF Viewer: update to version 2
  • Auditor: update to version 16
  • add Vanadium to the apps that cannot be disabled via Settings (can still be disabled) since the warning isn't enough to deter people from unknowingly breaking apps using the WebView
  • Updater: add settings entry to manually trigger check for updates
  • Updater: reschedule update check job on channel change
  • arm, x86 and x86_64 are now supported / tested architectures
  • generic and emulator build targets are now supported / tested for development usage (not suitable for secure production releases)

2019.08.05.19

Tags:

Changes since the 2019.07.16.22 release:

  • full 2019-08-01 security patch level
  • partial 2019-08-05 security patch level (not yet fully available)
  • Vanadium (browser and WebView): update Chromium base to 76.0.3809.89
  • Vanadium: expand string rebranding including covering translations
  • Vanadium: rename Sync and Google services to Services
  • Vanadium: remove data reduction preference
  • Vanadium: remove translate offer preference
  • Vanadium: remove sync preferences
  • Vanadium: remove navigation error preference
  • Vanadium: remove safe browsing reporting preference
  • Vanadium: remove usage and crash reports preference
  • Vanadium: remove url keyed anonymized data preference
  • Vanadium: disable contextual search by default
  • Vanadium: remove redundant services preference category
  • Vanadium (browser and WebView): use a unified Vanadium signing key instead of the device-specific release key
  • rename WebView provider to Vanadium
  • SELinux policy: label protected_{fifos,regular} as proc_security (this is needed for init to override the default values)

2019.07.16.22

Tags:

Changes since the 2019.07.01.21 release:

  • Vanadium (browser and WebView): update Chromium base to 75.0.3770.143
  • Vanadium: disable media router media remoting by default
  • Vanadium: disable media router by default (avoids triggering the warning about not having Play services)
  • Vanadium: remove Help & feedback menu entry
  • Vanadium: further string rebranding from Chromium / Chrome to Vanadium
  • Vanadium: disable unused reporting feature at compile-time
  • Vanadium: disable unused remoting feature at compile-time
  • Vanadium (browser and WebView): move from external/chromium to external/vanadium in the GrapheneOS source tree and rename module from Chromium to Vanadium
  • Vanadium: disable offering translations by default
  • Vanadium: disable prefetching suggested pages by default
  • Vanadium: disable browser sign in feature by default
  • Vanadium: disable safe browsing reporting opt-in by default
  • extend release.sh to call the script for signing factory images
  • extend release.sh to call the script for generating update channel metadata
  • kernel build script (Pixel, Pixel XL, Pixel 3a, Pixel 3a XL): verify that no arguments are passed
  • kernel build script (Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL): verify that a single argument (device variant) is passed
  • enable kernel mitigations for file spoofing

Restoration of past features since the 2019.07.01.21 release:

  • Vanadium (browser and WebView): enable type-based CFI for virtual calls
  • enable kernel mitigations for link races
  • kernel (Pixel 2, Pixel 2 XL): backport fixes for SLAB_FREELIST_RANDOM
  • kernel (Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL): enable SLAB_FREELIST_RANDOM
  • kernel (Pixel 2, Pixel 2 XL): backport slub dynamic DEBUG_PAGEALLOC setting
  • kernel (Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL): backport slub free list pointer obfuscation
  • kernel (Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL): backport slub free list pointer obfuscation prefetch fix
  • kernel (Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL): backport slub native double free detection
  • kernel (Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL): enable SLAB_FREELIST_HARDENED
  • kernel (Pixel, Pixel XL, Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL): enable DEBUG_LIST
  • kernel (Pixel, Pixel XL, Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL): enable DEBUG_SG
  • kernel (Pixel, Pixel XL): reduce DEBUG_SG virt_addr_valid check to a warning (this works around a bug in the legacy QCE driver)
  • kernel (Pixel, Pixel XL, Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL): enable DEBUG_NOTIFIERS
  • kernel (Pixel, Pixel XL, Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL): enable DEBUG_CREDENTIALS
  • kernel (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL): enable SCHED_STACK_END_CHECK
  • kernel (Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL): bug on !PageSlab && !PageCompound in ksize
  • kernel (Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL): always perform cache_from_obj consistency checks
  • kernel (Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL): bug on kmem_cache_free with the wrong cache
  • kernel (Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL): real slab_equal_or_root check for !MEMCG_KMEM
  • kernel (Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL): add missing cache_from_obj !PageSlab check
  • kernel (Pixel 2, Pixel 2 XL): backport upstreamed FORTIFY_SOURCE implementation
  • kernel (Pixel 2, Pixel 2 XL): backport upstreamed leading zero byte for stack canary
  • kernel (Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL): add simpler page sanitization
  • kernel (Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL): add support for verifying page sanitization
  • kernel (Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL): slub: add basic full slab sanitization
  • kernel (Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL): slub: add support for verifying slab sanitization
  • kernel (Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL): slub: add multi-purpose random canaries

2019.07.01.21

Tags:

Changes since the 2019.06.23.05 release:

  • full 2019-07-01 security patch level
  • full 2019-07-05 security patch level
  • rebased onto PQ3A.190705.003/PQ3B.190705.003 releases
  • Auditor: update to version 15

Restoration of past features since the 2019.06.23.05 release:

  • add GrapheneOS PDF Viewer app (version 1)
  • Vanadium: stop ignoring download location prompt setting
  • Vanadium: show download prompt again by default

2019.06.23.05

Tags:

Changes since the 2019.06.14.02 release:

  • hardened_malloc: use copy_size to check for canaries (tiny performance / hardening fix and avoids an erroneous abort in a corner case with realloc from 0 byte allocations)
  • hardened_malloc: update libdivide to 1.1
  • Pixel 3a, Pixel 3a XL: raise maximum users to 16
  • Pixel 3a, Pixel 3a XL: disable system_other odex
  • Pixel 3a, Pixel 3a XL: disable system_other preloads_copy
  • Pixel 3a, Pixel 3a XL: show connected MAC randomization feature
  • Pixel 3a, Pixel 3a XL: move to custom kernel
  • Pixel 3a, Pixel 3a XL: use monolithic kernel builds
  • kernel (Pixel 3a, Pixel 3a XL): disable slab merging
  • kernel (Pixel 3a, Pixel 3a XL): add toggle for disabling newly added USB devices
  • kernel (Pixel 3a, Pixel 3a XL): replace SECURITY_SMACK with SECURITY_NETWORK
  • kernel (Pixel 3a, Pixel 3a XL): mark qcedev data const
  • Vanadium (browser and WebView): update Chromium base to 75.0.3770.101
  • Vanadium: disable sensors access by default
  • Vanadium: disable third party cookies by default
  • Vanadium: disable background sync by default
  • Vanadium (browser and WebView): stub out battery API
  • Vanadium: disable search logo
  • Vanadium: always use local new tab page
  • Vanadium: disable payment support by default

Restoration of past features since the 2019.06.14.02 release:

  • Vanadium: do not enable default search engine notification permission by default

2019.06.14.02

Tags:

Changes since the 2019.06.03.18 release:

  • Vanadium (browser and WebView): update Chromium base to 75.0.3770.67
  • add back brk system call to the seccomp whitelist for compatibility with Go
  • Auditor: update to version 13
  • Auditor: update to version 14
  • Music: backport bug fix for passing CTS
  • Updater: replace seamlessupdate.app with releases.grapheneos.org alias
  • add initial experimental support for the Pixel 3a and Pixel 3a XL
  • Pixel 2, Pixel 2 XL: set AVB rollback index to security patch timestamp (backport of the implementation for the Pixel 3)

Restoration of past features since the 2019.06.03.18 release:

  • kernel (Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL): replace SECURITY_SMACK with SECURITY_NETWORK

2019.06.03.18

Tags:

Changes since the 2019.05.18.20 release:

  • full 2019-06-01 security patch level
  • full 2019-06-05 security patch level
  • rebased onto PQ3A.190605.003 release
  • Auditor: update to version 11
  • Auditor: update to version 12
  • hardened_malloc (GrapheneOS only): further expand workaround for Pixel 3 and Pixel 3 XL camera issues

Restoration of past features since the 2019.05.18.20 release:

  • disable exec spawning when using debugging options
  • enable exec spawning by default
  • enable Verizon visual voicemail support
  • kernel (Pixel, Pixel XL, Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL): add toggle for disabling newly added USB devices
  • add properties for controlling deny_new_usb
  • implement dynamic deny_new_usb toggle mode
  • set deny_new_usb feature to dynamic by default
  • sepolicy: deny_new_usb sysctl and system property policy

2019.05.18.20

Tags:

Changes since the 2019.05.08.15 release:

  • GrapheneOS logo mask
  • Auditor: update to version 10
  • add preload parameter for avoiding full preload with exec
  • raise maximum users to 16
  • Vanadium (browser and WebView): update Chromium base to 74.0.3729.157
  • hardened_malloc (GrapheneOS only): apply temporary workaround for citadel HAL use-after-free (need to start building vendor HALs from the sources to fix issues like this)

Restoration of past features since the 2019.05.08.15 release:

  • disable OpenGL preloading for exec spawning
  • disable resource preloading for exec spawning
  • disable ICU cache pinning for exec spawning
  • disable class preloading for exec spawning
  • disable WebView reservation for exec spawning
  • disable JCA provider warm up for exec spawning
  • avoid AssetManager errors with exec spawning

2019.05.07.00

Tags:

Changes since the 2019.04.01.19 release:

  • full 2019-05-01 security patch level
  • full 2019-05-05 security patch level
  • rebased onto PQ3A.190505.002 release
  • add Pixel and Pixel XL support including standard changes to kernel and device code
  • Pixel, Pixel XL, Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL: fix hw_random permissions
  • bundle Auditor (version 9)
  • Chromium (browser and WebView): update to 74.0.3729.136
  • Chromium: enable strict site isolation by default
  • Chromium: initial rebranding to Vanadium including icon recolor
  • hardened_malloc: extensive work on refactoring, micro-optimization and documentation (see commits for details)
  • hardened_malloc: implement mallinfo and mallinfo extensions for Android
  • hardened_malloc: implement Android API for requesting purging
  • hardened_malloc: implement the option of large size classes (enabled by default)
  • hardened_malloc: support extended range of small size classes (enabled by default)
  • hardened_malloc: support for slabs with 1 slot for largest sizes
  • hardened_malloc: use round-robin assignment to arenas
  • hardened_malloc: disable current in-place growth code path
  • hardened_malloc: harden arena implementation
  • hardened_malloc: fix non-init size for malloc_object_size extension
  • hardened_malloc: shrink initial region table size to fit in 1 page
  • hardened_malloc (GrapheneOS only): expand workaround for Pixel 3 and Pixel 3 XL camera issues
  • Pixel 3, Pixel 3 XL: change SystemUIGoogle pinning to SystemUI

Restoration of past features since the 2019.04.01.19 release:

  • use -fwrapv when signed overflow checking is off
  • add exec-based spawning support (disabled by default for now)
  • require unlocking to use battery saver quick tile
  • require unlocking to use cellular quick tile
  • require unlocking to use hotspot quick tile
  • require unlocking to use data saver quick tile
  • require unlocking to use rotation lock quick tile
  • require unlocking to use wifi quick tile
  • require unlocking to use airplane mode quick tile
  • require unlocking to use bluetooth quick tile
  • require unlocking to use nfc quick tile
  • add support for kernels without module support enabled to the VTS and compatibility tests
  • kernel (Pixel, Pixel XL, Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL): disable slab merging
  • kernel (Pixel, Pixel XL, Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL): disable loadable kernel module support
  • kernel (Pixel, Pixel XL, Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL): mark qcedev data const
  • kernel (Pixel 2, Pixel 2 XL): disable unused ramdisk compression formats
  • SELinux policy: remove priv_app app_data_file execute
  • SELinux policy: remove dumpstate ashmem execute and execmem (GrapheneOS doesn't use the ART JIT compiler)
  • SELinux policy: remove healthd ashmem execute and execmem (GrapheneOS doesn't use the ART JIT compiler)
  • SELinux policy: auditallow app execmem (moving back towards an exception system)
  • SELinux policy: auditallow app ashmem execute (moving back towards an exception system)
  • SELinux policy: auditallow ephemeral_app app_data_file execute (moving back towards an exception system)
  • SELinux policy: auditallow untrusted_app_all execmod (moving back towards an exception system)
  • SELinux policy: auditallow untrusted_app_all app_data_file execute (moving back towards an exception system)
  • SELinux policy: auditallow untrusted_app_all app_data_file execute_no_trans (moving back towards an exception system)

2019.03.05.03

Tags:

Final and only tagged release of the AndroidHardening project before it became GrapheneOS. Earlier AndroidHardening releases were only snapshots and are not listed here. Detailed changelogs were not written at this point.