These releases are available as both tags in the source code repositories and official builds.

The factory images are used for the initial installation and can be verified with signify. See the installation guide for details.

GrapheneOS uses automatic over-the-air updates, but full update packages are listed below for uncommon use cases like never connecting the device to the internet. A full update package can upgrade from any past version to the new version. The over-the-air updates use delta update packages when available. Those aren't currently linked below but may be in the future once they're being used more consistently. Update packages are not for performing the initial installation and you should ignore incorrect guides trying to use them to install the OS.

The update packages have a internal signature verified by the update client (or recovery when sideloading). Downgrade attacks are also prevented, and downgrades cannot be done unless a special downgrade update package has been signed with the release key. The internal payload for update_engine is also signed, providing another layer of signature verification and downgrade protection. Verified boot and the hardware-backed keystore also act as a final layer of protection.

Releases are tested by the developers and are then pushed out via the Beta channel. The release is then pushed out via the Stable channel after being tested by some users using the Beta channel. In some cases, problems are caught during Beta channel testing and a new release is made via the Beta channel to replace the aborted one. In general, it's not possible to downgrade unless a downgrade update package is generated, so use the Stable channel if you cannot tolerate dealing with temporary issues while a new release for the Beta channel is being created.

JavaScript is required to fetch the current list of releases from the update server. The list you're seeing below is a pre-generated template and may not be updated for the latest set of releases yet.

List of tagged releases. Snapshot releases without tags such as early releases of the project and early device support releases are not listed.

Tags:

QQ3A.200805.001.2020.09.11.14 (Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, emulator, generic, other targets)

Testing the Android 11 kernels was useful, but we weren't able to ship the previous release due to issues uncovered during testing. The Android 11 kernels have minor backwards incompatible changes in the drivers for at least a subset of the devices so we'll need to ship them with the rest of the changes. Thanks to our testers for helping us with this. This will be the new final Android 10 release, assuming no further problems are uncovered during testing.

Beta testers for the Pixel 3a and Pixel 3a XL upgrading from the cancelled 2020.09.10.05 release (was only released to the Beta channel) will be asked to perform a factory reset after upgrading. Rejecting the factory reset several times will cause the device to roll back to the cancelled 2020.09.10.05 release. You can either accept the factory reset to upgrade now or wait until the upcoming release based on Android 11 which will be compatible with the filesystem format changes. We greatly appreciate that people are taking the risk of testing the Beta releases to help the project. It was immensely valuable in preventing any of these issues from making their way to the Stable channel.

Changes since the 2020.09.10.05 release:

revert to using the Android 10 kernels on the devices that were switched over early due to backwards incompatible changes in some drivers

Tags:

QQ3A.200805.001.2020.09.10.05 (Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, emulator, generic, other targets)

This should be the final GrapheneOS release based on Android 10. It ships the device-independent monthly security patches and migrates over to using the Android 11 branch of the GrapheneOS kernels for most devices, which brings all the upstream kernel hardening in Android 11 along with the full September kernel updates. The remaining patches for the full 2020-09-05 patch level require finishing the migration to Android 11 in order to ship the September update for the other device support code. It's possible we could ship some of this early, but instead we're going to be focusing on finishing the enormous task of migrating to Android 11. Further help with bringing up support for the devices with Android 11 and porting over each of the GrapheneOS hardening features to it would be greatly appreciated. Donations are also extremely helpful. GrapheneOS has brought on another full time developer using donated funds and there are 3 part time developers helping with Android 11. We're also collaborating with CalyxOS and others in the AOSP Alliance to bring up fully signed, production device support.

Changes since the 2020.08.07.01 release:

full 2020-09-01 security patch level

partial 2020-09-05 security patch level (missing userspace device support changes until port to Android 11 is finished)

Vanadium: update Chromium base to 84.0.4147.125

Vanadium: update Chromium base to 85.0.4183.81

Vanadium: update Chromium base to 85.0.4183.101

Vanadium: remove unused learn more link from Incognito page

recovery: reject updates with serialno constraints to match the GrapheneOS Updater app

kernel (Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL): update base kernel to Android 11

SetupWizard: update base to latest CalyxOS SetupWizard

conscrypt: drop temporary upstream revert of version code which was accidentally kept during a rebase

backport fix for USB audio regression from Android 11

Restoration of past features since the 2020.07.06.20 release:

kernel (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL): enable intra-object FORTIFY_SOURCE overflow checks

Tags:

QQ3A.200805.001.2020.08.07.01 (Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, emulator, generic, other targets)

Changes since the 2020.08.03.22 release:

SELinux policy: fix executing apk libraries as executables for third party applications

Tags:

QQ3A.200805.001.2020.08.03.22 (Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, emulator, generic, other targets)

Changes since the 2020.07.06.20 release:

full 2020-08-01 security patch level

full 2020-08-05 security patch level

rebased onto QQ3A.200805.001 release

fix build for Pixel 3 when Pixel 3 XL kernel is not built

fix secondary stack hardening when a non-page-size multiple stack size is specified

fix picking up previous build date when doing incremental builds

Vanadium: update Chromium base to 84.0.4147.89

Vanadium: update Chromium base to 84.0.4147.105

Vanadium: update Chromium base to 84.0.4147.111

Vanadium: remove Chromium logo in chrome://version

Restoration of past features since the 2020.07.06.20 release:

kernel (Pixel 4, Pixel 4 XL): read-only data expansion

Tags:

QQ3A.200705.002.2020.07.06.20 (Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL, emulator, generic, other targets)

Changes since the 2020.06.22.21 release:

full 2020-07-01 security patch level

full 2020-07-05 security patch level

rebased onto QQ3A.200705.002 release

change TrichromeLibrary package name

drop MAC randomization preference migration code

Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL: update APNs with carriersettings-extractor

disable network time refresh when network time is disabled (previous behavior inherited from upstream)

kernel (Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL): make reproducible builds simpler

kernel (Pixel 4, Pixel 4 XL): use max mmap entropy by default to cover init

Restoration of past features since the 2020.06.22.21 release:

kernel (Pixel 4, Pixel 4 XL): enable UNMAP_KERNEL_AT_EL0 Meltdown mitigation (KPTI)

kernel (Pixel 4, Pixel 4 XL): enable ARM64_SSBD Spectre v4 mitigation

kernel (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL): enable PANIC_ON_OOPS

kernel (Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL): set PANIC_TIMEOUT to -1

kernel (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, Pixel 4, Pixel 4 XL): disable SECURITY_SELINUX_DEVELOP

Tags:

QQ3A.200605.001.2020.06.22.21 (Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 4, Pixel 4 XL)

QQ3A.200605.002.2020.06.22.21 (Pixel 3a, Pixel 3a XL, emulator, generic, other targets)

Changes since the 2020.06.02.02 release:

SystemUI: handle non-SRGB wallpapers

Vanadium: update Chromium base to 83.0.4103.96

Vanadium: update Chromium base to 83.0.4103.101

Vanadium: update Chromium base to 83.0.4103.106

script/generate_metadata.py: add channel name to update channel metadata

Updater: sanity check channel name in update channel metadata

Updater: raise minSdkVersion to 29

Updater: extract care_map.pb rather than care_map.txt

Updater: use a different zip for streaming updates (still an experimental / hidden feature)

disable RFC 7217 support (stable link-local IPv6 privacy addresses) and stick to link-local IP addresses based on the (random) MAC addresses

rebase SetupWizard changes onto upstream CalyxOS SetupWizard

SetupWizard: use system captive portal URL, rather than a custom Google URL

NetworkStack: ignore captive portal fallbacks when one is set at runtime

factory images flash-all script: reboot to bootloader after installing update

make_key: use 4096-bit RSA keys

script/release.sh: auto-detect AVB algorithm to support 4096-bit RSA keys for verified boot

add experimental Pixel 4 and Pixel 4 XL support

Auditor: update to version 18

Restoration of past features since the 2020.06.02.02 release:

kernel (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL): add back FORTIFY_SOURCE enhancements

kernel (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL): add back userspace ASLR improvements

Tags:

QQ3A.200605.001.2020.06.02.02 (Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL)

QQ3A.200605.002.2020.06.02.02 (Pixel 3a, Pixel 3a XL, emulator, generic, other targets)

Changes since the 2020.05.29.00 release:

full 2020-06-01 security patch level

full 2020-06-05 security patch level

rebased onto QQ3A.200605.002 release

Vanadium: update Chromium base to 83.0.4103.83

factory images: add fastboot version detection to flash-all.bat on Windows

Tags:

QQ2A.200501.001.B2.2020.05.29.00 (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL)

QQ2A.200501.001.B3.2020.05.29.00 (Pixel 2, Pixel 2 XL, emulator, generic, other targets)

Changes since the 2020.05.23.12 release:

PDF Viewer: update to version 4

PDF Viewer: update to version 5

revert attempt at fixing audio DeviceDescriptor sorting

hardened_malloc: temporarily disable SLOT_RANDOMIZE for audioserver to work around DeviceDescriptor sorting bug

Tags:

QQ2A.200501.001.B2.2020.05.23.12 (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL)

QQ2A.200501.001.B3.2020.05.23.12 (Pixel 2, Pixel 2 XL, emulator, generic, other targets)

Changes since the 2020.05.05.02 release:

kernel (Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL): use Clang for compiling code for the host too

kernel (Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL): add build-tools prebuilts to PATH to reduce external dependencies and avoid potential reproducibility issues

add build-tools prebuilts to PATH in the release signing and delta generation scripts to reduce external dependencies and avoid potential reproducibility issues

fix upstream bug relying on malloc addresses for sort order of 3 items, causing Bluetooth A2DP audio to fail 2/3 of the time with hardened_malloc when the expected item isn't first

use the same datetime for build number and build date

always use UTC as the time zone for build dates

update GrapheneOS fork of android-prepare-vendor to the collaborative AOSPAlliance fork

raise minimum supported API level to 28 from 23, producing a warning for apps targeting API < 28 (the Play Store disallows uploading new apps or app updates targeting API < 28 so this isn't an aggressive warning)

Vanadium: update Chromium base to 81.0.4044.138

Vanadium: update Chromium base to 83.0.4103.60

Vanadium: disable media DRM preprovisioning

Vanadium: most private WebRTC IP handling policy by default

set SCHED_BATCH in the kernel build scripts

Restoration of past features since the 2020.05.05.02 release:

Settings: allow disabling Vanadium browser app via the Settings UI now that Trichrome (browser, WebView, shared library) has replaced Monochrome (monolithic app) for providing the WebView without having 2 copies of the browser engine

Tags:

QQ2A.200501.001.B2.2020.05.05.02 (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL)

QQ2A.200501.001.B3.2020.05.05.02 (Pixel 2, Pixel 2 XL, emulator, generic, other targets)

Changes since the 2020.04.14.23 release:

full 2020-05-01 security patch level

full 2020-05-05 security patch level

rebased onto QQ2A.200501.001.B3 release

Vanadium: update Chromium base to 81.0.4044.111

Vanadium: update Chromium base to 81.0.4044.117

disable safe volume feature everywhere instead of only the US

hardened_malloc: implement slab allocation memory corruption checks for malloc_usable_size

set SCHED_BATCH in the build system and release generation scripts instead of the interactive shell

use more sensible factory images zip naming scheme

Settings: add missing title for top_level_settings to fix showing it as null in search results

Restoration of past features since the 2020.04.14.23 release:

Vanadium: use 64-bit Trichrome browser processes

Tags:

QQ2A.200405.005.2020.04.14.23 (Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, emulator, generic, other targets)

Changes since the 2020.04.13.21 release:

Settings: adjust wifi_privacy_values to the new values

Settings: remove unnecessary workaround for MAC randomization preference

Settings: tweak MAC randomization preference wording

Tags:

QQ2A.200405.005.2020.04.13.21 (Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, emulator, generic, other targets)

Changes since the 2020.04.07.10 release:

Vanadium: update Chromium base to 81.0.4044.96

Vanadium: remove unsupported password leak detection option

Vanadium: expand automated string rebranding

Vanadium: remove Google prefix from storage settings label

reword random MAC options to make them clearer

start the final phase of the migration process for random MAC preference values

generate manifests for stable releases directly referencing revisions by hash instead of tag name to simplify signature verification for the sources

Restoration of past features since the 2020.04.07.10 release:

globally enable -ftrivial-auto-var-init=zero rather than porting our downstream -fsanitize=local-init feature

kernel (Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL): globally enable -ftrivial-auto-var-init=auto rather than porting our downstream -fsanitize=local-init feature

Vanadium: enable -ftrivial-auto-var-init=auto rather than porting our downstream -fsanitize=local-init feature

Tags:

QQ2A.200405.005.2020.04.07.10 (Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, emulator, generic, other targets)

Changes since the 2020.03.23.22 release:

full 2020-04-01 security patch level

full 2020-04-05 security patch level

rebased onto QQ2A.200405.005 release

Pixel 3a, Pixel 3a XL: fix SystemUI paths in memory pinning configuration

only include Updater app when OFFICIAL_BUILD=true is set in the environment to avoid accidental use of the default update server with unofficial builds that are not compatible

Vanadium: update Chromium base to 80.0.3987.162

PDF Viewer: update to version 3

update SELinux policy for officially supported devices based on isolated_app domain split

raise protected_fifos / protected_regular from 1 (world-writable directories) to 2 (group-writable directories too)

remove use of "Hey Google" as an example feature for battery saver in Settings

Tags:

QQ2A.200305.002.2020.03.23.22 (Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, emulator, generic, other targets)

Changes since the 2020.03.04.16 release:

integrate Seedvault backup app as the default backup service

integrate port of CalyxOS SetupWizard app to support restoring with Seedvault and other initial setup

Vanadium: disable unused safe browsing feature by default (Safe Browsing is currently a no-op due to the lack of Play services, and support for using the local database backend hasn't been implemented. Various changes would be needed to make it available and to make sure that privacy is preserved.)

Vanadium: disable unused Google VR support

Vanadium: disable content feed suggestions by default

Vanadium: update Chromium base to 80.0.3987.149

Settings: fix broken upstream MAC randomization value mapping uncovered by the always randomize option value

make_key: use scrypt for key derivation used to encrypt keys

add script/encrypt_keys.sh and script/decrypt_keys.sh for handling key encryption

improve UX, performance and algorithm support for encrypted keys in script/release.sh and script/generate_delta.sh

dexpreopt: disable BOARD_USES_SYSTEM_OTHER_ODEX for mainline devices, which was causing odex files to be unintentionally omitted from the system image for modern devices

dexpreopt: use speed filter for boot images and non-prebuilts rather than unintentionally only setting it for prebuilts

dexpreopt: disable pre-optimization for apps bundled by android-prepare-vendor to work around unresolved issues with conflicting inlined definitions

Tags:

QQ2A.200305.002.2020.03.04.16 (Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, emulator, generic, other targets)

Changes since the 2020.03.03.03 release:

Vanadium: backport upstream fix for Android 10 downloads

Vanadium: update Chromium base to 80.0.3987.132

Settings: avoid overriding MAC address with random persistent MAC address when viewing MAC address

finish porting support for per-connection random MAC rather than using the per-network random address

Tags:

QQ2A.200305.002.2020.03.03.03 (Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, emulator, generic, other targets)

Changes since the 2020.02.07.19 release:

full 2020-03-01 security patch level

full 2020-03-05 security patch level

rebased onto QQ2A.200305.002 release

use time.grapheneos.org instead of grapheneos.org for HTTPS-based time updates

Vanadium: migrate to Trichrome for unified builds of separate browser and WebView apps with a shared library app

Vanadium: use org.grapheneos.vanadium.webview instead of com.android.webview as the WebView package name

Vanadium: rename WebView to Vanadium System WebView from Android System WebView

Vanadium: update Chromium base to 80.0.3987.99

Vanadium: update Chromium base to 80.0.3987.117

Vanadium: update Chromium base to 80.0.3987.119

SELinux policy: remove base system app apk_data_file execute

SELinux policy: remove zygote access to apk_data_file

Restoration of past features since the 2020.02.07.19 release:

Vanadium: stop replacing signature from the Vanadium signing key with the OS release key

Settings: add back control over camera access while the screen is locked

fix MAC randomization after reboot for the always randomize MAC option

SELinux policy: split out base system untrusted_app (normal unprivileged apps) and isolated_app (isolatedProcess sandbox) SELinux policy domains for future work

SELinux policy: remove base system app execmod

SELinux policy: remove base system app execmem

SELinux policy: remove base system app execute_no_trans

SELinux policy: remove base system app app_data_file execute

SELinux policy: remove base system app ashmem execute

SELinux policy: remove base system app tmpfs execute

SELinux policy: remove zygote execmem

SELinux policy: remove system_server_startup domain

add LTE only mobile network configuration option

Tags:

QQ1A.200205.002.2020.02.07.19 (Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, emulator, generic, other targets)

Changes since the 2020.02.04.01 release:

rebuild crosshatch kernel to correct build environment issue

Vanadium (including WebView): update Chromium base to 80.0.3987.87

Vanadium (including WebView): drop partially working AImageReader workarounds

fully work around bug with AImageReader caught by CFI on 64-bit to fix crashes during video rendering in Vanadium, Bromite, etc.

Restoration of past features since the 2020.02.04.01 release:

WebView: use Vanadium WebView as provider

Tags:

QQ1A.200205.002.2020.02.04.01 (Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, emulator, generic, other targets)

Changes since the 2019.01.06.21 release:

full 2020-02-01 security patch level

full 2020-02-05 security patch level

rebased onto QQ1A.200205.002 release

remove obsolete Email app

Vanadium: update Chromium base to 79.0.3945.116

WebView: update to 79.0.3945.116

Vanadium: update Chromium base to 79.0.3945.136

WebView: update to 79.0.3945.136

Vanadium: fully disable AImageReader to fix remaining issues with video playback uncovered by CFI on 64-bit

Settings: fix MAC randomization setting for other locales by removing incomplete translations

Restoration of past features since the 2019.01.06.21 release:

add PIN scrambling feature

Tags:

QQ1A.200105.002.2020.01.06.21 (Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, emulator, generic, other targets)

Changes since the 2019.12.02.23 release:

full 2020-01-01 security patch level

full 2020-01-05 security patch level

rebased onto QQ1A.200105.002 release

Vanadium: update Chromium base to 79.0.3945.93

Vanadium: disable hiding trivial subdomains

WebView: update to 79.0.3945.93

add the option to randomize the MAC address for each connection instead of per-network

authenticated network time updates via HTTPS

Restoration of past features since the 2019.12.02.23 release:

Settings: expose control over USB peripheral denial feature

Tags:

QQ1A.191205.008.2019.12.02.23 (Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL)

QQ1A.191205.011.2019.12.02.23 (Pixel 3a, Pixel 3a XL, emulator, generic, other targets)

Changes since the 2019.11.05.23 release:

full 2019-12-01 security patch level

full 2019-12-05 security patch level

rebased onto QQ1A.191205.011 release

Pixel 3a, Pixel 3a XL: fix userspace hw_random stirring service

Vanadium: update Chromium base to 78.0.3904.96

WebView: update to 78.0.3904.96

Vanadium: update Chromium base to 78.0.3904.108

WebView: update to 78.0.3904.108

Auditor: update to version 17

QuickSearchBox: disable widget

QuickSearchBox: disable launcher icon

Launcher: rebranding

require unlocking to use work tile

Tags:

QP1A.191105.003.2019.11.05.23 (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL)

QP1A.191105.004.2019.11.05.23 (Pixel 2, Pixel 2 XL, emulator, generic, other targets)

Changes since the 2019.11.04.23 release:

Vanadium: fix Services preferences menu

WebView: avoid incompatibility due to wrong apk variant

Tags:

QP1A.191105.003.2019.11.04.23 (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL)

QP1A.191105.004.2019.11.04.23 (Pixel 2, Pixel 2 XL, emulator, generic, other targets)

Changes since the 2019.09.25.00 release:

full 2019-11-01 security patch level

full 2019-11-05 security patch level

rebased onto QP1A.191105.004 release

Settings: disable legacy suggestions mode

recovery: GrapheneOS branding for fastboot mode

Vanadium: update Chromium base to 77.0.3865.116

WebView: update to 77.0.3865.116

Vanadium: update Chromium base to 78.0.3904.62

WebView: update to 78.0.3904.62

Vanadium: update Chromium base to 78.0.3904.90

WebView: update to 78.0.3904.90

kernel (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL): mark functions with address taken via assembly (this fixes compatibility with CFI in a build with !CONFIG_MODULES)

protect static TLS from stack buffer overflows

drop legacy Pixel and Pixel XL support due to absence of any GrapheneOS device maintainers, the end of vendor support and an increasingly large security gap with current generation devices for the hardware, firmware and device / generation specific software

Restoration of past features since the 2019.09.25.00 release:

Bluetooth: add alloc_size attribute to OSI allocator

protect pthread_internal_t from stack buffer overflows

add secondary stack randomization

kernel (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL): disable dynamic kernel module support (resulting in substantially improved CFI granularity)

Tags:

QP1A.191005.007.A1.2019.10.07.21 (Pixel, Pixel XL, Pixel 2, Pixel 2 XL, emulator, generic, other targets)

QP1A.191005.007.2019.10.07.21 (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL)

Changes since the 2019.09.25.00 release:

full 2019-10-01 security patch level

full 2019-10-05 security patch level

full 2019-10-06 security patch level

rebased onto QP1A.191005.007.A1 release

add changes to support disabling full preloading with exec spawning to the public libcore API

add OTHER_SENSORS to the public frameworks/base API

Messaging app: fix notifications with a backport

Vanadium: switch back to ChromeModern (standalone browser app) from Monochrome (monolithic browser + WebView app, no longer supported for Android 10) until Vanadium is moved to Trichrome (separate browser and WebView apps with a third shared library app)

unified kernel tree (kernel/google/crosshatch) for Pixel 3, Pixel 3 XL, Pixel 3a and Pixel 3a XL

Restoration of past features since the 2019.09.25.00 release:

begin generating / uploading delta updates from the last release to the current release

Tags:

QP1A.190711.020.C3.2019.09.25.00 (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, emulator, generic, other targets)

QP1A.190711.020.2019.09.25.00 (Pixel, Pixel XL, Pixel 2, Pixel 2 XL)

Changes since the 2019.09.23.19 release:

update to QP1A.190711.020.C3 bug fix release

fix granting Network and Sensors permissions at install time

fix wording for Network permission group

Tags:

QP1A.190711.020.2019.09.23.19 (Pixel, Pixel XL, Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, emulator, generic, other targets)

Changes since the 2019.09.21.18 release:

disable enforcing Runtime Resource Overlays for baseline overlays to work around incompatibility with exec spawning

enable exec spawning for com.android.phone again

Tags:

QP1A.190711.020.2019.09.21.18 (Pixel, Pixel XL, Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, emulator, generic, other targets)

Changes since the 2019.09.18.14 release:

Settings: use Mainline branding for APEX components

Vanadium: update Chromium base to 77.0.3865.92

WebView: update to 77.0.3865.92

temporarily disable exec spawning for com.android.phone

Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, mainline: disable updatable apex for simplicity

Pixel 2, Pixel 2 XL: enable increased system.img inode count

script: replace networkstack key

Tags:

QP1A.190711.020.2019.09.18.14 (Pixel, Pixel XL, Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL, emulator, generic, other targets)

Changes since the 2019.08.25.15 release:

full port to Android 10 with some exceptions (listed below)

full 2019-08-05 security patch level

full 2019-09-01 security patch level

full 2019-09-05 security patch level

temporarily add back standalone WebView (77.0.3865.73) until Vanadium supports it for Android 10

Vanadium: update Chromium base to 76.0.3809.132

Vanadium: update Chromium base to 77.0.3865.73

Updater: update targetSdkVersion to 29

retrofit dynamic partitions for Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL

disable GSI keys

kernel (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL): temporarily disable slab canary implementation until an issue is narrowed down and addressed

kernel (Pixel 3, Pixel 3 XL): temporarily re-enable dynamic kernel module support until an issue is narrowed down and addressed (no dynamic kernel modules are ever actually loaded but something breaks internally with it disabled)

add guard page between the stack and the new static TLS region

bionic: pthread_internal_t changes have not yet been ported over so that feature is temporarily gone

Tags:

PQ3A.190801.002.2019.08.25.15 (Pixel, Pixel XL, Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, emulator, generic, other targets)

PQ3B.190801.002.2019.08.25.15 (Pixel 3a, Pixel 3a XL)

Changes since the 2019.08.05.19 release:

add missing privileged permission whitelist for SdkSetup in SDK emulator builds

set up Vanadium for other architectures (arm, x86, x86_64)

hardened_malloc (GrapheneOS only): remove workaround for use-after-free in the citadel (Titan M) driver's key attestation support since it was fixed upstream

hardened_malloc: update libdivide to 2.0

Vanadium (browser and WebView): update Chromium base to 76.0.3809.111

Vanadium: redirect settings help icon

Vanadium: set default search engine to DuckDuckGo

apply partial fix for package manager original-package feature

PDF Viewer: update to version 2

Auditor: update to version 16

add Vanadium to the apps that cannot be disabled via Settings (can still be disabled) since the warning isn't enough to deter people from unknowingly breaking apps using the WebView

Updater: add settings entry to manually trigger check for updates

Updater: reschedule update check job on channel change

arm, x86 and x86_64 are now supported / tested architectures

generic and emulator build targets are now supported / tested for development usage (not suitable for secure production releases)

Tags:

PQ3A.190801.002.2019.08.05.19 (Pixel, Pixel XL, Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, other devices)

PQ3B.190801.002.2019.08.05.19 (Pixel 3a, Pixel 3a XL)

Changes since the 2019.07.16.22 release:

full 2019-08-01 security patch level

partial 2019-08-05 security patch level (not yet fully available)

Vanadium (browser and WebView): update Chromium base to 76.0.3809.89

Vanadium: expand string rebranding including covering translations

Vanadium: rename Sync and Google services to Services

Vanadium: remove data reduction preference

Vanadium: remove translate offer preference

Vanadium: remove sync preferences

Vanadium: remove navigation error preference

Vanadium: remove safe browsing reporting preference

Vanadium: remove usage and crash reports preference

Vanadium: remove url keyed anonymized data preference

Vanadium: disable contextual search by default

Vanadium: remove redundant services preference category

Vanadium (browser and WebView): use a unified Vanadium signing key instead of the device-specific release key

rename WebView provider to Vanadium

SELinux policy: label protected_{fifos,regular} as proc_security (this is needed for init to override the default values)

Tags:

PQ3A.190705.001.2019.07.16.22 (Pixel, Pixel XL, Pixel 2, Pixel 2 XL)

PQ3A.190705.003.2019.07.16.22 (Pixel 3, Pixel 3 XL, other devices)

PQ3B.190705.003.2019.07.16.22 (Pixel 3a, Pixel 3a XL)

Changes since the 2019.07.01.21 release:

Vanadium (browser and WebView): update Chromium base to 75.0.3770.143

Vanadium: disable media router media remoting by default

Vanadium: disable media router by default (avoids the triggering warning about not having Play services)

Vanadium: remove Help & feedback menu entry

Vanadium: further string rebranding from Chromium / Chrome to Vanadium

Vanadium: disable unused reporting feature at compile-time

Vanadium: disable unused remoting feature at compile-time

Vanadium (browser and WebView): move from external/chromium to external/vanadium in the GrapheneOS source tree and rename module from Chromium to Vanadium

Vanadium: disable offering translations by default

Vanadium: disable prefetching suggested pages by default

Vanadium: disable browser sign in feature by default

Vanadium: disable safe browsing reporting opt-in by default

extend release.sh to call the script for signing factory images

extend release.sh to call the script for generating update channel metadata

kernel build script (Pixel, Pixel XL, Pixel 3a, Pixel 3a XL): verify that no arguments are passed

kernel build script (Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL): verify that a single argument (device variant) is passed

enable kernel mitigations for file spoofing

Restoration of past features since the 2019.07.01.21 release:

Vanadium (browser and WebView): enable type-based CFI for virtual calls

enable kernel mitigations for link races

kernel (Pixel 2, Pixel 2 XL): backport fixes for SLAB_FREELIST_RANDOM

kernel (Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL): enable SLAB_FREELIST_RANDOM

kernel (Pixel 2, Pixel 2 XL): backport slub dynamic DEBUG_PAGEALLOC setting

kernel (Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL): backport slub free list pointer obfuscation

kernel (Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL): backport slub free list pointer obfuscation prefetch fix

kernel (Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL): backport slub native double free detection

kernel (Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL): enable SLAB_FREELIST_HARDENED

kernel (Pixel, Pixel XL, Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL): enable DEBUG_LIST

kernel (Pixel, Pixel XL, Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL): enable DEBUG_SG

kernel (Pixel, Pixel XL): reduce DEBUG_SG virt_addr_valid check to a warning (this works around a bug in the legacy QCE driver)

kernel (Pixel, Pixel XL, Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL): enable DEBUG_NOTIFIERS

kernel (Pixel, Pixel XL, Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL): enable DEBUG_CREDENTIALS

kernel (Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL): enable SCHED_STACK_END_CHECK

kernel (Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL): bug on !PageSlab && !PageCompound in ksize

kernel (Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL): always perform cache_from_obj consistency checks

kernel (Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL): bug on kmem_cache_free with the wrong cache

kernel (Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL): real slab_equal_or_root check for !MEMCG_KMEM

kernel (Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL): add missing cache_from_obj !PageSlab check

kernel (Pixel 2, Pixel 2 XL): backport upstreamed FORTIFY_SOURCE implementation

kernel (Pixel 2, Pixel 2 XL): backport upstreamed leading zero byte for stack canary

kernel (Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL): add simpler page sanitization

kernel (Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL): add support for verifying page sanitization

kernel (Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL): slub: add basic full slab sanitization

kernel (Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL): slub: add support for verifying slab sanitization

kernel (Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, Pixel 3a, Pixel 3a XL): slub: add multi-purpose random canaries

Tags:

PQ3A.190705.001.2019.07.01.21 (Pixel, Pixel XL, Pixel 2, Pixel 2 XL)

PQ3A.190705.003.2019.07.01.21 (Pixel 3, Pixel 3 XL, other devices)

PQ3B.190705.003.2019.07.01.21 (Pixel 3a, Pixel 3a XL)

Changes since the 2019.06.23.05 release:

full 2019-07-01 security patch level

full 2019-07-05 security patch level

rebased onto PQ3A.190705.003/PQ3B.190705.003 releases

Auditor: update to version 15

Restoration of past features since the 2019.06.23.05 release:

add GrapheneOS PDF Viewer app (version 1)

Vanadium: stop ignoring download location prompt setting

Vanadium: show download prompt again by default

Tags:

PQ3A.190605.003.2019.06.23.05 (Pixel, Pixel XL, Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, other devices)

PQ3B.190605.006.2019.06.23.05 (Pixel 3a, Pixel 3a XL)

Changes since the 2019.06.14.02 release:

hardened_malloc: use copy_size to check for canaries (tiny performance / hardening fix and avoids an erroneous abort in a corner case with realloc from 0 byte allocations)

hardened_malloc: update libdivide to 1.1

Pixel 3a, Pixel 3a XL: raise maximum users to 16

Pixel 3a, Pixel 3a XL: disable system_other odex

Pixel 3a, Pixel 3a XL: disable system_other preloads_copy

Pixel 3a, Pixel 3a XL: show connected mac randomization feature

Pixel 3a, Pixel 3a XL: move to custom kernel

Pixel 3a, Pixel 3a XL: use monolithic kernel builds

kernel (Pixel 3a, Pixel 3a XL): disable slab merging

kernel (Pixel 3a, Pixel 3a XL): add toggle for disabling newly added USB devices

kernel (Pixel 3a, Pixel 3a XL): replace SECURITY_SMACK with SECURITY_NETWORK

kernel (Pixel 3a, Pixel 3a XL): mark qcedev data const

Vanadium (browser and WebView): update Chromium base to 75.0.3770.101

Vanadium: disable sensors access by default

Vanadium: disable third party cookies by default

Vanadium: disable background sync by default

Vanadium (browser and WebView): stub out battery API

Vanadium: disable search logo

Vanadium: always use local new tab page

Vanadium: disable payment support by default

Restoration of past features since the 2019.06.14.02 release:

Vanadium: do not enable default search engine notification permission by default

Tags:

PQ3A.190605.003.2019.06.14.02 (Pixel, Pixel XL, Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, other devices)

PQ3B.190605.006.2019.06.14.02 (Pixel 3a, Pixel 3a XL)

Changes since the 2019.06.03.18 release:

Vanadium (browser and WebView): update Chromium base to 75.0.3770.67

add back brk system call to the seccomp whitelist for compatibility with Go

Auditor: update to version 13

Auditor: update to version 14

Music: backport bug fix for passing CTS

Updater: replace seamlessupdate.app with releases.grapheneos.org alias

add initial experimental support for the Pixel 3a and Pixel 3a XL

Pixel 2, Pixel 2 XL: set AVB rollback index to security patch timestamp (backport of the implementation for the Pixel 3)

Restoration of past features since the 2019.06.03.18 release:

kernel (Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL): replace SECURITY_SMACK with SECURITY_NETWORK

Tags:

PQ3A.190605.003.2019.06.03.18 (Pixel, Pixel XL, Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, other devices)

Changes since the 2019.05.18.20 release:

full 2019-06-01 security patch level

full 2019-06-05 security patch level

rebased onto PQ3A.190605.003 release

Auditor: update to version 11

Auditor: update to version 12

hardened_malloc (GrapheneOS only): further expand workaround for Pixel 3 and Pixel 3 XL camera issues

Restoration of past features since the 2019.05.18.20 release:

disable exec spawning when using debugging options

enable exec spawning by default

enable Verizon visual voicemail support

kernel (Pixel, Pixel XL, Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL): add toggle for disabling newly added USB devices

add properties for controlling deny_new_usb

implement dynamic deny_new_usb toggle mode

set deny_new_usb feature to dynamic by default

sepolicy: deny_new_usb sysctl and system property policy

Tags:

PQ3A.190505.001.2019.05.18.20 (Pixel, Pixel XL, Pixel 2, Pixel 2 XL)

PQ3A.190505.002.2019.05.18.20 (Pixel 3, Pixel 3 XL, other devices)

Changes since the 2019.05.08.15 release:

GrapheneOS logo mask

Auditor: update to version 10

add preload parameter for avoiding full preload with exec

raise maximum users to 16

Vanadium (browser and WebView): update Chromium base to 74.0.3729.157

hardened_malloc (GrapheneOS only): apply temporary workaround for citadel HAL use-after-free (need to start building vendor HALs from the sources to fix issues like this)

Restoration of past features since the 2019.05.08.15 release:

disable OpenGL preloading for exec spawning

disable resource preloading for exec spawning

disable ICU cache pinning for exec spawning

disable class preloading for exec spawning

disable WebView reservation for exec spawning

disable JCA provider warm up for exec spawning

avoid AssetManager errors with exec spawning

Tags:

PQ3A.190505.001.2019.05.08.15 (Pixel, Pixel XL, Pixel 2, Pixel 2 XL)

PQ3A.190505.002.2019.05.08.15 (Pixel 3, Pixel 3 XL, other devices)

Changes since the 2019.05.07.00 release:

fix cellular, hotspot and battery saver quick settings tiles (they became no-ops when unlocked)

Tags:

PQ3A.190505.001.2019.05.07.00 (Pixel, Pixel XL, Pixel 2, Pixel 2 XL)

PQ3A.190505.002.2019.05.07.00 (Pixel 3, Pixel 3 XL, other devices)

Changes since the 2019.04.01.19 release:

full 2019-05-01 security patch level

full 2019-05-05 security patch level

rebased onto PQ3A.190505.002 release

add Pixel and Pixel XL support including standard changes to kernel and device code

Pixel, Pixel XL, Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL: fix hw_random permissions

bundle Auditor (version 9)

Chromium (browser and WebView): update to 74.0.3729.136

Chromium: enable strict site isolation by default

Chromium: initial rebranding to Vanadium including icon recolor

hardened_malloc: extensive work on refactoring, micro-optimization and documentation (see commits for details)

hardened_malloc: implement mallinfo and mallinfo extensions for Android

hardened_malloc: implement Android API for requesting purging

hardened_malloc: implement the option of large size classes (enabled by default)

hardened_malloc: support extended range of small size classes (enabled by default)

hardened_malloc: support for slabs with 1 slot for largest sizes

hardened_malloc: use round-robin assignment to arenas

hardened_malloc: disable current in-place growth code path

hardened_malloc: harden arena implementation

hardened_malloc: fix non-init size for malloc_object_size extension

hardened_malloc: shrink initial region table size to fit in 1 page

hardened_malloc (GrapheneOS only): expand workaround for Pixel 3 and Pixel 3 XL camera issues

Pixel 3, Pixel 3 XL: change SystemUIGoogle pinning to SystemUI

Restoration of past features since the 2019.04.01.19 release:

use -fwrapv when signed overflow checking is off

add exec-based spawning support (disabled by default for now)

require unlocking to use battery saver quick tile

require unlocking to use cellular quick tile

require unlocking to use hotspot quick tile

require unlocking to use data saver quick tile

require unlocking to use rotation lock quick tile

require unlocking to use wifi quick tile

require unlocking to use airplane mode quick tile

require unlocking to use bluetooth quick tile

require unlocking to use nfc quick tile

add support for kernels without module support enabled to the VTS and compatibility tests

kernel (Pixel, Pixel XL, Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL): disable slab merging

kernel (Pixel, Pixel XL, Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL): disable loadable kernel module support

kernel (Pixel, Pixel XL, Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL): mark qcedev data const

kernel (Pixel 2, Pixel 2 XL): disable unused ramdisk compression formats

SELinux policy: remove priv_app app_data_file execute

SELinux policy: remove dumpstate ashmem execute and execmem (GrapheneOS doesn't use the ART JIT compiler)

SELinux policy: remove healthd ashmem execute and execmem (GrapheneOS doesn't use the ART JIT compiler)

SELinux policy: auditallow app execmem (moving back towards an exception system)

SELinux policy: auditallow app ashmem execute (moving back towards an exception system)

SELinux policy: auditallow ephemeral_app app_data_file execute (moving back towards an exception system)

SELinux policy: auditallow untrusted_app_all execmod (moving back towards an exception system)

SELinux policy: auditallow untrusted_app_all app_data_file execute (moving back towards an exception system)

SELinux policy: auditallow untrusted_app_all app_data_file execute_no_trans (moving back towards an exception system)

Tags:

PQ2A.190405.003.2019.04.01.19 (Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, other devices)

Initial release of GrapheneOS. Detailed changelogs were not written at this point.

Tags:

PQ2A.190305.002.2019.03.05.03 (Pixel 2, Pixel 2 XL, Pixel 3, Pixel 3 XL, other devices)

Final and only tagged release of the AndroidHardening project before it became GrapheneOS. Earlier AndroidHardening releases were only snapshots and are not listed here. Detailed changelogs were not written at this point.