This time we have a new security feature that's been worked on for a while: USB-C Port Security. This is a significant security enhancement.
This feature gives users of Tensor Pixels (6 and later) fine-grained control over USB controller functionality, including entirely disabling the data lines or the whole port while the OS is running.
There are 5 modes:
  • On (current)
  • Charging-only when locked except in BFU (before first-unlock)
  • Charging-only when locked
  • Charging-only
  • Off (which even disables charging while booted into the normal OS mode).
This is different from the previously existing USB control features, including the Android 12 USB HAL toggle, which only disabled high-level kernel functionality and still left the entire low-level kernel driver, USB protocol and USB controller attack surface enabled.
It is likely that the charging-only when locked except in BFU mode will become the default in the distant future. The other, stricter modes will be useful for people whose threat models treat an attacker gaining physical proximity to an AFU (after-first-unlock) device as a high risk.
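To make the interaction between the five modes and the lock state explicit, here is a small policy model of the modes described above. It is an added illustration, not GrapheneOS code: the `UsbMode` names, the `DeviceState` fields and the assumption that outside the normal OS only charging is affected are mine.

```python
# Model of the five USB-C Port Security modes described above. Added
# illustration, not GrapheneOS code: mode names and DeviceState are assumptions.
from dataclasses import dataclass
from enum import Enum

class UsbMode(Enum):  # value order = least to most restrictive
    ON = 0
    CHARGING_ONLY_WHEN_LOCKED_EXCEPT_BFU = 1
    CHARGING_ONLY_WHEN_LOCKED = 2
    CHARGING_ONLY = 3
    OFF = 4

@dataclass(frozen=True)
class DeviceState:
    booted_os: bool      # normal OS running, not powered off / bootloader
    unlocked_once: bool  # True = after first unlock (AFU), False = BFU
    locked: bool         # lockscreen engaged (always True while BFU)

def data_allowed(mode: UsbMode, st: DeviceState) -> bool:
    """USB data lines enabled at the controller level in this state?"""
    if mode is UsbMode.ON:
        return True
    if mode is UsbMode.CHARGING_ONLY_WHEN_LOCKED_EXCEPT_BFU:
        # locked means charging-only, except a BFU device keeps data on
        return (not st.locked) or (not st.unlocked_once)
    if mode is UsbMode.CHARGING_ONLY_WHEN_LOCKED:
        return not st.locked
    return False  # CHARGING_ONLY and OFF never expose data

def charging_allowed(mode: UsbMode, st: DeviceState) -> bool:
    """Only OFF blocks charging, and only while booted into the normal OS."""
    return not (mode is UsbMode.OFF and st.booted_os)

def policy_matrix(mode: UsbMode) -> dict[DeviceState, tuple[bool, bool]]:
    """(data, charging) for each reachable booted state; handy for auditing."""
    table = {}
    for unlocked_once in (False, True):
        for locked in (False, True):
            if not unlocked_once and not locked:
                continue  # never-unlocked device cannot be unlocked now
            st = DeviceState(True, unlocked_once, locked)
            table[st] = (data_allowed(mode, st), charging_allowed(mode, st))
    return table

def strictest_mode(data_needed_in: list[DeviceState]) -> UsbMode:
    """Most restrictive mode that still enables data in every listed state."""
    for mode in sorted(UsbMode, key=lambda m: m.value, reverse=True):
        if all(data_allowed(mode, st) for st in data_needed_in):
            return mode
    return UsbMode.ON  # not reached: ON allows data everywhere
```

`strictest_mode` answers the practical question of which mode to pick given the states in which a USB device (keyboard, debugger) must still work; for example, needing data only before first unlock yields the mode the post expects to become the default.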
GrapheneOS will continue to develop systematic security enhancements.
Other changelogs:
  • kernel (5.10, 5.15): add support for ignoring USB alt modes
  • kernel (Tensor Pixels): extend max77759 USB-C controller driver used by Tensor Pixels with support for a sysfs node providing fine-grained control over the USB-C data path at the USB controller level
  • Setup Wizard: fix crash for SIM locales not recognized by com.android.internal.app.LocalePicker