- Enable APEX for Pixel 6/7, necessary for camera and pKVM
- Also drop hack removing pKVM for Pixel 6/7
- patch from GrapheneOS
- Extend hmalloc workaround to /apex
- Deblobber:
- actually handle wildcard f/w/b overlays
- move some stuff around
- remove some more Pixel blobs
- flag and disable removal of camera extensions, being able to use the second camera is nice
- Adjust what hardenDefconfig disables, caused boot issues
minimal impact as most of these are already default-disabled
can be narrowed down in future
- Disable some of the bionic hardening patches, causing more boot issues
annoying to lose, but having a phone that boots is more important
- Add LTE only mode to 17.1, 18.1, 19.1, and 20.0, credit GrapheneOS
- Remove Pixel 2 ramdisk compression reverts, fixed upstream
And yes, I know I should've split up this commit...
Signed-off-by: Tad <tad@spotco.us>
Disabling extended sizes classes does not appear to have the savings it does on desktop.
Disabling the quarantine isn't acceptable given that default scudo implements it
This should help 64-bit devices with <4GB RAM substantially, at reduced hardening.
clark for example only has 2.5GB of usable memory and idles at 1.6GB used.
After this change, idle usage drops to 1.1GB!
Signed-off-by: Tad <tad@spotco.us>
I've triple checked that calls/data work fine without these blobs
and also have another report from walleye as the same.
I have no idea what is happening to those who have SIM issues.
This reverts commit dc392b17b6.
These were previously removed, and added back after a false report of breakage.
Data and VoLTE tested working on taimen
Signed-off-by: Tad <tad@spotco.us>
Change the property too, so it takes effect next update.
Since 16.0 lacks a toggle, this effectively disables the feature for it.
Even devices with 4GB of RAM have usability severely impacted.
Plus some other tweaks/churn
Signed-off-by: Tad <tad@spotco.us>
- Turns out AVB was set permissive this entire time :(
--flags 2 == VERIFICATION_DISABLED
- APEX support from GrapheneOS
- Disable vbmeta chaining like GrapheneOS
and optionally handle it like CalyxOS
taimen 19.1 boots with locked bootloader successfully after this
Signed-off-by: Tad <tad@spotco.us>
This ensures init_on_alloc/free is used instead of page poisioning where available.
3.4 through 3.18 have a patch without a toggle for page sanitization.
Signed-off-by: Tad <tad@spotco.us>
Adds ptrace_scope and timeout options to 17.1, tested working
Also adds hardened_malloc to 15.1, but failing to compile:
external/hardened_malloc/h_malloc.c:1688:18: error: use of undeclared identifier 'M_PURGE'
if (param == M_PURGE) {
^
external/hardened_malloc/h_malloc.c:1743:30: error: missing field 'ordblks' initializer [-Werror,-Wmissing-field-initializers]
struct mallinfo info = {0};
^
Signed-off-by: Tad <tad@spotco.us>
10+4 devices tested working with bionic hardening patches enabled
but hammerhead and shamu do not boot...
2 of the patches were already found to have issues and disabled
3 other patches were ruled out:
- Stop implicitly marking mappings as mergeable
- Make __stack_chk_guard read-only at runtime
- On 64-bit, zero the leading stack canary byte
Leaves 11+1 patches remaining that need to be tested
But I don't have either of the two known impacted devices.
Signed-off-by: Tad <tad@spotco.us>
- enable the patchset for 18.1
- add an ugly patch that extends the Pixel 3* camera workaround to all camera executables
Signed-off-by: Tad <tad@spotco.us>
Some patches were ported from 12 to 10/11
Some patches from 11 were ported to 10
This 10/11 port should be very close to 12
BOUNS: 16.0 patches, disabled
Signed-off-by: Tad <tad@spotco.us>
- Drops Calendar, Eleven, and Email
- Adds a variable for Silence inclusion
- Adds a NONE option for microG inclusion flag to disable NLP inclusion
Signed-off-by: Tad <tad@spotco.us>
