[Kernel] [All ROMs] [ALL VARIANTS] Glassrom kernel

By anupritaisno1, Senior Member on 25th November 2019, 09:33 AM
This is the stock kernel that ships with glassrom (or will ship with it)

5g variants are not yet supported
It is based off kirisakura kernel with additional hardening from my side.
You get this:
All the features from kirisakura kernel
Removed qualcomm's rmnet drivers
COMPAT_VDSO is disabled to enable full vDSO ASLR
KSPP patches have been applied
Clang control flow integrity (https://source.android.com/devices/tech/debug/cfi)

Backward-edge control flow integrity:
Strong protections enforced by shadowcallstack (https://source.android.com/devices/t...dow-call-stack)
Weak protections enforced by adding stack canaries to everything and ensuring ASLR is of a decent enough quality

Compiled with -O3 and Polly for maximum performance
Wireguard driver has been removed
AVB depends on the ROM. Flashing it on glassrom/oxygenos will definitely cause it to boot with enforcing AVB. On other ROMs this shouldn't happen
SELinux forced-enforcing patch from Samsung
Yama is enabled and set to SCOPE_NO_ATTACH
Uses sdfat driver to provide vfat and exfat drivers

Todo:
Port Linux-hardened patch
fix fingerprint on oos

Notes:
Flashing it on oxygenos will break dt2w
Flashing the kernel regardless of ROM or device combination will break TWRP ramdisk boot. The only way to boot TWRP is using fastboot boot; installing it to the ramdisk will always lead to a kernel panic. This is not a bug and will not be fixed

Download: see release post https://forum.xda-developers.com/sho...01&postcount=8
Source:
https://github.com/GlassROM-devices/...oneplus_sm8150

Donations:
Most of the hard work was done by @Freak07 so check out his thread and buy him a coffee
The Following 10 Users Say Thank You to anupritaisno1 For This Useful Post
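A way to check the hardening items listed in the opening post against a kernel config dump and the running Yama level, as an added example that is not part of the thread or the GlassROM source. The CONFIG_* symbol names assume a Clang-built Android 4.14 tree, and the sample config and ptrace_scope value are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. CONFIG_* names are assumptions for a
# Clang-built Android 4.14 tree; adjust them to the kernel being audited.

# cfg_on FILE OPTION: succeeds only if OPTION=y. A missing line and
# "# OPTION is not set" both count as disabled.
cfg_on() { grep -q "^$2=y\$" "$1"; }

# audit_config FILE PTRACE_SCOPE: one line per check, then "failures=N".
audit_config() {
    file=$1 scope=$2 fails=0
    for opt in CONFIG_CFI_CLANG CONFIG_SHADOW_CALL_STACK \
               CONFIG_CC_STACKPROTECTOR_STRONG CONFIG_SECURITY_YAMA; do
        if cfg_on "$file" "$opt"; then echo "ok   $opt=y"
        else echo "FAIL $opt is not enabled"; fails=$((fails + 1)); fi
    done
    for opt in CONFIG_COMPAT_VDSO CONFIG_WIREGUARD; do
        if cfg_on "$file" "$opt"; then
            echo "FAIL $opt is still enabled"; fails=$((fails + 1))
        else echo "ok   $opt off"; fi
    done
    # Yama level 3 (SCOPE_NO_ATTACH) is a runtime sysctl, not a build option.
    if [ "$scope" = 3 ]; then echo "ok   yama ptrace_scope=3"
    else echo "FAIL yama ptrace_scope=$scope, expected 3"; fails=$((fails + 1)); fi
    echo "failures=$fails"
}

# Constructed sample: a config fragment that misses two items from the list.
sample_config() {
    cat <<'EOF'
CONFIG_CFI_CLANG=y
# CONFIG_SHADOW_CALL_STACK is not set
CONFIG_CC_STACKPROTECTOR_STRONG=y
CONFIG_SECURITY_YAMA=y
# CONFIG_COMPAT_VDSO is not set
CONFIG_WIREGUARD=y
EOF
}

tmp=$(mktemp)
sample_config > "$tmp"
audit_config "$tmp" 1   # ptrace_scope 1 is a constructed value
rm -f "$tmp"
# On a device, and assuming the kernel exposes /proc/config.gz:
#   zcat /proc/config.gz > cfg
#   audit_config cfg "$(cat /proc/sys/kernel/yama/ptrace_scope)"
```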
25th November 2019, 10:38 AM |#2  
Junior Member
Quote:
Originally Posted by anupritaisno1

This is the stock kernel that ships with glassrom (or will ship with it)

5g variants are not yet supported
It is based off kirisakura kernel with additional hardening from my side.
You get this:
All the features from kirisakura kernel
Removed qualcomm's rmnet drivers
COMPAT_VDSO is disabled to enable full vDSO ASLR
KSPP patches have been applied
Clang control flow integrity (https://source.android.com/devices/tech/debug/cfi)

Backward-edge control flow integrity:
Strong protections enforced by shadowcallstack (https://source.android.com/devices/t...dow-call-stack)
Weak protections enforced by adding stack canaries to everything and ensuring ASLR is of a decent enough quality

Compiled with -O3 and Polly for maximum performance
Wireguard driver has been removed
AVB depends on the ROM. Flashing it on glassrom/oxygenos will definitely cause it to boot with enforcing AVB. On other ROMs this shouldn't happen
SELinux forced-enforcing patch from Samsung
Yama is enabled (does nothing significant for now)

Todo:
Set Yama to level 3 (breaks magisk)
Port Linux-hardened patch

Notes:
Flashing it on oxygenos will break dt2w
Flashing the kernel regardless of ROM or device combination will break TWRP ramdisk boot. The only way to boot TWRP is using fastboot boot; installing it to the ramdisk will always lead to a kernel panic. This is not a bug and will not be fixed

Download:
https://mirror.apexcdn.net/files/glassrom/unsigned.zip

Source:
https://github.com/GlassROM-devices/...oneplus_sm8150

Fingerprint is broken on oos
The Following User Says Thank You to Kaz205 For This Useful Post
25th November 2019, 12:13 PM |#3  
anupritaisno1
OP Senior Member
Quote:
Originally Posted by Kaz205

Fingerprint is broken on oos

Yeah sorry about that. I'll make a version for oos soon

I did test it for a short while on oos but did not test it enough
The Following 3 Users Say Thank You to anupritaisno1 For This Useful Post
28th November 2019, 08:42 PM |#4  
anupritaisno1
OP Senior Member
Merged in the latest kernel from kirisakura git and also merged in 4.14.156
It boots fine but I don't have a good internet connection to be able to upload it
Will do so soon
The Following User Says Thank You to anupritaisno1 For This Useful Post
29th November 2019, 04:09 PM |#5  
Senior Member
Philadelphia
Quote:
Originally Posted by anupritaisno1

Merged in the latest kernel from kirisakura git and also merged in 4.14.156
It boots fine but I don't have a good internet connection to be able to upload it
Will do so soon

Thanks! Does this one work with OOS?
1st December 2019, 09:29 AM |#6  
anupritaisno1
OP Senior Member
Quote:
Originally Posted by MrGimpGrumble

Thanks! Does this one work with OOS?

I eventually plan to stop supporting oos

OOS is proprietary for one and such a system is almost never secure. And if you don't believe me just look at their past vulnerability announcements. Almost all oxygenos vulnerabilities come from the fact that oneplus finds loopholes around Google's CTS. Who knows what other holes they've opened up that Google forgot to add checks for

Further, oos has many "memory optimisation" drivers that directly try to access ram and break most of the security features I'm implementing. Most custom ROMs do not have these and the drivers can be safely disabled

I will also add that this kernel is almost functionally identical with kirisakura kernel. Yes I might merge upstream slightly faster but other than that there is no difference that you would notice. The only difference is that I'm enabling all the security features that must be enabled - especially CFI and shadowcallstack which come standard on any Google pixel device

As for WireGuard I just think running a VPN in kernel space is a very bad idea. Not to mention I have confirmed that on Android the tunnel leaks IPv6 traffic if you're not careful and no, disabling IPv6 is not the solution. The userspace Go implementation is much safer and I mean it. The userspace implementation almost never leaks IPv6 traffic. Not to mention Go is a much safer language than C
The Following 2 Users Say Thank You to anupritaisno1 For This Useful Post
1st December 2019, 01:08 PM |#7  
anupritaisno1
OP Senior Member
okay new update is in the attachments

changes: linux 4.14.156
upstreamed to oos open beta 6 (doesn't mean fixed fingerprint yet)
upstreamed wifi driver and audio driver to latest caf tag (LA.UM.8.1.r1-12200-sm8150.0)
yama is now at level 3
all upstream changes from kirisakura, except for wake gestures as lineagehw seems to already have those

oos users should disable smart boost from settings
Attached Files
File Type: zip unsigned.zip (18.74 MB, 50 views)
The Following 3 Users Say Thank You to anupritaisno1 For This Useful Post
4th December 2019, 10:14 PM |#8  
anupritaisno1
OP Senior Member
okay new build is here
changelog:
linux 4.14.157
upstreamed sdfat driver
fixed a weird kernel panic that happened on anything other than oxygenos when the device was fast charging from a very low battery
Attached Files
File Type: zip unsigned.zip (18.75 MB, 36 views)
The Following 2 Users Say Thank You to anupritaisno1 For This Useful Post
5th December 2019, 02:50 PM |#9  
Senior Member
oita
Quote:
Originally Posted by anupritaisno1

okay new build is here
changelog:
linux 4.14.157
upstreamed sdfat driver
fixed a weird kernel panic that happened on anything other than oxygenos when the device was fast charging from a very low battery

work on pa?
5th December 2019, 10:01 PM |#10  
anupritaisno1
OP Senior Member
Quote:
Originally Posted by ryshd296

work on pa?

Please test it and let me know

It should boot on any ROM that can enforce selinux
The Following User Says Thank You to anupritaisno1 For This Useful Post