[Kernel] [All ROMs] [ALL VARIANTS] Glassrom kernel

Search This thread

anupritaisno1

Senior Member
Apr 29, 2014
1,854
1,922
This is the stock kernel that ships with glassrom (or will ship with it)

5g variants are not yet supported
It is based off kirisakura kernel with additional hardening from my side.
You get this:
All the features from kirisakura kernel
Removed qualcomm's rmnet drivers
COMPAT_VDSO is disabled to enable full vDSO ASLR
KSPP patches have been applied
Clang control flow integrity (https://source.android.com/devices/tech/debug/cfi)

Backward edged control flow integrity:
Strong protections enforced by shadowcallstack (https://source.android.com/devices/tech/debug/shadow-call-stack)
Weak protections enforced by adding stack canaries to everything and ensuring ASLR is of a decent enough quality

Compiled with -O3 and Polly for maximum performance
Wireguard driver has been removed
AVB depends on the ROM. Flashing it on glassrom/oxygenos will definitely cause it to boot with enforcing AVB. On other ROMs this shouldn't happen
Selinux forced enforcing patch from Samsung
Yama is enabled and set to SCOPE_NO_ATTACH
Uses sdfat driver to provide vfat and exfat drivers

Todo:
Port Linux-hardened patch
fix fingerprint on oos

Notes:
Flashing it on oxygenos will break dt2w
Flashing the kernel regardless of ROM or device combination will break twrp ramdisk boot. The only way to boot twrp is using fastboot boot, installing it to the ramdisk will always lead to a kernel panic. This is not a bug and will not be fixed

Download: see release post https://forum.xda-developers.com/showpost.php?p=81105101&postcount=8
Source:
https://github.com/GlassROM-devices/android_kernel_oneplus_sm8150

Donations:
Most of the hard work was done by @Freak07 so check out his thread and buy him a coffee
 
Last edited:

Kaz205

Senior Member
Mar 20, 2019
66
82
This is the stock kernel that ships with glassrom (or will ship with it)

5g variants are not yet supported
It is based off kirisakura kernel with additional hardening from my side.
You get this:
All the features from kirisakura kernel
Removed qualcomm's rmnet drivers
COMPAT_VDSO is disabled to enable full vDSO ASLR
KSPP patches have been applied
Clang control flow integrity (https://source.android.com/devices/tech/debug/cfi)

Backward edged control flow integrity:
Strong protections enforced by shadowcallstack (https://source.android.com/devices/tech/debug/shadow-call-stack)
Weak protections enforced by adding stack canaries to everything and ensuring ASLR is of a decent enough quality

Compiled with -O3 and Polly for maximum performance
Wireguard driver has been removed
AVB depends on the ROM. Flashing it on glassrom/oxygenos will definitely cause it to boot with enforcing AVB. On other ROMs this shouldn't happen
Selinux forced enforcing patch from Samsung
Yama is enabled (does nothing significant for now)

Todo:
Set Yama to level 3 (breaks magisk)
Port Linux-hardened patch

Notes:
Flashing it on oxygenos will break dt2w
Flashing the kernel regardless of ROM or device combination will break twrp ramdisk boot. The only way to boot twrp is using fastboot boot, installing it to the ramdisk will always lead to a kernel panic. This is not a bug and will not be fixed

Download:
https://mirror.apexcdn.net/files/glassrom/unsigned.zip

Source:
https://github.com/GlassROM-devices/android_kernel_oneplus_sm8150
Fingerprint is broken on oos
 
  • Like
Reactions: hightech316

anupritaisno1

Senior Member
Apr 29, 2014
1,854
1,922
Merged in the latest kernel from kirisakura git and also merged in 4.14.156
It boots fine but I don't have a good internet connection to be able to upload it
Will do so soon
 
  • Like
Reactions: haris_94

anupritaisno1

Senior Member
Apr 29, 2014
1,854
1,922
Thanks! Does this one work with OOS?

I eventually plan to stop supporting oos

OOS is proprietary for one and such a system is almost never secure. And if you don't believe me just look at their past vulnerability announcements. Almost all oxygenos vulnerabilities come from the fact that oneplus finds loopholes around Google's CTS. Who knows what other holes they've opened up that Google forgot to add checks for

Further, oos has many "memory optimisation" drivers that directly try to access ram and break most of the security features I'm implementing. Most custom ROMs do not have these and the drivers can be safely disabled

I will also add that this kernel is almost functionally identical with kirisakura kernel. Yes I might merge upstream slightly faster but other than that there is no difference that you would notice. The only difference is that I'm enabling all the security features that must be enabled - especially CFI and shadowcallstack which come standard on any Google pixel device

As for wireguard I just think running a VPN in kernel space is a very bad idea. Not to mention I have confirmed that on Android the tunnel leaks ipv6 traffic if you're not careful and no, disabling ipv6 is not the solution. The userspace go implementation is much safer and I mean it. The userspace implementation almost never leaks ipv6 traffic. Not to mention Go is a much safer language than C
 

anupritaisno1

Senior Member
Apr 29, 2014
1,854
1,922
okay new update is in the attachments

changes: linux 4.14.156
upstreamed to oos open beta 6 (doesn't mean fixed fingerprint yet)
upstreamed wifi driver and audio driver to latest caf tag (LA.UM.8.1.r1-12200-sm8150.0)
yama is now at level 3
all upstream changes from kirisakura. except for wake gestures as lineagehw seems to already have those

oos users should disable smart boost from settings
 

Attachments

  • unsigned.zip
    18.7 MB · Views: 76

anupritaisno1

Senior Member
Apr 29, 2014
1,854
1,922
okay new build is here
changelog:
linux 4.14.157
upstreamed sdfat driver
fixed a weird kernel panic that happened on anything other than oxygenos when the device was fast charging from a very low battery
 

Attachments

  • unsigned.zip
    18.7 MB · Views: 340

anupritaisno1

Senior Member
Apr 29, 2014
1,854
1,922
This sent me into an immediate Qualcomm crash dump upon booting on both stock OOS and Omni for OnePlus 7t global variant.

Previous releases as well, not just the newer release.

Please duplicate the crashdump message exactly

Especially send the "PC at" line and the error message if present

If the error message is blank please mention that it is

If you get a PC at __cfi_check_fail message please mention this
 
Last edited:

Top Liked Posts

  • There are no posts matching your filters.
  • 14
    This is the stock kernel that ships with glassrom (or will ship with it)

    5g variants are not yet supported
    It is based off kirisakura kernel with additional hardening from my side.
    You get this:
    All the features from kirisakura kernel
    Removed qualcomm's rmnet drivers
    COMPAT_VDSO is disabled to enable full vDSO ASLR
    KSPP patches have been applied
    Clang control flow integrity (https://source.android.com/devices/tech/debug/cfi)

    Backward edged control flow integrity:
    Strong protections enforced by shadowcallstack (https://source.android.com/devices/tech/debug/shadow-call-stack)
    Weak protections enforced by adding stack canaries to everything and ensuring ASLR is of a decent enough quality

    Compiled with -O3 and Polly for maximum performance
    Wireguard driver has been removed
    AVB depends on the ROM. Flashing it on glassrom/oxygenos will definitely cause it to boot with enforcing AVB. On other ROMs this shouldn't happen
    Selinux forced enforcing patch from Samsung
    Yama is enabled and set to SCOPE_NO_ATTACH
    Uses sdfat driver to provide vfat and exfat drivers

    Todo:
    Port Linux-hardened patch
    fix fingerprint on oos

    Notes:
    Flashing it on oxygenos will break dt2w
    Flashing the kernel regardless of ROM or device combination will break twrp ramdisk boot. The only way to boot twrp is using fastboot boot, installing it to the ramdisk will always lead to a kernel panic. This is not a bug and will not be fixed

    Download: see release post https://forum.xda-developers.com/showpost.php?p=81105101&postcount=8
    Source:
    https://github.com/GlassROM-devices/android_kernel_oneplus_sm8150

    Donations:
    Most of the hard work was done by @Freak07 so check out his thread and buy him a coffee
    3
    Fingerprint is broken on oos

    Yeah sorry about that. I'll make a version for oos soon

    I did test it for a short while on oos but did not test it enough
    3
    okay new update is in the attachments

    changes: linux 4.14.156
    upstreamed to oos open beta 6 (doesn't mean fixed fingerprint yet)
    upstreamed wifi driver and audio driver to latest caf tag (LA.UM.8.1.r1-12200-sm8150.0)
    yama is now at level 3
    all upstream changes from kirisakura. except for wake gestures as lineagehw seems to already have those

    oos users should disable smart boost from settings
    2
    okay new build is here
    changelog:
    linux 4.14.157
    upstreamed sdfat driver
    fixed a weird kernel panic that happened on anything other than oxygenos when the device was fast charging from a very low battery
    2
    Thanks! Does this one work with OOS?

    I eventually plan to stop supporting oos

    OOS is proprietary for one and such a system is almost never secure. And if you don't believe me just look at their past vulnerability announcements. Almost all oxygenos vulnerabilities come from the fact that oneplus finds loopholes around Google's CTS. Who knows what other holes they've opened up that Google forgot to add checks for

    Further, oos has many "memory optimisation" drivers that directly try to access ram and break most of the security features I'm implementing. Most custom ROMs do not have these and the drivers can be safely disabled

    I will also add that this kernel is almost functionally identical with kirisakura kernel. Yes I might merge upstream slightly faster but other than that there is no difference that you would notice. The only difference is that I'm enabling all the security features that must be enabled - especially CFI and shadowcallstack which come standard on any Google pixel device

    As for wireguard I just think running a VPN in kernel space is a very bad idea. Not to mention I have confirmed that on Android the tunnel leaks ipv6 traffic if you're not careful and no, disabling ipv6 is not the solution. The userspace go implementation is much safer and I mean it. The userspace implementation almost never leaks ipv6 traffic. Not to mention Go is a much safer language than C