[Kernel] [All ROMs] [ALL VARIANTS] Glassrom kernel

Search This thread
By:
Advanced…
anupritaisno1

anupritaisno1

Senior Member
Apr 29, 2014
1,854
1,928
This is the stock kernel that ships with glassrom (or will ship with it)

5g variants are not yet supported
It is based off kirisakura kernel with additional hardening from my side.
You get this:
All the features from kirisakura kernel
Removed qualcomm's rmnet drivers
COMPAT_VDSO is disabled to enable full vDSO ASLR
KSPP patches have been applied
Clang control flow integrity (https://source.android.com/devices/tech/debug/cfi)

Backward edged control flow integrity:
Strong protections enforced by shadowcallstack (https://source.android.com/devices/tech/debug/shadow-call-stack)
Weak protections enforced by adding stack canaries to everything and ensuring ASLR is of a decent enough quality

Compiled with -O3 and Polly for maximum performance
Wireguard driver has been removed
AVB depends on the ROM. Flashing it on glassrom/oxygenos will definitely cause it to boot with enforcing AVB. On other ROMs this shouldn't happen
Selinux forced enforcing patch from Samsung
Yama is enabled and set to SCOPE_NO_ATTACH
Uses sdfat driver to provide vfat and exfat drivers

Todo:
Port Linux-hardened patch
fix fingerprint on oos

Notes:
Flashing it on oxygenos will break dt2w
Flashing the kernel regardless of ROM or device combination will break twrp ramdisk boot. The only way to boot twrp is using fastboot boot, installing it to the ramdisk will always lead to a kernel panic. This is not a bug and will not be fixed

Download: see release post https://xdaforums.com/showpost.php?p=81105101&postcount=8
Source:
https://github.com/GlassROM-devices/android_kernel_oneplus_sm8150

Donations:
Most of the hard work was done by @Freak07 so check out his thread and buy him a coffee
 
Last edited:
  • Like
Reactions: Samuel Holland, Freak07, intoxicated.mad and 12 others
K

Kaz205

Senior Member
Mar 20, 2019
66
82
anupritaisno1 said:
This is the stock kernel that ships with glassrom (or will ship with it)

5g variants are not yet supported
It is based off kirisakura kernel with additional hardening from my side.
You get this:
All the features from kirisakura kernel
Removed qualcomm's rmnet drivers
COMPAT_VDSO is disabled to enable full vDSO ASLR
KSPP patches have been applied
Clang control flow integrity (https://source.android.com/devices/tech/debug/cfi)

Backward edged control flow integrity:
Strong protections enforced by shadowcallstack (https://source.android.com/devices/tech/debug/shadow-call-stack)
Weak protections enforced by adding stack canaries to everything and ensuring ASLR is of a decent enough quality

Compiled with -O3 and Polly for maximum performance
Wireguard driver has been removed
AVB depends on the ROM. Flashing it on glassrom/oxygenos will definitely cause it to boot with enforcing AVB. On other ROMs this shouldn't happen
Selinux forced enforcing patch from Samsung
Yama is enabled (does nothing significant for now)

Todo:
Set Yama to level 3 (breaks magisk)
Port Linux-hardened patch

Notes:
Flashing it on oxygenos will break dt2w
Flashing the kernel regardless of ROM or device combination will break twrp ramdisk boot. The only way to boot twrp is using fastboot boot, installing it to the ramdisk will always lead to a kernel panic. This is not a bug and will not be fixed

Download:
https://mirror.apexcdn.net/files/glassrom/unsigned.zip

Source:
https://github.com/GlassROM-devices/android_kernel_oneplus_sm8150
Click to expand...
Click to collapse
Fingerprint is broken on oos
 
  • Like
Reactions: hightech316
anupritaisno1

anupritaisno1

Senior Member
Apr 29, 2014
1,854
1,928
Merged in the latest kernel from kirisakura git and also merged in 4.14.156
It boots fine but I don't have a good internet connection to be able to upload it
Will do so soon
 
  • Like
Reactions: haris_94
anupritaisno1

anupritaisno1

Senior Member
Apr 29, 2014
1,854
1,928
MrGimpGrumble said:
Thanks! Does this one work with OOS?
Click to expand...
Click to collapse

I eventually plan to stop supporting oos

OOS is proprietary for one and such a system is almost never secure. And if you don't believe me just look at their past vulnerability announcements. Almost all oxygenos vulnerabilities come from the fact that oneplus finds loopholes around Google's CTS. Who knows what other holes they've opened up that Google forgot to add checks for

Further, oos has many "memory optimisation" drivers that directly try to access ram and break most of the security features I'm implementing. Most custom ROMs do not have these and the drivers can be safely disabled

I will also add that this kernel is almost functionally identical with kirisakura kernel. Yes I might merge upstream slightly faster but other than that there is no difference that you would notice. The only difference is that I'm enabling all the security features that must be enabled - especially CFI and shadowcallstack which come standard on any Google pixel device

As for wireguard I just think running a VPN in kernel space is a very bad idea. Not to mention I have confirmed that on Android the tunnel leaks ipv6 traffic if you're not careful and no, disabling ipv6 is not the solution. The userspace go implementation is much safer and I mean it. The userspace implementation almost never leaks ipv6 traffic. Not to mention Go is a much safer language than C
 
  • Like
Reactions: haris_94 and MrGimpGrumble
anupritaisno1

anupritaisno1

Senior Member
Apr 29, 2014
1,854
1,928
okay new update is in the attachments

changes: linux 4.14.156
upstreamed to oos open beta 6 (doesn't mean fixed fingerprint yet)
upstreamed wifi driver and audio driver to latest caf tag (LA.UM.8.1.r1-12200-sm8150.0)
yama is now at level 3
all upstream changes from kirisakura. except for wake gestures as lineagehw seems to already have those

oos users should disable smart boost from settings
 

Attachments

  • unsigned.zip
    18.7 MB · Views: 85
  • Like
Reactions: haris_94, hightech316 and Freak07
anupritaisno1

anupritaisno1

Senior Member
Apr 29, 2014
1,854
1,928
okay new build is here
changelog:
linux 4.14.157
upstreamed sdfat driver
fixed a weird kernel panic that happened on anything other than oxygenos when the device was fast charging from a very low battery
 

Attachments

  • unsigned.zip
    18.7 MB · Views: 413
  • Like
Reactions: haris_94 and hightech316
anupritaisno1

anupritaisno1

Senior Member
Apr 29, 2014
1,854
1,928
scott.hart.bti said:
This sent me into an immediate Qualcomm crash dump upon booting on both stock OOS and Omni for OnePlus 7t global variant.

Previous releases as well, not just the newer release.
Click to expand...
Click to collapse

Please duplicate the crashdump message exactly

Especially send the "PC at" line and the error message if present

If the error message is blank please mention that it is

If you get a PC at __cfi_check_fail message please mention this
 
Last edited:
You must log in or register to reply here.

Similar threads

arter97
[r71] arter97 kernel for OnePlus 7 series
Replies
2K
Views
312K
C
cbomb1337
eng.stk
[KERNEL] [blu_spark r166 OP7/T/Pro] [A11 OOS]
Replies
1K
Views
204K
B
BigBrosMo
AnnoyingZlatan
[KERNEL] [Android 11/12] Dora kernel for OP7 series
Replies
365
Views
97K
Q
qwertyuiop1289
I
Weeb Kernel OP7/T/Pro
Replies
256
Views
57K
14christ
14christ
flar2
[KERNEL] [April 4] OnePlus 7 ElementalX 3.03
Replies
145
Views
45K
varunpilankar
varunpilankar

Top Liked Posts

24 Hours All time
  • There are no posts matching your filters.
  • 15
    anupritaisno1
    anupritaisno1
    This is the stock kernel that ships with glassrom (or will ship with it)

    5g variants are not yet supported
    It is based off kirisakura kernel with additional hardening from my side.
    You get this:
    All the features from kirisakura kernel
    Removed qualcomm's rmnet drivers
    COMPAT_VDSO is disabled to enable full vDSO ASLR
    KSPP patches have been applied
    Clang control flow integrity (https://source.android.com/devices/tech/debug/cfi)

    Backward edged control flow integrity:
    Strong protections enforced by shadowcallstack (https://source.android.com/devices/tech/debug/shadow-call-stack)
    Weak protections enforced by adding stack canaries to everything and ensuring ASLR is of a decent enough quality

    Compiled with -O3 and Polly for maximum performance
    Wireguard driver has been removed
    AVB depends on the ROM. Flashing it on glassrom/oxygenos will definitely cause it to boot with enforcing AVB. On other ROMs this shouldn't happen
    Selinux forced enforcing patch from Samsung
    Yama is enabled and set to SCOPE_NO_ATTACH
    Uses sdfat driver to provide vfat and exfat drivers

    Todo:
    Port Linux-hardened patch
    fix fingerprint on oos

    Notes:
    Flashing it on oxygenos will break dt2w
    Flashing the kernel regardless of ROM or device combination will break twrp ramdisk boot. The only way to boot twrp is using fastboot boot, installing it to the ramdisk will always lead to a kernel panic. This is not a bug and will not be fixed

    Download: see release post https://xdaforums.com/showpost.php?p=81105101&postcount=8
    Source:
    https://github.com/GlassROM-devices/android_kernel_oneplus_sm8150

    Donations:
    Most of the hard work was done by @Freak07 so check out his thread and buy him a coffee
    View
    3
    anupritaisno1
    anupritaisno1
    Kaz205 said:
    Fingerprint is broken on oos
    Click to expand...
    Click to collapse

    Yeah sorry about that. I'll make a version for oos soon

    I did test it for a short while on oos but did not test it enough
    View
    3
    anupritaisno1
    anupritaisno1
    okay new update is in the attachments

    changes: linux 4.14.156
    upstreamed to oos open beta 6 (doesn't mean fixed fingerprint yet)
    upstreamed wifi driver and audio driver to latest caf tag (LA.UM.8.1.r1-12200-sm8150.0)
    yama is now at level 3
    all upstream changes from kirisakura. except for wake gestures as lineagehw seems to already have those

    oos users should disable smart boost from settings
    View
    2
    anupritaisno1
    anupritaisno1
    okay new build is here
    changelog:
    linux 4.14.157
    upstreamed sdfat driver
    fixed a weird kernel panic that happened on anything other than oxygenos when the device was fast charging from a very low battery
    View
    2
    anupritaisno1
    anupritaisno1
    MrGimpGrumble said:
    Thanks! Does this one work with OOS?
    Click to expand...
    Click to collapse

    I eventually plan to stop supporting oos

    OOS is proprietary for one and such a system is almost never secure. And if you don't believe me just look at their past vulnerability announcements. Almost all oxygenos vulnerabilities come from the fact that oneplus finds loopholes around Google's CTS. Who knows what other holes they've opened up that Google forgot to add checks for

    Further, oos has many "memory optimisation" drivers that directly try to access ram and break most of the security features I'm implementing. Most custom ROMs do not have these and the drivers can be safely disabled

    I will also add that this kernel is almost functionally identical with kirisakura kernel. Yes I might merge upstream slightly faster but other than that there is no difference that you would notice. The only difference is that I'm enabling all the security features that must be enabled - especially CFI and shadowcallstack which come standard on any Google pixel device

    As for wireguard I just think running a VPN in kernel space is a very bad idea. Not to mention I have confirmed that on Android the tunnel leaks ipv6 traffic if you're not careful and no, disabling ipv6 is not the solution. The userspace go implementation is much safer and I mean it. The userspace implementation almost never leaks ipv6 traffic. Not to mention Go is a much safer language than C
    View

New posts