final [GrapheneOS] 📱👁️🗨️ on Nostr: Next release for 9th generation Pixels will have further hardening with RANDSTRUCT ...
Next release for 9th generation Pixels will have further hardening with RANDSTRUCT enabled for the kernel with a deterministic seed (the commit timestamp).
RANDSTRUCT randomizes the order of data structures and function pointer tables at compilation based on a seed, so exploits need to be catered to specific seeds. We've made it deterministic to preserve #GrapheneOS reproducible builds by using the hash of the commit date as a seed so it changes the layouts with each base kernel change and we can make it per-device-model later too.
When other devices get Kernel 6.1 (the upstream is in testing) it can be possible for them to get it too.
RANDSTRUCT randomizes the order of data structures and function pointer tables at compilation based on a seed, so exploits need to be catered to specific seeds. We've made it deterministic to preserve #GrapheneOS reproducible builds by using the hash of the commit date as a seed so it changes the layouts with each base kernel change and we can make it per-device-model later too.
When other devices get Kernel 6.1 (the upstream is in testing) it can be possible for them to get it too.