eylenburg / eylenburg.github.io

https://eylenburg.github.io/
Creative Commons Attribution Share Alike 4.0 International

USB data line control row is now inaccurate and should be split up in 4 separate rows with accurate information #60

Closed thestinger closed 2 months ago

thestinger commented 2 months ago

The standard Android feature doesn't disable USB data lines and does not disable the USB-C protocol. It only disables high level USB support (peripherals, gadgets). You can even still use DisplayPort via USB-C. The current label refers to data lines, so it's not accurate anymore. I propose splitting it up to properly cover this while acknowledging what LineageOS and AOSP do.

There can be 4 rows instead:

1) Disabling USB-C data

GrapheneOS (green): Default (while locked), docs

Other operating systems do not implement this. It involves hardware-specific driver changes.

2) Disabling USB-C charging with OS booted

GrapheneOS (green): Opt-in, docs

Other operating systems do not implement this. It involves hardware-specific driver changes.

3) Disabling pogo pins data

GrapheneOS (green): Default (while locked), docs

Other operating systems do not implement this. It involves hardware-specific driver changes.

4) Disabling USB connections

GrapheneOS (green): Default (while locked), hardware + software, docs

LineageOS and CalyxOS (light red): Opt-in, incomplete software-only

Hover text: Can only disable high level software attack surface. Cannot disable USB until after early boot. Lacks a way to block new USB connections without ending existing connections. The mode for disabling USB connections while locked continues allowing new connections until existing connections end, including a connection through another method such as a pogo pins USB connection to a stand.

AOSP (red): Device admin API

Hover text: Requires installing a device admin app like Sentry. Can only disable high level software attack surface. Cannot disable USB until after early boot. Lacks a way to block new USB connections without ending existing connections.

thestinger commented 2 months ago

USB is a major form of attack surface heavily used by forensic data companies like Cellebrite, XRY/MSAB, Graykey, etc. GrapheneOS added the much more advanced USB-C, pogo pins and USB attack surface reduction to counter those companies. This is something MANY users care a lot about, and it is worth having multiple rows for it. These companies rarely if ever use other attack vectors like Wi-Fi or cellular right now, although they could.

Defaults matter, which is not something currently communicated by the table. Most users won't change defaults. The proposal above differentiates Default vs. Opt-in.

Disabling USB-C data or charging is not the same thing as disabling new USB connections. USB is a protocol implemented on top of USB-C at a high level. USB-C can also be used with DisplayPort, Thunderbolt and other things. The Linux kernel still continues using the USB-C driver and still implements the USB-C protocol when using the standard Android USB HAL to disable USB connections.

Pogo pins are a separate thing from USB-C and have their own data protocol. Similarly to USB-C, USB is one of the protocols they can implement but not the only one. The implemented protocols depend on the device.

Disabling USB connections in hardware at a low level is a lot different from doing it at a high level in the OS. Doing it at a high level in the OS cannot eliminate the low-level firmware or software (driver and protocol) attack surface.

thestinger commented 2 months ago

Both CalyxOS and LineageOS used to use the previous GrapheneOS software-only approach to blocking new USB peripherals either while locked or all the time, but didn't enable it by default. GrapheneOS switched to a hardware-based approach with much higher security, but then we extended our old software approach to cover USB gadgets too and merged it into the hardware-based feature as a unified approach with 2 layers of security. It would have been possible for CalyxOS and LineageOS to do the same to have a portable, cross-device software implementation without the major flaw of not blocking new USB connections in the disabled while locked mode until existing USB connections end.

It would certainly be possible to implement the GrapheneOS hardware approach for Snapdragon; we just didn't do it because those devices don't meet our security requirements, so we don't support them at the moment. It is possible to do this for them though, and it's not a Pixel-exclusive capability.
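The "disabled while locked" gap described in the hover text of the first comment and again in the comment above can be shown with a small model. This is an added example, not code from GrapheneOS, LineageOS, CalyxOS or AOSP; the class, field and device names are hypothetical, and the timeline is constructed.

```python
from dataclasses import dataclass, field

@dataclass
class UsbGate:
    """Simplified model of a 'deny new USB connections while locked' policy."""
    # True: new connections are refused as soon as the device locks.
    # False: the block only takes effect once no connection is active.
    block_new_immediately: bool
    locked: bool = False
    active: set = field(default_factory=set)

    def blocking(self) -> bool:
        if not self.locked:
            return False
        return self.block_new_immediately or not self.active

    def attach(self, dev: str) -> bool:
        if self.blocking():
            return False
        self.active.add(dev)
        return True

    def detach(self, dev: str) -> None:
        self.active.discard(dev)

# Constructed timeline: phone sits on a pogo pins stand, then gets locked.
TIMELINE = [
    ("attach", "pogo-stand"),
    ("lock", None),
    ("attach", "unknown-device-A"),   # arrives while the stand is still connected
    ("detach", "pogo-stand"),
    ("detach", "unknown-device-A"),
    ("attach", "unknown-device-B"),   # arrives after every connection has ended
]

def replay(gate: UsbGate, events) -> list:
    """Return the devices that were accepted while the device was locked."""
    accepted_while_locked = []
    for op, dev in events:
        if op == "lock":
            gate.locked = True
        elif op == "detach":
            gate.detach(dev)
        elif op == "attach" and gate.attach(dev) and gate.locked:
            accepted_while_locked.append(dev)
    return accepted_while_locked

if __name__ == "__main__":
    print("waits for existing connections:", replay(UsbGate(False), TIMELINE))
    print("blocks new connections at lock:", replay(UsbGate(True), TIMELINE))
```

In the first variant the pre-existing stand connection keeps the gate open after lock, so `unknown-device-A` is accepted; in the second the stand stays connected but nothing new is accepted.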

eylenburg commented 2 months ago

Hi, I just updated the table to be similar to your suggestions. I also linked to this GitHub issue in a tooltip because you shared some valuable information for those who want to know more.

matchboxbananasynergy commented 2 months ago

I noticed that there is currently a "?" for DivestOS, iode, and /e/OS.

Maybe @SkewedZeppelin can shed light on how DivestOS and the other OSes handle this.

Referring specifically to the "can disable USB connections" line. Would be good to know if they inherit the LineageOS interface, whether it's on by default, etc.