Hi there! I'm new to GOS and just had an event that got me a little concerned.
For a few days there had been an OS update available, which I postponed until now. At the same time, I switched the system language, which also prompted a restart of Play services. And also at the same time - and that's what got me concerned - one user profile took quite a while to load (approx. 10 seconds, I thought the session might have crashed) and afterwards wouldn't connect to its always-on VPN. I had a look in the settings and both options (always on and don't allow connections outside of VPN) were disabled. Other profiles didn't have that problem. It might be that the profile in question has more apps installed, which were "optimizing" at that moment.
Rebooted after the OS update finished and promptly got another OS update, which I'm now also installing.
Do you also find that concerning? Did I just do too many things at once?

    Also, is there a way to see which updates have been installed? I guess it would have been 2024070900 and 2024071200.

      hardballs I had such a VPN issue yesterday. I rebooted my phone, tried again, all was well. What happens if you try that again?

      If unresolved, try changing servers within the VPN app. There might be temporary downtime or issues with one or several of their servers.

        fid02 Thank you for the reply - the VPN was not the issue, it reconnected instantly. I was uncomfortable with the automatic settings change.

          fid02 both VPN options (always on and don't allow connections outside of VPN) were disabled.

            fid02 Yes, sure. There is a remote possibility the VPN app was malfunctioning, since it also sets those two options to enabled at install time. But it makes no sense, really.

              hardballs There is a remote possibility the VPN app was malfunctioning, since it also sets those two options to enabled at install time.

              https://grapheneos.org/features#other-features

              This is an incomplete list of other GrapheneOS features.
              […]

              • Enable the "Always-on VPN" and "Block connections without VPN" toggles for VPNs by default.

                fid02 Many thanks for the info. Well then... I'm ready to go on and see it as an error during "app optimisation", switching system language for the profile and switching profiles simultaneously. Now I need to look up and verify the last two OS updates on my phone. Probably using Auditor... or adb.

                  hardballs Auditor says pinned OS patch level is 2024-07, vendor and boot patch level is 2024-07-05. Possible to get more info on the individual updates?

                    hardballs Possible to get more info on the individual updates?

                    You can check https://grapheneos.org/releases#changelog. You can also find information about releases in the Info app, which is a recent addition to GrapheneOS.

                    You can see which release you're on by going to Settings > About phone. You'll find the release under "build number".

                      other8026 Thank you for mentioning the Info app. It looks like it shows the release notes of installed updates. I will trust that the updates are hard to tamper with. (The web installer was impressive...)

                        hardballs You only ever get updated to the latest release in the channel. It installs one update. In the general case, it downloads the entire latest OS release as an update package and installs it. There are delta updates from the past several weeks of releases which provide only the block-level firmware and OS image changes between the release you were on and the latest release so you only download the differences unless you fall more than around 2-4 weeks behind. We usually provide deltas going back around 3 weeks, so you end up downloading 2MB to 80MB instead of 1GB. Every user has bit-for-bit identical firmware and OS images, which are verified cryptographically with downgrade protection.

                        hardballs We build and sign on local workstations, not servers. The update servers aren't capable of making and serving a malicious update. The signing keys aren't available to them. The update client verifies the update package signature and the build date must be newer than the currently installed OS version. The low-level update system verifies the update payload inside of the update package and checks that the build date is equal or newer. Verified boot verifies all the firmware and OS images which is why the initial install has you lock the device and has downgrade protection itself which is based on the patch level for the OS and firmware anti-rollback versions for the SoC and secure element firmware. Once the new version successfully boots up to the main screen, it disables automatic rollback on boot failure and updates the verified boot rollback protection to prevent downgrade attacks.
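
The layered checks described in the last two posts, as an added example that is not part of the thread and is not GrapheneOS code: a small model of the update client check (valid signature, strictly newer build), the payload check (equal or newer), and rollback protection that is only raised after the new build boots. Assumptions: `Device`, `make_pkg` and `sign` are hypothetical names, HMAC stands in for the real asymmetric signature, build numbers such as 2024070900 are compared as integers, and the patch level and firmware anti-rollback versions are collapsed into one `rollback_index`.

```python
import hashlib
import hmac

# Constructed demo key. HMAC is a stand-in for the real asymmetric release
# signature, whose private key never leaves the build workstation.
DEMO_KEY = b"constructed-demo-key"

def sign(build: int, payload: bytes) -> bytes:
    return hmac.new(DEMO_KEY, b"%d|" % build + payload, hashlib.sha256).digest()

def make_pkg(build: int, payload: bytes = b"os-image") -> dict:
    return {"build": build, "payload": payload, "sig": sign(build, payload)}

class Device:
    def __init__(self, installed: int):
        self.installed = installed       # build currently running
        self.rollback_index = installed  # minimum build verified boot will start
        self.pending = None              # build staged but not yet booted

    def client_accepts(self, pkg: dict) -> bool:
        # Update client: signature must verify and build must be strictly newer.
        sig_ok = hmac.compare_digest(pkg["sig"], sign(pkg["build"], pkg["payload"]))
        return sig_ok and pkg["build"] > self.installed

    def payload_accepts(self, pkg: dict) -> bool:
        # Low-level update system: build must be equal or newer.
        return pkg["build"] >= self.installed

    def install(self, pkg: dict) -> bool:
        if not (self.client_accepts(pkg) and self.payload_accepts(pkg)):
            return False
        self.pending = pkg["build"]
        return True

    def boot(self, success: bool) -> int:
        # Rollback protection is raised only after the new build boots;
        # a failed boot falls back to the previous build.
        if self.pending is not None and self.pending >= self.rollback_index:
            if success:
                self.installed = self.pending
                self.rollback_index = self.pending
        self.pending = None
        return self.installed

if __name__ == "__main__":
    d = Device(2024070900)
    d.install(make_pkg(2024071200))
    print(d.boot(success=True), d.install(make_pkg(2024070900)))
```
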