Google extends Linux kernel help to maintain Android gadgets safe for longer

Android, like many different working programs, makes use of the open-source Linux kernel. There are a number of various kinds of Linux kernel releases, however the kind that’s most necessary to Android is the long-term help (LTS) one, as they’re up to date often with necessary bug fixes and safety patches. Beginning in 2017, the help lifetime of LTS releases of Linux was prolonged from two years to 6 years, however early final 12 months, this extension was reversed. Luckily, Google has introduced that transferring ahead, they’ll help their very own LTS kernel releases for 4 years. Right here’s why that’s necessary for the safety of Android gadgets.

The Linux kernel discovered on most Android gadgets is derived from one in all Google’s Android Widespread Kernel (ACK) branches. These ACK branches are created from the Android mainline kernel department at any time when a brand new LTS launch is asserted upstream. For instance, the android15-6.6 ACK department was created shortly after model 6.6 was declared as the newest LTS model, with the “android15” within the identify referencing the Android launch that the kernel is related to (on this case, Android 15.)

Google lists three causes for why it maintains its personal fork of every Linux kernel LTS launch. First, Google’s forks can comprise backports and cherry-picks of upstream performance wanted for Android options. Second, they will ship options which might be prepared for Android gadgets even once they’re nonetheless underneath growth upstream. Lastly, they will embrace sure vendor or OEM options which might be helpful for different Android companions.

After their creation, ACKs proceed to be up to date by Google to obtain bug fixes for Android-specific code in addition to LTS merges from the upstream kernel branches. The vulnerabilities impacting the Linux kernel which might be disclosed within the month-to-month Android Safety Bulletin, such these listed within the July 2024 bulletin, are addressed by these updates.

Nonetheless, it’s not all the time doable to establish when a bug repair is a safety repair, as a result of a patch fixing a bug might really even be closing a safety gap that the submitter both wasn’t conscious of or selected to not disclose was there. Google tries to establish these instances once they occur, but it surely’s not possible to catch all of them, resulting in conditions the place fixes have landed on upstream Linux months earlier than they made their option to Android gadgets. That is why Google pushes Android OEMs to often carry out LTS updates in order that they don’t get caught flat-footed by a shock safety vulnerability disclosure.

Clearly, Linux kernel LTS releases are extremely necessary to the safety of Android gadgets, as they assist Google and OEMs handle safety vulnerabilities each identified and unknown. The longer the help lifetime of a Linux kernel LTS launch, the longer Google and, subsequently, OEMs can maintain their gadgets up-to-date with safety fixes.

Sadly, whereas that longer help lifetime is nice for Google and OEMs, it places a large pressure on the builders and maintainers of the Linux kernel, lots of whom are unpaid volunteers. Plus, should you exclude Android and embedded gadgets, there aren’t that many gadgets operating older Linux variations.

Basically, the Linux maintainers determined that six-year help lifetimes for LTS kernel releases didn’t make sense for them anymore, in order that they determined to drop that window down to 2 years once more. This alteration was made public in early 2023, leaving many observers to surprise what it could imply for the Android world. Some believed it could power OEMs to lastly begin performing main kernel model upgrades to remain up-to-date, whereas others believed that Google or silicon distributors would lengthen LTS on their very own.

The latter is what Google is doing. On their developer web page for the ACK, Google wrote that “starting with kernel 6.6, the help lifetime for the secure kernels is 4 years.” That is preceded by an announcement that claims that “ACKs is likely to be supported for longer than the corresponding upstream secure kernel at kernel.org. On this case, Google gives prolonged help till the end-of-life (EOL) date proven on this part.” When a kernel is EOLed, they’re clearly now not supported by Google, however extra importantly, the “gadgets operating them are thought of to be weak.”

The earlier six-year Linux LTS lifecycle allowed Android OEMs to launch gadgets one, two, and even three years into the lifecycle and nonetheless get pleasure from a number of years of upstream help.

Nonetheless, since Google is just supporting new ACK branches for 4 years, OEMs can now not try this. That’s why, beginning with Android 15, gadgets are solely allowed to launch with both android14-6.1 or android15-6.6, i.e. the 2 most up-to-date kernel variations. The previous shall be supported till July 2029 whereas the latter till July 2028, so gadgets can launch with them this 12 months and nonetheless obtain three to 5 years of help earlier than they should improve their kernel.

Going ahead, Google says that there’ll solely be one new ACK department for every kernel launch, therefore why there isn’t an android15-6.1 department. This simplifies issues a bit, however in the end, OEMs will finally want to start out doing main kernel model upgrades in the event that they’re going to decide to longer and longer telephone replace insurance policies.