The heart of every Android product is a monolithic kernel, the Linux kernel. The Linux kernel manages communication and system resources between hardware and software components, and it makes up the lowest-level software that operates any Android or AOSP-based ROM, CopperheadOS included. Google chose to build Android and AOSP on the Linux kernel for good reason: the Linux kernel offers unmatched portability. This means the Linux kernel, and consequently Android, can be ported to many different types of devices with ease, and portability is an excellent way to ensure a broader user and customer base. The choice of which version of the Linux kernel to use is important and has a broad set of consequences for security.
Android was originally based on Linux kernel 2.6. Since 2010 Google has maintained its own fork of the Linux kernel, called android-mainline; this kernel is the basis of all the individual kernel versions available on Android devices and is updated with the latest Linux kernel security patches. When a new Android device is launched, it can ship with the latest LTS kernel features simply by merging android-mainline.
The latest Android Common Kernels are used to create what Google is calling Generic Kernel Images (GKI). A GKI is nothing more than the "core" components of the kernel itself. Therefore, the drivers must be loaded as kernel modules, and a stable Kernel Module Interface (KMI) must be created. This KMI must currently be stable within the LTS version of the Linux kernel on which the GKI is based. This design direction allows devices launched using a GKI to backport kernel features and enhancements with less difficulty, without having to also upgrade the associated Android platform. In some ways this may help to mitigate the impact of the lag between the choice of LTS kernel for a new device at bring-up and the time that device goes to market. It also means that OEMs can upgrade device kernels independently of the Android platform on devices built from GKIs, potentially bringing relief to those OEMs who have historically been slow to upgrade the Android platform or who forgo the upgrade completely.
The Generic Kernel Image project has intriguing implications for device security. The benefits for kernel fragmentation, the overall Android platform and Android OEMs readily present themselves. Some implications for the security of Android kernels are also clear: with all unnecessary drivers stripped away in a given GKI, much of the tedious security work is done already. What is less clear is how actual KMI implementations play out in the wild, potentially opening an avenue for attackers to load compromised drivers. With kernel modules loadable independently of the Android platform, the ease of finding critical vulnerabilities may be both a blessing and a curse.
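One concrete thing a defender can do about the driver-loading concern above is to ask the kernel what it already knows about its loaded modules. The Linux kernel records per-module and kernel-wide taint flags, including O (out-of-tree module) and E (unsigned module), and, when built with module signing, exposes whether signature enforcement is on. The following is an added example (not code from the original article or from the CopperheadOS project) that parses the /proc/modules format and the taint bitmask from /proc/sys/kernel/tainted and reports modules the kernel has flagged; the sample inputs are constructed, and the audit_live_system() helper assumes the standard Linux paths for those files.

```python
"""Module-provenance audit for a Linux/Android kernel (added example).

Reads the /proc/modules listing, the kernel taint bitmask from
/proc/sys/kernel/tainted and the module-signature setting from
/sys/module/module/parameters/sig_enforce, and reports modules the kernel
itself has flagged as out-of-tree (taint O) or unsigned (taint E).
The sample inputs below are constructed, not captured from a device.
"""
from dataclasses import dataclass

# Taint bits relevant to module provenance; numbering follows
# Documentation/admin-guide/tainted-kernels.rst in the Linux source tree.
TAINT_FLAGS = {
    0: "P",   # proprietary (non-GPL) module loaded
    1: "F",   # module force-loaded
    12: "O",  # out-of-tree module loaded
    13: "E",  # unsigned module loaded
}


@dataclass
class Module:
    name: str
    size: int
    refcount: int
    used_by: list
    state: str
    taint: str  # per-module taint letters, e.g. "OE", or "" when clean


def parse_proc_modules(text):
    """Parse /proc/modules: 'name size refcount used_by state address [(taint)]'."""
    modules = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6:
            continue  # blank or truncated line
        name, size, refcount, used_by, state, _addr = parts[:6]
        taint = parts[6].strip("()") if len(parts) > 6 else ""
        deps = [d for d in used_by.split(",") if d and d != "-"]
        modules.append(Module(name, int(size), int(refcount), deps, state, taint))
    return modules


def decode_taint(mask):
    """Return the taint letters set in the kernel-wide bitmask, low bit first."""
    return [flag for bit, flag in sorted(TAINT_FLAGS.items()) if mask & (1 << bit)]


def audit(proc_modules_text, tainted_mask, sig_enforce_value):
    """Summarise what the kernel reports about its loaded modules."""
    sig_enforce = sig_enforce_value.strip().upper() == "Y"
    modules = parse_proc_modules(proc_modules_text)
    suspect = [m.name for m in modules if "O" in m.taint or "E" in m.taint]
    return {
        "sig_enforce": sig_enforce,
        "kernel_taint": decode_taint(tainted_mask),
        "module_count": len(modules),
        "suspect_modules": suspect,
    }


# Constructed sample: one in-tree module, one with a dependent, and one vendor
# module (hypothetical name) that the kernel flagged as out-of-tree and unsigned.
SAMPLE_PROC_MODULES = """\
wlan 1835008 0 - Live 0x0000000000000000
nf_conntrack 172032 1 nf_nat, Live 0x0000000000000000
vendor_gpu 520192 2 - Live 0x0000000000000000 (OE)
"""
SAMPLE_TAINTED = (1 << 12) | (1 << 13)  # kernel-wide O and E bits set
SAMPLE_SIG_ENFORCE = "N"


def audit_live_system():
    """Run the audit against the real files; only meaningful on a Linux host."""
    with open("/proc/modules") as f:
        mods = f.read()
    with open("/proc/sys/kernel/tainted") as f:
        mask = int(f.read())
    try:
        with open("/sys/module/module/parameters/sig_enforce") as f:
            sig = f.read()
    except FileNotFoundError:
        sig = "N"  # kernel built without CONFIG_MODULE_SIG exposes no such knob
    return audit(mods, mask, sig)


if __name__ == "__main__":
    print(audit(SAMPLE_PROC_MODULES, SAMPLE_TAINTED, SAMPLE_SIG_ENFORCE))
```

On a device this is run as root (or via a privileged adb shell) with audit_live_system(). The check is only as good as the kernel's own bookkeeping: taint flags catch modules the kernel noticed were out-of-tree or unsigned, so a clean report with sig_enforce off says little, and the result should be read together with the kernel version and the vendor's KMI expectations rather than as a verdict on its own.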
“On Pixel devices, it was discovered that 90% of the kernel security issues reported in the ASB (Android Security Bulletin) had already been fixed for devices that stay up to date.” - Google Documentation
We will continue to research the impact of the GKI project, and what implications KMI implementations will have in the future.