
Google Expands Linux Kernel Support to Keep Android Devices Secure Longer

JAKARTA – Google has committed to extending the support period for its Linux kernel fork to four years, starting with kernel version 6.6. The move comes after the Linux kernel project dropped its six-year support commitment for Long-Term Support (LTS) releases and shortened it to two years. This change is critical for the security of Android devices, which use Linux kernels and need periodic updates to receive fixes for security issues.

The Linux kernel used in most Android devices comes from one of Google’s Android Common Kernel (ACK) branches. An ACK branch is created from the mainline Android kernel branch whenever a new LTS release is announced. For example, the android15-6.6 ACK branch was created when version 6.6 was announced as the latest LTS release, with “android15” referring to the version of Android associated with the kernel (in this case, Android 15).

Google has three main reasons for keeping a fork of each Linux LTS kernel release. First, the fork can contain backports of upstream functionality required for Android features. Second, it can carry features that are ready for Android devices even while they are still in upstream development. Finally, it can contain vendor or OEM features that are useful to other Android partners.

Once created, an ACK branch continues to be updated by Google with bug fixes for Android-exclusive code, as well as LTS merges from the upstream kernel branch. Security vulnerabilities affecting the Linux kernel that are disclosed in the monthly Android security bulletins, as in the July 2024 bulletin, are addressed through these updates.

However, it is not always possible to tell whether a bug fix is also a security fix, since bug fixes may close security holes that were not known to, or not disclosed by, the patch authors.

Google tries to identify these cases as they arise but cannot catch them all, with the result that fixes land in Linux months before they reach Android devices. That’s why Google is pushing Android OEMs to routinely update to the latest LTS release, lest they get caught out by a surprise vulnerability disclosure.

The LTS Linux kernel is very important for Android device security because it helps Google and OEMs address both known and unknown security flaws. The longer the support period of the LTS kernel, the longer Google and OEMs can keep updating their devices with security fixes.

But this extended support period puts enormous pressure on Linux kernel developers and maintainers, many of whom are unpaid volunteers. If you exclude Android and embedded devices, few devices support the longer version of Linux.

The Linux maintainers decided that the six-year support period for LTS kernel releases no longer made sense, so they shortened it to two years. This change was announced in early 2023, leaving many observers wondering what it would mean for the Android world. Some believed it would force OEMs to finally start updating major kernel versions to stay up to date, while others believed that Google or silicon vendors would extend LTS support on their own.

Google chose the latter. On the ACK developer page, Google wrote that “starting with kernel 6.6, the support period for a stable kernel is 4 years.” This was preceded by a statement that “ACK may be supported longer than the corresponding stable kernels on kernel.org. In such a case, Google provides extended support until the End of Service (EOL) date shown in this section.” Once a kernel reaches critical state, it is no longer supported by Google, but more importantly, “the stack that supports it is considered vulnerable.”

The six-year LTS cycle for Linux previously allowed Android OEMs to ship devices on one-, two-, or even three-year cycles while still receiving several years of support.

However, since Google only supports each new ACK branch for four years, OEMs can no longer do so. Therefore, starting with Android 15, devices can only launch with the android14-6.1 or android15-6.6 kernels, which are the two newest kernel versions. The former will be supported until July 2029, and the latter until July 2028, so devices can launch with them this year and still get three to five years of support before they need to upgrade their kernels.

Google has stated that there will be only one new ACK branch for each kernel version, so there is no android15-6.1 branch. This simplifies things, but eventually OEMs will need to start updating to new major kernel versions if they want to commit to a longer phone update policy.
