Skip to content

Commit

Permalink
replace obsolete USB peripherals section in usage guide
Browse files Browse the repository at this point in the history
  • Loading branch information
@thestinger
thestinger committed Nov 13, 2024
1 parent ae44e23 commit 99a845c
Show file tree
Hide file tree
Showing 2 changed files with 24 additions and 17 deletions.
2 changes: 1 addition & 1 deletion static/js/redirect.js
View file
Original file line number Diff line number Diff line change
Expand Up @@ -21,11 +21,11 @@ const redirects = new Map([
["/usage#sandboxed-play-services-installation", "/usage#sandboxed-google-play-installation"],
["/usage#sandboxed-play-services-limitations", "/usage#sandboxed-google-play-limitations"],
["/usage#google-camera", "/usage#pixel-camera"],
["/usage#usb-peripherals", "/usage#usb-c-port-and-pogo-pins-control"],

["/faq#dns", "/faq#custom-dns"],
["/faq#when-devices", "/faq#future-devices"],


["/features#usb-c-port-control", "/features#usb-c-port-and-pogo-pins-control"],

["/hiring#qualitifations", "/hiring#qualifications"],
Expand Down
39 changes: 23 additions & 16 deletions static/usage.html
View file
Original file line number Diff line number Diff line change
Expand Up @@ -67,7 +67,7 @@ <h2><a href="#table-of-contents">Table of contents</a></h2>
<li><a href="#updates-sideloading">Sideloading</a></li>
</ul>
</li>
<li><a href="#usb-peripherals">USB peripherals (Pixel 5a and earlier)</a></li>
<li><a href="#usb-c-port-and-pogo-pins-control">USB-C port and pogo pins control</a></li>
<li><a href="#web-browsing">Web browsing</a></li>
<li>
<a href="#camera">Camera</a>
Expand Down Expand Up @@ -523,26 +523,33 @@ <h3><a href="#updates-sideloading">Sideloading</a></h3>
</section>
</section>

<section id="usb-peripherals">
<h2><a href="#usb-peripherals">USB peripherals (Pixel 5a and earlier)</a></h2>
<section id="usb-c-port-and-pogo-pins-control">
<h2><a href="#usb-c-port-and-pogo-pins-control">USB-C port and pogo pins control</a></h2>

<p>GrapheneOS defaults to ignoring connected USB peripherals when the device is
already booted and the screen is locked. A USB device already connected at boot will
still work. The purpose is reducing attack surface for a locked device with active
login sessions to user profiles to protect data that's not at rest. This can be
controlled in <b>Settings&#160;<span aria-label="and then">></span>
Security&#160;<span aria-label="and then">></span> USB peripherals</b>. The options
are:</p>
<p>Our <b>USB-C port and pogo pins</b> setting protects against attacks through
USB-C or pogo pins while the OS is booted. For the majority of devices without pogo
pins, the setting is labelled <b>USB-C port</b>.</p>

<p>The setting is available in <b>Settings&#160;<span aria-label="and then">></span>
Security&#160;<span aria-label="and then">></span> Exploit protection</b>.</p>

<p>The setting has five modes:</p>

<ul>
<li>Disallow new USB peripherals</li>
<li>Allow new USB peripherals when unlocked (default)</li>
<li>Allow new USB peripherals (like stock Android)</li>
<li>Off</li>
<li>Charging-only</li>
<li>Charging-only when locked</li>
<li>Charging-only when locked, except before first unlock</li>
<li>On</li>
</ul>

<p>This option has no impact on the device acting as a USB peripheral itself when
connected to a computer. Android defaults to charge only mode and requires opt-in
to the device being used for file transfer, USB tethering, MIDI or PTP.</p>
<p>The default is <b>Charging-only when locked</b>, which significantly reduces
attack surface when the device is locked. After locking, it blocks any new USB
connections immediately and disables USB data once any current connections end.</p>

<p>For technical details on how this feature works using a combination of hardware
and software protection, see the <a href="/features#usb-c-port-and-pogo-pins-control">section
on the features page</a>.</p>
</section>

<section id="web-browsing">
Expand Down

0 comments on commit 99a845c

Please sign in to comment.