diff --git a/static/features.html b/static/features.html
index e6e5a4f9..bc964e49 100644
--- a/static/features.html
+++ b/static/features.html
@@ -384,12 +384,25 @@
- Enhanced verified boot
with better security properties and reduced attack surface
+ - GrapheneOS finishes the incomplete implementation of verified boot
+ for out-of-band updates to packages (APKs) in the OS. We enforce this
+ by requiring fs-verity metadata signed with a trusted key for system
+ app updates both at install time and boot time. This provides
+ continuous verification where every read from an out-of-band APK
+ update is verified similarly to every read from a firmware, OS image
+ or APEX update being verified. The signing key and version are
+ enforced to prevent downgrades or other attacks such as replacing a
+ package with a variant of the same one from a different GrapheneOS
+ supported device. We disable the persistent package parsing cache to
+ prevent bypassing the metadata checks through this otherwise highly
+ persistent state, which only has a very small negative impact on boot
+ time from the data not being available from previous boots (typically
+ less than 1 second).
- GrapheneOS closes a loophole where app-based system components
built as part of the OS can be downgraded to an older version due to
versionCode not being incremented when system components get updated
- as part of changes to the OS. We prevent this for both package updates
- and as part of detecting whether to use out-of-band updates to system
- apps at boot.
+ as part of changes to the OS. We enforce this both at package install
+ time and boot time.
- Enhanced hardware-based attestation with more precise version information
- Hardware-based security verification and monitoring via our
Auditor app and attestation service
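Review bot: The new paragraph at lines 8-21 of this hunk does not say what happens when the fs-verity or signing-key check fails (whether the out-of-band APK is rejected at install time, and whether at boot the OS falls back to the built-in copy of the package or refuses to load the update); since the feature is framed as enforcement at both install time and boot time, the failure behaviour is the detail a reader of a features page will most want, so consider adding one sentence stating it. The sentence "This provides continuous verification where every read from an out-of-band APK update is verified similarly to every read from a firmware, OS image or APEX update being verified" also repeats "verified" twice and could be tightened to "...is verified in the same way as every read from a firmware, OS image or APEX update". Finally, "signed with a trusted key" would be clearer if it named which key is trusted (for example, the OS signing key), so that the anti-downgrade and cross-device-replacement claims in the following sentence can be tied to a specific trust root.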