diff --git a/static/js/redirect.js b/static/js/redirect.js index 1f8edead..177c60c5 100644 --- a/static/js/redirect.js +++ b/static/js/redirect.js @@ -21,11 +21,11 @@ const redirects = new Map([ ["/usage#sandboxed-play-services-installation", "/usage#sandboxed-google-play-installation"], ["/usage#sandboxed-play-services-limitations", "/usage#sandboxed-google-play-limitations"], ["/usage#google-camera", "/usage#pixel-camera"], + ["/usage#usb-peripherals", "/usage#usb-c-port-and-pogo-pins-control"], ["/faq#dns", "/faq#custom-dns"], ["/faq#when-devices", "/faq#future-devices"], - ["/features#usb-c-port-control", "/features#usb-c-port-and-pogo-pins-control"], ["/hiring#qualitifations", "/hiring#qualifications"], diff --git a/static/usage.html b/static/usage.html index 5cba227f..115af984 100644 --- a/static/usage.html +++ b/static/usage.html @@ -67,7 +67,7 @@
  • Sideloading
  • -
  • USB peripherals (Pixel 5a and earlier)
  • +
  • USB-C port and pogo pins control
  • Web browsing
  • Camera @@ -523,26 +523,33 @@ -
    -

    USB peripherals (Pixel 5a and earlier)

    +
    +

    USB-C port and pogo pins control

    -

    GrapheneOS defaults to ignoring connected USB peripherals when the device is - already booted and the screen is locked. A USB device already connected at boot will - still work. The purpose is reducing attack surface for a locked device with active - login sessions to user profiles to protect data that's not at rest. This can be - controlled in Settings > - Security > USB peripherals. The options - are:

    +

    Our USB-C port and pogo pins setting protects against attacks through + USB-C or pogo pins while the OS is booted. For the majority of devices without pogo + pins, the setting is labelled USB-C port.

    + +

    The setting is available in Settings > + Security > Exploit protection.

    + +

    The setting has five modes:

      -
    • Disallow new USB peripherals
    • -
    • Allow new USB peripherals when unlocked (default)
    • -
    • Allow new USB peripherals (like stock Android)
    • +
    • Off
    • +
    • Charging-only
    • +
    • Charging-only when locked
    • +
    • Charging-only when locked, except before first unlock
    • +
    • On
    -

    This option has no impact on the device acting as a USB peripheral itself when - connected to a computer. Android defaults to charge only mode and requires opt-in - to the device being used for file transfer, USB tethering, MIDI or PTP.

    +

    The default is Charging-only when locked, which significantly reduces + attack surface when the device is locked. After locking, it blocks any new USB + connections immediately and disables USB data once any current connections end.

    + +

    For technical details on how this feature works using a combination of hardware + and software protection, see the section + on the features page.
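Review bot: In the static/js/redirect.js hunk, the entry ["/features#usb-c-port-control", "/features#usb-c-port-and-pogo-pins-control"] is removed with nothing taking its place, so existing links to /features#usb-c-port-control will stop redirecting. The new usage text still sends readers to a section on the features page, so either keep this entry or state in the commit message why the old anchor no longer needs a redirect. The added ["/usage#usb-peripherals", "/usage#usb-c-port-and-pogo-pins-control"] entry also depends on the new heading in static/usage.html carrying exactly that id, which is worth confirming before merge.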
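Review bot: In the rewritten section of static/usage.html (hunk -523,26 +523,33), the five modes are listed by name only, and "Off" and "On" are ambiguous: a reader cannot tell whether "Off" means the port is disabled or the protection is disabled. Only the default, "Charging-only when locked", gets an explanation. Suggest one sentence per mode, including what "except before first unlock" changes. The removed text also said that a USB device already connected at boot will still work and that the option has no impact on the device acting as a USB peripheral itself; if either statement still applies to the new setting, carry it over, otherwise the page loses that information without saying the behaviour changed.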