Google Extends Linux Kernel Support To Maintain Android Device Security Longer

JAKARTA - Google has committed to extending the support period for its Linux kernel fork to four years, starting with kernel version 6.6. The step follows the Linux kernel project ending its six-year support commitment for LTS (Long-Term Support) releases and reducing it to two years. The change is critical to the security of Android devices, which run Linux kernels and need periodic updates to receive security fixes.

The Linux kernel used in most Android devices comes from one of Google's Android Common Kernel (ACK) branches. An ACK branch is created from the main Android kernel branch whenever a new LTS release is announced. For example, the android15-6.6 ACK branch was created after version 6.6 was announced as the latest LTS release, with "android15" referring to the Android release associated with the kernel (in this case, Android 15).

Google has three main reasons for maintaining a fork of each LTS Linux kernel release. First, the fork can contain backports and cherry-picks of upstream functionality required for Android features. Second, it can include features that are ready for Android devices while they are still in development upstream. Finally, it can include certain vendor or OEM features that are useful for other Android partners.

Once created, an ACK branch continues to be updated by Google to receive bug fixes for Android-specific code as well as LTS merges from the upstream kernel branches. Linux kernel vulnerabilities disclosed in the monthly Android Security Bulletins, as in the July 2024 bulletin, are addressed through these updates.

However, it is not always possible to tell when a bug fix is also a security fix, because a patch that fixes a bug can also close a security hole that the patch submitter either did not realize was there or did not disclose.

Google tries to identify these cases when they occur, but it is impossible to catch them all, which leads to situations where fixes have landed in upstream Linux months before reaching Android devices. This is why Google is pushing Android OEMs to merge LTS updates routinely, so they are not caught off guard by the surprise disclosure of a security vulnerability.

The LTS Linux kernel is very important for Android device security, as it helps Google and OEMs address security vulnerabilities, both known and unknown. The longer the LTS kernel support period, the longer Google and OEMs can keep their devices updated with security fixes.

However, a longer support period puts great pressure on the developers and maintainers of the Linux kernel, many of whom are unpaid volunteers. If you exclude Android and embedded devices, not many devices run older versions of Linux.

The Linux maintainers decided that a six-year support period for LTS kernel releases no longer made sense for them, so they reduced it to two years. The change was announced in early 2023, leaving many observers wondering what it would mean for the Android world. Some believed it would force OEMs to eventually start upgrading major kernel versions to stay up to date, while others believed that Google or the silicon vendors would extend LTS support on their own.

Google has done the latter. On the developer page for ACK, Google wrote that "starting from kernel 6.6, the support period for stable kernel is 4 years." This was preceded by a statement saying that "ACK may be supported longer than the corresponding upstream stable kernel in kernel.org. In this case, Google provides extended support until the end date of service (EOL) shown in this section." When kernels reach EOL, they are no longer supported by Google and, more importantly, "the devices running them are considered vulnerable."

The previous six-year Linux LTS cycle allowed Android OEMs to launch devices one, two, or even three years into the cycle and still enjoy several years of upstream support.

However, since Google supports new ACK branches for only four years, OEMs can no longer do that. That is why, starting with Android 15, devices are only allowed to launch with the android14-6.1 or android15-6.6 kernels, the two newest kernel versions. The former will be supported until July 2029 and the latter until July 2028, so devices can launch with them this year and still receive three to five years of support before they need to upgrade their kernels.

Google stated that there will be one new ACK branch for each kernel release, so there is no android15-6.1 branch. This simplifies things, but in the end OEMs must start upgrading major kernel versions if they want to commit to a longer phone update policy.