  1. CDD: Add per-user block-level encryption to storage encryption
    
    Add an alternative section to define encryption requirements for
    device implementations using per-user block-level encrypted
    partition.
    
    Bug: 184198954
    Test: none
    Change-Id: Icba5a5541c367f8863466b453e249800c1f6d9aa
    
  2. Merge "CDD: Carveout automotive from Restricted profiles" into android11-dev
  3. Merge "CDD: TrustAgent and Biometric Carve-out" into android11-dev
  4. CDD: Added local regulations carveout to Device Identifiers requirements.
    
    Updating device identifiers requirements to allow apps to have access
    to SIM serial number/ICCID where local regulations require the app to
    detect changes in subscriber identity.
    
    Change-Id: I0c5559d05de30a70cb6139b65249744a1eb8ec84
    BUG: 168387648
    
  5. CDD: TrustAgent and Biometric Carve-out
    
    7.3.10: Relaxing C-1-8 biometrics requirement for upgrading devices.
    9.11.1: Relaxing C-7-8 trustagent requirement for Automotive,
    considering driver distraction could be of concern.
    
    Bug: 141269831
    Test: NA
    Change-Id: I922d92300ad6565d99adff732877052e02f14850
    (cherry picked from commit debd0994d09ffd162d916b710d0ad9c5311a2f03)
    
  6. CDD: Carveout automotive from Restricted profiles
    
    Removed the multiple user restricted profiles from
    the core requirement and add them to all the
    device configurations except automotive
    
    Bug: 143736934
    Test: N/A
    Change-Id: Ia9d8e606a50567c2dfab190423923c809ecc5ca2
    (cherry picked from commit fe5bc486b29c74bec3b9e67283e393314db6d055)
    
  7. CDD: Added in TextClassifier as part of ContentCapture requirements.
    
    This change has been introduced to ensure that TextClassifier
    Service does not exfiltrate data off the device.
    
    Bug: 149022430
    
    Change-Id: I77368a337d54e54e6261fa7338f135208e322126
    
  8. Merge "CDD: Update requirements for Android biometrics" into rvc-dev
  9. Merge "CDD: Mandate metadata encryption" into rvc-dev
  10. Merge "CDD: Intents Classification and Clarification" into rvc-dev
  11. CDD: Mandate metadata encryption
    
    Improvements in kernel support mean that we can now enable metadata
    encryption on all devices. Metadata encryption improves user privacy,
    and testing is more effective when we reduce ways for devices to vary.
    
    Bug: 147690095
    Test: n/a
    Change-Id: Id94f110ad64b39db55d43501e929b26431b7fc53
    
  12. Merge "CDD: Requirements for Blob Sharing Service." into rvc-dev
  13. CDD: Strongly recommend kernel heap initialization
    
    The idea is to eliminate bugs related to using uninitialized heap
    variables in the kernel by force-initializing all the heap allocations
    (page alloc and kmalloc()). This includes potential stability bugs as well
    as information leaks as well as vulnerabilities related to control flow
    subversion. Together with stack initialization, this change is going to
    mitigate most of the bugs related to uninitialized memory in the kernel.
    
    Test: None
    Bug: 143931827
    
    Signed-off-by: Alexander Potapenko <glider@google.com>
    Change-Id: I3af6f5d8a02fd3895b9c5e125a602e8672478488
    
  14. CDD: Intents Classification and Clarification
    
    Intents have been classified as application intents and
    broadcast intents.
    Application intents have been listed for each form factor.
    Removed the terminology of Core intents and called it common
    application intents to be more in line with the developer pages.
    
    Also renamed section "3.2.3.5 default app settings" to
    "conditional application intents" and moved in the conditional
    application intents in that section.
    
    The goal is to provide clarity to OEMs and developers on the
    list of intents to expect an activity/handler.
    
    Change-Id: I4416c2b06b7845581e701f8137e7d870d4749938
    BUG: 148181180
    
  15. CDD: Requirements for Blob Sharing Service.
    
    Blob Sharing is a new feature in R which allows
    apps to share data blobs with other apps by contributing
    the data to the system. The purpose of these new CDD requirements
    is to ensure data blobs belonging to apps are only shared as
    restricted by the originating application.
    
    Bug: 145299226
    Test: visual inspection in markdown editor
    Change-Id: I0b418af6b32a85b2fdff4ca50168b9eadbf0f03a
    
  16. Merge "CDD:  Require OTA Resume On Reboot feature." into rvc-dev
  17. CDD:  Require OTA Resume On Reboot feature.
    
    Update File-based encryption to include content related to Resume On Reboot requirements.
    
    Bug: b/145144304
    Change-Id: Ifd18665d28e26e9afa7ac63011e1484f2559d6cc
    
  18. Merge "CDD: Requirements for Connectivity bug reports." into rvc-dev
  19. Merge "CDD: Clarify escrow token policy for Automotive" into rvc-dev
  20. CDD: Clarify escrow token policy for Automotive
    
    To ensure proper escrow token usage for
    trusted devices, clarify that the encryption
    keys must not be stored in any part of the
    vehicle even if they are outside of Android
    automotive head unit.
    
    Bug: 151435941
    Test: NA
    Change-Id: I7450d0c116e832fef549074852a463afabc10c98
    
  21. Merge "CDD: Added requirements of file-based on-access verification" into rvc-dev
  22. CDD: Added requirements of file-based on-access verification
    
    The new articles require device implementation to support on-access
    verification with trusted certificates, such that for an enabled file,
    if a part of the file is tampered with, a read from the tampered part
    will fail.
    
    An example is fs-verity, which is an implementation in the Linux kernel
    and is used to protect an APK if the APK is installed with a trusted
    signature.
    
    Test: check in an MD viewer
    Bug: 144365636
    Change-Id: Icae88a7cc3e4cdb61cf08cab98ab8adfa2931f77
    
  23. CDD: Requirements for Connectivity bug reports.
    
    This new type of bug report is well-defined starting with Android R, and
    is intended to capture information relevant to connectivity (telephony,
    wi-fi, and networking) debugging without including unnecessary PII.
    
    Bug: 145145343
    Change-Id: Ie6e320482aaf07ca0b739a14ce627d6545367aa3
    
  24. CDD: Update requirements for Android biometrics
    
    Update biometric section to clarify security requirements and enforce
    consistent biometric implementations. This ensures that biometric
    solutions are correctly implemented and surfaced via the biometrics APIs,
    and that their security is measured and tested appropriately.
    
    Bug: 145928315
    Test: make -j
    
    Change-Id: I633980e0f8993eb5814451e57601c216e03adaa8
    
  25. Merge "CDD: Add section for app data migration" into rvc-dev
  26. Merge "CDD: Changes related to Scoped Storage" into rvc-dev
  27. CDD: Changes related to Scoped Storage
    
    * Dropped references to WRITE_EXTERNAL_STORAGE and
      WRITE_MEDIA_STORAGE permissions as the permission
      WRITE_EXTERNAL_STORAGE is a no-op for apps targeting Android R.
      Also the privileged permission WRITE_MEDIA_STORAGE is deprecated
      in Android R.
    * Scoped storage is enforced only by target SDK but the flag
      requestLegacyExternalStorage is not a way to opt out when targeting
      Android R.
    * We no longer need text to emphasize how apps can access SD cards,
      this is enforced in the SDK
    * Raw file path access now allowed as privacy rules are enforced 
      behind the scenes
    
    BUG: 144375132
    Change-Id: I292426ee55ecb395dcdbcc3f840d8c9bc5e7a6fc
    
  28. CDD: Add section for app data migration
    
    Allow devices to offer a device-to-device application data migration
    capability that does not limit the application data it copies to what
    is configured by the application developer in the manifest and any
    backup include and exclude files, subject to certain security and
    privacy requirements.
    
    Bug: 143524713
    Change-Id: Iccf72a4b4e6959b63d0311cd50a2f09e83aa8562
    
  29. Merge "CDD: Require to display the same consistent UI for ACTION_MANAGE_OVERLAY_PERMISSION intent." into rvc-dev
  30. Merge "CDD: Remove sleep timeout configuration for Automotive" into rvc-dev
  31. CDD: Remove sleep timeout configuration for Automotive
    
    Automotive devices have a different timeout.
    The screen goes to locked screen whenever
    the vehicle is turned off or the user
    profile is switched. The timeout configuration
    is not an applicable setting for automotive
    devices. Removing the requirement.
    
    Bug: 154351787
    Test: NA
    Change-Id: I339b85850adec12843bb8506b081912e6abb7659
    
  32. Merge "CDD: Emergency Location Bypass API for Automotive" into rvc-dev
  33. Merge "CDD: strongly recommend kernel stack initialization" into rvc-dev
  34. Merge "CDD: Add Identity Credential as STRONGLY RECOMMENDED" into rvc-dev
  35. CDD: Emergency Location Bypass API for Automotive
    
    Clarify that automotive may use emergency
    location bypass in the case of detection
    of a crash/accident, satisfying eCall requirements
    
    Bug: 152455211
    Test: NA
    Change-Id: I5b27dabd76ecba393ba85f9b08775caf9614cbeb
    
  36. CDD: Add Identity Credential as STRONGLY RECOMMENDED
    
    The Identity Credential System allows app developers to store
    and retrieve user identity documents. Device implementations are
    strongly recommended to implement Identity Credential in a secure area.
    
    Bug: 146022741
    Test: n/a
    Change-Id: I69bb11fdb1e9b7abcc73bf4ff23a447ca4a413de
    
  37. Merge "CDD: mandate non-reversible FBE key derivation function" into rvc-dev
  38. CDD: mandate non-reversible FBE key derivation function
    
    The kernel portion of FBE originally used an AES-128-ECB based Key
    Derivation Function (KDF) to derive per-file keys.  While this met the
    original security requirements, it is not a standard KDF and it does not
    follow cryptographic best practices.  For example, it is reversible, so
    if a single file's key was compromised then all other files protected by
    the same FBE policy were too.  It is also inflexible, making it hard to
    add new features to FBE and encouraging poor practices like reusing the
    FBE master keys for both encryption and key derivation.
    
    Android R supports a new FBE policy version which uses HKDF-SHA512
    to derive all subkeys from the master key.  It can be enabled using an
    fstab option like "fileencryption=aes-256-xts:aes-256-cts:v2".  It is
    also the default setting when the shipping API level is >= R.  Kernel
    support is in android-4.14 and later, and in the upstream Linux kernel.
    
    So, start requiring that a strong KDF be used and that FBE keys are not
    used for different cryptographic purposes.  As with the other storage
    encryption format requirements, this only applies to new devices; this
    is covered by the paragraph at the beginning of section 9.9.
    
    This requirement does not require any special hardware support, and the
    new KDF performs as well as or better than the old KDF.
    
    Bug: 144509061
    Change-Id: Ie8b8df0a19be21dcfb7aed18aa3ac7e9c7e2b893
    
  39. CDD: strongly recommend kernel stack initialization
    
    The idea is to eliminate bugs related to using uninitialized local
    variables in the kernel by force-initializing all the locals. This
    includes potential stability bugs as well as information leaks as well
    as vulnerabilities related to control flow subversion. Together with
    heap initialization, this change is going to mitigate most of the bugs
    related to uninitialized memory in the kernel.
    
    Test: None
    Bug: 143863382
    
    Signed-off-by: Alexander Potapenko <glider@google.com>
    Change-Id: Ia0fe68df775a89c1d49b8d348fd105dcb41ff494
    
  40. CDD: Require to display the same consistent UI for ACTION_MANAGE_OVERLAY_PERMISSION intent.
    
    Without such a requirement, the intent android.settings.action.MANAGE_OVERLAY_PERMISSION
    with data URI “package:<package>” can redirect the user
    to the app-specific screen to enable permission
    android.permission.SYSTEM_ALERT_WINDOW. This makes it too
    easy for malicious apps to fool the user into enabling it.
    
    Bug: 145286669
    Change-Id: I5fce6cc6bf21b93f953b53ce077c0272dc71bae2
    
  41. CDD: MUST NOT expose app details to other apps
    
    Apps targeting Android 11 cannot see details about other installed apps
    by default, due to the package visibility change.
    
    Bug: 145293555
    Change-Id: Iba1d6facb57f492589c3f5d61c719d0369367d1c
    
  42. Docs: Almost final Cleanup CL.
    
    Bug: 140142603
    
    Test: ./cdd_gen.sh --version <version-number> --branch <branch-name>
    Change-Id: Ib0a8e55035eab94ff6ab28ad3c6aa6c7c1ae19d3
    
  43. Docs: Editorial Fixes for Section 9.8 and 5.2.5 (video codec table)
    
    bug: b/140142603
    test: NA
    
    Change-Id: Ie5047a8497c94c4cb4e9f0b2bbea51efab9f2eda
    
  44. Docs: Whitespace at EOF
    
    Last line of file should end with a single newline.
    
    Bug: 140034464
    Test: N/A
    Change-Id: Icdaaf61f25a0448fdf866fee4295b0ee15348812
    
  45. Docs: Fix misspellings
    
    Bug: 140034464
    Test: N/A
    Change-Id: If526c0b31459c7f368c623a0d0e916bfc3fd344f
    
  46. CDD: Lockscreen and biometrics changes
    
    - Introducing new biometrics tier model, adding
     the requirements and constraints for each tier.
    - Some editorial changes by reorganizing and folding some sections
    - Transferred ag/6940471 on master to qt-branch
    
    Bug: 126002559
    Bug: 120995257 (7.3.10/C-2-5)
    Bug: 124243324 (9.11.1/C-7-12)
    Bug: 124403616 (7.3.10 additional background)
    Bug: 123365828 (9.11.1/C-7-11)
    Test: NA
    
    Change-Id: Ib36d40935c77ec370a2494ddb1506b0a952fd525
    
  47. CDD: Updating location and corresponding privacy requirements
    
    - Some minor changes for reporting GNSS measurements
    - Bumping up from Should to SR for 3-axis accelerometer
    - Update privacy requirements related to the user's location to align
    with the updated privacy policy
    
    Bug: 124539379
    Bug: 124405285
    Bug: 124405354
    Bug: 123593924
    Bug: 124404671
    Bug: 124404696
    Test: N/A
    Change-Id: I6278b6af8f1f3f00fe455d66fa051d3d7f5a2dc7
    
  48. CDD: Tighten keystore req
    
    - Tighten the security consistently for Android ecosystem.
    - Remove the condition of a secure lock screen for Keystore reqs for
    form-factors (i.e. Handheld, Auto, TV) that have adopted keystore reqs.
    
    Bug: 111748530
    
    Change-Id: If7682e1410b52390135627d3edc9724d779a265f
    
  49. CDD: Require user consent for screen casting and screen recording
    
    - Provide more transparency for users about casting/screen recording.
    
    Bug: 135560873
    Test: N/A
    
    Change-Id: I36c4f4e26e113bd24737bb0b5fc1476f6d378c83
    
  50. CDD: Update clipboard requirement
    
    - Updating the clipboard requirement to improve privacy.
    
    Test: N/A
    Fixes: 121159550
    Change-Id: Id1cd6237ee741acdf2a24c43a9c4f5f2ec09d0ee
    
  51. Merge "CDD: Require runtime permission for location and physical Activity" into qt-dev
  52. CDD: Require runtime permission for location and physical Activity
    
    - Ensure the correct permission model is implemented for both location
     and proprietary APIs that return location and physical activity.
    - Correspond with the improved location/activity permission in Q.
    
    Test: N/A
    Bug: 124308476
    Bug: 124124462
    
    Change-Id: If5deec3f9c45c1784f66ebf24936e50602cd24a3
    
  53. CDD: Update privacy requirements for capturing contents
    
    - Ensure the data captured on the device will not be leaked and abused.
    
    Bug: 124510178
    Test: none
    
    Change-Id: I9840d1fca81b85c5198882ba8ddbdff527896e02
    
  54. CDD: priv apps root of trust on Verified Boot
    
    - This is a minor language improvement for the spirit.  Previously, the
      document explicitly required /system, but actually any partition
      protected by Verified Boot is fine.
    
    Test: None
    Bug: 123365823
    Change-Id: I405371c69323bb95bc07e18c09b78ed2d1bcf46e
    
  55. Merge "CDD: Scope Factory Data Reset(FDR) wording to userdata partition." into qt-dev
  56. CDD: Revise section about Android Protected Confirmation API
    
     - Make the security requirements more concise to cover a larger design
       space of possible implementations while preserving the expected
       security guarantees.
    
    Bug: 119186987
    Test: n/a
    Change-Id: I64a7b52a1218df8f16a2a6bb63f1d78465b9d916
    
  57. CDD: Scope Factory Data Reset(FDR) wording to userdata partition.
    
    This is to improve user data privacy.
    
    Bug: 124238463
    Test: None
    Change-Id: I0a098daec3362417b105bda7be56cea424f62253
    
  58. CDD: Permissions for the hardRestricted level
    
    - The permission model (including permission) restriction is the most
      important mechanism to protect the user's privacy
    - Apps need a consistent permission model to be able to effectively deal
      with user data
    
    Fixes: 124522273
    Change-Id: If85a3f266ab75de64e5ac840101fb3ce983e179d
    
  59. CDD: Clarify privacy requirement for bugreports.
    
    Clarify that bugreports are covered by the following requirement:
    MUST NOT preload or distribute software components out-of-box that send
    user's private information off the device without the user's consent or
    clear ongoing notifications.
    
    Bug: 132458597
    Test: N/A
    Change-Id: I4d1732bb45153e5eccce1964437f9bdf25350d54
    
  60. CDD: Require new device identifier access restrictions
    
    Devices must prevent access to all device identifiers from
    an app that does not meet one of the new requirements.
    
    Bug: 123367433
    Test: N/A
    Change-Id: I683ff569f8f51c38fa4defa0f60c898ea48414ab
    
  61. Merge "CDD: Relax hardware vulnerability requirements" into qt-dev
  62. Merge "CDD: Update CDD for CFI and SCS" into qt-dev
  63. CDD: Strongly recommend StrongBox for devices with secure processors
    
    This arguably is a weakening of the P recommendation, but it's part of
    an incremental strategy to mandate StrongBox across the entire
    ecosystem.  We'll start by recommending it for devices with the
    necessary hardware, then move to mandating it for such devices and
    recommending that all devices add such hardware, then mandate it for
    all devices.
    
    Bug: 135707870
    Test: N/A
    Change-Id: Idf18fde8fc163ee0944a6ce1e611441414ebc461
    
  64. Merge "CDD: Align mic and playback capture requirement" into qt-dev
  65. CDD: Relax hardware vulnerability requirements
    
    Limit mitigation requirements to vulnerable hardware.
    
    Bug: 122834364
    Change-Id: If81385671bfd42f0d100f139c081fd759de81cd0
    
  66. CDD: Align mic and playback capture requirement
    
    - The two audio sources should have the same privacy requirements.
    - Some typo corrections for section 5.4.
    
    
    Test: N/A
    Bug: 124333245
    Change-Id: Ida67df090b028b35f0dbea84c1e43de8339c5696
    Signed-off-by: Kevin Rocard <krocard@google.com>
    
  67. CDD: Update CDD for CFI and SCS
    
    - Strongly recommend shadow-call-stack (SCS) and control-flow-integrity
    (CFI) for the kernel and userspace to provide additional protection
    against code-reuse attacks.
    
    Bug: 123365748
    Test: --
    Change-Id: Ida7b2f190da26439443d5247d467047e134933c1
    
  68. CDD: Remove "shared device" exception for encryption
    
     - This can potentially be used to try to gain exceptions for devices
    we never envisioned (for example, many phones allow multiple user
    accounts, and any device shipping with family features is
    pretty much by definition going to be "shared").
    
     - This exception was also somewhat designed for devices with
    lower hardware capabilities.  But with Adiantum available, we
    haven't seen any data showing such an exception is still
    needed.
    
    Bug: 124123642
    Test: None
    Change-Id: Ie2b3f0b5be2c8cda80176160255558e6e5a2cff5
    
  69. CDD: Remove encryption performance exception
    
    We now require encryption on all devices, without any
    exceptions for performance.
    
    For devices which lack AES CPU instructions, and thus have
    performance concerns with AES, we allow the use of Adiantum as
    the encryption method.
    
    Bug: 118200376
    Test: None
    Change-Id: I219fd6d1733c053741d8b71b7f5bd067938d1196
    
  70. CDD: Remove FDE, mandate FBE where encryption is mandated
    
    - Already-launched devices are exempted, and must instead follow
    mandates of their launch CDD.
    
    Bug: 118760699
    Test: not applicable to CDD changes
    Change-Id: Icea70b46c986af187248d9b946e5c17d2b8ef1dd
    
  71. CDD: Clarify data deletion requirements
    
    - Make it clear that all generated data, not just user-generated data
    should be deleted on factory device reset.
    - Clarify that only operating system files on read-only filesystems are
    exempt from being deleted.
    
    Bug: 124238463
    Test: None
    Change-Id: I3cd0bb57ed2c425763b7a50849dc216bc5dcab50
    
  72. Docs: Errata for Android 9 CDD.
    
    - Fixed Section 9.10 by removing C-2-1 due to the introduction of C-0-2
    - Fixed typos in other sections
    
    Bug: 112010610
    
    Test: ./cdd_gen.sh --version 9 --branch pie-dev
    Change-Id: Ie4003beb20425a7fc83cf68ea23772aca389b85b
    
  73. Merge pi-dev as of ag/4582919 into stage-aosp-master.
    
    Bug: 112189069
    Change-Id: I67297b2d6eb189283acb350c1001010f0e9c81d9
    
  74. CDD: Move the req of supporting encryption under perf carve-out
    
    - Ensure the consistent security across devices
    - Replace the carve-out of secure lock screen with the perf carve-out
     for supporting encryption
    
    Test: None
    Bug: 71909258
    Change-Id: Ied56bb0bdd99e3f27e68c13829073c5982019c74
    
  75. Merge "CDD: Require logging of some basic events available to app developers through statsd." into pi-dev
  76. CDD: Clarifying kernel page table isolation
    
    - Modifying the requirement language for C-0-12 (kernel page table isolation)
     requirement to add clarity.
    
    Bug: 79088532
    Change-Id: If3b3da40b78203c177cb4b833ea49837336a72b7
    
  77. Merge "CDD: Requirements for services that have access to "android.permission.RECOVER_KEYSTORE"" into pi-dev
  78. CDD: Require logging of some basic events available to app developers through statsd.
    
    Enlist required fields to be more specific about what is
    needed for developer tools and what is needed for privacy.
    
    Bug: 76161779
    Bug: 74125988
    
    Test: None
    Change-Id: I4ff9a73f72c3270caaac0f116297d666a58561fb
    
  79. CDD: Requirements for services that have access to "android.permission.RECOVER_KEYSTORE"
    
    - Prevent brute-force attacks on the lockscreen knowledge factor.
    
    Bug: 73599998
    
    Test: None
    Change-Id: I8f7fa701b11f015e26429c4683a36d37aa2faa47
    
  80. Merge "CDD: Add section about Android Protected Confirmation API" into pi-dev
  81. Merge "CDD: Update CDD language for biometrics and lockscreen." into pi-dev
  82. CDD: Add section about Android Protected Confirmation API
    
     - Device implementations with secure hardware may implement the
       Android Protected Confirmation API to request the user to
       approve a textual message.
    
    Bug: 73001803
    Test: n/a
    Change-Id: I96c5929b0b4ab99b31a9fe7ca0ac82710f94cdca
    
  83. CDD: Update CDD language for biometrics and lockscreen.
    
    This CL makes CDD changes that are aimed at providing more explicit
    guidance on creating secure biometric based unlocks, and on
    consolidating the CDD language for secure lockscreens to make the
    authentication model consistent with our security bar.
    
    More specifically, it changes the following things:
    (1) A new section similar to "7.3.10 Fingerprint Sensors" that's more
    generic and applicable to all biometric sensors. Should have mostly
    the same constraints but slightly altered where necessary.
    (2) Language that deals with match-on-chip solutions for biometrics.
    (3) A new requirement in 9.11 that mandates keeping a minimum
    Sleep timeout of at most 15 seconds.
    (4) New requirements in "9.11.1 Secure Lock Screens" that:
      (a) Constrain what a primary authentication can be.
      (b) Adds information related to alternate biometric unlocks and
      adhering to the SAR/IAR bar that was introduced in the 8.1 CDD
      (c) Adds requirements around 'passive' biometric unlocks like Face
      when used to unlock keystore keys.
      (d) Clarifies some language around falling back to requiring primary
      auth every 72 hours for all non-primary modes of authentication
    (5) Removes the API requirement to return false for both the KeyguardManager.isKeyguardSecure() and the KeyguardManager.isDeviceSecure() methods.
    
    Bug: 73723272
    Bug: 77656214
    Bug: 111053551
    Test: --
    Change-Id: Iede9eba5ac79de56802cd830c3dc4e521f40e098
    
  84. CDD: 9.10. Device Integrity: Change verified boot items from SR to MUST.
    
    Change STRONGLY RECOMMENDED to MUST for verified boot items and slight
    cleanup of language used:
    
     - MUST use tamper-evident storage: for storing whether the bootloader
       is unlocked. Tamper-evident storage means that the boot loader can
       detect if the storage has been tampered with from inside Android.
    
     - MUST prompt the user, while using the device, and require physical
       confirmation before allowing a transition from boot loader locked
       mode to boot loader unlocked mode.
    
     - MUST implement rollback protection for the partitions used by
       Android (e.g. boot, system partitions) and use tamper-evident
       storage for storing the metadata used for determining the minimum
       allowable OS version.
    
    Test: n/a
    Bug: 72919368
    Change-Id: Ifcb0c994cb86f92a422dcde6fa6da1ca064d4ca0
    
  85. Merge "CDD: StrongBox requirements" into pi-dev
  86. Merge "CDD: Update CDD changes for CFI and IOSAN" into pi-dev
  87. Merge "CDD: Recommend metadata encryption" into pi-dev
  88. Merge "CDD: Require verified boot on all devices, including low ram devices" into pi-dev
  89. CDD: Update CDD changes for CFI and IOSAN
    
    This CL renames section 9.7 to 'Security Features' (instead of kernel
    security features), and adds a new sub-section for userspace specific
    security feature advice. There's only a single recommendation in for
    P, but we will be using this section to add more details and
    recommendations/constraints for Q.
    
    Bug: 73724250
    Test: --
    
    Change-Id: If45c5fd9b7668dcafc9ce8dbd2a59b9c4418ca42
    
  90. CDD: StrongBox requirements
    
    - Tighten the security by supporting StrongBox.
    - Clarifying the requirements if StrongBox is supported.
    
    Bug: 73002261
    Test: N/A
    Change-Id: I9834ced2e697bee013cb0725f31745826da1f0c5
    
  91. CDD: Require verified boot on all devices, including low ram devices
    
    We remove the low RAM exception for verified boot.
    
    Test: None
    Bug: 73374550
    Change-Id: I340e8753c8648bbe2a68426123851359d4cba1cb
    
  92. Merge "CDD: Handheld MUST include an application that handles intents related to Storage Access Framework (SAF)" into pi-dev
  93. Merge "Docs: clarify that CONFIG_ARM_LPAE is not allowed for 32-bit ARM" into pi-dev
  94. Docs: clarify that CONFIG_ARM_LPAE is not allowed for 32-bit ARM
    
    - It's incompatible with PAN emulation for arm32 kernels.
    - This is already implicitly tested when checking for
    CONFIG_CPU_SW_DOMAIN_PAN.
    
    Bug: 109828784, 74078653, 79088532, 73728376
    Test: n/a
    Change-Id: Idb6a96d6f8c13a959b4bdc2c5580294beeff2d7c
    
  95. CDD: Allow escrow keys to unlock CE storage.
    
    - Much of the purpose of escrow keys is to allow storage
      to be unlocked when a user forgets their LSKF, so we
      must allow this in CDD.
    
    Bug: 111561428
    Test: Documentation change.
    Change-Id: I0de44228e35728713405a8d84ec3b8e6f8a9ecbf
    
  96. Merge "CCD: Add recommendations for Full Stack Integrity" into pi-dev
  97. Merge "CDD: Require to include only the data with 'DEST_AUTO' in the incident report" into pi-dev
  98. CDD: Recommend metadata encryption
    
    - Tighten the security.
    
    Bug: 73662717
    Test: Compiled and inspected HTML
    Change-Id: Ib2be403ef2db8525c9ad579a289eca79132696e9
    
  99. CDD: MUST NOT send user's private data off the device without the user's consent
    
    - Ensure that user's private data is protected and is not sent off the device without user's consent.
    
    Bug: 74620344
    Change-Id: I41559d7d3903ea3d44d1471abe896ad7698ef6be
    Test: N/A
    
  100. CDD: Require to include only the data with 'DEST_AUTO' in the incident report
    
    Ensure that the data other than `DEST_AUTO` is not included in the report for
    privacy protection, as fields or messages annotated with DEST_AUTO
    can be sent by automatic means, without per-sending user consent. The user
    still must have previously accepted a consent to share this information.
    
    Bug: 76161779
    Test: N/A
    Change-Id: I813c96d43395b092ab0e8681893cf205723d26bb