diff --git a/aosp_diff/preliminary/build/make/0004-Update-security_patch_level-string.patch b/aosp_diff/preliminary/build/make/0004-Update-security_patch_level-string.patch
index ee453e1081..f47fe5e008 100644
--- a/aosp_diff/preliminary/build/make/0004-Update-security_patch_level-string.patch
+++ b/aosp_diff/preliminary/build/make/0004-Update-security_patch_level-string.patch
@@ -20,7 +20,7 @@ index 419ff1aadc..fbbe777754 100644
      #  It must match one of the Android Security Patch Level strings of the Public Security Bulletins.
      #  If there is no $PLATFORM_SECURITY_PATCH set, keep it empty.
 -    PLATFORM_SECURITY_PATCH := 2023-05-05
-+    PLATFORM_SECURITY_PATCH := 2024-08-01
++    PLATFORM_SECURITY_PATCH := 2024-09-01
  endif
  
  include $(BUILD_SYSTEM)/version_util.mk
diff --git a/aosp_diff/preliminary/frameworks/av/0033-omx-check-HDR10-info-param-size.bulletin.patch b/aosp_diff/preliminary/frameworks/av/0033-omx-check-HDR10-info-param-size.bulletin.patch
new file mode 100644
index 0000000000..7791d4f037
--- /dev/null
+++ b/aosp_diff/preliminary/frameworks/av/0033-omx-check-HDR10-info-param-size.bulletin.patch
@@ -0,0 +1,37 @@
+From 9c087eac3e4ffbb0e369e59d30dd96a1d86e89f7 Mon Sep 17 00:00:00 2001
+From: Wonsik Kim <wonsik@google.com>
+Date: Fri, 28 Jun 2024 00:33:51 +0000
+Subject: [PATCH] omx: check HDR10+ info param size
+
+Bug: 329641908
+Test: presubmit
+Flag: EXEMPT security fix
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:53298956ba6bb8f147a632d7aaed8566dfc203ee)
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:f816148a719d2a3bbf432f11da98b3d5fa7de74f)
+Merged-In: I72523e1de61e5f947174272b732e170e1c2964df
+Change-Id: I72523e1de61e5f947174272b732e170e1c2964df
+---
+ media/libstagefright/omx/SoftVideoDecoderOMXComponent.cpp | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/media/libstagefright/omx/SoftVideoDecoderOMXComponent.cpp b/media/libstagefright/omx/SoftVideoDecoderOMXComponent.cpp
+index 418302389d..4ab5d10609 100644
+--- a/media/libstagefright/omx/SoftVideoDecoderOMXComponent.cpp
++++ b/media/libstagefright/omx/SoftVideoDecoderOMXComponent.cpp
+@@ -619,6 +619,13 @@ OMX_ERRORTYPE SoftVideoDecoderOMXComponent::getConfig(
+                 if (!isValidOMXParam(outParams)) {
+                     return OMX_ErrorBadParameter;
+                 }
++                if (offsetof(DescribeHDR10PlusInfoParams, nValue) + outParams->nParamSize >
++                    outParams->nSize) {
++                    ALOGE("b/329641908: too large param size; nParamSize=%u nSize=%u",
++                          outParams->nParamSize, outParams->nSize);
++                    android_errorWriteLog(0x534e4554, "329641908");
++                    return OMX_ErrorBadParameter;
++                }
+ 
+                 outParams->nParamSizeUsed = info->size();
+ 
+-- 
+2.46.0.rc2.264.g509ed76dc8-goog
+
diff --git a/aosp_diff/preliminary/frameworks/base/99_0209-DO-NOT-MERGE-Ignore-Sanitized-uri-scheme-by-removing.patch b/aosp_diff/preliminary/frameworks/base/99_0209-DO-NOT-MERGE-Ignore-Sanitized-uri-scheme-by-removing.patch
new file mode 100644
index 0000000000..96e43ab029
--- /dev/null
+++ b/aosp_diff/preliminary/frameworks/base/99_0209-DO-NOT-MERGE-Ignore-Sanitized-uri-scheme-by-removing.patch
@@ -0,0 +1,85 @@
+From 5258b4797cbb000819fa7bbc1821351e2d8a7749 Mon Sep 17 00:00:00 2001
+From: Kiran Ramachandra <kiranmr@google.com>
+Date: Thu, 30 May 2024 21:21:12 +0000
+Subject: [PATCH] DO NOT MERGE Ignore - Sanitized uri scheme by removing scheme
+ delimiter
+
+Initially considered removing unsupported characters as per IANA guidelines, but this could break applications that use custom schemes with asterisks. Instead, opted to remove only the "://" to minimize disruption
+
+Bug: 261721900
+Test: atest FrameworksCoreTests:android.net.UriTest
+
+No-Typo-Check: The unit test is specifically written to test few cases, string "http://https://" is not a typo
+
+NOTE FOR REVIEWERS - original patch and result patch are not identical.
+PLEASE REVIEW CAREFULLY.
+Diffs between the patches:
+     @AsbSecurityTest(cveBugId = 261721900)
+> +    @SmallTest
+> +    public void testSchemeSanitization() {
+> +        Uri uri = new Uri.Builder()
+> +                .scheme("http://https://evil.com:/te:st/")
+> +                .authority("google.com").path("one/way").build();
+> +        assertEquals("httphttpsevil.com:/te:st/", uri.getScheme());
+> +        assertEquals("httphttpsevil.com:/te:st/://google.com/one/way", uri.toString());
+> +    }
+> +
+
+Original patch:
+ diff --git a/core/java/android/net/Uri.java b/core/java/android/net/Uri.java
+old mode 100644
+new mode 100644
+---
+ core/java/android/net/Uri.java                    |  6 +++++-
+ core/tests/coretests/src/android/net/UriTest.java | 11 +++++++++++
+ 2 files changed, 16 insertions(+), 1 deletion(-)
+
+diff --git a/core/java/android/net/Uri.java b/core/java/android/net/Uri.java
+index 3da696ad0bc7..f0262e9f7566 100644
+--- a/core/java/android/net/Uri.java
++++ b/core/java/android/net/Uri.java
+@@ -1388,7 +1388,11 @@ public abstract class Uri implements Parcelable, Comparable<Uri> {
+          * @param scheme name or {@code null} if this is a relative Uri
+          */
+         public Builder scheme(String scheme) {
+-            this.scheme = scheme;
++            if (scheme != null) {
++                this.scheme = scheme.replace("://", "");
++            } else {
++                this.scheme = null;
++            }
+             return this;
+         }
+ 
+diff --git a/core/tests/coretests/src/android/net/UriTest.java b/core/tests/coretests/src/android/net/UriTest.java
+index 89632a46267e..fd12e519e8f8 100644
+--- a/core/tests/coretests/src/android/net/UriTest.java
++++ b/core/tests/coretests/src/android/net/UriTest.java
+@@ -18,6 +18,7 @@ package android.net;
+ 
+ import android.content.ContentUris;
+ import android.os.Parcel;
++import android.platform.test.annotations.AsbSecurityTest;
+ 
+ import androidx.test.filters.SmallTest;
+ 
+@@ -88,6 +89,16 @@ public class UriTest extends TestCase {
+         assertNull(u.getHost());
+     }
+ 
++    @AsbSecurityTest(cveBugId = 261721900)
++    @SmallTest
++    public void testSchemeSanitization() {
++        Uri uri = new Uri.Builder()
++                .scheme("http://https://evil.com:/te:st/")
++                .authority("google.com").path("one/way").build();
++        assertEquals("httphttpsevil.com:/te:st/", uri.getScheme());
++        assertEquals("httphttpsevil.com:/te:st/://google.com/one/way", uri.toString());
++    }
++
+     @SmallTest
+     public void testStringUri() {
+         assertEquals("bob lee",
+-- 
+2.34.1
+
diff --git a/aosp_diff/preliminary/frameworks/base/99_0210-RESTRICT-AUTOMERGE-Delete-keystore-keys-from-RecoveryService-reb.bulletin.patch b/aosp_diff/preliminary/frameworks/base/99_0210-RESTRICT-AUTOMERGE-Delete-keystore-keys-from-RecoveryService-reb.bulletin.patch
new file mode 100644
index 0000000000..6ddbd4a014
--- /dev/null
+++ b/aosp_diff/preliminary/frameworks/base/99_0210-RESTRICT-AUTOMERGE-Delete-keystore-keys-from-RecoveryService-reb.bulletin.patch
@@ -0,0 +1,141 @@
+From 17aa5aaa5f9c97a3de16b4af7dc758555e4687cf Mon Sep 17 00:00:00 2001
+From: Nikolay Elenkov <nikolayelenkov@google.com>
+Date: Sun, 30 Jun 2024 06:23:00 +0000
+Subject: [PATCH] RESTRICT AUTOMERGE Delete keystore keys from
+ RecoveryService.rebootRecoveryWithCommand()
+
+Adds deleteSecrets() to RecoverySystemService. This method is called
+from rebootRecoveryWithCommand () before the --wipe_data command is
+passed to recovery and the device is force-rebooted.
+
+deleteSecerts() calls IKeystoreMaintenance.deleteAllKeys() in order to
+quickly destroy the keys protecting the synthetic password blobs
+used to derive FBE encryption keys.
+
+The intent is to make FBE-encrypted data unrecoverable even if the full
+data wipe in recovery is interrupted or skipped.
+
+Bug: 324321147
+Test: Manual - System -> Reset options -> Erase all data.
+Test: Hold VolDown key to interrupt reboot and stop at bootloader
+screen.
+Test: fastboot oem bcd wipe command && fastboot oem bcd wipe recovery
+Test: fastboot reboot
+Test: Device reboots into recovery and prompts to factory reset:
+Test: 'Cannot load Android system. Your data may be corrupt. ...'
+(cherry picked from https://android-review.googlesource.com/q/commit:0d00031851e9f5d8ef93947205a7e8b5257f0d8d)
+Ignore-AOSP-First: Security fix backport
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:dfbaa7295390de97ae2e8b154cc9be5512108ac4)
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:d020a38e4148a642e2f06363e27cce60097efa5d)
+Merged-In: I5eb8e97f3ae1a18d5e7e7c2c7eca048ebff3440a
+Change-Id: I5eb8e97f3ae1a18d5e7e7c2c7eca048ebff3440a
+---
+ .../security/AndroidKeyStoreMaintenance.java  | 22 +++++++++++++++++++
+ .../recoverysystem/RecoverySystemService.java | 19 ++++++++++++++++
+ 2 files changed, 41 insertions(+)
+
+diff --git a/keystore/java/android/security/AndroidKeyStoreMaintenance.java b/keystore/java/android/security/AndroidKeyStoreMaintenance.java
+index 919a93b8f107..b2d1755bb860 100644
+--- a/keystore/java/android/security/AndroidKeyStoreMaintenance.java
++++ b/keystore/java/android/security/AndroidKeyStoreMaintenance.java
+@@ -18,8 +18,10 @@ package android.security;
+ 
+ import android.annotation.NonNull;
+ import android.annotation.Nullable;
++import android.os.RemoteException;
+ import android.os.ServiceManager;
+ import android.os.ServiceSpecificException;
++import android.os.StrictMode;
+ import android.security.maintenance.IKeystoreMaintenance;
+ import android.system.keystore2.Domain;
+ import android.system.keystore2.KeyDescriptor;
+@@ -183,4 +185,24 @@ public class AndroidKeyStoreMaintenance {
+             return SYSTEM_ERROR;
+         }
+     }
++
++    /**
++    * Deletes all keys in all KeyMint devices.
++    * Called by RecoverySystem before rebooting to recovery in order to delete all KeyMint keys,
++    * including synthetic password protector keys (used by LockSettingsService), as well as keys
++    * protecting DE and metadata encryption keys (used by vold). This ensures that FBE-encrypted
++    * data is unrecoverable even if the data wipe in recovery is interrupted or skipped.
++    */
++    public static void deleteAllKeys() throws KeyStoreException {
++        StrictMode.noteDiskWrite();
++        try {
++            getService().deleteAllKeys();
++        } catch (RemoteException | NullPointerException e) {
++            throw new KeyStoreException(SYSTEM_ERROR,
++                    "Failure to connect to Keystore while trying to delete all keys.");
++        } catch (ServiceSpecificException e) {
++            throw new KeyStoreException(e.errorCode,
++                    "Keystore error while trying to delete all keys.");
++        }
++    }
+ }
+diff --git a/services/core/java/com/android/server/recoverysystem/RecoverySystemService.java b/services/core/java/com/android/server/recoverysystem/RecoverySystemService.java
+index 13218731af70..23941bc338b8 100644
+--- a/services/core/java/com/android/server/recoverysystem/RecoverySystemService.java
++++ b/services/core/java/com/android/server/recoverysystem/RecoverySystemService.java
+@@ -52,6 +52,7 @@ import android.os.ShellCallback;
+ import android.os.SystemProperties;
+ import android.provider.DeviceConfig;
+ import android.sysprop.ApexProperties;
++import android.security.AndroidKeyStoreMaintenance;
+ import android.util.ArrayMap;
+ import android.util.ArraySet;
+ import android.util.FastImmutableArraySet;
+@@ -66,6 +67,7 @@ import com.android.internal.widget.RebootEscrowListener;
+ import com.android.server.LocalServices;
+ import com.android.server.SystemService;
+ import com.android.server.pm.ApexManager;
++import com.android.server.utils.Slogf;
+ 
+ import libcore.io.IoUtils;
+ 
+@@ -117,6 +119,8 @@ public class RecoverySystemService extends IRecoverySystem.Stub implements Reboo
+     static final String LSKF_CAPTURED_TIMESTAMP_PREF = "lskf_captured_timestamp";
+     static final String LSKF_CAPTURED_COUNT_PREF = "lskf_captured_count";
+ 
++    static final String RECOVERY_WIPE_DATA_COMMAND = "--wipe_data";
++
+     private final Injector mInjector;
+     private final Context mContext;
+ 
+@@ -511,17 +515,32 @@ public class RecoverySystemService extends IRecoverySystem.Stub implements Reboo
+     @Override // Binder call
+     public void rebootRecoveryWithCommand(String command) {
+         if (DEBUG) Slog.d(TAG, "rebootRecoveryWithCommand: [" + command + "]");
++
++        boolean isForcedWipe = command != null && command.contains(RECOVERY_WIPE_DATA_COMMAND);
+         synchronized (sRequestLock) {
+             if (!setupOrClearBcb(true, command)) {
+                 return;
+             }
+ 
++            if (isForcedWipe) {
++                deleteSecrets();
++            }
++
+             // Having set up the BCB, go ahead and reboot.
+             PowerManager pm = mInjector.getPowerManager();
+             pm.reboot(PowerManager.REBOOT_RECOVERY);
+         }
+     }
+ 
++    private static void deleteSecrets() {
++        Slogf.w(TAG, "deleteSecrets");
++        try {
++            AndroidKeyStoreMaintenance.deleteAllKeys();
++        } catch (android.security.KeyStoreException e) {
++            Log.wtf(TAG, "Failed to delete all keys from keystore.", e);
++        }
++    }
++
+     private void enforcePermissionForResumeOnReboot() {
+         if (mContext.checkCallingOrSelfPermission(android.Manifest.permission.RECOVERY)
+                 != PackageManager.PERMISSION_GRANTED
+-- 
+2.46.0.rc2.264.g509ed76dc8-goog
+
diff --git a/aosp_diff/preliminary/packages/apps/Settings/0027-Replace-getCallingActivity-with-getLaunchedFromPackage-.bulletin.patch b/aosp_diff/preliminary/packages/apps/Settings/0027-Replace-getCallingActivity-with-getLaunchedFromPackage-.bulletin.patch
new file mode 100644
index 0000000000..5f855b7fe2
--- /dev/null
+++ b/aosp_diff/preliminary/packages/apps/Settings/0027-Replace-getCallingActivity-with-getLaunchedFromPackage-.bulletin.patch
@@ -0,0 +1,176 @@
+From 7c9a51580aaa78775069af7615392a93c4405921 Mon Sep 17 00:00:00 2001
+From: Jason Chiu <chiujason@google.com>
+Date: Wed, 31 Jan 2024 16:29:01 +0800
+Subject: [PATCH] Replace getCallingActivity() with getLaunchedFromPackage()
+
+getLaunchedFromPackage() reports who launched this Activity or built
+PendingIntent used to launch it, whereas getCallingActivity() reports
+who will get result of Activity.
+
+Bug: 316891059
+Test: robotest, manual
+(cherry picked from commit ddc11bc03ab48e885f652b89df5f92ff283bcd4a)
+(cherry picked from commit 8bdbb580da847d82f16fb57883a01a5e65ffa696)
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:c7a8127d3bb6010617e507c03f7207dd50082953)
+Merged-In: If97018c2741caef622f0596bbfeaa42ef1788b78
+Change-Id: If97018c2741caef622f0596bbfeaa42ef1788b78
+---
+ .../settings/search/SearchFeatureProvider.java |  2 +-
+ .../search/SearchFeatureProviderImpl.java      | 18 ++++++++----------
+ .../search/SearchResultTrampoline.java         | 13 ++++++-------
+ .../search/SearchFeatureProviderImplTest.java  | 15 ++++++++-------
+ 4 files changed, 23 insertions(+), 25 deletions(-)
+
+diff --git a/src/com/android/settings/search/SearchFeatureProvider.java b/src/com/android/settings/search/SearchFeatureProvider.java
+index 1785361d3b..c4141e91f7 100644
+--- a/src/com/android/settings/search/SearchFeatureProvider.java
++++ b/src/com/android/settings/search/SearchFeatureProvider.java
+@@ -56,7 +56,7 @@ public interface SearchFeatureProvider {
+      * @throws IllegalArgumentException when caller is null
+      * @throws SecurityException        when caller is not allowed to launch search result page
+      */
+-    void verifyLaunchSearchResultPageCaller(Context context, @NonNull ComponentName caller)
++    void verifyLaunchSearchResultPageCaller(@NonNull Context context, @NonNull String callerPackage)
+             throws SecurityException, IllegalArgumentException;
+ 
+     /**
+diff --git a/src/com/android/settings/search/SearchFeatureProviderImpl.java b/src/com/android/settings/search/SearchFeatureProviderImpl.java
+index 6f90970905..3a62ddfb67 100644
+--- a/src/com/android/settings/search/SearchFeatureProviderImpl.java
++++ b/src/com/android/settings/search/SearchFeatureProviderImpl.java
+@@ -17,13 +17,14 @@
+ 
+ package com.android.settings.search;
+ 
+-import android.content.ComponentName;
+ import android.content.Context;
+ import android.content.Intent;
+ import android.net.Uri;
+ import android.provider.Settings;
+ import android.text.TextUtils;
+ 
++import androidx.annotation.NonNull;
++
+ import com.android.settingslib.search.SearchIndexableResources;
+ import com.android.settingslib.search.SearchIndexableResourcesMobile;
+ 
+@@ -32,21 +33,18 @@ import com.android.settingslib.search.SearchIndexableResourcesMobile;
+  */
+ public class SearchFeatureProviderImpl implements SearchFeatureProvider {
+ 
+-    private static final String TAG = "SearchFeatureProvider";
+-
+     private SearchIndexableResources mSearchIndexableResources;
+ 
+     @Override
+-    public void verifyLaunchSearchResultPageCaller(Context context, ComponentName caller) {
+-        if (caller == null) {
++    public void verifyLaunchSearchResultPageCaller(@NonNull Context context,
++            @NonNull String callerPackage) {
++        if (TextUtils.isEmpty(callerPackage)) {
+             throw new IllegalArgumentException("ExternalSettingsTrampoline intents "
+                     + "must be called with startActivityForResult");
+         }
+-        final String packageName = caller.getPackageName();
+-        final boolean isSettingsPackage = TextUtils.equals(packageName, context.getPackageName())
+-                || TextUtils.equals(getSettingsIntelligencePkgName(context), packageName);
+-        final boolean isAllowlistedPackage =
+-                isSignatureAllowlisted(context, caller.getPackageName());
++        final boolean isSettingsPackage = TextUtils.equals(callerPackage, context.getPackageName())
++                || TextUtils.equals(getSettingsIntelligencePkgName(context), callerPackage);
++        final boolean isAllowlistedPackage = isSignatureAllowlisted(context, callerPackage);
+         if (isSettingsPackage || isAllowlistedPackage) {
+             return;
+         }
+diff --git a/src/com/android/settings/search/SearchResultTrampoline.java b/src/com/android/settings/search/SearchResultTrampoline.java
+index 5e710293c2..2c6fd67a2f 100644
+--- a/src/com/android/settings/search/SearchResultTrampoline.java
++++ b/src/com/android/settings/search/SearchResultTrampoline.java
+@@ -20,7 +20,6 @@ import static com.android.settings.SettingsActivity.EXTRA_SHOW_FRAGMENT_ARGUMENT
+ import static com.android.settings.SettingsActivity.EXTRA_SHOW_FRAGMENT_TAB;
+ 
+ import android.app.Activity;
+-import android.content.ComponentName;
+ import android.content.Intent;
+ import android.os.Bundle;
+ import android.provider.Settings;
+@@ -51,11 +50,11 @@ public class SearchResultTrampoline extends Activity {
+     protected void onCreate(Bundle savedInstanceState) {
+         super.onCreate(savedInstanceState);
+ 
+-        final ComponentName callingActivity = getCallingActivity();
++        final String callerPackage = getLaunchedFromPackage();
+         // First make sure caller has privilege to launch a search result page.
+         FeatureFactory.getFactory(this)
+                 .getSearchFeatureProvider()
+-                .verifyLaunchSearchResultPageCaller(this, callingActivity);
++                .verifyLaunchSearchResultPageCaller(this, callerPackage);
+         // Didn't crash, proceed and launch the result as a subsetting.
+         Intent intent = getIntent();
+         final String highlightMenuKey = intent.getStringExtra(
+@@ -99,7 +98,7 @@ public class SearchResultTrampoline extends Activity {
+ 
+         if (!ActivityEmbeddingUtils.isEmbeddingActivityEnabled(this)) {
+             startActivity(intent);
+-        } else if (isSettingsIntelligence(callingActivity)) {
++        } else if (isSettingsIntelligence(callerPackage)) {
+             if (FeatureFlagUtils.isEnabled(this, FeatureFlags.SETTINGS_SEARCH_ALWAYS_EXPAND)) {
+                 startActivity(SettingsActivity.getTrampolineIntent(intent, highlightMenuKey)
+                         .setClass(this, DeepLinkHomepageActivityInternal.class)
+@@ -132,9 +131,9 @@ public class SearchResultTrampoline extends Activity {
+         finish();
+     }
+ 
+-    private boolean isSettingsIntelligence(ComponentName callingActivity) {
+-        return callingActivity != null && TextUtils.equals(
+-                callingActivity.getPackageName(),
++    private boolean isSettingsIntelligence(String callerPackage) {
++        return TextUtils.equals(
++                callerPackage,
+                 FeatureFactory.getFactory(this).getSearchFeatureProvider()
+                         .getSettingsIntelligencePkgName(this));
+     }
+diff --git a/tests/robotests/src/com/android/settings/search/SearchFeatureProviderImplTest.java b/tests/robotests/src/com/android/settings/search/SearchFeatureProviderImplTest.java
+index f3496001d0..8a7419bb1b 100644
+--- a/tests/robotests/src/com/android/settings/search/SearchFeatureProviderImplTest.java
++++ b/tests/robotests/src/com/android/settings/search/SearchFeatureProviderImplTest.java
+@@ -20,7 +20,6 @@ package com.android.settings.search;
+ import static com.google.common.truth.Truth.assertThat;
+ 
+ import android.app.settings.SettingsEnums;
+-import android.content.ComponentName;
+ import android.content.Intent;
+ import android.content.pm.ActivityInfo;
+ import android.content.pm.ResolveInfo;
+@@ -131,20 +130,22 @@ public class SearchFeatureProviderImplTest {
+ 
+     @Test(expected = SecurityException.class)
+     public void verifyLaunchSearchResultPageCaller_badCaller_shouldCrash() {
+-        final ComponentName cn = new ComponentName("pkg", "class");
+-        mProvider.verifyLaunchSearchResultPageCaller(mActivity, cn);
++        final String packageName = "pkg";
++
++        mProvider.verifyLaunchSearchResultPageCaller(mActivity, packageName);
+     }
+ 
+     @Test
+     public void verifyLaunchSearchResultPageCaller_settingsCaller_shouldNotCrash() {
+-        final ComponentName cn = new ComponentName(mActivity.getPackageName(), "class");
+-        mProvider.verifyLaunchSearchResultPageCaller(mActivity, cn);
++        final String packageName = mActivity.getPackageName();
++
++        mProvider.verifyLaunchSearchResultPageCaller(mActivity, packageName);
+     }
+ 
+     @Test
+     public void verifyLaunchSearchResultPageCaller_settingsIntelligenceCaller_shouldNotCrash() {
+         final String packageName = mProvider.getSettingsIntelligencePkgName(mActivity);
+-        final ComponentName cn = new ComponentName(packageName, "class");
+-        mProvider.verifyLaunchSearchResultPageCaller(mActivity, cn);
++
++        mProvider.verifyLaunchSearchResultPageCaller(mActivity, packageName);
+     }
+ }
+-- 
+2.46.0.rc2.264.g509ed76dc8-goog
+
diff --git a/aosp_diff/preliminary/packages/apps/Settings/0028-Limit-wifi-item-edit-content-s-max-length-to-500.bulletin.patch b/aosp_diff/preliminary/packages/apps/Settings/0028-Limit-wifi-item-edit-content-s-max-length-to-500.bulletin.patch
new file mode 100644
index 0000000000..dd5f022adf
--- /dev/null
+++ b/aosp_diff/preliminary/packages/apps/Settings/0028-Limit-wifi-item-edit-content-s-max-length-to-500.bulletin.patch
@@ -0,0 +1,31 @@
+From ec74247a0568ec1ea3ccff823d458f349b07c1a3 Mon Sep 17 00:00:00 2001
+From: Chaohui Wang <chaohuiw@google.com>
+Date: Thu, 2 Nov 2023 11:43:00 +0800
+Subject: [PATCH] Limit wifi item edit content's max length to 500
+
+Bug: 293199910
+Test: manual - on "Add network"
+
+(cherry picked from commit 855053ca4124f2d515b21c469096f8c18bd4829d)
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:092668676af741719d50ac0f121a8f8461aa21ad)
+Merged-In: I303b8c6e0f3c3a1174a047ba98f302042e5db9ae
+Change-Id: I303b8c6e0f3c3a1174a047ba98f302042e5db9ae
+---
+ res/values/styles.xml | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/res/values/styles.xml b/res/values/styles.xml
+index f147ce9890..23a0e74773 100644
+--- a/res/values/styles.xml
++++ b/res/values/styles.xml
+@@ -148,6 +148,7 @@
+         <item name="android:textAppearance">@android:style/TextAppearance.DeviceDefault.Medium</item>
+         <item name="android:textColorHint">?android:attr/textColorSecondary</item>
+         <item name="android:minHeight">@dimen/min_tap_target_size</item>
++        <item name="android:maxLength">500</item>
+     </style>
+ 
+     <style name="wifi_section">
+-- 
+2.46.0.rc2.264.g509ed76dc8-goog
+
diff --git a/aosp_diff/preliminary/packages/apps/Settings/0029-Ignore-fragment-attr-from-ext-authenticator-resource.bulletin.patch b/aosp_diff/preliminary/packages/apps/Settings/0029-Ignore-fragment-attr-from-ext-authenticator-resource.bulletin.patch
new file mode 100644
index 0000000000..53bf9790bd
--- /dev/null
+++ b/aosp_diff/preliminary/packages/apps/Settings/0029-Ignore-fragment-attr-from-ext-authenticator-resource.bulletin.patch
@@ -0,0 +1,114 @@
+From 834bc38427021adec27a3abb040426080f1796ec Mon Sep 17 00:00:00 2001
+From: Chris Antol <cantol@google.com>
+Date: Tue, 4 Jun 2024 17:00:46 +0000
+Subject: [PATCH] Ignore fragment attr from ext authenticator resource
+
+Bug: 341886134
+Test: Unit Test
+Test: Manual - see ticket for steps
+Flag: EXEMPT <security>
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:2cb9b10ed97b1b9b29661115789605a762f3c2ef)
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:24e2f2d2f65d233527e1f50e3e215c266f040792)
+Merged-In: Id91c2b3b6d16ba3702ee2cd6723365a4db52863b
+Change-Id: Id91c2b3b6d16ba3702ee2cd6723365a4db52863b
+---
+ .../accounts/AccountTypePreferenceLoader.java | 55 +++++++++++++++++++
+ 1 file changed, 55 insertions(+)
+
+diff --git a/src/com/android/settings/accounts/AccountTypePreferenceLoader.java b/src/com/android/settings/accounts/AccountTypePreferenceLoader.java
+index 42bb34a0ee..73583ea859 100644
+--- a/src/com/android/settings/accounts/AccountTypePreferenceLoader.java
++++ b/src/com/android/settings/accounts/AccountTypePreferenceLoader.java
+@@ -32,6 +32,10 @@ import android.os.UserHandle;
+ import android.text.TextUtils;
+ import android.util.Log;
+ 
++import androidx.annotation.NonNull;
++import androidx.annotation.Nullable;
++import androidx.annotation.VisibleForTesting;
++import androidx.collection.ArraySet;
+ import androidx.preference.Preference;
+ import androidx.preference.Preference.OnPreferenceClickListener;
+ import androidx.preference.PreferenceFragmentCompat;
+@@ -45,6 +49,8 @@ import com.android.settings.utils.LocalClassLoaderContextThemeWrapper;
+ import com.android.settingslib.accounts.AuthenticatorHelper;
+ import com.android.settingslib.core.instrumentation.Instrumentable;
+ 
++import java.util.Set;
++
+ /**
+  * Class to load the preference screen to be added to the settings page for the specific account
+  * type as specified in the account-authenticator.
+@@ -82,6 +88,7 @@ public class AccountTypePreferenceLoader {
+             try {
+                 desc = mAuthenticatorHelper.getAccountTypeDescription(accountType);
+                 if (desc != null && desc.accountPreferencesId != 0) {
++                    Set<String> fragmentAllowList = generateFragmentAllowlist(parent);
+                     // Load the context of the target package, then apply the
+                     // base Settings theme (no references to local resources)
+                     // and create a context theme wrapper so that we get the
+@@ -97,6 +104,12 @@ public class AccountTypePreferenceLoader {
+                     themedCtx.getTheme().setTo(baseTheme);
+                     prefs = mFragment.getPreferenceManager().inflateFromResource(themedCtx,
+                             desc.accountPreferencesId, parent);
++                    // Ignore Fragments provided dynamically, as these are coming from external
++                    // applications which must not have access to internal Settings' fragments.
++                    // These preferences are rendered into Settings, so they also won't have access
++                    // to their own Fragments, meaning there is no acceptable usage of
++                    // android:fragment here.
++                    filterBlockedFragments(prefs, fragmentAllowList);
+                 }
+             } catch (PackageManager.NameNotFoundException e) {
+                 Log.w(TAG, "Couldn't load preferences.xml file from " + desc.packageName);
+@@ -181,6 +194,48 @@ public class AccountTypePreferenceLoader {
+         }
+     }
+ 
++    // Build allowlist from existing Fragments in PreferenceGroup
++    @VisibleForTesting
++    Set<String> generateFragmentAllowlist(@Nullable PreferenceGroup prefs) {
++        Set<String> fragmentAllowList = new ArraySet<>();
++        if (prefs == null) {
++            return fragmentAllowList;
++        }
++
++        for (int i = 0; i < prefs.getPreferenceCount(); i++) {
++            Preference pref = prefs.getPreference(i);
++            if (pref instanceof PreferenceGroup) {
++                fragmentAllowList.addAll(generateFragmentAllowlist((PreferenceGroup) pref));
++            }
++
++            String fragmentName = pref.getFragment();
++            if (!TextUtils.isEmpty(fragmentName)) {
++                fragmentAllowList.add(fragmentName);
++            }
++        }
++        return fragmentAllowList;
++    }
++
++    // Block clicks on any Preference with android:fragment that is not contained in the allowlist
++    @VisibleForTesting
++    void filterBlockedFragments(@Nullable PreferenceGroup prefs,
++            @NonNull Set<String> allowedFragments) {
++        if (prefs == null) {
++            return;
++        }
++        for (int i = 0; i < prefs.getPreferenceCount(); i++) {
++            Preference pref = prefs.getPreference(i);
++            if (pref instanceof PreferenceGroup) {
++                filterBlockedFragments((PreferenceGroup) pref, allowedFragments);
++            }
++
++            String fragmentName = pref.getFragment();
++            if (fragmentName != null && !allowedFragments.contains(fragmentName)) {
++                pref.setOnPreferenceClickListener(preference -> true);
++            }
++        }
++    }
++
+     /**
+      * Determines if the supplied Intent is safe. A safe intent is one that is
+      * will launch a exported=true activity or owned by the same uid as the
+-- 
+2.46.0.rc2.264.g509ed76dc8-goog
+
diff --git a/aosp_diff/preliminary/packages/apps/Settings/0030-RESTRICT-AUTOMERGE-Restrict-Settings-Homepage-prior-to-provision.bulletin.patch b/aosp_diff/preliminary/packages/apps/Settings/0030-RESTRICT-AUTOMERGE-Restrict-Settings-Homepage-prior-to-provision.bulletin.patch
new file mode 100644
index 0000000000..d3ed45bd0b
--- /dev/null
+++ b/aosp_diff/preliminary/packages/apps/Settings/0030-RESTRICT-AUTOMERGE-Restrict-Settings-Homepage-prior-to-provision.bulletin.patch
@@ -0,0 +1,43 @@
+From 787f1f5c2e133dc6a64d91015802ce0d6b4e7ca2 Mon Sep 17 00:00:00 2001
+From: Chris Antol <cantol@google.com>
+Date: Mon, 25 Mar 2024 23:49:35 +0000
+Subject: [PATCH] RESTRICT AUTOMERGE Restrict Settings Homepage prior to
+ provisioning
+
+Bug: 327749022
+Test: manual test
+1. factory reset + launch Settings via ADB during Setup -> verify app closes
+2. factory reset + bypass Setup + tap Settings icon in launcher -> verify app closes
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:70a5a0fd353cc6203d2926627de93786155ae5bc)
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:477d4a8d6ba390ed0f9b150ca271966cd967820a)
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:d83f47397e61d5ec04866af20efcb935a58cbdff)
+Merged-In: I8cbe38109ebf88a0f68f3917e95468a81c6463c1
+Change-Id: I8cbe38109ebf88a0f68f3917e95468a81c6463c1
+---
+ .../settings/homepage/SettingsHomepageActivity.java    | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/src/com/android/settings/homepage/SettingsHomepageActivity.java b/src/com/android/settings/homepage/SettingsHomepageActivity.java
+index b3f84d68e0..3d00613246 100644
+--- a/src/com/android/settings/homepage/SettingsHomepageActivity.java
++++ b/src/com/android/settings/homepage/SettingsHomepageActivity.java
+@@ -174,6 +174,16 @@ public class SettingsHomepageActivity extends FragmentActivity implements
+     protected void onCreate(Bundle savedInstanceState) {
+         super.onCreate(savedInstanceState);
+ 
++        // Ensure device is provisioned in order to access Settings home
++        // TODO(b/331254029): This should later be replaced in favor of an allowlist
++        boolean unprovisioned = android.provider.Settings.Global.getInt(getContentResolver(),
++                android.provider.Settings.Global.DEVICE_PROVISIONED, 0) == 0;
++        if (unprovisioned) {
++            Log.e(TAG, "Device is not provisioned, exiting Settings");
++            finish();
++            return;
++        }
++
+         mIsEmbeddingActivityEnabled = ActivityEmbeddingUtils.isEmbeddingActivityEnabled(this);
+         if (mIsEmbeddingActivityEnabled) {
+             final UserManager um = getSystemService(UserManager.class);
+-- 
+2.46.0.rc2.264.g509ed76dc8-goog
+
diff --git a/aosp_diff/preliminary/packages/modules/Bluetooth/59_0059-Fix-permission-bypasses-to-multiple-methods.patch b/aosp_diff/preliminary/packages/modules/Bluetooth/59_0059-Fix-permission-bypasses-to-multiple-methods.patch
new file mode 100644
index 0000000000..3c925cf127
--- /dev/null
+++ b/aosp_diff/preliminary/packages/modules/Bluetooth/59_0059-Fix-permission-bypasses-to-multiple-methods.patch
@@ -0,0 +1,93 @@
+From 566a6b523e3f553ea2726fc989d0b0af20b18070 Mon Sep 17 00:00:00 2001
+From: Brian Delwiche <delwiche@google.com>
+Date: Mon, 6 May 2024 17:32:14 +0000
+Subject: [PATCH] Fix permission bypasses to multiple methods
+
+Researcher reports that some BT calls across Binder are validating only
+BT's own permissions and not the calling app's permissions.  On
+investigation this seems to be due to a missing null check in several BT
+permissions checks, which allows a malicious app to pass in a null
+AttributionSource and therefore produce a stub AttributionSource chain
+which does not properly check for the caller's permissions.
+
+Add null checks.
+
+Bug: 242996380
+Test: atest UtilsTest
+Test: researcher POC
+Tag: #security
+Ignore-AOSP-First: Security
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:ed63d97fd6537f539fdde1413bff86a30f80a7b5)
+Merged-In: I7a11e11257b85dc0752396490abfc79b1c383204
+Change-Id: I7a11e11257b85dc0752396490abfc79b1c383204
+---
+ .../app/src/com/android/bluetooth/Utils.java  | 32 +++++++++----------
+ 1 file changed, 16 insertions(+), 16 deletions(-)
+
+diff --git a/android/app/src/com/android/bluetooth/Utils.java b/android/app/src/com/android/bluetooth/Utils.java
+index dc2c79aac5..fe0307e222 100644
+--- a/android/app/src/com/android/bluetooth/Utils.java
++++ b/android/app/src/com/android/bluetooth/Utils.java
+@@ -466,10 +466,10 @@ public final class Utils {
+         }
+         // STOPSHIP(b/188391719): enable this security enforcement
+         // attributionSource.enforceCallingUid();
+-        AttributionSource currentAttribution = new AttributionSource
+-                .Builder(context.getAttributionSource())
+-                .setNext(attributionSource)
+-                .build();
++        AttributionSource currentAttribution =
++                new AttributionSource.Builder(context.getAttributionSource())
++                        .setNext(Objects.requireNonNull(attributionSource))
++                        .build();
+         PermissionManager pm = context.getSystemService(PermissionManager.class);
+         if (pm == null) {
+             return false;
+@@ -718,10 +718,10 @@ public final class Utils {
+             Log.e(TAG, "Permission denial: Location is off.");
+             return false;
+         }
+-        AttributionSource currentAttribution = new AttributionSource
+-                .Builder(context.getAttributionSource())
+-                .setNext(attributionSource)
+-                .build();
++        AttributionSource currentAttribution =
++                new AttributionSource.Builder(context.getAttributionSource())
++                        .setNext(Objects.requireNonNull(attributionSource))
++                        .build();
+         // STOPSHIP(b/188391719): enable this security enforcement
+         // attributionSource.enforceCallingUid();
+         PermissionManager pm = context.getSystemService(PermissionManager.class);
+@@ -752,10 +752,10 @@ public final class Utils {
+             return false;
+         }
+ 
+-        final AttributionSource currentAttribution = new AttributionSource
+-                .Builder(context.getAttributionSource())
+-                .setNext(attributionSource)
+-                .build();
++        final AttributionSource currentAttribution =
++                new AttributionSource.Builder(context.getAttributionSource())
++                        .setNext(Objects.requireNonNull(attributionSource))
++                        .build();
+         // STOPSHIP(b/188391719): enable this security enforcement
+         // attributionSource.enforceCallingUid();
+         PermissionManager pm = context.getSystemService(PermissionManager.class);
+@@ -790,10 +790,10 @@ public final class Utils {
+             return false;
+         }
+ 
+-        AttributionSource currentAttribution = new AttributionSource
+-                .Builder(context.getAttributionSource())
+-                .setNext(attributionSource)
+-                .build();
++        AttributionSource currentAttribution =
++                new AttributionSource.Builder(context.getAttributionSource())
++                        .setNext(Objects.requireNonNull(attributionSource))
++                        .build();
+         // STOPSHIP(b/188391719): enable this security enforcement
+         // attributionSource.enforceCallingUid();
+         PermissionManager pm = context.getSystemService(PermissionManager.class);
+-- 
+2.34.1
+
diff --git a/aosp_diff/preliminary/packages/modules/Bluetooth/60_0060-Disallow-connect-with-Secure-Connections-downgrade.bulletin.patch b/aosp_diff/preliminary/packages/modules/Bluetooth/60_0060-Disallow-connect-with-Secure-Connections-downgrade.bulletin.patch
new file mode 100644
index 0000000000..f47b3a484c
--- /dev/null
+++ b/aosp_diff/preliminary/packages/modules/Bluetooth/60_0060-Disallow-connect-with-Secure-Connections-downgrade.bulletin.patch
@@ -0,0 +1,331 @@
+From 8c36bb8ecdeb72ddb06297547393fbec43caeecf Mon Sep 17 00:00:00 2001
+From: Brian Delwiche <delwiche@google.com>
+Date: Mon, 22 Apr 2024 21:41:53 +0000
+Subject: [PATCH] Add support for checking security downgrade
+
+As a guard against the BLUFFS attack, we will need to check the security
+parameters of incoming connections against cached values and disallow
+connection if these parameters are downgraded or changed from their
+cached values.
+
+Future CLs will add checks during connection.  This CL adds the
+functions that will be needed to perform those checks and the necessary
+mocks.
+Currently supported checks are : IO capabilities (must be an exact match),
+Secure Connections capability (must not be a downgrade), and session key
+length (must not be a downgrade).  Maximum session key length, which was
+previously not cached, has been added to the device security manager
+cache.
+
+To QA: This CL is a logical no-op by itself.  Tests should be performed as described in ag/25815924 and ag/25815925/
+
+Bug: 314331379
+Test: m libbluetooth
+Tag: #security
+Ignore-AOSP-First: Security
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:3cf3d9d98909787748e6135733b42be0c67e9333)
+Merged-In: I972fd4a3a4d4566968d097df9f27396a821fb24f
+Change-Id: I972fd4a3a4d4566968d097df9f27396a821fb24f
+---
+ system/btif/src/btif_storage.cc               |  31 ++++++
+ system/include/hardware/bluetooth.h           |  14 +++
+ system/service/logging_helpers.cc             |   2 +
+ system/stack/btm/btm_sec.cc                   | 103 ++++++++++++++++++
+ system/stack/btm/btm_sec.h                    |  23 ++++
+ system/stack/include/sec_hci_link_interface.h |   3 +
+ system/test/mock/mock_stack_btm_sec.cc        |   8 ++
+ 7 files changed, 184 insertions(+)
+
+diff --git a/system/btif/src/btif_storage.cc b/system/btif/src/btif_storage.cc
+index 41fa4df5fb..ae81bd1a38 100644
+--- a/system/btif/src/btif_storage.cc
++++ b/system/btif/src/btif_storage.cc
+@@ -92,10 +92,13 @@ using bluetooth::groups::DeviceGroups;
+ #define BTIF_STORAGE_KEY_ADAPTER_SCANMODE "ScanMode"
+ #define BTIF_STORAGE_KEY_LOCAL_IO_CAPS "LocalIOCaps"
+ #define BTIF_STORAGE_KEY_LOCAL_IO_CAPS_BLE "LocalIOCapsBLE"
++#define BTIF_STORAGE_KEY_MAX_SESSION_KEY_SIZE "MaxSessionKeySize"
+ #define BTIF_STORAGE_KEY_ADAPTER_DISC_TIMEOUT "DiscoveryTimeout"
+ #define BTIF_STORAGE_KEY_GATT_CLIENT_SUPPORTED "GattClientSupportedFeatures"
+ #define BTIF_STORAGE_KEY_GATT_CLIENT_DB_HASH "GattClientDatabaseHash"
+ #define BTIF_STORAGE_KEY_GATT_SERVER_SUPPORTED "GattServerSupportedFeatures"
++#define BTIF_STORAGE_KEY_SECURE_CONNECTIONS_SUPPORTED \
++  "SecureConnectionsSupported"
+ #define BTIF_STORAGE_DEVICE_GROUP_BIN "DeviceGroupBin"
+ #define BTIF_STORAGE_CSIS_AUTOCONNECT "CsisAutoconnect"
+ #define BTIF_STORAGE_CSIS_SET_INFO_BIN "CsisSetInfoBin"
+@@ -281,6 +284,14 @@ static int prop2cfg(const RawAddress* remote_bd_addr, bt_property_t* prop) {
+       btif_config_set_int(bdstr, BT_CONFIG_KEY_REMOTE_VER_SUBVER,
+                           info->sub_ver);
+     } break;
++    case BT_PROPERTY_REMOTE_SECURE_CONNECTIONS_SUPPORTED:
++      btif_config_set_int(bdstr, BTIF_STORAGE_KEY_SECURE_CONNECTIONS_SUPPORTED,
++                          *(uint8_t*)prop->val);
++      break;
++    case BT_PROPERTY_REMOTE_MAX_SESSION_KEY_SIZE:
++      btif_config_set_int(bdstr, BTIF_STORAGE_KEY_MAX_SESSION_KEY_SIZE,
++                          *(uint8_t*)prop->val);
++      break;
+ 
+     default:
+       BTIF_TRACE_ERROR("Unknown prop type:%d", prop->type);
+@@ -407,6 +418,26 @@ static int cfg2prop(const RawAddress* remote_bd_addr, bt_property_t* prop) {
+       }
+     } break;
+ 
++    case BT_PROPERTY_REMOTE_SECURE_CONNECTIONS_SUPPORTED: {
++      int val;
++
++      if (prop->len >= (int)sizeof(uint8_t)) {
++        ret = btif_config_get_int(
++            bdstr, BTIF_STORAGE_KEY_SECURE_CONNECTIONS_SUPPORTED, &val);
++        *(uint8_t*)prop->val = (uint8_t)val;
++      }
++    } break;
++
++    case BT_PROPERTY_REMOTE_MAX_SESSION_KEY_SIZE: {
++      int val;
++
++      if (prop->len >= (int)sizeof(uint8_t)) {
++        ret = btif_config_get_int(bdstr, BTIF_STORAGE_KEY_MAX_SESSION_KEY_SIZE,
++                                  &val);
++        *(uint8_t*)prop->val = (uint8_t)val;
++      }
++    } break;
++
+     default:
+       BTIF_TRACE_ERROR("Unknow prop type:%d", prop->type);
+       return false;
+diff --git a/system/include/hardware/bluetooth.h b/system/include/hardware/bluetooth.h
+index 96e425ca24..81a410832f 100644
+--- a/system/include/hardware/bluetooth.h
++++ b/system/include/hardware/bluetooth.h
+@@ -339,6 +339,20 @@ typedef enum {
+    */
+   BT_PROPERTY_REMOTE_IS_COORDINATED_SET_MEMBER,
+ 
++  /**
++   * Description - Whether remote device supports Secure Connections mode
++   * Access mode - GET and SET.
++   * Data Type - uint8_t.
++   */
++  BT_PROPERTY_REMOTE_SECURE_CONNECTIONS_SUPPORTED,
++
++  /**
++   * Description - Maximum observed session key for remote device
++   * Access mode - GET and SET.
++   * Data Type - uint8_t.
++   */
++  BT_PROPERTY_REMOTE_MAX_SESSION_KEY_SIZE,
++
+   BT_PROPERTY_REMOTE_DEVICE_TIMESTAMP = 0xFF,
+ } bt_property_type_t;
+ 
+diff --git a/system/service/logging_helpers.cc b/system/service/logging_helpers.cc
+index 78a24e600f..0c3644d2ba 100644
+--- a/system/service/logging_helpers.cc
++++ b/system/service/logging_helpers.cc
+@@ -118,6 +118,8 @@ const char* BtPropertyText(const bt_property_type_t prop) {
+     CASE_RETURN_TEXT(BT_PROPERTY_REMOTE_VERSION_INFO);
+     CASE_RETURN_TEXT(BT_PROPERTY_LOCAL_LE_FEATURES);
+     CASE_RETURN_TEXT(BT_PROPERTY_REMOTE_DEVICE_TIMESTAMP);
++    CASE_RETURN_TEXT(BT_PROPERTY_REMOTE_SECURE_CONNECTIONS_SUPPORTED);
++    CASE_RETURN_TEXT(BT_PROPERTY_REMOTE_MAX_SESSION_KEY_SIZE);
+     default:
+       return "Invalid property";
+   }
+diff --git a/system/stack/btm/btm_sec.cc b/system/stack/btm/btm_sec.cc
+index 6ec6d16297..0716bcd486 100644
+--- a/system/stack/btm/btm_sec.cc
++++ b/system/stack/btm/btm_sec.cc
+@@ -207,6 +207,109 @@ static bool btm_dev_16_digit_authenticated(tBTM_SEC_DEV_REC* p_dev_rec) {
+   return (false);
+ }
+ 
++/*******************************************************************************
++ *
++ * Function         btm_sec_is_device_sc_downgrade
++ *
++ * Description      Check for a stored device record matching the candidate
++ *                  device, and return true if the stored device has reported
++ *                  that it supports Secure Connections mode and the candidate
++ *                  device reports that it does not.  Otherwise, return false.
++ *
++ * Returns          bool
++ *
++ ******************************************************************************/
++static bool btm_sec_is_device_sc_downgrade(uint16_t hci_handle,
++                                           bool secure_connections_supported) {
++  if (secure_connections_supported) return false;
++
++  tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev_by_handle(hci_handle);
++  if (p_dev_rec == nullptr) return false;
++
++  uint8_t property_val = 0;
++  bt_property_t property = {
++      .type = BT_PROPERTY_REMOTE_SECURE_CONNECTIONS_SUPPORTED,
++      .len = sizeof(uint8_t),
++      .val = &property_val};
++
++  bt_status_t cached =
++      btif_storage_get_remote_device_property(&p_dev_rec->bd_addr, &property);
++
++  if (cached == BT_STATUS_FAIL) return false;
++
++  return (bool)property_val;
++}
++
++/*******************************************************************************
++ *
++ * Function         btm_sec_store_device_sc_support
++ *
++ * Description      Save Secure Connections support for this device to file
++ *
++ ******************************************************************************/
++
++static void btm_sec_store_device_sc_support(uint16_t hci_handle,
++                                            bool secure_connections_supported) {
++  tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev_by_handle(hci_handle);
++  if (p_dev_rec == nullptr) return;
++
++  uint8_t property_val = (uint8_t)secure_connections_supported;
++  bt_property_t property = {
++      .type = BT_PROPERTY_REMOTE_SECURE_CONNECTIONS_SUPPORTED,
++      .len = sizeof(uint8_t),
++      .val = &property_val};
++
++  btif_storage_set_remote_device_property(&p_dev_rec->bd_addr, &property);
++}
++
++/*******************************************************************************
++ *
++ * Function         btm_sec_is_session_key_size_downgrade
++ *
++ * Description      Check if there is a stored device record matching this
++ *                  handle, and return true if the stored record has a lower
++ *                  session key size than the candidate device.
++ *
++ * Returns          bool
++ *
++ ******************************************************************************/
++bool btm_sec_is_session_key_size_downgrade(uint16_t hci_handle,
++                                           uint8_t key_size) {
++  tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev_by_handle(hci_handle);
++  if (p_dev_rec == nullptr) return false;
++
++  uint8_t property_val = 0;
++  bt_property_t property = {.type = BT_PROPERTY_REMOTE_MAX_SESSION_KEY_SIZE,
++                            .len = sizeof(uint8_t),
++                            .val = &property_val};
++
++  bt_status_t cached =
++      btif_storage_get_remote_device_property(&p_dev_rec->bd_addr, &property);
++
++  if (cached == BT_STATUS_FAIL) return false;
++
++  return property_val > key_size;
++}
++
++/*******************************************************************************
++ *
++ * Function         btm_sec_update_session_key_size
++ *
++ * Description      Store the max session key size to disk, if possible.
++ *
++ ******************************************************************************/
++void btm_sec_update_session_key_size(uint16_t hci_handle, uint8_t key_size) {
++  tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev_by_handle(hci_handle);
++  if (p_dev_rec == nullptr) return;
++
++  uint8_t property_val = key_size;
++  bt_property_t property = {.type = BT_PROPERTY_REMOTE_MAX_SESSION_KEY_SIZE,
++                            .len = sizeof(uint8_t),
++                            .val = &property_val};
++
++  btif_storage_set_remote_device_property(&p_dev_rec->bd_addr, &property);
++}
++
+ /*******************************************************************************
+  *
+  * Function         access_secure_service_from_temp_bond
+diff --git a/system/stack/btm/btm_sec.h b/system/stack/btm/btm_sec.h
+index 8b92d5d78c..a48dbb2282 100644
+--- a/system/stack/btm/btm_sec.h
++++ b/system/stack/btm/btm_sec.h
+@@ -805,5 +805,28 @@ void btm_sec_set_peer_sec_caps(uint16_t hci_handle, bool ssp_supported,
+ void btm_sec_cr_loc_oob_data_cback_event(const RawAddress& address,
+                                          tSMP_LOC_OOB_DATA loc_oob_data);
+ 
++/*******************************************************************************
++ *
++ * Function         btm_sec_is_session_key_size_downgrade
++ *
++ * Description      Check if there is a stored device record matching this
++ *                  handle, and return true if the stored record has a lower
++ *                  session key size than the candidate device.
++ *
++ * Returns          bool
++ *
++ ******************************************************************************/
++bool btm_sec_is_session_key_size_downgrade(uint16_t hci_handle,
++                                           uint8_t key_size);
++
++/*******************************************************************************
++ *
++ * Function         btm_sec_update_session_key_size
++ *
++ * Description      Store the max session key size to disk, if possible.
++ *
++ ******************************************************************************/
++void btm_sec_update_session_key_size(uint16_t hci_handle, uint8_t key_size);
++
+ // Return DEV_CLASS (uint8_t[3]) of bda. If record doesn't exist, create one.
+ const uint8_t* btm_get_dev_class(const RawAddress& bda);
+diff --git a/system/stack/include/sec_hci_link_interface.h b/system/stack/include/sec_hci_link_interface.h
+index b5dda7f407..6d859fd82f 100644
+--- a/system/stack/include/sec_hci_link_interface.h
++++ b/system/stack/include/sec_hci_link_interface.h
+@@ -37,6 +37,8 @@ void btm_sec_auth_complete(uint16_t handle, tHCI_STATUS status);
+ void btm_sec_disconnected(uint16_t handle, tHCI_STATUS reason, std::string);
+ void btm_sec_encrypt_change(uint16_t handle, tHCI_STATUS status,
+                             uint8_t encr_enable);
++bool btm_sec_is_session_key_size_downgrade(uint16_t hci_handle,
++                                           uint8_t key_size);
+ void btm_sec_link_key_notification(const RawAddress& p_bda,
+                                    const Octet16& link_key, uint8_t key_type);
+ void btm_sec_link_key_request(const uint8_t* p_event);
+@@ -46,4 +48,5 @@ void btm_sec_rmt_name_request_complete(const RawAddress* bd_addr,
+                                        const uint8_t* bd_name,
+                                        tHCI_STATUS status);
+ void btm_sec_update_clock_offset(uint16_t handle, uint16_t clock_offset);
++void btm_sec_update_session_key_size(uint16_t hci_handle, uint8_t key_size);
+ void btm_simple_pair_complete(const uint8_t* p);
+diff --git a/system/test/mock/mock_stack_btm_sec.cc b/system/test/mock/mock_stack_btm_sec.cc
+index 56a0db187b..7b5f9e4d4c 100644
+--- a/system/test/mock/mock_stack_btm_sec.cc
++++ b/system/test/mock/mock_stack_btm_sec.cc
+@@ -113,6 +113,11 @@ bool btm_sec_is_a_bonded_dev(const RawAddress& bda) {
+   mock_function_count_map[__func__]++;
+   return false;
+ }
++bool btm_sec_is_session_key_size_downgrade(uint16_t hci_handle,
++                                           uint8_t key_size) {
++  mock_function_count_map[__func__]++;
++  return false;
++}
+ bool is_sec_state_equal(void* data, void* context) {
+   mock_function_count_map[__func__]++;
+   return false;
+@@ -313,6 +318,9 @@ void btm_sec_set_peer_sec_caps(uint16_t hci_handle, bool ssp_supported,
+ void btm_sec_update_clock_offset(uint16_t handle, uint16_t clock_offset) {
+   mock_function_count_map[__func__]++;
+ }
++void btm_sec_update_session_key_size(uint16_t hci_handle, uint8_t key_size) {
++  mock_function_count_map[__func__]++;
++}
+ void btm_simple_pair_complete(const uint8_t* p) {
+   mock_function_count_map[__func__]++;
+ }
+-- 
+2.46.0.rc2.264.g509ed76dc8-goog
+
diff --git a/aosp_diff/preliminary/packages/modules/Bluetooth/61_0061-Disallow-connect-with-Secure-Connections-downgrade.bulletin.patch b/aosp_diff/preliminary/packages/modules/Bluetooth/61_0061-Disallow-connect-with-Secure-Connections-downgrade.bulletin.patch
new file mode 100644
index 0000000000..b0be4aff1e
--- /dev/null
+++ b/aosp_diff/preliminary/packages/modules/Bluetooth/61_0061-Disallow-connect-with-Secure-Connections-downgrade.bulletin.patch
@@ -0,0 +1,64 @@
+From bfc38f93dbf52550ccd1ef6eca748e3d4e984792 Mon Sep 17 00:00:00 2001
+From: Brian Delwiche <delwiche@google.com>
+Date: Mon, 22 Apr 2024 21:46:27 +0000
+Subject: [PATCH] Disallow connect with Secure Connections downgrade
+
+As a guard against the BLUFFS attack, check security parameters of
+incoming connections against cached values and disallow connection if
+these parameters are downgraded or changed from their cached values.
+
+This CL adds the connection-time check for Secure Connections mode.
+
+Bug: 314331379
+Test: m libbluetooth
+Test: manual
+
+To test this CL, please ensure that BR/EDR initial connections and reconnections  (after cycling remote devices, cycling Bluetooth, restarting the phone, etc.) work against remote devices which both support and do not support Secure Connections mode, and with all supported bonding types.  Basic validation of LE bonding functionality should be done as well.
+
+Tag: #security
+Ignore-AOSP-First: Security
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:f20fdd9b3225a6084f6b666172817fe0a89f0679)
+Merged-In: I9130476600d31b59608e0e419b5136d255174265
+Change-Id: I9130476600d31b59608e0e419b5136d255174265
+---
+ system/stack/btm/btm_sec.cc | 17 +++++++++++++++++
+ 1 file changed, 17 insertions(+)
+
+diff --git a/system/stack/btm/btm_sec.cc b/system/stack/btm/btm_sec.cc
+index 0716bcd486..73c98aa868 100644
+--- a/system/stack/btm/btm_sec.cc
++++ b/system/stack/btm/btm_sec.cc
+@@ -4077,6 +4077,13 @@ void btm_sec_link_key_notification(const RawAddress& p_bda,
+     }
+   }
+ 
++  if (p_dev_rec->is_bond_type_persistent() &&
++      (p_dev_rec->is_device_type_br_edr() ||
++       p_dev_rec->is_device_type_dual_mode())) {
++    btm_sec_store_device_sc_support(p_dev_rec->get_br_edr_hci_handle(),
++                                    p_dev_rec->SupportsSecureConnections());
++  }
++
+   /* If name is not known at this point delay calling callback until the name is
+    */
+   /* resolved. Unless it is a HID Device and we really need to send all link
+@@ -5153,6 +5160,16 @@ void btm_sec_set_peer_sec_caps(uint16_t hci_handle, bool ssp_supported,
+   tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev_by_handle(hci_handle);
+   if (p_dev_rec == nullptr) return;
+ 
++  // Drop the connection here if the remote attempts to downgrade from Secure
++  // Connections mode.
++  if (btm_sec_is_device_sc_downgrade(hci_handle, sc_supported)) {
++    acl_set_disconnect_reason(HCI_ERR_HOST_REJECT_SECURITY);
++    btm_sec_send_hci_disconnect(
++        p_dev_rec, HCI_ERR_AUTH_FAILURE, hci_handle,
++        "attempted to downgrade from Secure Connections mode");
++    return;
++  }
++
+   p_dev_rec->remote_feature_received = true;
+   p_dev_rec->remote_supports_hci_role_switch = hci_role_switch_supported;
+ 
+-- 
+2.46.0.rc2.264.g509ed76dc8-goog
+
diff --git a/aosp_diff/preliminary/packages/modules/Bluetooth/62_0062-Disallow-connect-with-key-length-downgrade.bulletin.patch b/aosp_diff/preliminary/packages/modules/Bluetooth/62_0062-Disallow-connect-with-key-length-downgrade.bulletin.patch
new file mode 100644
index 0000000000..637620cc41
--- /dev/null
+++ b/aosp_diff/preliminary/packages/modules/Bluetooth/62_0062-Disallow-connect-with-key-length-downgrade.bulletin.patch
@@ -0,0 +1,60 @@
+From 1ef66c4cc29e13fae7986a6a01b3ae5c717f2ee4 Mon Sep 17 00:00:00 2001
+From: Brian Delwiche <delwiche@google.com>
+Date: Mon, 22 Apr 2024 21:56:48 +0000
+Subject: [PATCH] Disallow connect with key length downgrade
+
+As a guard against the BLUFFS attack, check security parameters of
+incoming connections against cached values and disallow connection if
+these parameters are downgraded or changed from their cached values.
+
+This CL adds the connection-time check for session key length.
+
+To test, please validate that bonding can be established and
+reestablished against devices with session key lengths of 7 and 16 bits,
+that session key lengths of less than 7 bits are refused, and that basic
+LE bonding functionality still works.  If it is possible to configure a
+remote device to establish a bond with a session key length of 16 bits
+and then reduce that key length to <16 bits before reconnection, this
+should fail.
+
+Bug: 314331379
+Test: m libbluetooth
+Test: manual
+
+Tag: #security
+Ignore-AOSP-First: Security
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:d6e9fdf182afb57cecac6c56603aa20d758090a4)
+Merged-In: I27be1f93598820a0f2a7154ba83f5b041878c21f
+Change-Id: I27be1f93598820a0f2a7154ba83f5b041878c21f
+---
+ system/stack/btu/btu_hcif.cc | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+diff --git a/system/stack/btu/btu_hcif.cc b/system/stack/btu/btu_hcif.cc
+index 9c31772625..6a4aecd667 100644
+--- a/system/stack/btu/btu_hcif.cc
++++ b/system/stack/btu/btu_hcif.cc
+@@ -1038,6 +1038,20 @@ static void read_encryption_key_size_complete_after_encryption_change(uint8_t st
+     return;
+   }
+ 
++  if (btm_sec_is_session_key_size_downgrade(handle, key_size)) {
++    LOG_ERROR(
++        "encryption key size lower than cached value, disconnecting. "
++        "handle: 0x%x attempted key size: %d",
++        handle, key_size);
++    acl_disconnect_from_handle(
++        handle, HCI_ERR_HOST_REJECT_SECURITY,
++        "stack::btu::btu_hcif::read_encryption_key_size_complete_after_"
++        "encryption_change Key Size Downgrade");
++    return;
++  }
++
++  btm_sec_update_session_key_size(handle, key_size);
++
+   // good key size - succeed
+   btm_acl_encrypt_change(handle, static_cast<tHCI_STATUS>(status),
+                          1 /* enable */);
+-- 
+2.46.0.rc2.264.g509ed76dc8-goog
+
diff --git a/aosp_diff/preliminary/packages/services/Telecomm/0013-Unbind-CallScreeningService-when-timeout-reached-.bulletin.patch b/aosp_diff/preliminary/packages/services/Telecomm/0013-Unbind-CallScreeningService-when-timeout-reached-.bulletin.patch
new file mode 100644
index 0000000000..3c3fcd73b7
--- /dev/null
+++ b/aosp_diff/preliminary/packages/services/Telecomm/0013-Unbind-CallScreeningService-when-timeout-reached-.bulletin.patch
@@ -0,0 +1,46 @@
+From 32ca481ed405bf8dfeb833a8a3507da8c5bc686d Mon Sep 17 00:00:00 2001
+From: Pranav Madapurmath <pmadapurmath@google.com>
+Date: Tue, 11 Jun 2024 15:51:39 +0000
+Subject: [PATCH] Unbind CallScreeningService when timeout reached.
+
+In a vulnerability, the exploiter showed that an app which implements a
+service with role holding ROLE_CALL_SCREENING can be used to keep a
+service alive. The assumption is that the CallScreeningService class
+uses MSG_SCREEN_CALL to screen the call and results in the service being
+unbound for outgoing calls once screening completes. However, a vanilla
+service which holds the ROLE_CALL_SCREENING role can still be used as
+the default call screening app which keeps the service alive.
+
+This CL ensures that after the timeout is reached that we try to unbind
+the service if possible.
+
+Bug: 300904123
+Test: Manual test to verify that onDestroy is called for the service
+after the timeout is reached.
+
+(cherry picked from commit 9d97cd5825066ac8e15bbf97f6755663c5341afb)
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:d57f25311acb7fb887fb0296364526345cc905bb)
+Merged-In: I30d276867c571ece113106d3b363fce99d64f441
+Change-Id: I30d276867c571ece113106d3b363fce99d64f441
+---
+ .../android/server/telecom/CallScreeningServiceHelper.java    | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/src/com/android/server/telecom/CallScreeningServiceHelper.java b/src/com/android/server/telecom/CallScreeningServiceHelper.java
+index 5c9ca84d1..747408cd8 100644
+--- a/src/com/android/server/telecom/CallScreeningServiceHelper.java
++++ b/src/com/android/server/telecom/CallScreeningServiceHelper.java
+@@ -176,6 +176,10 @@ public class CallScreeningServiceHelper {
+                             Log.w(TAG, "Cancelling call id process due to timeout");
+                         }
+                         mFuture.complete(null);
++                        mContext.unbindService(serviceConnection);
++                    } catch (IllegalArgumentException e) {
++                        Log.i(this, "Exception when unbinding service %s : %s", serviceConnection,
++                                e.getMessage());
+                     } finally {
+                         Log.endSession();
+                     }
+-- 
+2.46.0.rc2.264.g509ed76dc8-goog
+
diff --git a/aosp_diff/preliminary/system/sepolicy/12_0012-Allow-system_server-to-call-IKeystoreMaintenance-deleteAllKeys-.bulletin.patch b/aosp_diff/preliminary/system/sepolicy/12_0012-Allow-system_server-to-call-IKeystoreMaintenance-deleteAllKeys-.bulletin.patch
new file mode 100644
index 0000000000..e61ba5b38e
--- /dev/null
+++ b/aosp_diff/preliminary/system/sepolicy/12_0012-Allow-system_server-to-call-IKeystoreMaintenance-deleteAllKeys-.bulletin.patch
@@ -0,0 +1,54 @@
+From c655e9cfd454769246caa2c6fd194416b3330530 Mon Sep 17 00:00:00 2001
+From: Nikolay Elenkov <nikolayelenkov@google.com>
+Date: Wed, 26 Jun 2024 08:01:46 +0000
+Subject: [PATCH] Allow system_server to call
+ IKeystoreMaintenance.deleteAllKeys()
+
+This allows RecoverySystem to destroy all synthetic blob protector keys
+and make FBE-encrypted data unrecoverable even if data wipe in recovery
+is interrupted or skipped.
+
+Bug: 324321147
+Test: Manual - System -> Reset options -> Erase all data.
+Test: Hold VolDown key to interrupt reboot and stop at bootloader
+screen.
+Test: fastboot oem bcd wipe command && fastboot oem bcd wipe recovery
+Test: fastboot reboot
+Test: Device reboots into recovery and prompts to factory reset:
+Test: 'Cannot load Android system. Your data may be corrupt. ...
+(cherry picked from https://android-review.googlesource.com/q/commit:3941b6874350fb1c8558fcd539ec0ec5038c1d7e)
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:72313f580e19af6fbbe95187881c4771a0f2416b)
+Merged-In: I5be2f9e8314d36448994f4f14ff585ded7095c8c
+Change-Id: I5be2f9e8314d36448994f4f14ff585ded7095c8c
+---
+ prebuilts/api/33.0/private/system_server.te | 1 +
+ private/system_server.te                    | 1 +
+ 2 files changed, 2 insertions(+)
+
+diff --git a/prebuilts/api/33.0/private/system_server.te b/prebuilts/api/33.0/private/system_server.te
+index 0f72c7fcf..a1eab0354 100644
+--- a/prebuilts/api/33.0/private/system_server.te
++++ b/prebuilts/api/33.0/private/system_server.te
+@@ -957,6 +957,7 @@ allow system_server keystore:keystore2 {
+ 	clear_ns
+ 	clear_uid
+ 	get_state
++	delete_all_keys
+ 	lock
+ 	pull_metrics
+ 	reset
+diff --git a/private/system_server.te b/private/system_server.te
+index 0f72c7fcf..a1eab0354 100644
+--- a/private/system_server.te
++++ b/private/system_server.te
+@@ -957,6 +957,7 @@ allow system_server keystore:keystore2 {
+ 	clear_ns
+ 	clear_uid
+ 	get_state
++	delete_all_keys
+ 	lock
+ 	pull_metrics
+ 	reset
+-- 
+2.46.0.rc2.264.g509ed76dc8-goog
+