split out APEX signing section

Daniel Micay 2019-09-26 18:37:25 -04:00
parent 3eb93f1680
commit 1d26065b8a


@ -571,17 +571,30 @@ cd ../..</pre>
<pre>cd keys/crosshatch <pre>cd keys/crosshatch
../../development/tools/make_key networkstack '/CN=GrapheneOS/'</pre> ../../development/tools/make_key networkstack '/CN=GrapheneOS/'</pre>
<p>GrapheneOS disables updatable APEX components for the officially supported <h3 id="enabling-updatable-apex-components">
devices and targets inheriting from the mainline target. GrapheneOS uses the <a href="#enabling-updatable-apex-components">Enabling updatable APEX components</a>
<code>TARGET_FLATTEN_APEX := true</code> format to include APEX components as part of </h3>
the base OS without supporting out-of-band updates. <strong>If you don't disable updatable
APEX packages, you need to generate an APK and AVB key for each APEX component and <p>GrapheneOS disables updatable APEX components for the officially supported devices
extend the GrapheneOS release.sh script to pass the appropriate parameters to replace and targets inheriting from the mainline target, so APEX signing keys are not needed
the APK and AVB keys for each APEX component.</strong> APEX components that are not flattened and this section can be ignored for unmodified builds.</p>
are a signed APK (used for verify updates) with an embedded filesystem using verified
boot with the AVB key. Each APEX package must have a unique set of keys. GrapheneOS <p>GrapheneOS uses the <code>TARGET_FLATTEN_APEX := true</code> format to include APEX
has no use for these out-of-band updates at this time and flattening APEX components components as part of the base OS without supporting out-of-band updates.</p>
avoids needing a bunch of extra keys and complexity.</p>
<p><strong>If you don't disable updatable APEX packages, you need to generate an APK and
AVB key for each APEX component and extend the GrapheneOS release.sh script to pass
the appropriate parameters to replace the APK and AVB keys for each APEX
component.</strong></p>
<p>APEX components that are not flattened are a signed APK (used to verify updates)
with an embedded filesystem image signed with an AVB key (for verified boot). Each
APEX package must have a unique set of keys. GrapheneOS has no use for these
out-of-band updates at this time and flattening APEX components avoids needing a bunch
of extra keys and complexity.</p>
<p>For now, consult the upstream documentation on generating these keys. It will be
covered here in the future.</p>
<h2 id="generating-signed-factory-images-and-full-update-packages"> <h2 id="generating-signed-factory-images-and-full-update-packages">
<a href="#generating-signed-factory-images-and-full-update-packages">Generating signed factory images and full update packages</a> <a href="#generating-signed-factory-images-and-full-update-packages">Generating signed factory images and full update packages</a>
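Review bot: the new heading "Enabling updatable APEX components" reads as a step the reader should perform, while the first paragraph under it says GrapheneOS disables updatable APEX components and that the section can be ignored for unmodified builds; a reader scanning headings in the signing-keys section may take it as a required key-generation step, so consider a heading or an opening sentence that states up front that this only applies when a build re-enables updatable APEX packages. In the same hunk, "consult the upstream documentation on generating these keys" leaves the reader with nothing to follow; link the upstream APEX documentation directly rather than deferring to "It will be covered here in the future." Minor wording: "the <code>TARGET_FLATTEN_APEX := true</code> format" would be clearer as "setting" or "build configuration", since it is a build variable rather than a file format.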