Add ability to remove non-stock key via WebUSB.

2021-03-01 19:55:57 +00:00 · 2021-03-01 19:55:57 +00:00 · 3e44e17ea8
commit 3e44e17ea8
parent 780f47e61e
2 changed files with 33 additions and 1 deletions
--- a/static/install/web.html
+++ b/static/install/web.html
@ -28,7 +28,7 @@
        <link rel="license" href="/LICENSE.txt"/>
        <script type="module" src="/js/redirect.js?9"></script>
        <script type="module" src="/js/fastboot/dist/fastboot.min.mjs?7"></script>
-        <script type="module" src="/js/web-install.js?12"></script>
+        <script type="module" src="/js/web-install.js?13"></script>
    </head>
    <body>
        <header>
@ -80,6 +80,7 @@
                            <li><a href="#booting">Booting</a></li>
                            <li><a href="#disabling-oem-unlocking">Disabling OEM unlocking</a></li>
                            <li><a href="#verifying-installation">Verifying installation</a></li>
+                            <li><a href="#replacing-grapheneos-with-the-stock-os">Replacing GrapheneOS with the stock OS</a></li>
                            <li><a href="#further-information">Further information</a></li>
                        </ul>
                    </li>
@ -333,6 +334,23 @@
                    also consider setting up the optional remote attestation service.</p>
                </section>

+                <section id="replacing-grapheneos-with-the-stock-os">
+                    <h3><a href="#replacing-grapheneos-with-the-stock-os">Replacing GrapheneOS with the stock OS</a></h3>
+
+                    <p>Installation of the stock OS via the stock factory images is the same process
+                    described above. However, before locking, there's an additional step to fully revert
+                    the device to a clean factory state.</p>
+
+                    <p>The GrapheneOS factory images flash a non-stock Android Verified Boot key which
+                    needs to be erased to fully revert back to a stock device state. After flashing the
+                    stock factory images and before locking the bootloader, you should erase the custom
+                    Android Verified Boot key to untrust it:</p>
+
+                    <button id="remove-custom-key-button" disabled="disabled">Remove non-stock key</button>
+
+                    <p><strong id="remove-custom-key-status"></strong></p>
+                </section>
+
                <section id="further-information">
                    <h3><a href="#further-information">Further information</a></h3>

--- a/static/js/web-install.js
+++ b/static/js/web-install.js
@ -207,6 +207,19 @@ async function flashRelease(setProgress) {
    return `Flashed ${latestZip} to device.`;
 }

+async function eraseNonStockKey(setProgress) {
+    await ensureConnected(setProgress);
+
+    setProgress("Erasing key...");
+    try {
+        await device.runCommand("erase:avb_custom_key");
+    } catch (error) {
+        console.log(error);
+        throw error;
+    }
+    return "Key erased.";
+}
+
 async function lockBootloader(setProgress) {
    await ensureConnected(setProgress);

@ -281,6 +294,7 @@ if ("usb" in navigator) {
    addButtonHook("download-release", downloadRelease);
    addButtonHook("flash-release", flashRelease);
    addButtonHook("lock-bootloader", lockBootloader);
+    addButtonHook("remove-custom-key", eraseNonStockKey);
 } else {
    console.log("WebUSB unavailable");
 }