security/hakurei.app
security/hakurei.app
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 4 Wiki Activity

use explicit sections in the install guide

Browse Source
This commit is contained in:
Daniel Micay 2020-12-06 11:54:32 -05:00
parent 4e0a222974
commit 5bad5e1b03
1 changed files with 247 additions and 247 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

78
static/install.html
View File

@ -78,9 +78,8 @@
</ul> </ul>
</nav> </nav>
<h2 id="prerequisites"> <section id="prerequisites">
<a href="#prerequisites">Prerequisites</a> <h2><a href="#prerequisites">Prerequisites</a></h2>
</h2>
<p>You should have at least 2GB of free memory available.</p> <p>You should have at least 2GB of free memory available.</p>
@ -111,9 +110,8 @@
<p>These instructions use command-line tools. On Windows, use PowerShell rather than <p>These instructions use command-line tools. On Windows, use PowerShell rather than
the legacy Command Prompt.</p> the legacy Command Prompt.</p>
<h3 id="obtaining-fastboot"> <section id="obtaining-fastboot">
<a href="#obtaining-fastboot">Obtaining fastboot</a> <h3><a href="#obtaining-fastboot">Obtaining fastboot</a></h3>
</h3>
<p>You need an updated copy of the <code>fastboot</code> tool and it needs to be <p>You need an updated copy of the <code>fastboot</code> tool and it needs to be
included in your <code>PATH</code> environment variable. You can run <code>fastboot included in your <code>PATH</code> environment variable. You can run <code>fastboot
@ -138,9 +136,8 @@
check in the flashing script will prevent accidentally using these.</li> check in the flashing script will prevent accidentally using these.</li>
</ul> </ul>
<h4 id="standalone-platform-tools"> <section id="standalone-platform-tools">
<a href="#standalone-platform-tools">Standalone platform-tools</a> <h4><a href="#standalone-platform-tools">Standalone platform-tools</a></h4>
</h4>
<p>If your operating system doesn't make a proper version of fastboot available, <p>If your operating system doesn't make a proper version of fastboot available,
consider using the consider using the
@ -187,10 +184,11 @@ Installed as /home/username/downloads/platform-tools/fastboot</pre>
<p>This is a temporary change to <code>PATH</code> for the current shell and will need <p>This is a temporary change to <code>PATH</code> for the current shell and will need
to be done again if you open a new terminal. Make sure that the <code>fastboot</code> to be done again if you open a new terminal. Make sure that the <code>fastboot</code>
command works in the current shell before trying to run the flashing script.</p> command works in the current shell before trying to run the flashing script.</p>
</section>
</section>
<h3 id="obtaining-signify"> <section id="obtaining-signify">
<a href="#obtaining-signify">Obtaining signify</a> <h3><a href="#obtaining-signify">Obtaining signify</a></h3>
</h3>
<p>To verify the download of the OS beyond the security offered by HTTPS, you can use <p>To verify the download of the OS beyond the security offered by HTTPS, you can use
the signify tool. If you do not have a way to obtain signify from a package repository the signify tool. If you do not have a way to obtain signify from a package repository
@ -216,10 +214,11 @@ Installed as /home/username/downloads/platform-tools/fastboot</pre>
tool for generating mail signatures (not cryptographic signatures)</a> with the final tool for generating mail signatures (not cryptographic signatures)</a> with the final
releases from 2003-2004 made directly by the developer via the Debian package without releases from 2003-2004 made directly by the developer via the Debian package without
upstream releases. Please pressure them to correct this usability issue.</p> upstream releases. Please pressure them to correct this usability issue.</p>
</section>
</section>
<h2 id="enabling-oem-unlocking"> <section id="enabling-oem-unlocking">
<a href="#enabling-oem-unlocking">Enabling OEM unlocking</a> <h2><a href="#enabling-oem-unlocking">Enabling OEM unlocking</a></h2>
</h2>
<p>OEM unlocking needs to be enabled from within the operating system.</p> <p>OEM unlocking needs to be enabled from within the operating system.</p>
@ -229,10 +228,10 @@ Installed as /home/username/downloads/platform-tools/fastboot</pre>
<p>Next, go to Settings ➔ System ➔ Advanced ➔ Developer options and toggle on the <p>Next, go to Settings ➔ System ➔ Advanced ➔ Developer options and toggle on the
'Enable OEM unlocking' setting. This requires internet access on devices with Google 'Enable OEM unlocking' setting. This requires internet access on devices with Google
Play services as part of Factory Reset Protection (FRP) for anti-theft protection.</p> Play services as part of Factory Reset Protection (FRP) for anti-theft protection.</p>
</section>
<h2 id="unlocking-the-bootloader"> <section id="unlocking-the-bootloader">
<a href="#unlocking-the-bootloader">Unlocking the bootloader</a> <h2><a href="#unlocking-the-bootloader">Unlocking the bootloader</a></h2>
</h2>
<p>First, boot into the bootloader interface. You can do this by turning off the <p>First, boot into the bootloader interface. You can do this by turning off the
device and then turning it on by holding both the Volume Down and Power buttons.</p> device and then turning it on by holding both the Volume Down and Power buttons.</p>
@ -242,10 +241,10 @@ Installed as /home/username/downloads/platform-tools/fastboot</pre>
<pre>fastboot flashing unlock</pre> <pre>fastboot flashing unlock</pre>
<p>The command needs to be confirmed on the device and will wipe all data.</p> <p>The command needs to be confirmed on the device and will wipe all data.</p>
</section>
<h2 id="obtaining-factory-images"> <section id="obtaining-factory-images">
<a href="#obtaining-factory-images">Obtaining factory images</a> <h2><a href="#obtaining-factory-images">Obtaining factory images</a></h2>
</h2>
<p>You need to obtain the GrapheneOS factory images for your device to proceed with <p>You need to obtain the GrapheneOS factory images for your device to proceed with
the installation process.</p> the installation process.</p>
@ -290,10 +289,10 @@ curl -O https://releases.grapheneos.org/sunfish-factory-2020.11.05.18.zip.sig</p
<p>This will output <code>verified</code> if verification is successful. If something <p>This will output <code>verified</code> if verification is successful. If something
goes wrong, it will output an error message rather than <code>verified</code>.</p> goes wrong, it will output an error message rather than <code>verified</code>.</p>
</section>
<h2 id="flashing-factory-images"> <section id="flashing-factory-images">
<a href="#flashing-factory-images">Flashing factory images</a> <h2><a href="#flashing-factory-images">Flashing factory images</a></h2>
</h2>
<p>The initial install will be performed by flashing the factory images. This will <p>The initial install will be performed by flashing the factory images. This will
replace the existing OS installation and wipe all the existing data.</p> replace the existing OS installation and wipe all the existing data.</p>
@ -325,9 +324,8 @@ curl -O https://releases.grapheneos.org/sunfish-factory-2020.11.05.18.zip.sig</p
<p>Wait for the flashing process to complete and proceed to <a href="#locking-the-bootloader">locking the bootloader</a> <p>Wait for the flashing process to complete and proceed to <a href="#locking-the-bootloader">locking the bootloader</a>
before using the device as locking wipes the data again.</p> before using the device as locking wipes the data again.</p>
<h3 id="troubleshooting"> <section id="troubleshooting">
<a href="#troubleshooting">Troubleshooting</a> <h3><a href="#troubleshooting">Troubleshooting</a></h3>
</h3>
<p>A common issue on Linux distributions is that they mount the default temporary file <p>A common issue on Linux distributions is that they mount the default temporary file
directory <code>/tmp</code> as tmpfs which results in it being backed by memory and directory <code>/tmp</code> as tmpfs which results in it being backed by memory and
@ -355,10 +353,11 @@ TMPDIR="$PWD/tmp" ./flash-all.sh</pre>
motherboard, and never use a USB hub for flashing. <em>Never install from a virtual motherboard, and never use a USB hub for flashing. <em>Never install from a virtual
machine;</em> USB passthrough in software emulation may be broken or inadequate and this machine;</em> USB passthrough in software emulation may be broken or inadequate and this
can cause the flashing to fail.</p> can cause the flashing to fail.</p>
</section>
</section>
<h2 id="locking-the-bootloader"> <section id="locking-the-bootloader">
<a href="#locking-the-bootloader">Locking the bootloader</a> <h2><a href="#locking-the-bootloader">Locking the bootloader</a></h2>
</h2>
<p>Locking the bootloader is important as it enables full verified boot. It also <p>Locking the bootloader is important as it enables full verified boot. It also
prevents using fastboot to flash, format or erase partitions. Verified boot will prevents using fastboot to flash, format or erase partitions. Verified boot will
@ -376,17 +375,17 @@ TMPDIR="$PWD/tmp" ./flash-all.sh</pre>
reset.</p> reset.</p>
<p>Unlocking the bootloader again will perform a factory reset.</p> <p>Unlocking the bootloader again will perform a factory reset.</p>
</section>
<h2 id="disabling-oem-unlocking"> <section id="disabling-oem-unlocking">
<a href="#disabling-oem-unlocking">Disabling OEM unlocking</a> <h2><a href="#disabling-oem-unlocking">Disabling OEM unlocking</a></h2>
</h2>
<p>OEM unlocking can be disabled again in the developer settings menu within the <p>OEM unlocking can be disabled again in the developer settings menu within the
operating system after booting it up again.</p> operating system after booting it up again.</p>
</section>
<h2 id="verifying-installation"> <section id="verifying-installation">
<a href="#verifying-installation">Verifying installation</a> <h2><a href="#verifying-installation">Verifying installation</a></h2>
</h2>
<p>Verified boot authenticates and validates the firmware images and OS from the <p>Verified boot authenticates and validates the firmware images and OS from the
hardware root of trust. Since GrapheneOS supports full verified boot, the OS images hardware root of trust. Since GrapheneOS supports full verified boot, the OS images
@ -410,10 +409,10 @@ TMPDIR="$PWD/tmp" ./flash-all.sh</pre>
cleared) will provide strong validation of the identity and integrity of the cleared) will provide strong validation of the identity and integrity of the
device. That makes it best to get the pairing done right after installation. You can device. That makes it best to get the pairing done right after installation. You can
also consider setting up the optional remote attestation service.</p> also consider setting up the optional remote attestation service.</p>
</section>
<h2 id="replacing-grapheneos-with-the-stock-os"> <section id="replacing-grapheneos-with-the-stock-os">
<a href="#replacing-grapheneos-with-the-stock-os">Replacing GrapheneOS with the stock OS</a> <h2><a href="#replacing-grapheneos-with-the-stock-os">Replacing GrapheneOS with the stock OS</a></h2>
</h2>
<p>Installation of the stock OS via the stock factory images is the same process <p>Installation of the stock OS via the stock factory images is the same process
described above. However, before locking, there's an additional step to fully revert described above. However, before locking, there's an additional step to fully revert
@ -425,6 +424,7 @@ TMPDIR="$PWD/tmp" ./flash-all.sh</pre>
Android Verified Boot key to untrust it:</p> Android Verified Boot key to untrust it:</p>
<pre>fastboot erase avb_custom_key</pre> <pre>fastboot erase avb_custom_key</pre>
</section>
</main> </main>
<footer> <footer>
<a href="/"><img src="/logo.png" width="512" height="512" alt=""/>GrapheneOS</a> <a href="/"><img src="/logo.png" width="512" height="512" alt=""/>GrapheneOS</a>