security/hakurei.app
security/hakurei.app
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 4 Wiki Activity

drop legacy info on APEX components

Browse Source
This commit is contained in:
Daniel Micay 2023-06-27 22:47:07 -04:00
parent 5220461d57
commit 7bf9b26716
3 changed files with 13 additions and 21 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
nginx/nginx.conf
View File

@ -96,6 +96,7 @@ http {
/install/web.html ", <{{path|/js/redirect.js}}>; rel=modulepreload; integrity={{integrity|/js/redirect.js}}";
/releases.html ", <{{path|/js/redirect.js}}>; rel=modulepreload; integrity={{integrity|/js/redirect.js}}";
/usage.html ", <{{path|/js/redirect.js}}>; rel=modulepreload; integrity={{integrity|/js/redirect.js}}";
/build.html ", <{{path|/js/redirect.js}}>; rel=modulepreload; integrity={{integrity|/js/redirect.js}}";
}
server {

31
static/build.html
View File

@ -28,6 +28,7 @@
<link rel="manifest" href="/manifest.webmanifest"/>
<link rel="license" href="/LICENSE.txt"/>
<link rel="me" href="https://grapheneos.social/@GrapheneOS"/>
{{js|/js/redirect.js}}
</head>
<body>
<header>
@ -80,7 +81,7 @@
<ul>
<li><a href="#migration-to-android-13">Migration to Android 13</a></li>
<li><a href="#encrypting-keys">Encrypting keys</a></li>
<li><a href="#enabling-updatable-apex-components">Enabling updatable APEX components</a></li>
<li><a href="#apex-components">APEX components</a></li>
</ul>
</li>
<li>
@ -606,27 +607,15 @@ cd ../..</pre>
the keys in tmpfs to perform signing.</p>
</section>
<section id="enabling-updatable-apex-components">
<h4><a href="#enabling-updatable-apex-components">Enabling updatable APEX components</a></h4>
<section id="apex-components">
<h4><a href="#apex-components">APEX components</a></h4>
<p>GrapheneOS uses the <code>TARGET_FLATTEN_APEX := true</code> format to
include APEX components as part of the base OS and disables support for
out-of-band APEX component updates. This reduces complexity and attack
surface along with simplifying key management since there aren't a bunch
of additional components to sign. GrapheneOS has no use for out-of-band
updates to APEX components since we update the OS for each device and
don't need partial out-of-band updates for portable components.</p>
<p>APEX components that aren't flattened are a signed APK (used to verify
updates) with an embedded filesystem image signed with an AVB key (for
verified boot). Our release signing scripts has support for signing
non-flattened APEX components with the releasekey and AVB key for the
device. This secures it but wouldn't be usable for shipping out-of-band
updates to APEX components across multiple devices. You could switch to
using a single shared APEX APK signing key and AVB signing key. You'll
also need to add parameters for additional device-specific APEX components
not included in our release signing script which was set up based on the
Pixel 6 and Pixel 6 Pro.</p>
<p>GrapheneOS currently doesn't use out-of-date updates to APEX
components, so these are all signed with the OS releasekey and verified
boot key to avoid needing many extra pairs of keys. Each APEX needs an APK
signing key and verified boot signing key. If you want to ship out-of-band
updates to APEX components, you'll need to deal with this and you should
make a separate pair of keys for each one.</p>
<p>Consult the upstream documentation on generating these keys. It will
likely be covered here in the future, especially if non-flattened APEX

2
static/js/redirect.js
View File

@ -24,6 +24,8 @@ const redirects = new Map([
["/install/cli#fastboot-as-non-root", "/install/cli#flashing-as-non-root"],
["/install/web#fastboot-as-non-root", "/install/web#flashing-as-non-root"],
["/build#enabling-updatable-apex-components", "/build#apex-components"],
// legacy devices
["/releases#marlin-stable", "/faq#legacy-devices"],
["/releases#marlin-beta", "/faq#legacy-devices"],