diff --git a/nginx/nginx.conf b/nginx/nginx.conf index 48acd9b3..72fc3b78 100644 --- a/nginx/nginx.conf +++ b/nginx/nginx.conf @@ -96,6 +96,7 @@ http { /install/web.html ", <{{path|/js/redirect.js}}>; rel=modulepreload; integrity={{integrity|/js/redirect.js}}"; /releases.html ", <{{path|/js/redirect.js}}>; rel=modulepreload; integrity={{integrity|/js/redirect.js}}"; /usage.html ", <{{path|/js/redirect.js}}>; rel=modulepreload; integrity={{integrity|/js/redirect.js}}"; + /build.html ", <{{path|/js/redirect.js}}>; rel=modulepreload; integrity={{integrity|/js/redirect.js}}"; } server { diff --git a/static/build.html b/static/build.html index c8260be5..ce8c4531 100644 --- a/static/build.html +++ b/static/build.html @@ -28,6 +28,7 @@ + {{js|/js/redirect.js}}
@@ -80,7 +81,7 @@
  • @@ -606,27 +607,15 @@ cd ../.. the keys in tmpfs to perform signing.

    -
    -

    Enabling updatable APEX components

    +
    +

    APEX components

    -

    GrapheneOS uses the TARGET_FLATTEN_APEX := true format to - include APEX components as part of the base OS and disables support for - out-of-band APEX component updates. This reduces complexity and attack - surface along with simplifying key management since there aren't a bunch - of additional components to sign. GrapheneOS has no use for out-of-band - updates to APEX components since we update the OS for each device and - don't need partial out-of-band updates for portable components.

    - -

    APEX components that aren't flattened are a signed APK (used to verify - updates) with an embedded filesystem image signed with an AVB key (for - verified boot). Our release signing scripts has support for signing - non-flattened APEX components with the releasekey and AVB key for the - device. This secures it but wouldn't be usable for shipping out-of-band - updates to APEX components across multiple devices. You could switch to - using a single shared APEX APK signing key and AVB signing key. You'll - also need to add parameters for additional device-specific APEX components - not included in our release signing script which was set up based on the - Pixel 6 and Pixel 6 Pro.

    +

    GrapheneOS currently doesn't use out-of-date updates to APEX + components, so these are all signed with the OS releasekey and verified + boot key to avoid needing many extra pairs of keys. Each APEX needs an APK + signing key and verified boot signing key. If you want to ship out-of-band + updates to APEX components, you'll need to deal with this and you should + make a separate pair of keys for each one.

    Consult the upstream documentation on generating these keys. It will likely be covered here in the future, especially if non-flattened APEX diff --git a/static/js/redirect.js b/static/js/redirect.js index 3e43d8d7..8bc575e0 100644 --- a/static/js/redirect.js +++ b/static/js/redirect.js @@ -24,6 +24,8 @@ const redirects = new Map([ ["/install/cli#fastboot-as-non-root", "/install/cli#flashing-as-non-root"], ["/install/web#fastboot-as-non-root", "/install/web#flashing-as-non-root"], + ["/build#enabling-updatable-apex-components", "/build#apex-components"], + // legacy devices ["/releases#marlin-stable", "/faq#legacy-devices"], ["/releases#marlin-beta", "/faq#legacy-devices"],