drop legacy info on APEX components

Daniel Micay 2023-06-27 22:47:07 -04:00
parent 5220461d57
commit 7bf9b26716
3 changed files with 13 additions and 21 deletions

@ -96,6 +96,7 @@ http {
/install/web.html ", <{{path|/js/redirect.js}}>; rel=modulepreload; integrity={{integrity|/js/redirect.js}}"; /install/web.html ", <{{path|/js/redirect.js}}>; rel=modulepreload; integrity={{integrity|/js/redirect.js}}";
/releases.html ", <{{path|/js/redirect.js}}>; rel=modulepreload; integrity={{integrity|/js/redirect.js}}"; /releases.html ", <{{path|/js/redirect.js}}>; rel=modulepreload; integrity={{integrity|/js/redirect.js}}";
/usage.html ", <{{path|/js/redirect.js}}>; rel=modulepreload; integrity={{integrity|/js/redirect.js}}"; /usage.html ", <{{path|/js/redirect.js}}>; rel=modulepreload; integrity={{integrity|/js/redirect.js}}";
/build.html ", <{{path|/js/redirect.js}}>; rel=modulepreload; integrity={{integrity|/js/redirect.js}}";
} }
server { server {
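
Review bot: The added `/build.html` entry is a fourth verbatim copy of the same `Link` header value, so any later change to the preload attributes has to be repeated once per page. If the template layer allows it, define the `<{{path|/js/redirect.js}}>; rel=modulepreload; integrity=...` string once and reference it from each map entry. The entry is also only useful while the page actually loads `redirect.js`, so the two should be added and removed together.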

@ -28,6 +28,7 @@
<link rel="manifest" href="/manifest.webmanifest"/> <link rel="manifest" href="/manifest.webmanifest"/>
<link rel="license" href="/LICENSE.txt"/> <link rel="license" href="/LICENSE.txt"/>
<link rel="me" href="https://grapheneos.social/@GrapheneOS"/> <link rel="me" href="https://grapheneos.social/@GrapheneOS"/>
{{js|/js/redirect.js}}
</head> </head>
<body> <body>
<header> <header>
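
Review bot: The `{{js|/js/redirect.js}}` line added to the head is not mentioned in the commit message, which only says "drop legacy info on APEX components". The script is being pulled into this page to serve the renamed fragment, so a line in the message saying that the old anchor is now redirected would help. It is also worth confirming that the tag this template emits carries the same integrity value as the `integrity={{integrity|/js/redirect.js}}` in the preload header, so the preloaded module is the one that gets used.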
@ -80,7 +81,7 @@
<ul> <ul>
<li><a href="#migration-to-android-13">Migration to Android 13</a></li> <li><a href="#migration-to-android-13">Migration to Android 13</a></li>
<li><a href="#encrypting-keys">Encrypting keys</a></li> <li><a href="#encrypting-keys">Encrypting keys</a></li>
<li><a href="#enabling-updatable-apex-components">Enabling updatable APEX components</a></li> <li><a href="#apex-components">APEX components</a></li>
</ul> </ul>
</li> </li>
<li> <li>
@ -606,27 +607,15 @@ cd ../..</pre>
the keys in tmpfs to perform signing.</p> the keys in tmpfs to perform signing.</p>
</section> </section>
<section id="enabling-updatable-apex-components"> <section id="apex-components">
<h4><a href="#enabling-updatable-apex-components">Enabling updatable APEX components</a></h4> <h4><a href="#apex-components">APEX components</a></h4>
<p>GrapheneOS uses the <code>TARGET_FLATTEN_APEX := true</code> format to <p>GrapheneOS currently doesn't use out-of-date updates to APEX
include APEX components as part of the base OS and disables support for components, so these are all signed with the OS releasekey and verified
out-of-band APEX component updates. This reduces complexity and attack boot key to avoid needing many extra pairs of keys. Each APEX needs an APK
surface along with simplifying key management since there aren't a bunch signing key and verified boot signing key. If you want to ship out-of-band
of additional components to sign. GrapheneOS has no use for out-of-band updates to APEX components, you'll need to deal with this and you should
updates to APEX components since we update the OS for each device and make a separate pair of keys for each one.</p>
don't need partial out-of-band updates for portable components.</p>
<p>APEX components that aren't flattened are a signed APK (used to verify
updates) with an embedded filesystem image signed with an AVB key (for
verified boot). Our release signing scripts has support for signing
non-flattened APEX components with the releasekey and AVB key for the
device. This secures it but wouldn't be usable for shipping out-of-band
updates to APEX components across multiple devices. You could switch to
using a single shared APEX APK signing key and AVB signing key. You'll
also need to add parameters for additional device-specific APEX components
not included in our release signing script which was set up based on the
Pixel 6 and Pixel 6 Pro.</p>
<p>Consult the upstream documentation on generating these keys. It will <p>Consult the upstream documentation on generating these keys. It will
likely be covered here in the future, especially if non-flattened APEX likely be covered here in the future, especially if non-flattened APEX
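
Review bot: In the new paragraph, "doesn't use out-of-date updates to APEX components" looks like a slip for "out-of-band", which is the term used later in the same paragraph ("If you want to ship out-of-band updates to APEX components"). Separately, the unchanged sentence that follows still refers to "non-flattened APEX", but the text explaining flattened and non-flattened components is removed by this hunk, so that reference no longer has anything on the page to point back to. Consider rewording it or keeping a one-line definition.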

@ -24,6 +24,8 @@ const redirects = new Map([
["/install/cli#fastboot-as-non-root", "/install/cli#flashing-as-non-root"], ["/install/cli#fastboot-as-non-root", "/install/cli#flashing-as-non-root"],
["/install/web#fastboot-as-non-root", "/install/web#flashing-as-non-root"], ["/install/web#fastboot-as-non-root", "/install/web#flashing-as-non-root"],
["/build#enabling-updatable-apex-components", "/build#apex-components"],
// legacy devices // legacy devices
["/releases#marlin-stable", "/faq#legacy-devices"], ["/releases#marlin-stable", "/faq#legacy-devices"],
["/releases#marlin-beta", "/faq#legacy-devices"], ["/releases#marlin-beta", "/faq#legacy-devices"],
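
Review bot: The new `/build#enabling-updatable-apex-components` entry sits between the `/install/...` fastboot entries and the `// legacy devices` comment, so it reads as part of a group it does not belong to. Consider placing it next to any other `/build` redirects or under its own short comment. The target `/build#apex-components` matches the new section id in the HTML change, so the mapping itself looks right.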