Build
++ Build +
- Build dependencies - ¶ + Build dependencies
- x86_64 Linux build environment (macOS is not supported, unlike AOSP which @@ -53,8 +54,7 @@
- Downloading source code - ¶ + Downloading source code
Since this is syncing the sources for the entire operating system and application @@ -65,8 +65,7 @@ work properly than dealing with a moving target.
- Development branch - ¶ + Development branch
The pie branch is currently used for all supported devices:
@@ -81,8 +80,7 @@ repo sync -j32 succeed.- Stable release - ¶ + Stable release
Pick a specific build for a device from the releases page @@ -118,8 +116,7 @@ cd ../.. verify by default.
- Updating and switching branches or tags - ¶ + Updating and switching branches or tags
To update the source tree, run the repo init
command again to select
@@ -131,8 +128,7 @@ cd ../..
GrapheneOS only provides a stable history via tags.
- Browser and WebView - ¶ + Browser and WebView
Before building GrapheneOS, you need to build Chromium for the WebView and @@ -184,8 +180,7 @@ git am ../chromium_patches/*.patchframeworks/base/core/res/res/xml/config_webview_packages
.
- Kernel - ¶ + Kernel
The kernel needs to be built in advance, since it uses a separate build system.
@@ -212,8 +207,7 @@ git submodule update --init generated per the instructions below before building the kernel.- Setting up the OS build environment - ¶ + Setting up the OS build environment
The build has to be done from bash as envsetup.sh is not compatible with other @@ -233,8 +227,7 @@ git submodule update --init make additional performance sacrifices to improve debugging.
- Reproducible builds - ¶ + Reproducible builds
To reproduce a past build, you need to export BUILD_DATETIME
and
@@ -251,8 +244,7 @@ git submodule update --init
signatures.
- Extracting vendor files for Pixel devices - ¶ + Extracting vendor files for Pixel devices
This section does not apply to devices where no extra vendor files are required (HiKey, HiKey 960, emulator, generic targets).
@@ -276,8 +268,7 @@ mv vendor/android-prepare-vendor/DEVICE/BUILD_ID/vendor/google_devices/* vendor/ passed with--timestamp
(seconds since Epoch).
- Building - ¶ + Building
Incremental builds (i.e. starting from the old build) usually work for development @@ -295,8 +286,7 @@ mv vendor/android-prepare-vendor/DEVICE/BUILD_ID/vendor/google_devices/* vendor/
make target-files-package -j20
- Faster builds for development use only - ¶ + Faster builds for development use only
The normal production build process involves building a target files package to be @@ -318,8 +308,7 @@ mv vendor/android-prepare-vendor/DEVICE/BUILD_ID/vendor/google_devices/* vendor/ keys.
- Generating release signing keys - ¶ + Generating release signing keys
Keys need to be generated for resigning completed builds from the publicly @@ -343,8 +332,7 @@ mv vendor/android-prepare-vendor/DEVICE/BUILD_ID/vendor/google_devices/* vendor/ done before building the kernel
- Android Verified Boot 1.0 - ¶ + Android Verified Boot 1.0
To generate keys for marlin (you should use unique keys per device variant):
@@ -371,8 +359,7 @@ out/host/linux-x86/bin/generate_verity_key -convert keys/marlin/verity.x509.pem no separate sailfish kernel.- Android Verified Boot 2.0 (AVB) - ¶ + Android Verified Boot 2.0 (AVB)
To generate keys for crosshatch (you should use unique keys per device @@ -392,8 +379,7 @@ cd ../.. rather to set the public key used by the device to enforce verified boot.
- Generating signed factory images and full update packages - ¶ + Generating signed factory images and full update packages
Build the tool needed to generate A/B updates:
@@ -413,8 +399,7 @@ cd ../.. zip.- Prebuilt code - ¶ + Prebuilt code
Like the Android Open Source Project, GrapheneOS contains some code that's built @@ -422,25 +407,21 @@ cd ../.. gradually expanded to cover building all of it.- Prebuilt apps - ¶ + Prebuilt apps
The Auditor app is simply built from the latest upstream tag and bundled as an apk into external/ repositories. There are no modifications to it for GrapheneOS.
- Testing - ¶ + Testing
- Compatibility Test Suite - ¶ + Compatibility Test Suite
- Download - ¶ + Download
Testing with the Compatibility Test Suite (CTS) can be done by either building the @@ -453,8 +434,7 @@ cd ../.. CTS Media Files also needs to be downloaded from that section.
- Setup - ¶ + Setup
You'll need a device attached to your computer with ADB enabled along with the Android SDK installed. The build-tools and platform-tools packages need to be @@ -495,8 +475,7 @@ export PATH="$PATH:$HOME/sdk/tools:$HOME/sdk/tools/bin:$HOME/sdk/platform-tools:
- Run modules - ¶ + Run modules
Run the test harness:
diff --git a/static/contact.html b/static/contact.html index 38a79f61..0df58b14 100644 --- a/static/contact.html +++ b/static/contact.html @@ -20,7 +20,7 @@ - + @@ -38,7 +38,9 @@Contact
++ Contact +
You can contact contact@grapheneos.org for topics related to GrapheneOS. The security@grapheneos.org address can be used for high priority security issues. The email address of @@ -49,16 +51,14 @@ @DanielMicay and is primarily focused on the privacy and security research/engineering work on GrapheneOS.
- Community - ¶ + Community
The main forum currently used to discuss the project is the official /r/GrapheneOS subreddit on Reddit.
The main IRC channel is #grapheneos on irc.freenode.net. The channel is bridged to Matrix and is available at #grapheneos:matrix.org for Matrix users.
- Reporting issues - ¶ + Reporting issues
- OS issue tracker diff --git a/static/donate.html b/static/donate.html index 33ad7e5c..bdd0c9bc 100644 --- a/static/donate.html +++ b/static/donate.html @@ -20,7 +20,7 @@ - + @@ -38,10 +38,11 @@
Donate
++ Donate +
- Bitcoin - ¶ + Bitcoin
You can send Bitcoin donations to the following address to support this project:
- PayPal - ¶ + PayPal
PayPal donations can be sent to danielmicay@gmail.com. Please mention GrapheneOS in the donation description to allow for proper record keeping, since PayPal diff --git a/static/grapheneos.css b/static/grapheneos.css index 4be5a2ad..48166f3e 100644 --- a/static/grapheneos.css +++ b/static/grapheneos.css @@ -26,6 +26,10 @@ a:hover { text-decoration: underline; } +h1 a, h1 a:visited, h2 a, h2 a:visited, h3 a, h3 a:visited, h4 a, h4 a:visited, h5 a, h5 a:visited, h6 a, h6 a:visited { + color: rgba(0, 0, 0, 0.87); /* 87% black */ +} + pre { overflow-x: auto; } diff --git a/static/index.html b/static/index.html index 94c451e5..da4db289 100644 --- a/static/index.html +++ b/static/index.html @@ -20,7 +20,7 @@ - + @@ -38,7 +38,9 @@
GrapheneOS
++ GrapheneOS +
GrapheneOS is an open source privacy and security focused mobile OS with Android app compatibility.
Official Releases are available on the releases page and @@ -57,8 +59,7 @@
The sources are available via the manifest on GitHub.
- Early stage of development - ¶ + Early stage of development
GrapheneOS is a privacy / security research and engineering project that has been under way for over 5 years. It recently became rebranded as GrapheneOS and is taking a @@ -76,8 +77,7 @@ for the project to have a strong development team with proper infrastructure behind it.
- Roadmap - ¶ + Roadmap
Details on the roadmap of the project will be posted on the site in the near future. In the long term, it aims to move beyond a hardened fork of the Android Open @@ -89,8 +89,7 @@ limited to research and submitting suggestions and bug reports upstream. In the long term, the project will need to move into the hardware space.
- Device support - ¶ + Device support
In the current early stage of the project, GrapheneOS provides production releases for the Pixel, Pixel XL, Pixel 2, Pixel 2 XL, Pixel 3 and Pixel 3 XL. It will support diff --git a/static/install.html b/static/install.html index fe53443e..b6a248d1 100644 --- a/static/install.html +++ b/static/install.html @@ -20,7 +20,7 @@ - + @@ -38,10 +38,11 @@
Install
++ Install +
- Prerequisites - ¶ + Prerequisites
You should have at least 2GB of free memory available.
You need the unlocked variant of one of the supported devices, not a locked carrier @@ -66,8 +67,7 @@ from several years ago are still shipped by Linux distributions like Debian and lack the compatibility detection of modern versions so they can soft brick devices.
- Enabling OEM unlocking - ¶ + Enabling OEM unlocking
OEM unlocking needs to be enabled from within the operating system.
Enable the developer settings menu by going to Settings ➔ System ➔ About phone and @@ -76,8 +76,7 @@ 'Enable OEM unlocking' setting. This requires internet access on devices with Google Play Services.
- Unlocking the bootloader - ¶ + Unlocking the bootloader
First, boot into the bootloader interface. You can do this by turning off the device and then turning it on by holding both the Volume Down and Power buttons.
@@ -85,8 +84,7 @@fastboot flashing unlock
The command needs to be confirmed on the device.
- Obtaining factory images - ¶ + Obtaining factory images
The initial install will be performed by flashing the factory images. This will replace the existing OS installation and wipe all the existing data.
@@ -96,8 +94,7 @@ gpg --verify blueline-factory-2019.04.01.19.zip.sig blueline-factory-2019.04.01.19.zipWhen this signing key is replaced, the new key will be signed with it.
- Flashing factory images - ¶ + Flashing factory images
Reboot into the bootloader interface to begin the flashing procedure.
Next, extract the factory images and run the script to flash them. Note that the @@ -115,8 +112,7 @@ TMPDIR="$PWD/tmp" ./flash-all.sh
You should now proceed to locking the bootloader before using the device as locking wipes the data again.
- Locking the bootloader - ¶ + Locking the bootloader
Locking the bootloader is important as it enables full verified boot. It also prevents using fastboot to flash, format or erase partitions. Verified boot will @@ -131,14 +127,12 @@ TMPDIR="$PWD/tmp" ./flash-all.sh reset.
Unlocking the bootloader again will perform a factory reset.
- Disabling OEM unlocking - ¶ + Disabling OEM unlocking
OEM unlocking can be disabled again in the developer settings menu within the operating system after booting it up again.
- Verifying installation - ¶ + Verifying installation
Verified boot authenticates and validates the firmware images and OS from the hardware root of trust. Since GrapheneOS supports full verified boot, the OS images @@ -162,8 +156,7 @@ TMPDIR="$PWD/tmp" ./flash-all.sh device. That makes it best to get the pairing done right after installation. You can also consider setting up the optional remote attestation service.
- Replacing GrapheneOS with the stock OS - ¶ + Replacing GrapheneOS with the stock OS
Installation of the stock OS via the stock factory images is the same process described above. However, before locking, there's an additional step to fully revert diff --git a/static/releases.html b/static/releases.html index 6d7efe8a..2382d843 100644 --- a/static/releases.html +++ b/static/releases.html @@ -20,7 +20,7 @@ - + @@ -38,7 +38,9 @@
Releases
++ Releases +
These releases are available as both tags in the source code repositories and official builds.
The factory images are used for the initial installation and can be verified with
@@ -70,14 +72,12 @@
Version: PQ3A.190505.002.2019.05.18.20 Version: PQ3A.190505.002.2019.05.18.20 Version: PQ3A.190505.001.2019.05.18.20 Version: PQ3A.190505.001.2019.05.18.20 Version: PQ3A.190505.001.2019.05.18.20 Version: PQ3A.190505.001.2019.05.18.20 Version: PQ3A.190505.002.2019.05.18.20 Version: PQ3A.190505.002.2019.05.18.20 Version: PQ3A.190505.001.2019.05.18.20 Version: PQ3A.190505.001.2019.05.18.20 Version: PQ3A.190505.001.2019.05.18.20 Version: PQ3A.190505.001.2019.05.18.20 List of tagged releases. Snapshot releases without tags such as early releases of
the project and early device support releases are not listed. Tags: Tags: Tags: Tags:
- Stable channel
- ¶
+ Stable channel
- Pixel 3 XL
- ¶
+ Pixel 3 XL
@@ -88,8 +88,7 @@
- Pixel 3
- ¶
+ Pixel 3
@@ -100,8 +99,7 @@
- Pixel 2 XL
- ¶
+ Pixel 2 XL
@@ -112,8 +110,7 @@
- Pixel 2
- ¶
+ Pixel 2
@@ -124,8 +121,7 @@
- Pixel XL (legacy)
- ¶
+ Pixel XL (legacy)
@@ -137,7 +133,7 @@
Pixel (legacy)
- ¶
+ Pixel (legacy)
@@ -150,14 +146,12 @@
- Beta channel
- ¶
+ Beta channel
- Pixel 3 XL
- ¶
+ Pixel 3 XL
@@ -168,8 +162,7 @@
- Pixel 3
- ¶
+ Pixel 3
@@ -180,8 +173,7 @@
- Pixel 2 XL
- ¶
+ Pixel 2 XL
@@ -192,8 +184,7 @@
- Pixel 2
- ¶
+ Pixel 2
@@ -204,8 +195,7 @@
- Pixel XL (legacy)
- ¶
+ Pixel XL (legacy)
@@ -216,8 +206,7 @@
- Pixel (legacy)
- ¶
+ Pixel (legacy)
@@ -229,16 +218,14 @@
- Changelog
- ¶
+ Changelog
- 2019.05.18.20
- ¶
+ 2019.05.18.20
- 2019.05.08.15
- ¶
+ 2019.05.08.15
- 2019.05.07.00
- ¶
+ 2019.05.07.00
- 2019.04.01.19
- ¶
+ 2019.04.01.19
- 2019.03.05.03 - ¶ + 2019.03.05.03
Tags:
diff --git a/static/source.html b/static/source.html index db3bc556..1be77961 100644 --- a/static/source.html +++ b/static/source.html @@ -20,7 +20,7 @@ - + @@ -38,7 +38,9 @@Source
++ Source +
- OS issue tracker
- Website repository and issue tracker diff --git a/static/usage.html b/static/usage.html index ce0e8a78..dfbe4b52 100644 --- a/static/usage.html +++ b/static/usage.html @@ -20,7 +20,7 @@ - + @@ -38,19 +38,19 @@
Usage
++ Usage +
This guide is still very new and will be filled with lots of additional content over time.
- Auditor - ¶ + Auditor
See the tutorial page on the site for the attestation sub-project.
- Updates - ¶ + Updates
The update system implements automatic background updates. It checks for updates @@ -79,8 +79,7 @@
Release changelogs are available in a section on the releases page.
- Settings - ¶ + Settings
The settings are available in the Settings app in System ➔ Advanced ➔ Update @@ -106,8 +105,7 @@ if it's left completely idle.
- Security - ¶ + Security
The update server isn't a trusted party since updates are signed and verified along @@ -123,8 +121,7 @@ the Stable and Beta channels.
- Disabling - ¶ + Disabling
It's highly recommended to leave automatic updates enabled and to configure the @@ -135,8 +132,7 @@ updates.
- Default connections - ¶ + Default connections
GrapheneOS makes connections to the outside world to test connectivity, detect
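Review bot: in the static/grapheneos.css hunk, the new selector list (`h1 a, h1 a:visited` through `h6 a, h6 a:visited`) matches every link inside a heading, not only the self-anchors this patch introduces, so a heading that later contains an ordinary link would also render at `rgba(0, 0, 0, 0.87)` and stop looking like a link. Scoping the rule to a class on the permalink anchors would avoid that. Because the HTML hunks drop the `¶` marker from each heading, the only remaining cue that a heading is a permalink is the existing `a:hover { text-decoration: underline; }` rule in the context lines, which touch users never trigger and which does not cover keyboard focus. Adding a matching `:focus` rule, or keeping a marker that appears on hover and focus, would keep the anchors discoverable.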