From d183c966c571a2fe48d37bf066ee00d241cb3add Mon Sep 17 00:00:00 2001 From: Daniel Micay Date: Thu, 9 May 2019 16:11:33 -0400 Subject: [PATCH] add header links to build documentation --- static/build.html | 90 +++++++++++++++++++++++++++++++++++++---------- 1 file changed, 72 insertions(+), 18 deletions(-) diff --git a/static/build.html b/static/build.html index 27bb09e5..64d7dfc6 100644 --- a/static/build.html +++ b/static/build.html @@ -34,7 +34,10 @@

Build

-

Build dependencies

+

+ Build dependencies + +

-

Downloading source code

+

+ Downloading source code + +

Since this is syncing the sources for the entire operating system and application layer, it will use a lot of bandwidth and storage space.

@@ -53,7 +59,10 @@ for developing a feature. It's easier to port between stable tags that are known to work properly than dealing with a moving target.

-

Development branch

+

+ Development branch + +

The pie branch is currently used for all supported devices:

@@ -66,7 +75,10 @@ repo sync -j32 repo sync command again as many times as needed for it to fully succeed.

-

Stable release

+

+ Stable release + +

Pick a specific build for a device from the releases page and download the source tree. Note that some devices use different Android Open Source @@ -100,7 +112,10 @@ cd ../..

Note that the repo command itself takes care of updating itself and uses gpg to verify by default.

-

Updating and switching branches/tags

+

+ Updating and switching branches or tags + +

To update the source tree, run the repo init command again to select the branch or tag and then run repo sync -j32 again. You may need to add @@ -110,7 +125,10 @@ cd ../.. need to run repo init again to continue down the same branch since GrapheneOS only provides a stable history via tags.

-

Chromium and WebView

+

+ Chromium and WebView + +

Before building GrapheneOS, you need to build Chromium for the WebView and optionally the standalone browser app. GrapheneOS uses a hardened fork of @@ -160,7 +178,10 @@ git am ../chromium_patches/*.patch the standalone WebView isn't whitelisted in frameworks/base/core/res/res/xml/config_webview_packages.

-

Kernel

+

+ Kernel + +

The kernel needs to be built in advance, since it uses a separate build system.

@@ -185,7 +206,10 @@ git submodule update --init releases require building the verity public key into the kernel so the keys need to be generated per the instructions below before building the kernel.

-

Setting up the OS build environment

+

+ Setting up the OS build environment + +

The build has to be done from bash as envsetup.sh is not compatible with other shells like zsh.

@@ -203,7 +227,10 @@ git submodule update --init should be user builds as they are significantly more secure and don't make additional performance sacrifices to improve debugging.

-

Reproducible builds

+

+ Reproducible builds + +

To reproduce a past build, you need to export BUILD_DATETIME and BUILD_NUMBER to the values set for the past build. These can be obtained @@ -218,7 +245,10 @@ git submodule update --init different keys you need to stick to comparing everything other than the signatures.

-

Extracting vendor files for Pixel devices

+

+ Extracting vendor files for Pixel devices + +

This section does not apply to devices where no extra vendor files are required (HiKey, HiKey 960, emulator, generic targets).

@@ -240,7 +270,10 @@ mv vendor/android-prepare-vendor/DEVICE/BUILD_ID/vendor/google_devices/* vendor/

Note that android-prepare-vendor is non-deterministic unless a timestamp parameter is passed with --timestamp (seconds since Epoch).

-

Building

+

+ Building + +

Incremental builds (i.e. starting from the old build) usually work for development and are the normal way to develop changes. However, there are cases where changes are @@ -256,7 +289,10 @@ mv vendor/android-prepare-vendor/DEVICE/BUILD_ID/vendor/google_devices/* vendor/ 

make target-files-package -j20
-

Faster builds for development use only

+

+ Faster builds for development use only + +

The normal production build process involves building a target files package to be resigned with secure release keys and then converted into factory images and/or an @@ -276,7 +312,10 @@ mv vendor/android-prepare-vendor/DEVICE/BUILD_ID/vendor/google_devices/* vendor/ lot more sense to test it with proper signing keys rather than the default public test keys.

-

Generating release signing keys

+

+ Generating release signing keys + +

Keys need to be generated for resigning completed builds from the publicly available test keys. The keys must then be reused for subsequent builds and cannot be @@ -298,7 +337,10 @@ mv vendor/android-prepare-vendor/DEVICE/BUILD_ID/vendor/google_devices/* vendor/ releases require building the verity public key into the kernel, so this needs to be done before building the kernel

-

Android Verified Boot 1.0

+

+ Android Verified Boot 1.0 + +

To generate keys for marlin (you should use unique keys per device variant):

@@ -323,7 +365,10 @@ out/host/linux-x86/bin/generate_verity_key -convert keys/marlin/verity.x509.pem

The same kernel and device repository is used for the Pixel and Pixel XL. There's no separate sailfish kernel.

-

Android Verified Boot 2.0 (AVB)

+

+ Android Verified Boot 2.0 (AVB) + +

To generate keys for crosshatch (you should use unique keys per device variant):

@@ -341,7 +386,10 @@ cd ../..

The avb_pkmd.bin file isn't needed for generating a signed release but rather to set the public key used by the device to enforce verified boot.

-

Generating signed factory images and full update packages

+

+ Generating signed factory images and full update packages + +

Build the tool needed to generate A/B updates:

@@ -359,13 +407,19 @@ cd ../.. incremental updates from those to the most recent signed target_files zip.

-

Prebuilt code

+

+ Prebuilt code + +

Like the Android Open Source Project, GrapheneOS contains some code that's built separately and then bundled into the source tree as binaries. This section will be gradually expanded to cover building all of it. -

Prebuilt apps

+

+ Prebuilt apps + +

The Auditor app is simply built from the latest upstream tag and bundled as an apk into external/ repositories. There are no modifications to it for GrapheneOS.