security/hakurei.app
security/hakurei.app
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 4 Wiki Activity
hakurei.app/static/install.html
Daniel Micay cce6d66b10 make it harder to mess up obtaining fastboot 
This removes the link to the platform-tools releases page to discourage
using another approach to downloading and extracting it. The most common
mistake made by users is doing this their own way and ending up without
fastboot in their shell's path.
2020-12-23 18:15:26 -05:00

465 lines
27 KiB
HTML
Raw Blame History

<!DOCTYPE html>
<html lang="en" prefix="og: https://ogp.me/ns#">
<head>
<meta charset="utf-8"/>
<title>Install | GrapheneOS</title>
<meta name="description" content="Installation instructions for GrapheneOS, a security and privacy focused mobile OS with Android app compatibility."/>
<meta name="theme-color" content="#212121"/>
<meta name="msapplication-TileColor" content="#ffffff"/>
<meta name="viewport" content="width=device-width, initial-scale=1"/>
<meta name="twitter:site" content="@GrapheneOS"/>
<meta name="twitter:creator" content="@GrapheneOS"/>
<meta property="og:title" content="GrapheneOS install documentation"/>
<meta property="og:description" content="Installation instructions for GrapheneOS, a security and privacy focused mobile OS with Android app compatibility."/>
<meta property="og:type" content="website"/>
<meta property="og:image" content="https://grapheneos.org/opengraph.png"/>
<meta property="og:image:width" content="512"/>
<meta property="og:image:height" content="512"/>
<meta property="og:image:alt" content="GrapheneOS logo"/>
<meta property="og:url" content="https://grapheneos.org/install"/>
<meta property="og:site_name" content="GrapheneOS"/>
<link rel="icon" sizes="16x16 24x24 32x32 48x48 64x64" type="image/vnd.microsoft.icon" href="/favicon.ico"/>
<link rel="icon" sizes="any" type="image/svg+xml" href="/mask-icon.svg"/>
<link rel="mask-icon" href="/mask-icon.svg" color="#1a1a1a"/>
<link rel="stylesheet" href="/grapheneos.css?27"/>
<link rel="manifest" href="/manifest.webmanifest"/>
<link rel="canonical" href="https://grapheneos.org/install"/>
<link rel="license" href="/LICENSE.txt"/>
</head>
<body>
<header>
<nav id="site-menu">
<ul>
<li><a href="/">GrapheneOS</a></li>
<li><a href="/features">Features</a></li>
<li aria-current="page"><a href="/install">Install</a></li>
<li><a href="/build">Build</a></li>
<li><a href="/usage">Usage</a></li>
<li><a href="/faq">FAQ</a></li>
<li><a href="/releases">Releases</a></li>
<li><a href="/source">Source</a></li>
<li><a href="/donate">Donate</a></li>
<li><a href="/contact">Contact</a></li>
</ul>
</nav>
</header>
<main id="install">
<h1><a href="#install">Install</a></h1>
<p>This is a guide on installing GrapheneOS for the officially supported devices. It
can be followed for both the official releases and custom builds.</p>
<nav id="table-of-contents">
<h2><a href="#table-of-contents">Table of contents</a></h2>
<ul>
<li>
<a href="#prerequisites">Prerequisites</a>
<ul>
<li>
<a href="#obtaining-fastboot">Obtaining fastboot</a>
<ul>
<li><a href="#standalone-platform-tools">Standalone platform-tools</a></li>
</ul>
</li>
<li><a href="#obtaining-signify">Obtaining signify</a></li>
</ul>
</li>
<li><a href="#enabling-oem-unlocking">Enabling OEM unlocking</a></li>
<li><a href="#unlocking-the-bootloader">Unlocking the bootloader</a></li>
<li><a href="#obtaining-factory-images">Obtaining factory images</a></li>
<li>
<a href="#flashing-factory-images">Flashing factory images</a>
<ul>
<li><a href="#troubleshooting">Troubleshooting</a></li>
</ul>
</li>
<li><a href="#locking-the-bootloader">Locking the bootloader</a></li>
<li>
<a href="#post-installation">Post-installation</a>
<ul>
<li><a href="#disabling-oem-unlocking">Disabling OEM unlocking</a></li>
<li><a href="#verifying-installation">Verifying installation</a></li>
<li><a href="#replacing-grapheneos-with-the-stock-os">Replacing GrapheneOS with the stock OS</a></li>
<li><a href="#further-information">Further information</a></li>
</ul>
</li>
</ul>
</nav>
<section id="prerequisites">
<h2><a href="#prerequisites">Prerequisites</a></h2>
<p>You should have at least 2GB of free memory available.</p>
<p>You need a USB cable for attaching the device to a laptop or desktop. If it
doesn't have a USB-C port, you'll need a high quality USB-C to USB-A cable. Avoid
low quality USB hubs and cables including the low quality front panel hubs on many
desktop computers.</p>
<p>Windows 10, macOS Catalina, Arch Linux, Debian buster and Ubuntu 20.04 LTS are the
officially supported operating systems for installing GrapheneOS. You should make sure
your operating system is up-to-date before proceeding with these instructions. Older
versions and other Linux distributions usually work, but if you encounter problems try
using one of the officially supported options.</p>
<p>You need one of the officially supported devices. To make sure that the device can
be unlocked to install GrapheneOS, avoid carrier variants of the devices. Carrier
variants of Pixels use the same stock OS and firmware with a non-zero carrier id
flashed onto the persist partition in the factory. The carrier id activates
carrier-specific configuration in the stock OS including disabling carrier and
bootloader unlocking. The carrier may be able to remotely disable this, but their
support staff may not be aware and they probably won't do it. Get a carrier agnostic
device to avoid the risk and potential hassle. If you CAN figure out a way to unlock a
carrier device, it isn't a problem as GrapheneOS can just ignore the carrier id and
it's otherwise the same.</p>
<p>It's best practice to update the stock OS on the device to make sure it's running
the latest firmware before proceeding with these instructions. This avoids running
into bugs, missing features or other differences in older firmware versions. You can
either update the device via over-the-air updates or sideload a full update, which for
Pixel phones can be obtained from the
<a href="https://developers.google.com/android/ota">full update package page</a>.</p>
<p>These instructions use command-line tools. On Windows, use PowerShell rather than
the legacy Command Prompt.</p>
<section id="obtaining-fastboot">
<h3><a href="#obtaining-fastboot">Obtaining fastboot</a></h3>
<p>You need an updated copy of the <code>fastboot</code> tool and the
directory containing it needs to be included in the <code>PATH</code>
environment variable. You can run <code>fastboot --version</code> to determine
the current version. It must be at least <code>29.0.6</code>. You can use a
distribution package for this, but most of them mistakenly package development
snapshots of fastboot, clobber the standard version scheme for platform-tools
(adb, fastboot, etc.) with their own scheme and don't keep it up-to-date
despite that being crucial.</p>
<p>List of distribution packages:</p>
<ul>
<li>Arch Linux: <code>android-tools</code> provides fastboot and other useful
tools not required for installation such as adb. <code>android-udev</code>
provides udev rules allowing fastboot and adb to work in local sessions
without root.</li>
<li>Debian and Ubuntu: <code>android-sdk-platform-tools-common</code> provides
udev rules allowing fastboot and adb to work in local sessions without root.
The udev rules in Debian and Ubuntu are out-of-date, but it has the necessary
entries for Pixel phones. The adb and fastboot packages are currently both
broken and far too out-of-date to be any use, so avoid those. The version
check in the flashing script will prevent accidentally using these.</li>
</ul>
<section id="standalone-platform-tools">
<h4><a href="#standalone-platform-tools">Standalone platform-tools</a></h4>
<!-- https://developer.android.com/studio/releases/platform-tools -->
<p>If your operating system doesn't include a usable version of fastboot,
you can use the official standalone releases of platform-tools. This is
our recommendation for most users. The flashing process won't work unless
you follow these instructions including setting up PATH. If you close and
reopen the terminal after doing this, you'll need to set PATH again in the
new terminal.</p>
<p>To download, verify and extract the standalone platform-tools on Linux:</p>
<pre>curl -O https://dl.google.com/android/repository/platform-tools_r30.0.5-linux.zip
echo 'd6d72d006c03bd55d49b6cef9f00295db02f0a31da10e121427e1f4cb43e7cb9 platform-tools_r30.0.5-linux.zip' | sha256sum -c
unzip platform-tools_r30.0.5-linux.zip</pre>
<p>To download, verify and extract the standalone platform-tools on macOS:</p>
<pre>curl -O https://dl.google.com/android/repository/eabcd8b4b7ab518c6af9c941af8494072f17ec4b.platform-tools_r30.0.5-darwin.zip
echo 'SHA256 (eabcd8b4b7ab518c6af9c941af8494072f17ec4b.platform-tools_r30.0.5-darwin.zip) = e5780bad71a53cf9d693e1053a0748f49e4a67cc1f71d16a94ab4c943af3345f' | shasum -c
tar xvf eabcd8b4b7ab518c6af9c941af8494072f17ec4b.platform-tools_r30.0.5-darwin.zip</pre>
<p>To download, verify and extract the standalone platform-tools on Windows:</p>
<pre>curl.exe -O https://dl.google.com/android/repository/platform-tools_r30.0.5-windows.zip
(Get-FileHash platform-tools_r30.0.5-windows.zip).hash -eq "549ba2bdc31f335eb8a504f005f77606a479cc216d6b64a3e8b64c780003661f"
tar xvf platform-tools_r30.0.5-windows.zip</pre>
<p>Next, add the tools to your <code>PATH</code> in the current shell so they can be
used without referencing them by file path, enabling usage by the flashing script.</p>
<p>On Linux and macOS:</p>
<pre>export PATH="$PWD/platform-tools:$PATH"</pre>
<p>On Windows:</p>
<pre>$env:Path = "$pwd\platform-tools;$env:Path"</pre>
<p>Sample output from <code>fastboot --version</code> afterwards:</p>
<pre>fastboot version 30.0.5-6877874
Installed as /home/username/downloads/platform-tools/fastboot</pre>
<p>This is a temporary change to <code>PATH</code> for the current shell and will need
to be done again if you open a new terminal. Make sure that the <code>fastboot</code>
command works in the current shell before trying to run the flashing script.</p>
</section>
</section>
<section id="obtaining-signify">
<h3><a href="#obtaining-signify">Obtaining signify</a></h3>
<p>To verify the download of the OS beyond the security offered by HTTPS, you can use
the signify tool. If you do not have a way to obtain signify from a package repository
you're already trusting, it does not make sense to use it. GrapheneOS releases are
hosted on our servers and we do not have third party mirrors. A compromised signify
would be able to compromise your OS and the GrapheneOS download due to the lack of an
application security model on traditional operating systems. It would be worse than
not trying to verify the signatures. It's far less likely that our servers would be
compromised than someone's GitHub account or GitHub itself. You're already trusting
these installation instructions from our site, which is hosted on the same static web
server infrastructure as the releases.</p>
<p>List of distribution packages:</p>
<ul>
<li>Arch Linux: <code>signify</code></li>
<li>Debian: <code>signify-openbsd</code> with the command renamed to <code>signify-openbsd</code></li>
<li>Ubuntu: <code>signify-openbsd</code> with the command renamed to <code>signify-openbsd</code></li>
</ul>
<p>On Debian-based distributions, the <code>signify</code> package and command are an
<a href="http://signify.sourceforge.net/" rel="nofollow">unmaintained mail-related
tool for generating mail signatures (not cryptographic signatures)</a> with the final
releases from 2003-2004 made directly by the developer via the Debian package without
upstream releases. Please pressure them to correct this usability issue.</p>
</section>
</section>
<section id="enabling-oem-unlocking">
<h2><a href="#enabling-oem-unlocking">Enabling OEM unlocking</a></h2>
<p>OEM unlocking needs to be enabled from within the operating system.</p>
<p>Enable the developer options menu by going to Settings ➔ About phone and
pressing on the build number menu entry until developer mode is enabled.</p>
<p>Next, go to Settings ➔ System ➔ Advanced ➔ Developer options and toggle on the
'Enable OEM unlocking' setting. This requires internet access on devices with Google
Play services as part of Factory Reset Protection (FRP) for anti-theft protection.</p>
</section>
<section id="unlocking-the-bootloader">
<h2><a href="#unlocking-the-bootloader">Unlocking the bootloader</a></h2>
<p>First, boot into the bootloader interface. You can do this by turning off the
device and then turning it on by holding both the Volume Down and Power buttons.</p>
<p>Unlock the bootloader to allow flashing the OS and firmware:</p>
<pre>fastboot flashing unlock</pre>
<p>The command needs to be confirmed on the device and will wipe all data.</p>
</section>
<section id="obtaining-factory-images">
<h2><a href="#obtaining-factory-images">Obtaining factory images</a></h2>
<p>You need to obtain the GrapheneOS factory images for your device to proceed with
the installation process.</p>
<p>You can either download the files with your browser or using a command like
<code>curl</code>. It's generally easier to use the command-line since you're already
using it for the rest of the installation process, so these instructions use
<code>curl</code>.</p>
<p>On Windows, remove PowerShell's legacy curl alias for the current shell to avoid
needing to reference it as <code>curl.exe</code> instead of <code>curl</code>:</p>
<pre>Remove-Item Alias:Curl</pre>
<p>Download <a href="https://releases.grapheneos.org/factory.pub">the factory images
public key (factory.pub)</a> in order to verify the factory images:</p>
<pre>curl -O https://releases.grapheneos.org/factory.pub</pre>
<p>This is the content of <code>factory.pub</code>:</p>
<pre>untrusted comment: GrapheneOS factory images public key
RWQZW9NItOuQYJ86EooQBxScfclrWiieJtAO9GpnfEjKbCO/3FriLGX3</pre>
<p>The public key has also been published via the official
<a href="https://twitter.com/GrapheneOS/status/1145259815851253762">@GrapheneOS Twitter
account</a>,
<a href="https://www.reddit.com/r/GrapheneOS/comments/c7gb3f/grapheneos_factory_images_are_now_signed_with/esewpm9">the /u/GrapheneOS
Reddit account</a> and <a href="https://github.com/GrapheneOS/releases.grapheneos.org/blob/master/static/factory.pub">is available on GitHub</a>.
When the current signing key is replaced, the new key will be signed with it.</p>
<p>Download the factory images for the device from <a href="/releases">the releases
page</a>. For example, to download the 2020.12.12.03 release for the Pixel 4a (sunfish):</p>
<pre>curl -O https://releases.grapheneos.org/sunfish-factory-2020.12.12.03.zip
curl -O https://releases.grapheneos.org/sunfish-factory-2020.12.12.03.zip.sig</pre>
<p>Verify the factory images using the signature if you were able to obtain
<code>signify</code> from trusted package repositories (see above), otherwise
continue on to the next section without this:</p>
<pre>signify -Cqp factory.pub -x sunfish-factory-2020.12.12.03.zip.sig &amp;&amp; echo verified</pre>
<p>This will output <code>verified</code> if verification is successful. If something
goes wrong, it will output an error message rather than <code>verified</code>.</p>
</section>
<section id="flashing-factory-images">
<h2><a href="#flashing-factory-images">Flashing factory images</a></h2>
<p>The initial install will be performed by flashing the factory images. This will
replace the existing OS installation and wipe all the existing data.</p>
<p>Next, extract the factory images.</p>
<p>On Linux:</p>
<pre>unzip sunfish-factory-2020.12.12.03.zip</pre>
<p>On macOS and Windows:</p>
<pre>tar xvf sunfish-factory-2020.12.12.03.zip</pre>
<p>Move into the directory:</p>
<pre>cd sunfish-factory-2020.12.12.03</pre>
<p>Flash the images with the flash-all script in the directory.</p>
<p>On Linux and macOS:</p>
<pre>./flash-all.sh</pre>
<p>On Windows:</p>
<pre>./flash-all.bat</pre>
<p>Wait for the flashing process to complete and proceed to <a href="#locking-the-bootloader">locking the bootloader</a>
before using the device as locking wipes the data again.</p>
<section id="troubleshooting">
<h3><a href="#troubleshooting">Troubleshooting</a></h3>
<p>A common issue on Linux distributions is that they mount the default temporary file
directory <code>/tmp</code> as tmpfs which results in it being backed by memory and
swap rather than persistent storage. By default, the size is 50% of the available
virtual memory. This is often not enough for the flashing process, especially since
<code>/tmp</code> is shared between applications and users. To use a different
temporary directory if your <code>/tmp</code> doesn't have enough space available:</p>
<pre>mkdir tmp
TMPDIR="$PWD/tmp" ./flash-all.sh</pre>
<p>A majority of failed flashes tend to be caused by substandard USB connectors,
plugging in via hubs or bad cables which aren't properly up to the USB standard. The
scrollback from a failed flash will contain valuable diagnostic information which
is essential in knowing where and how the process went wrong.</p>
<p>Front I/O ports on desktop computer cases and USB 3.1 or USB C on many laptops
often aren't implemented properly or are broken in subtle ways, which may cause flashing
to fail even on a USB port that works for other peripherals. Older Linux kernels that
predate version 5 may have inadequate or patchwork support for USB C or USB 3. If you
are installing from a Linux distribution, ensure your distribution uses a modern
kernel.</p>
<p>Always use a high quality USB A to USB C cable with a rear USB port directly on your
motherboard, and never use a USB hub for flashing. <em>Never install from a virtual
machine;</em> USB passthrough in software emulation may be broken or inadequate and this
can cause the flashing to fail.</p>
</section>
</section>
<section id="locking-the-bootloader">
<h2><a href="#locking-the-bootloader">Locking the bootloader</a></h2>
<p>Locking the bootloader is important as it enables full verified boot. It also
prevents using fastboot to flash, format or erase partitions. Verified boot will
detect modifications to any of the OS partitions and it will prevent reading any
modified / corrupted data. If changes are detected, error correction data is used
to attempt to obtain the original data at which point it's verified again which
makes verified boot robust to non-malicious corruption.</p>
<p>In the bootloader interface, set it to locked:</p>
<pre>fastboot flashing lock</pre>
<p>The command needs to be confirmed on the device and will wipe all data.</p>
</section>
<section id="post-installation">
<h2><a href="#post-installation">Post-installation</a></h2>
<section id="disabling-oem-unlocking">
<h3><a href="#disabling-oem-unlocking">Disabling OEM unlocking</a></h3>
<p>OEM unlocking can be disabled again in the developer settings menu within the
operating system after booting it up again.</p>
</section>
<section id="verifying-installation">
<h3><a href="#verifying-installation">Verifying installation</a></h3>
<p>Verified boot authenticates and validates the firmware images and OS from the
hardware root of trust. Since GrapheneOS supports full verified boot, the OS images
are entirely verified. However, it's possible that the computer you used to flash the
OS was compromised, leading to flashing a malicious verified boot public key and
images. To detect this kind of attack, you can use the Auditor app included in
GrapheneOS in the Auditee mode and verify it with another Android device in the
Auditor mode. The Auditor app works best once it's already paired with a device and
has pinned a persistent hardware-backed key and the attestation certificate chain.
However, it can still provide a bit of security for the initial verification via the
attestation root. Ideally, you should also do this before connecting the device to the
network, so an attacker can't proxy to another device (which stops being possible
after the initial verification). Further protection against proxying the initial
pairing will be provided in the future via optional support for ID attestation to
include the serial number in the hardware verified information to allow checking
against the one on the box / displayed in the bootloader. See the
<a href="https://attestation.app/tutorial">Auditor tutorial</a> for a guide.</p>
<p>After the initial verification, which results in pairing, performing verification
against between the same Auditor and Auditee (as long as the app data hasn't been
cleared) will provide strong validation of the identity and integrity of the
device. That makes it best to get the pairing done right after installation. You can
also consider setting up the optional remote attestation service.</p>
</section>
<section id="replacing-grapheneos-with-the-stock-os">
<h3><a href="#replacing-grapheneos-with-the-stock-os">Replacing GrapheneOS with the stock OS</a></h3>
<p>Installation of the stock OS via the stock factory images is the same process
described above. However, before locking, there's an additional step to fully revert
the device to a clean factory state.</p>
<p>The GrapheneOS factory images flash a non-stock Android Verified Boot key which
needs to be erased to fully revert back to a stock device state. After flashing the
stock factory images and before locking the bootloader, you should erase the custom
Android Verified Boot key to untrust it:</p>
<pre>fastboot erase avb_custom_key</pre>
</section>
<section id="further-information">
<h3><a href="#further-information">Further information</a></h3>
<p>Please look through the <a href="/usage">usage guide</a> and
<a href="/faq">FAQ</a> for more information. If you have further questions not
covered by the site, join the <a href="/contact#community">official GrapheneOS
chat channels</a> and ask the questions in the appropriate channel.</p>
</section>
</section>
</main>
<footer>
<a href="/"><img src="/logo.png" width="512" height="512" alt=""/>GrapheneOS</a>
<ul id="social">
<li><a href="https://twitter.com/GrapheneOS">Twitter</a></li>
<li><a href="https://github.com/GrapheneOS">GitHub</a></li>
<li><a href="https://reddit.com/r/GrapheneOS">Reddit</a></li>
</ul>
</footer>
</body>
</html>
Reference in New Issue View Git Blame Copy Permalink