security/hakurei.app
security/hakurei.app
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 4 Wiki Activity
hakurei.app/static/install/web.html
Danny Lin e582d6ca45 web-install: Implement Android reconnection callback 
On Android, Chromium does not support automatic reconnection. The user
must manually pair the device after every reboot in order for
fastboot.js to reconnect to it. Unfortunately, this requires the user of
the library to get involved because USB device connction requests are
only allowed as the result of explicit user action, so we need to add a
reconnect request callback for the user to handle.
2021-01-29 22:15:04 -05:00

279 lines
16 KiB
HTML
Raw Blame History

<!DOCTYPE html>
<html lang="en" prefix="og: https://ogp.me/ns#">
<head>
<meta charset="utf-8"/>
<title>Web | Install | GrapheneOS</title>
<meta name="description" content="Web-based installer for GrapheneOS, a security and privacy focused mobile OS with Android app compatibility."/>
<meta name="theme-color" content="#212121"/>
<meta name="msapplication-TileColor" content="#ffffff"/>
<meta name="viewport" content="width=device-width, initial-scale=1"/>
<meta name="twitter:site" content="@GrapheneOS"/>
<meta name="twitter:creator" content="@GrapheneOS"/>
<meta property="og:title" content="GrapheneOS web install guide"/>
<meta property="og:description" content="Web-based installer for GrapheneOS, a security and privacy focused mobile OS with Android app compatibility."/>
<meta property="og:type" content="website"/>
<meta property="og:image" content="https://grapheneos.org/opengraph.png"/>
<meta property="og:image:width" content="512"/>
<meta property="og:image:height" content="512"/>
<meta property="og:image:alt" content="GrapheneOS logo"/>
<meta property="og:site_name" content="GrapheneOS"/>
<meta property="og:url" content="https://grapheneos.org/install/web"/>
<link rel="canonical" href="https://grapheneos.org/install/web"/>
<link rel="icon" sizes="16x16 24x24 32x32 48x48 64x64" type="image/vnd.microsoft.icon" href="/favicon.ico"/>
<link rel="icon" sizes="any" type="image/svg+xml" href="/mask-icon.svg"/>
<link rel="mask-icon" href="/mask-icon.svg" color="#1a1a1a"/>
<link rel="apple-touch-icon" href="/apple-touch-icon.png"/>
<link rel="stylesheet" href="/grapheneos.css?29"/>
<link rel="manifest" href="/manifest.webmanifest"/>
<link rel="license" href="/LICENSE.txt"/>
<script type="module" src="/js/redirect.js?9"></script>
<script type="module" src="/js/fastboot/dist/fastboot.min.mjs?1"></script>
<script type="module" src="/js/web-install.js?5"></script>
</head>
<body>
<header>
<nav id="site-menu">
<ul>
<li><a href="/">GrapheneOS</a></li>
<li><a href="/features">Features</a></li>
<li><a href="/install/">Install</a></li>
<li><a href="/build">Build</a></li>
<li><a href="/usage">Usage</a></li>
<li><a href="/faq">FAQ</a></li>
<li><a href="/releases">Releases</a></li>
<li><a href="/source">Source</a></li>
<li><a href="/articles/">Articles</a></li>
<li><a href="/donate">Donate</a></li>
<li><a href="/contact">Contact</a></li>
</ul>
</nav>
</header>
<main id="web-install">
<h1><a href="#web-install">Web install</a></h1>
<p>This is an <strong>experimental</strong> WebUSB-based installer for GrapheneOS.
Consider using the <a href="/install/cli">command-line installation guide</a> until
this has been more thoroughly tested.</p>
<section id="prerequisites">
<h2><a href="#prerequisites">Prerequisites</a></h2>
<p>You should have at least 2GB of free memory available and 8GB of free storage
space.</p>
<p>You need a USB cable for attaching the device to a laptop or desktop. Whenever
possible, use the high quality standards compliant USB-C cable packaged with the
device. If your computer doesn't have any USB-C ports, you'll need a high quality
USB-C to USB-A cable. You should avoid using a USB hub such as the front panel on
a desktop computer case. Connect directly to a rear port on a desktop or the ports
on a laptop. Many widely distributed USB cables and hubs are broken and are the
most common source of issues for installing GrapheneOS.</p>
<p>Installing from an OS in a virtual machine is not recommended. USB passthrough
is often not reliable. To rule out these problems, install from an OS running on
bare metal. Virtual machines are also often configured to have overly limited
memory and storage space.</p>
<p>Windows 10, macOS Big Sur, Arch Linux, Debian buster and Ubuntu 20.04 LTS are the
officially supported operating systems for installing GrapheneOS. You should make sure
your operating system is up-to-date before proceeding with these instructions. Older
versions and other Linux distributions usually work, but if you encounter problems try
using one of the officially supported options.</p>
<p>For this web-based installation process, the latest stable release of Chromium,
Chrome or Microsoft Edge is recommended. Other Chromium-based browsers will likely
work but these are the ones that we test.</p>
<p>You need one of the officially supported devices. To make sure that the device can
be unlocked to install GrapheneOS, avoid carrier variants of the devices. Carrier
variants of Pixels use the same stock OS and firmware with a non-zero carrier id
flashed onto the persist partition in the factory. The carrier id activates
carrier-specific configuration in the stock OS including disabling carrier and
bootloader unlocking. The carrier may be able to remotely disable this, but their
support staff may not be aware and they probably won't do it. Get a carrier agnostic
device to avoid the risk and potential hassle. If you CAN figure out a way to unlock a
carrier device, it isn't a problem as GrapheneOS can just ignore the carrier id
and the hardware is the same.</p>
<p>It's best practice to update the stock OS on the device to make sure it's running
the latest firmware before proceeding with these instructions. This avoids running
into bugs, missing features or other differences in older firmware versions. You can
either update the device via over-the-air updates or sideload a full update, which for
Pixel phones can be obtained from the
<a href="https://developers.google.com/android/ota">full update package page</a>.</p>
</section>
<section id="enabling-oem-unlocking">
<h2><a href="#enabling-oem-unlocking">Enabling OEM unlocking</a></h2>
<p>OEM unlocking needs to be enabled from within the operating system.</p>
<p>Enable the developer options menu by going to Settings ➔ About phone and
pressing on the build number menu entry until developer mode is enabled.</p>
<p>Next, go to Settings ➔ System ➔ Advanced ➔ Developer options and toggle on the
'Enable OEM unlocking' setting. This requires internet access on devices with Google
Play services as part of Factory Reset Protection (FRP) for anti-theft protection.</p>
</section>
<section id="flashing-as-non-root">
<h2><a href="#flashing-as-non-root">Flashing as non-root</a></h2>
<p>On Linux, in order for to connect to a device as non-root, the appropriate udev
rules need to be set up. This is not an issue on either macOS or Windows.</p>
<p>On Arch Linux, install the <code>android-udev</code> package. On Debian and
Ubuntu, install the <code>android-sdk-platform-tools-common</code> package.</p>
</section>
<section id="connecting-phone">
<h2><a href="#connecting-phone">Connecting the phone</a></h2>
<p>Connect the phone to the computer. On Linux, you'll need to do this again if
you didn't have the udev rules set up when you connected it.</p>
</section>
<section id="unlocking-the-bootloader">
<h2><a href="#unlocking-the-bootloader">Unlocking the bootloader</a></h2>
<p>First, boot into the bootloader interface. You can do this by turning off the
device and then turning it on by holding both the Volume Down and Power buttons.</p>
<p>Unlock the bootloader to allow flashing the OS and firmware:</p>
<button id="unlock-bootloader-button" disabled="disabled">Unlock bootloader</button>
<p>The command needs to be confirmed on the device and will wipe all data. Use one
of the volume keys to switch the selection to accepting it and the power button to
confirm.</p>
<p><strong id="unlock-bootloader-status"></strong></p>
</section>
<section id="obtaining-factory-images">
<h2><a href="#obtaining-factory-images">Obtaining factory images</a></h2>
<p>You need to obtain the GrapheneOS factory images for your device to proceed with
the installation process.</p>
<p>Press the button below to start the download:</p>
<button id="download-release-button" disabled="disabled">Download release</button>
<p><strong id="download-release-status"></strong></p>
</section>
<section id="flashing-factory-images">
<h2><a href="#flashing-factory-images">Flashing factory images</a></h2>
<p>The initial install will be performed by flashing the factory images. This will
replace the existing OS installation and wipe all the existing data.</p>
<button id="flash-release-button" disabled="disabled">Flash release</button>
<p>Wait for the flashing process to complete. It will automatically handle
flashing the firmware, rebooting into the bootloader interface, flashing the core
OS, rebooting into the userspace fastboot mode, flashing the rest of the OS and
finally rebooting back into the bootloader interface. Avoid interacting with the
device until flashing is finished and the device is back at the bootloader menu.
Then, proceed to <a href="#locking-the-bootloader">locking the bootloader</a>
before using the device as locking wipes the data again.</p>
<p>
<strong id="flash-release-status"></strong>
<!-- This appears as part of the status -->
<button id="flash-reconnect-button" style="display: none;"><strong>Reconnect device</strong></button>
</p>
</section>
<section id="locking-the-bootloader">
<h2><a href="#locking-the-bootloader">Locking the bootloader</a></h2>
<p>Locking the bootloader is important as it enables full verified boot. It also
prevents using fastboot to flash, format or erase partitions. Verified boot will
detect modifications to any of the OS partitions and it will prevent reading any
modified / corrupted data. If changes are detected, error correction data is used
to attempt to obtain the original data at which point it's verified again which
makes verified boot robust to non-malicious corruption.</p>
<p>In the bootloader interface, set it to locked:</p>
<button id="lock-bootloader-button" disabled="disabled">Lock bootloader</button>
<p>The command needs to be confirmed on the device and will wipe all data. Use one
of the volume buttons to switch the selection to accepting it and the power button
to confirm.</p>
<p><strong id="lock-bootloader-status"></strong></p>
</section>
<section id="post-installation">
<h2><a href="#post-installation">Post-installation</a></h2>
<section id="booting">
<h3><a href="#booting">Booting</a></h3>
<p>You've now successfully installed GrapheneOS and can boot it. Pressing the
power button with the default Start option selected in the bootloader menu
will boot the OS.</p>
</section>
<section id="disabling-oem-unlocking">
<h3><a href="#disabling-oem-unlocking">Disabling OEM unlocking</a></h3>
<p>OEM unlocking can be disabled again in the developer settings menu within the
operating system after booting it up again.</p>
</section>
<section id="verifying-installation">
<h3><a href="#verifying-installation">Verifying installation</a></h3>
<p>Verified boot authenticates and validates the firmware images and OS from the
hardware root of trust. Since GrapheneOS supports full verified boot, the OS images
are entirely verified. However, it's possible that the computer you used to flash the
OS was compromised, leading to flashing a malicious verified boot public key and
images. To detect this kind of attack, you can use the Auditor app included in
GrapheneOS in the Auditee mode and verify it with another Android device in the
Auditor mode.</p>
<p>The Auditor app works best once it's already paired with a device and has
pinned a persistent hardware-backed key and the attestation certificate chain.
However, it can still provide a bit of security for the initial verification
via the attestation root. Ideally, you should also do this before connecting
the device to the network, so an attacker can't proxy to another device (which
stops being possible after the initial verification). Further protection
against proxying the initial pairing will be provided in the future via
optional support for ID attestation to include the serial number in the
hardware verified information to allow checking against the one on the box /
displayed in the bootloader. See the <a href="https://attestation.app/tutorial">Auditor tutorial</a>
for a guide.</p>
<p>After the initial verification, which results in pairing, performing verification
against between the same Auditor and Auditee (as long as the app data hasn't been
cleared) will provide strong validation of the identity and integrity of the
device. That makes it best to get the pairing done right after installation. You can
also consider setting up the optional remote attestation service.</p>
</section>
<section id="further-information">
<h3><a href="#further-information">Further information</a></h3>
<p>Please look through the <a href="/usage">usage guide</a> and
<a href="/faq">FAQ</a> for more information. If you have further questions not
covered by the site, join the <a href="/contact#community">official GrapheneOS
chat channels</a> and ask the questions in the appropriate channel.</p>
</section>
</section>
</main>
<footer>
<a href="/"><img src="/logo.png" width="512" height="512" alt=""/>GrapheneOS</a>
<ul id="social">
<li><a href="https://twitter.com/GrapheneOS">Twitter</a></li>
<li><a href="https://github.com/GrapheneOS">GitHub</a></li>
<li><a href="https://reddit.com/r/GrapheneOS">Reddit</a></li>
<li><a href="https://www.linkedin.com/company/grapheneos/">LinkedIn</a></li>
</ul>
</footer>
</body>
</html>
Reference in New Issue View Git Blame Copy Permalink