this post was submitted on 19 Oct 2024

GrapheneOS version 2024101801 released:

https://grapheneos.org/releases#2024101801

See the linked release notes for a summary of the improvements over the previous release.

Forum discussion thread:

https://discuss.grapheneos.org/d/16564-grapheneos-version-2024101801-released

#GrapheneOS #privacy #security

[–] [email protected] 0 points 3 weeks ago (8 children)

@daedaevibin

> I was simply wondering why GrapheneOS didn't provide a ***pkmd.bin file as well

This is wrong and it's not clear where you get the idea that we don't use it. We were the first alternate OS using verified boot and DivestOS implemented it based on our documentation and scripts. We were the ones to reverse engineer the firmware, discover the avb_custom_key support and submit the documentation to AOSP for it.

> avb_custom_key partition

It is not a partition.

[–] [email protected] 1 points 3 weeks ago (3 children)

@[email protected]

> It seems to be a more efficient way to get it into the system for verification properly instead of other methods I've seen.

There is no other way to flash a key to the secure element for verified boot. That is how verified boot is implemented for an alternate OS. Both of our install processes flash the verified boot public key after flashing the OS. We were the first ones to ever use this functionality before they had official documentation, and we made the initial AOSP docs.

[–] [email protected] 0 points 3 weeks ago (2 children)

@GrapheneOS ah, got it. I see, like everything else since you don't seem to provide direct downloads you just have it all flashed at one time through the web interface (or whatever is being used). Right?

[–] [email protected] 0 points 3 weeks ago (1 children)

@daedaevibin It's included in the installation zip and flashed by either the web installer or the command-line flashing script included inside of the zip (flash-all.sh). We previously added the AVB public key to the standard factory images zip format but we recently moved to our own improved install zip format which we generate by converting factory images. Our own format is more efficient and allows installing significantly faster while using less memory and storage, that's all.

[–] [email protected] 1 points 3 weeks ago

@[email protected] We do provide direct downloads, which are available at https://grapheneos.org/releases#devices. Our CLI install process is documented at https://grapheneos.org/install/cli. The install zip is used for both CLI and web install. It includes the verified boot public key. There's no reason to make people flash it by hand with an extra command; we just flash it after flashing all the firmware and OS images.
