Skip to content

Instantly share code, notes, and snippets.

@brandsimon

brandsimon/Readme.md

Last active Feb 20, 2021
Embed
What would you like to do?
Lineage Cheeseburger secure build

A secure LineageOS Chesseburger build

  • user build instead of userdebug build
  • all signing keys are private keys
  • use LineageOS recovery

Buildsystem

Use Debian 10 and install these packages. You need ~300 GB available space.

apt-get install bc bison build-essential ccache curl flex g++-multilib gcc-multilib git gnupg gperf imagemagick lib32ncurses5-dev lib32readline-dev lib32z1-dev liblz4-tool libncurses5 libncurses5-dev libsdl1.2-dev libssl-dev libxml2 libxml2-utils lzop pngcrush rsync schedtool squashfs-tools xsltproc zip zlib1g-dev fastboot adb libwxgtk3.0-dev git repo openjdk-11-jdk python3-protobuf brotli

Build

mkdir -p android/lineage ~/.android-certs/
cd android/lineage
repo init -u https://github.com/LineageOS/android.git -b lineage-16.0
repo sync

echo "Dont set a password for the verity key"
subject='/C=US/ST=California/L=Mountain View/O=Android/OU=Android/CN=Android/emailAddress=android@android.com'
for x in releasekey platform shared media networkstack testkey verity; do
        # $ANDROID_BUILD_TOP/development/tools/make_key
        development/tools/make_key ~/.android-certs/"$x" "$subject"
done

source build/envsetup.sh
echo "Extract cheeseburger blob, see: https://wiki.lineageos.org/extracting_blobs_from_zips.html"
tar xf ~/cheeseburger_blob_clean.tar -C vendor/
breakfast lineage_cheeseburger-user

mka generate_verity_key
# $ANDROID_HOST_OUT/bin/generate_verity_key
out/host/linux-x86/bin/generate_verity_key -convert ~/.android-certs/verity.x509.pem ~/.android-certs/verity

# remove key to be sure to not use it
rm vendor/lineage/build/target/product/security/lineage.x509.pem
# Add releasekey to recovery, to be able to update via sideload
mkdir -p vendor/lineage-priv/keys/
echo "PRODUCT_EXTRA_RECOVERY_KEYS := " > vendor/lineage-priv/keys/keys.mk
echo "PRODUCT_OTA_PUBLIC_KEYS := ${HOME}/.android-certs/releasekey.x509.pem" >> vendor/lineage-priv/keys/keys.mk
cp ~/.android-certs/verity.x509.pem kernel/oneplus/msm8998/certs/verity.x509.pem

export USE_CCACHE=1 CCACHE_EXEC=/usr/bin/ccache CCACHE_COMPRESS=1
ccache -M 50G
mka target-files-package otatools
./build/tools/releasetools/sign_target_files_apks -o --default_key_mappings ~/.android-certs --replace_verity_public_key ~/.android-certs/verity.pub --replace_verity_private_key ~/.android-certs/verity --replace_verity_keyid ~/.android-certs/verity.x509.pem $OUT/obj/PACKAGING/target_files_intermediates/*-target_files-*.zip signed-target_files.zip
./build/tools/releasetools/ota_from_target_files -k ~/.android-certs/releasekey --block --backup=true signed-target_files.zip signed-ota_update.zip
ls signed-ota_update.zip $OUT/recovery.img

Additional info

Update recovery

To update the recovery you can set the option persist.sys.recovery_update=true

echo "PRODUCT_PROPERTY_OVERRIDES += persist.sys.recovery_update=true" >> vendor/lineage-priv/keys/keys.mk
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment