diff --git a/README.md b/README.md index cab8b11..24c1089 100644 --- a/README.md +++ b/README.md @@ -5,7 +5,8 @@ About **The OmniROM Project**'s nightly builds, making use of deltas when possible, to reduce the size of the download. -There's no reason you couldn't use it for weeklies or monthlies as well though! +There's no reason you couldn't use it for weeklies or monthlies or milestones as +well though! License @@ -31,17 +32,6 @@ and so we also re-sign the decompressed ZIPs with the same keys used to build Android. We create a second diff between the unsigned and re-signed ZIP file, so if needed the client can re-create a properly signed ZIP file. -At the time of this writing, that signature is not actually used. This is -because **OmniROM** doesn't use the public platform test keys, but private keys -specific to **OmniROM**. The recovery running on your device will most likely -not be built with these keys, and thus whole-file signature checking will -fail anyway (if enabled). So to save a bit of processing, this feature is -turned off by default. The needed files are generated and the client knows how -to deal with them, so enabling this feature is just a configuration switch away. - -**TODO** Update this signature documentation and "secure mode". Signature -verification can now be enabled. - The produced delta files are pushed to the public download server, and the current build is saved to a private location to serve as input for the next differential run. 
@@ -60,10 +50,70 @@ if you don't update for a number of builds, it can still reconstruct the latest build by chaining the deltas. It will check each delta if we already have intermediate files present - perhaps we already performed the work for the last build but never flashed it, for example. Based on all this information it will -device to either reconstruct the final flashable ZIP, or just download the +decide to either reconstruct the final flashable ZIP, or just download the latest full OTA and flash that. -Flashing is currently tested only against **TWRP**. + +Compatibility +------------- + +**OpenDelta** is developed for use with **TWRP**, and uses scripting to +accomplish its tasks. Other recoveries with *full* **OpenRecoveryScript** +*may* work as well, but are not tested against. + +**CWM** is not officially supported by **OpenDelta**, though if not +operating in **secure mode**, a script that *may* work with +*community-built* **CWM** versions is generated as well. *Official* +**CWM** builds (acquired from the CWM website or installed by +*ROM Manager*) are **not supported** as they disable scripting +capabilities. Even *if* this script works with your build, you may encounter +it using the wrong storage paths, failing verification, producing various +errors, etc. + + +Security +-------- + +The OTA ZIPs that **OpenDelta** downloads or re-generates are stored on +either internal or external storage. These locations are not secure, as any +malicious app can write to these locations, and with some careful timing +place its own update to be flashed instead of our update, thus gaining +full system access. + +Additionally, **OpenDelta** conveniently flashes ZIPs located in the +**FlashAfterUpdate** subfolder of its storage. A malicious app could add +its own ZIPs to the list, thus gaining full system access. + +**OpenDelta** has the capability to re-generate OTA ZIPs fully signed with +your private keys (without knowing them). 
Assuming you aren't using a set +of publicly known keys to sign your ZIPs (ouch!), this can be used to make +your update secure. + +Chances are that the recovery you are using does not have your public key +built-in for whole-file verification purposes, and thus verification would fail. +This is why **OpenDelta** also provides the capability to inject your public +key into the recovery. This public key is provided to the recovery through +the /cache partition, which non-privileged apps cannot write to. + +These features combined allows the recovery to verify the update signature +securely without the chance of a malicious app hijacking either the update +or the keys. However, this feature **only** works with **TWRP**, and the +signatures will not be checked by non-*OpenRecoveryScript* recoveries. It +also leaves open the **FlashAfterUpdate** hole, as ZIPs stored there by +the user will (likely) not be signed with the same keys as your update, +and thus their origins cannot be verified. + +If **OpenDelta** is configured with all the needed parts to re-generate the +OTA ZIPs fully signed, and verify the signatures in recovery, then **secure +mode** becomes available (whether or not it is enabled by default is also +a configuration switch). In **secure mode**, the public key injection and +signature verification features are enabled, additional ZIPs from the +**FlashAfterUpdate** subfolder will **not** be flashed, and the +**CWM**-compatibile script will **not** be generated. Unless your recovery +is compromised, this should provide for fully secure flashing. + +Of course, the user has the option to enable or disable this feature from the +actionbar menu. Bad builds
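Review bot: In the second hunk (`@@ -31,17 +32,6 @@`), dropping the "At the time of this writing, that signature is not actually used" paragraph and the TODO leaves the surviving sentence "so if needed the client can re-create a properly signed ZIP file" with no indication of whether that path is enabled or how; add a one-line cross-reference there to the new Security section (e.g. "see Security / secure mode below for when this is used and how it is enabled") so readers of the build description do not have to scroll to learn that verification is now available and configurable.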
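Review bot: In the third hunk (`@@ -60,10 +50,70 @@`), the closing claim of the secure-mode paragraph, "Unless your recovery is compromised, this should provide for fully secure flashing", overstates what the preceding text supports and should list its preconditions inline: the hunk itself says the signature is only checked by TWRP/OpenRecoveryScript recoveries, the scheme relies on /cache being unwritable by non-privileged apps, and the last paragraph lets the user switch secure mode off from the action bar, which re-opens the FlashAfterUpdate path described above; state the default for that switch (or recommend it be on by default) next to that sentence. Minor fixes in the same hunk: "**CWM**-compatibile script" should read "compatible", "These features combined allows" should read "allow", "are not tested against" reads better as "have not been tested", and there is a doubled blank line before the "Security" heading.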