Update README with new security features
parent ac09391b5b
commit b69236396c
78 README.md
@ -5,7 +5,8 @@ About
**The OmniROM Project**'s nightly builds, making use of deltas when possible,
to reduce the size of the download.

There's no reason you couldn't use it for weeklies or monthlies as well though!
There's no reason you couldn't use it for weeklies or monthlies or milestones as
well though!


License
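Review bot: the added line repeats "or" ("weeklies or monthlies or milestones"); "weeklies, monthlies or milestones" reads better. The rewrap onto "milestones as" / "well though!" is fine for the README's line width.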
@ -31,17 +32,6 @@ and so we also re-sign the decompressed ZIPs with the same keys used to build
Android. We create a second diff between the unsigned and re-signed ZIP file,
so if needed the client can re-create a properly signed ZIP file.

At the time of this writing, that signature is not actually used. This is
because **OmniROM** doesn't use the public platform test keys, but private keys
specific to **OmniROM**. The recovery running on your device will most likely
not be built with these keys, and thus whole-file signature checking will
fail anyway (if enabled). So to save a bit of processing, this feature is
turned off by default. The needed files are generated and the client knows how
to deal with them, so enabling this feature is just a configuration switch away.

**TODO** Update this signature documentation and "secure mode". Signature
verification can now be enabled.

The produced delta files are pushed to the public download server, and the
current build is saved to a private location to serve as input for the next
differential run.
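Review bot: deleting the "At the time of this writing" paragraph and the TODO leaves the preceding context ("We create a second diff between the unsigned and re-signed ZIP file, so if needed the client can re-create a properly signed ZIP file") with no statement of when that signed ZIP is actually used or verified, and it also drops the only mention that the feature is off by default. Suggest replacing the removed paragraph with a one-line pointer to the Security section and secure mode rather than leaving the re-sign diff unexplained.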
@ -60,10 +50,70 @@ if you don't update for a number of builds, it can still reconstruct the latest
build by chaining the deltas. It will check each delta if we already have
intermediate files present - perhaps we already performed the work for the last
build but never flashed it, for example. Based on all this information it will
device to either reconstruct the final flashable ZIP, or just download the
decide to either reconstruct the final flashable ZIP, or just download the
latest full OTA and flash that.

Flashing is currently tested only against **TWRP**.

Compatibility
-------------

**OpenDelta** is developed for use with **TWRP**, and uses scripting to
accomplish its tasks. Other recoveries with *full* **OpenRecoveryScript**
*may* work as well, but are not tested against.

**CWM** is not officially supported by **OpenDelta**, though if not
operating in **secure mode**, a script that *may* work with
*community-built* **CWM** versions is generated as well. *Official*
**CWM** builds (acquired from the CWM website or installed by
*ROM Manager*) are **not supported** as they disable scripting
capabilities. Even *if* this script works with your build, you may encounter
it using the wrong storage paths, failing verification, producing various
errors, etc.


Security
--------

The OTA ZIPs that **OpenDelta** downloads or re-generates are stored on
either internal or external storage. These locations are not secure, as any
malicious app can write to these locations, and with some careful timing
place its own update to be flashed instead of our update, thus gaining
full system access.

Additionally, **OpenDelta** conveniently flashes ZIPs located in the
**FlashAfterUpdate** subfolder of its storage. A malicious app could add
its own ZIPs to the list, thus gaining full system access.

**OpenDelta** has the capability to re-generate OTA ZIPs fully signed with
your private keys (without knowing them). Assuming you aren't using a set
of publicly known keys to sign your ZIPs (ouch!), this can be used to make
your update secure.

Chances are that the recovery you are using does not have your public key
built-in for whole-file verification purposes, and thus verification would fail.
This is why **OpenDelta** also provides the capability to inject your public
key into the recovery. This public key is provided to the recovery through
the /cache partition, which non-privileged apps cannot write to.

These features combined allows the recovery to verify the update signature
securely without the chance of a malicious app hijacking either the update
or the keys. However, this feature **only** works with **TWRP**, and the
signatures will not be checked by non-*OpenRecoveryScript* recoveries. It
also leaves open the **FlashAfterUpdate** hole, as ZIPs stored there by
the user will (likely) not be signed with the same keys as your update,
and thus their origins cannot be verified.

If **OpenDelta** is configured with all the needed parts to re-generate the
OTA ZIPs fully signed, and verify the signatures in recovery, then **secure
mode** becomes available (whether or not it is enabled by default is also
a configuration switch). In **secure mode**, the public key injection and
signature verification features are enabled, additional ZIPs from the
**FlashAfterUpdate** subfolder will **not** be flashed, and the
**CWM**-compatibile script will **not** be generated. Unless your recovery
is compromised, this should provide for fully secure flashing.

Of course, the user has the option to enable or disable this feature from the
actionbar menu.


Bad builds
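Review bot: the sentence "Unless your recovery is compromised, this should provide for fully secure flashing" overstates what the section supports: the next paragraph says the user can disable the feature from the actionbar menu, and the earlier paragraph says signatures will not be checked by non-OpenRecoveryScript recoveries, so a device with secure mode switched off, or a non-TWRP recovery, is back to the storage-hijack scenario described at the top of the section. Suggest qualifying the claim ("with secure mode enabled on TWRP") and stating whether a ROM maintainer can force secure mode on rather than only choosing its default. Two typos in the added text: "**CWM**-compatibile" should be "compatible", and "These features combined allows" should be "allow".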