update GrapheneOS to latest, incl. Android 13 + support for Pixel 6a, 7+7 Pro #203
base: master
Conversation
works by setting up a temp directory off of /dev/shm, the same way we were already doing for the release keys. except now, it's safe to include your encrypted keys in the repo with the rest of your config. just don't forget to --extra-sandbox-paths <path to key file> for your private key. example config is included.
this greatly simplifies things and ensures that the kernel is built the way the build process expects.
Co-authored-by: ajs124 <[email protected]>
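The key-handling scheme the PR describes (decrypt into a directory under /dev/shm, expose only that path to the build with `--extra-sandbox-paths`, throw it away afterwards) as an added worked example. This is not robotnix's own code: the function names, the `decrypt` hook, the sample "ciphertext" and key bytes are constructed for the example, and `sops -d` is only the default decryptor. The point it makes that the PR text does not is what the staging step has to get right: a fresh 0700 directory, an O_EXCL 0600 file (so a pre-planted symlink cannot redirect the plaintext), a tmpfs check so the key never lands on disk, and an overwrite-then-remove cleanup that runs even if the build fails.

```python
"""Stage a sops-encrypted signing key on RAM-backed tmpfs for one sandboxed build.

Added example, not robotnix code: it follows the approach the PR describes (a
temp dir under /dev/shm, then `--extra-sandbox-paths <key file>`), but the
function names, the `decrypt` hook and the sample key bytes are assumptions.
"""
import os
import shutil
import subprocess
import tempfile
from typing import Callable, Dict, List, Optional

SHM_BASE = "/dev/shm"


def is_tmpfs(path: str) -> bool:
    """Best-effort Linux check that `path` is on tmpfs, via /proc/mounts.
    Returns False when it cannot tell, so treat False as a warning only."""
    try:
        with open("/proc/mounts") as fh:
            mounts = [line.split() for line in fh]
    except OSError:
        return False
    real = os.path.realpath(path)
    best: Optional[List[str]] = None  # longest mount point that prefixes `path`
    for entry in mounts:
        if len(entry) < 3:
            continue
        mnt = entry[1]
        if real == mnt or real.startswith(mnt.rstrip("/") + "/"):
            if best is None or len(mnt) > len(best[1]):
                best = entry
    return best is not None and best[2] == "tmpfs"


def sops_decrypt(encrypted_path: str) -> bytes:
    """Default decryptor: `sops -d FILE` writes the plaintext to stdout."""
    return subprocess.run(["sops", "-d", encrypted_path], check=True,
                          capture_output=True).stdout


def stage_key(encrypted_path: str, base_dir: str = SHM_BASE,
              decrypt: Callable[[str], bytes] = sops_decrypt) -> str:
    """Decrypt into a fresh 0700 directory under `base_dir`; return the key path.
    O_EXCL refuses a pre-existing file or symlink; 0600 keeps it private."""
    key_dir = tempfile.mkdtemp(prefix="robotnix-keys-", dir=base_dir)
    os.chmod(key_dir, 0o700)
    key_path = os.path.join(key_dir, "key")
    fd = os.open(key_path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(decrypt(encrypted_path))
    return key_path


def nix_build_argv(attr: str, key_path: str) -> List[str]:
    """Build command that exposes only the staged key path inside the sandbox."""
    return ["nix", "build", attr, "--extra-sandbox-paths", key_path]


def discard_key(key_path: str) -> None:
    """Overwrite the plaintext, then remove the whole staging directory."""
    try:
        size = os.stat(key_path).st_size
        with open(key_path, "r+b") as fh:
            fh.write(b"\0" * size)
            fh.flush()
            os.fsync(fh.fileno())
    except OSError:
        pass  # already gone; still remove the directory below
    shutil.rmtree(os.path.dirname(key_path), ignore_errors=True)


def mode_of(path: str) -> int:
    """Permission bits of `path`, for checking post-conditions."""
    return os.stat(path).st_mode & 0o777


def run_demo(base_dir: Optional[str] = None) -> Dict[str, object]:
    """Whole flow on a constructed ciphertext file with a fake decryptor.
    Defaults to a throwaway base dir so it runs on hosts without /dev/shm;
    pass base_dir=SHM_BASE for the real thing."""
    base = base_dir or tempfile.mkdtemp(prefix="robotnix-demo-")
    enc = os.path.join(base, "avb.key.sops")
    with open(enc, "wb") as fh:
        fh.write(b"ENC[constructed ciphertext]")  # stands in for sops output
    key_path = stage_key(enc, base_dir=base,
                         decrypt=lambda _p: b"CONSTRUCTED-PRIVATE-KEY\n")
    with open(key_path, "rb") as fh:
        plaintext = fh.read()
    result: Dict[str, object] = {
        "tmpfs": is_tmpfs(base),
        "dir_mode": mode_of(os.path.dirname(key_path)),
        "file_mode": mode_of(key_path),
        "plaintext": plaintext,
        "argv": nix_build_argv(".#robotnixConfigurations.tabi.img", key_path),
    }
    discard_key(key_path)
    result["removed"] = not os.path.exists(os.path.dirname(key_path))
    if base_dir is None:
        shutil.rmtree(base, ignore_errors=True)
    return result


if __name__ == "__main__":
    r = run_demo()
    print("on tmpfs:", r["tmpfs"], "modes:", oct(r["dir_mode"]), oct(r["file_mode"]))
    print(" ".join(r["argv"]))
    print("cleaned up:", r["removed"])
```

Run it with `run_demo(SHM_BASE)` on a real box and `tmpfs` should come back True; a False there means the "temp" directory is disk-backed and the plaintext key may survive a crash. Note the tension with the later report in this thread that the key file needed o+x on its path for the sandboxed builder to read it: that is exactly why the copy the sandbox sees should be a short-lived staged one and never the long-lived key itself.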
@@ -13,7 +13,7 @@ | |||
import subprocess | |||
import sys | |||
|
|||
BASEDIR = "/mnt/cache/chromium" | |||
BASEDIR = "/tmp/cache/chromium" |
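Review bot: `BASEDIR = "/tmp/cache/chromium"` is still a hard-coded location, and both it and the old `/mnt/cache/chromium` make a decision this script should not own: the review below notes /tmp is usually a small tmpfs (under 8 GiB) while /mnt is not writable by an unprivileged user. Since this is a manifest-generation script a user runs rather than a build step, take the cache root from the environment (`$XDG_CACHE_HOME`, falling back to `~/.cache`, with `$TMPDIR` or a command-line flag as an explicit override) instead of a literal, and check free space before starting so a multi-gigabyte Chromium checkout fails fast with a clear message rather than filling the filesystem part way through.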
Please consider that tmp is usually <8GiB
the nix build system already uses /tmp by default to do builds. if you have a ramdisk/tmpfs mounted to /tmp, you already can't build android with robotnix (without a huge amount of ram). /mnt isn't writable by default from an unprivileged user and running this script with sudo leads to unexpected results as the root user has different programs installed on NixOS -- either a temp storage directory needs to be passed in somehow or we have to instruct users to make /mnt writable.
My nix-daemon's TMPDIR is not /tmp/ for that very reason. /mnt is obviously bad but this just shouldn't be a decision the script makes itself.
A more sane default could be /var/tmp which is usually on a physical disk.
to be clear, this isn't a build script that's called during a build. it's a script you run as an unprivileged user to create a new chromium manifest. so perhaps something under XDG_CACHE_HOME is most appropriate?
tbh I'm not sure why this script is so different from the ones that update the manifests for the main source dirs. it's much slower and significantly more brittle.
I think this does break/drop some needed parts for devices older than the Pixel 6 including the Pixel 5/4a (redbull). I made a few minor changes to test it for the Pixel 5 (just getting the right buildConfig since the kernel is redbull but the device is redfin). Best I can tell the issue is related to how the prebuilt dependencies are set up/patched.
Nix Build Log Excerpt
ahh I know what this is - it's related to the TODO I have in there to set up the kernel build environment variables - the build instructions for the older kernels are a bit different from the newer devices as of android 13. a bunch of environment variables have to be set because there's no wrapping build script like build_cloudripper.sh and instead build/build.sh gets called directly. I'll push a fix when I get a chance later today.
Is there some sops-related setup that's needed in order to use this?
only if you choose to enable those settings. if you leave them off it should work as it always has, unless I broke something without noticing.
I did some digging into this. it's not hard to fix the fact that it's picking up the wrong config -- "redbull" isn't the deviceFamily like I thought it was + the redfin family needs ".vintf" on the build config / "/vintf" on the builtRelpath. but the environment vars are actually correct for redfin. the issue and what's going to prevent this from building is that neither the main AOSP tree nor the kernel tree includes an "aarch64-linux-gnu-gcc". moreover, it's running the host's ld instead of the one included in build-tools for no discernible reason (I'm guessing it's not provided in the redfin kernel tree?).

I'm gonna be honest, I've spent days/upwards of a full week trying to make gcc work as the compiler for the later devices. so it comes as a shock that the build process for the earlier devices is this drastically different. is "aarch64-linux-gnu-gcc" supposed to be "aarch64-unknown-linux-multi-gcc" from nixpkgs cross compilers? why is it trying to use an aarch64 compiler to build something that runs on the host (fixdep)? does this build even work from a clean tree on a non-NixOS system? the build system is supposed to try and pull its whole toolchain from the kernel tree, but the current manifests don't include an x86 gcc or an aarch64 one that targets linux-gnu.

when I get some more time, I'll dig into what environment variables normally get set by the wrapper build scripts for the newer devices cause I think the graphene build instructions are missing something drastic.
ok talked to the devs in the grapheneos matrix and found out that it's using the system linker because of an old kernel bug that was fixed but the fix can't be backported to the kernel trees for the older devices as they're stuck at 4.19/4.14. I pushed a patch that allows the redfin kernel to build. let me know if you have any troubles @Princemachiavelli
I tried to build Oriole from your branch with the following:

```nix
robotnixConfigurations = {
  "tabi" = robotnix.lib.robotnixSystem ({ config, pkgs, ... }: {
    # These two are required options
    device = "oriole";
    flavor = "grapheneos";
    apv.enable = false;
    adevtool.hash = "sha256-FZ5MAr9xlhwwT6OIZKAgC82sLn/Mcn/RHwZmiU37jxc=";
  });
};
```

but it complains with the following:
I have previously managed to build a working Oriole ROM from this, if it helps – https://github.com/yu-re-ka/robotnix. I'm not sure I can help much, since it's been a while since I've done it and a lot of it was groping around in the dark, but there's this change you're missing: yu-re-ka@fef5f8f. I don't quite remember if the error that prompted this was the same or not and you seem to have commented that out altogether, but maybe it will be helpful?
Hmm, adding
Okay, so I've run this overnight and was greeted with the following in the morning:

```
╰─$ nix build .#robotnixConfigurations.tabi.img
warning: Git tree '/home/jaen/Config' is dirty
error: builder for '/nix/store/c452pp42kxlg5l614z3cs0q3632qjl6y-robotnix-oriole-2023050500.drv' failed with exit code 1;
last 10 log lines:
> HOST_CROSS_OS=windows
> HOST_CROSS_ARCH=x86
> HOST_CROSS_2ND_ARCH=x86_64
> HOST_BUILD_TYPE=release
> BUILD_ID=TQ2A.230505.002
> OUT_DIR=out
> PRODUCT_SOONG_NAMESPACES=device/generic/goldfish device/generic/goldfish-opengl hardware/google/camera hardware/google/camera/devices/EmulatedCamera
> ============================================
> installing
> cp: cannot stat '/otatools.zip': No such file or directory
For full logs, run 'nix log /nix/store/c452pp42kxlg5l614z3cs0q3632qjl6y-robotnix-oriole-2023050500.drv'.
error: 1 dependencies of derivation '/nix/store/2lrhkh5nh9hc4x3ziqkjyhl3nb52zdkv-oriole-img-2023050500.zip.drv' failed to build
```

Here are the full logs:

I also had to disable `pixel.useUpstreamDriverBinaries = true` that I have previously built with, because otherwise it errored out with:

```
╰─$ nix build .#robotnixConfigurations.tabi.img
warning: Git tree '/home/jaen/Config' is dirty
error:
       … while evaluating a branch condition
         at /nix/store/cxn063ifw1p77gw0a243k5nm6njg4l3i-source/default.nix:83:5:
           82|   config =
           83|     if failedAssertions != [ ]
             |     ^
           84|     then throw "\nFailed assertions:\n${lib.concatStringsSep "\n" (map (x: "- ${x}") failedAssertions)}"
       … while calling the 'map' builtin
         at /nix/store/cxn063ifw1p77gw0a243k5nm6njg4l3i-source/default.nix:80:22:
           79|   # From nixpkgs/nixos/modules/system/activation/top-level.nix
           80|   failedAssertions = map (x: x.message) (lib.filter (x: !x.assertion) eval.config.assertions);
             |                      ^
           81|
       (stack trace truncated; use '--show-trace' to show the full trace)
       error: no items found for google_devices oriole drivers
```
will take a look this week when I get a chance. it looks like oriole is missing from the list of supported devices somewhere. that's why kernel.enable isn't automatically set to true and why the firmware isn't getting pulled in. also, just to confirm, you've unset adevtool.hash and set the value to the computed hash after running it once like that? won't help until I figure out which list oriole got dropped from but it will be necessary afterwards.
Ah, no, I have just copied whatever you had in your config. I'll keep it in mind for when you update the branch.
@cassandracomar okay, so it seems the issue was rather trivial in the end and I managed to build a flashable image with this diff:
diff --git a/flavors/grapheneos/default.nix b/flavors/grapheneos/default.nix
index 21e7307..857f5d1 100644
--- a/flavors/grapheneos/default.nix
+++ b/flavors/grapheneos/default.nix
@@ -10,7 +10,7 @@ let
upstreamParams = import ./upstream-params.nix;
grapheneOSRelease = "${config.apv.buildID}.${upstreamParams.buildNumber}";
- phoneDeviceFamilies = [ "crosshatch" "bonito" "coral" "sunfish" "redfin" "barbet" "bluejay" "pantah" ];
+ phoneDeviceFamilies = [ "crosshatch" "bonito" "coral" "sunfish" "redfin" "barbet" "raviole" "bluejay" "pantah" ];
supportedDeviceFamilies = phoneDeviceFamilies ++ [ "generic" ];
kernelPrefix = if config.androidVersion >= 13 then "kernel/android" else "kernel/google";
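Review bot: `phoneDeviceFamilies` is a hand-maintained list, and the thread above shows what one missing entry costs: without "raviole" the oriole build left kernel.enable unset and pulled no firmware, and only failed much later in the build with `cp: cannot stat '/otatools.zip'`. Adding "raviole" fixes this one device, but the next family will hit the same thing; add an assertion (the flavor already surfaces failed assertions at evaluation time, as the `no items found for google_devices oriole drivers` error shows) that `config.deviceFamily` is in `supportedDeviceFamilies`, or derive this list from the device map that modules/pixel already carries, so an unsupported family fails fast with a clear message instead of silently skipping the kernel and firmware.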
diff --git a/modules/pixel/default.nix b/modules/pixel/default.nix
index c3ae149..e0c3c70 100644
--- a/modules/pixel/default.nix
+++ b/modules/pixel/default.nix
@@ -63,9 +63,10 @@ mkMerge [
apv.ota = mkDefault (fetchItem otaList);
# Exclude all devices by default
- # source.excludeGroups = mkDefault (lib.attrNames deviceMap);
- # # But include names related to our device
- # source.includeGroups = mkDefault [ config.device config.deviceFamily ];
+ source.excludeGroups = mkDefault (lib.attrNames deviceMap ++ lib.mapAttrsToList (name: device: device.family) deviceMap ++ [ "slider" ]);
+ # But include names related to our device
+ source.includeGroups = mkDefault ([ config.device config.deviceFamily ]
+ ++ lib.optional (config.deviceFamily == "raviole") "slider");
signing.avb.enable = mkDefault true;
})
I'm not even sure the second change is necessary, but kind of don't wanna recompile the whole world again to find out whether that's true or not xD I had a minor issue with flashing (but maybe that's because I haven't set up proper permissions for adb/fastboot and had to use
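Review bot: this hunk does more than add oriole: it re-enables `source.excludeGroups` and `source.includeGroups`, which were commented out before, so source selection now changes for every device, not only raviole. Split that from the raviole fix, or confirm it is actually needed (the comment says it may not be), so the behaviour change can be reviewed on its own. Also, `++ [ "slider" ]` in the exclude list and `lib.optional (config.deviceFamily == "raviole") "slider"` in the include list hard-code one family's extra source group in two places; a per-family attribute in `deviceMap` (which this file already has) would keep the two lists from drifting apart when the next device with an extra group is added.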
Setting this to I'll now try to use sops-nix for AVB keys, because that's the feature that initially prompted me to try this PR. Will let you know how it works out.
Ok, so update on trying to build a signed image with SOPS. There was an issue in the fingerprint script, where it tried to call `dirname` on an empty argument. I'm not enough of a bash wizard to understand what the exact semantic difference is, but changing from `if [ -n $GNUPGHOME ]` to either of `if [ -n "$GNUPGHOME" ]` or `if [[ -n $GNUPGHOME ]]` fixed the conditional.

Another problem was that I couldn't use my `.sops.yaml` file as-is, because I put signing keys in a subdirectory and had a `path_regex` to use an age key for this (for other things I still use GPG for now) and the paths didn't match in the sandbox. It's probably not a very big deal to use a different sops config for signing to work around this, but it would be good to a) document that discrepancy, b) maybe eventually fix this in a follow-up PR, so that's not necessary?

I also had to put the `keys.txt` in a fairly open place with open permissions (or at least with o+x) – it's probably a general issue with `extra-sandbox-paths` that I was not aware of (I haven't used it before), but maybe it would be useful to document that as well?

I have managed to flash the signed build and it boots, but I have problems with re-locking the bootloader:

```
╰─$ sudo fastboot flash avb_custom_key ./avb_pkmd.bin
Warning: skip copying avb_custom_key image avb footer (avb_custom_key partition size: 0, avb_custom_key image size: 520).
Sending 'avb_custom_key' (0 KB)                    OKAY [  0.000s]
Writing 'avb_custom_key'                           (bootloader) avb custom key: flash done
OKAY [  0.056s]
Finished. Total time: 0.057s
```

I have no idea if I'm doing something wrong or if there is some problem with the PR, as it's the first time I'm trying this. EDIT: I have since figured that out and things seem to mostly work.
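The `[ -n $GNUPGHOME ]` conditional reported above is a classic shell quoting bug, and it is worth seeing exactly why one form always takes the branch. The following is an added example, not the PR's fingerprint script (which is not shown here): the two one-liners are constructed to isolate the conditional plus the `dirname` call that follows it, and they are run under the host's `/bin/sh` (assumed POSIX, with `dirname` on PATH). With the variable unset, the unquoted form collapses to `[ -n ]`, a one-argument test that is true because the string `-n` is itself non-empty, so `dirname` runs with no operand and fails; the quoted form keeps the empty string as a real argument and correctly skips the branch. The matrix also covers a value containing a space, where the unquoted form breaks the other way.

```python
"""Reproduce the `[ -n $GNUPGHOME ]` bug under /bin/sh (added example)."""
import subprocess
from typing import Dict, Optional, Tuple

# Unquoted: with GNUPGHOME unset this expands to `[ -n ]`, a one-argument test
# that is true because "-n" is a non-empty string, so the branch runs and
# `dirname` is invoked with no operand at all.
UNQUOTED = 'if [ -n $GNUPGHOME ]; then echo taken; dirname $GNUPGHOME; fi'
# Quoted: the empty string stays a separate argument and `[ -n "" ]` is false.
QUOTED = 'if [ -n "$GNUPGHOME" ]; then echo taken; dirname "$GNUPGHOME"; fi'


def probe(script: str, gnupghome: Optional[str]) -> Tuple[bool, int]:
    """Run `script` with GNUPGHOME unset (None) or set to `gnupghome`.
    Returns (branch taken, exit status of the whole `if` statement)."""
    env = {"PATH": "/usr/local/bin:/usr/bin:/bin"}  # minimal, controlled env
    if gnupghome is not None:
        env["GNUPGHOME"] = gnupghome
    proc = subprocess.run(["/bin/sh", "-c", script], env=env,
                          capture_output=True, text=True)
    return "taken" in proc.stdout.splitlines(), proc.returncode


def matrix() -> Dict[str, Tuple[bool, int]]:
    """Both forms across an unset, a plain, and a whitespace-containing value."""
    cases = {"unset": None,
             "plain": "/home/u/.gnupg",
             "space": "/home/some user/.gnupg"}  # constructed paths
    return {f"{form}/{name}": probe(script, value)
            for form, script in (("unquoted", UNQUOTED), ("quoted", QUOTED))
            for name, value in cases.items()}


if __name__ == "__main__":
    for case, (taken, rc) in matrix().items():
        print(f"{case:16} branch taken={str(taken):5} exit={rc}")
```

Expected outcome: `unquoted/unset` takes the branch and exits non-zero (that is the `dirname` failure from the report), `quoted/unset` skips it cleanly, and for the path with a space the unquoted form hands `[` three words and silently skips the branch while the quoted form works. `[[ -n $GNUPGHOME ]]` also fixes it, but only because `[[` is a bash keyword that does not word-split; it is not available in a POSIX `/bin/sh`, so the double-quoted `[ -n "$GNUPGHOME" ]` is the portable fix.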
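Before flashing `avb_pkmd.bin` as the bootloader's custom root of trust it is worth checking what the blob actually contains, since the bootloader will trust whatever modulus is in it. The following is an added example, not GrapheneOS or robotnix tooling: it encodes and decodes libavb's RSA public key layout (big-endian `uint32 key_num_bits`, `uint32 n0inv = -1/n mod 2^32`, then the modulus `n` and `rr = 2^(2*key_num_bits) mod n`, each `key_num_bits/8` bytes) and recomputes the two derived fields, so a truncated, corrupted or hand-edited blob is rejected. Under that layout the 520-byte image in the fastboot output above is 8 + 2*256 bytes, i.e. a 2048-bit key. The modulus used here is a constructed odd number, not a real RSA key; point the script at a real `avb_pkmd.bin` to inspect it.

```python
"""Inspect an AVB public key blob (avb_pkmd.bin) before `fastboot flash avb_custom_key`.

Added example, not GrapheneOS or robotnix tooling. Layout is libavb's
AvbRSAPublicKeyHeader as written by `avbtool extract_public_key`; the
modulus below is constructed for the demo and is not a real RSA key.
"""
import struct
from typing import Any, Dict, List

CONSTRUCTED_MODULUS = (1 << 2047) | (0xC0FFEE << 1024) | 1  # 2048 bits, odd


def encode_avb_pubkey(modulus: int) -> bytes:
    """Produce the blob avbtool would emit for `modulus` (public exponent 65537 assumed)."""
    bits = modulus.bit_length()
    if bits % 8 or modulus % 2 == 0:
        raise ValueError("modulus must be odd with a byte-aligned bit length")
    n0inv = (1 << 32) - pow(modulus, -1, 1 << 32)   # -1/n mod 2^32
    rr = pow(1 << bits, 2, modulus)                 # 2^(2*bits) mod n
    size = bits // 8
    return (struct.pack(">II", bits, n0inv)
            + modulus.to_bytes(size, "big") + rr.to_bytes(size, "big"))


def parse_avb_pubkey(blob: bytes) -> Dict[str, Any]:
    """Decode the blob and recompute n0inv and rr; any mismatch marks it invalid."""
    if len(blob) < 8:
        raise ValueError("blob shorter than the 8-byte header")
    bits, n0inv = struct.unpack(">II", blob[:8])
    size = bits // 8
    problems: List[str] = []
    if len(blob) != 8 + 2 * size:
        problems.append(f"length {len(blob)} != {8 + 2 * size} implied by key_num_bits")
        return {"key_num_bits": bits, "valid": False, "problems": problems}
    n = int.from_bytes(blob[8:8 + size], "big")
    rr = int.from_bytes(blob[8 + size:], "big")
    if bits < 2048:
        problems.append("key smaller than 2048 bits")
    if n.bit_length() != bits:
        problems.append("modulus bit length does not match key_num_bits")
    if n % 2 == 0:
        problems.append("modulus is even")
    else:
        if (1 << 32) - pow(n, -1, 1 << 32) != n0inv:
            problems.append("n0inv does not match modulus")
        if pow(1 << bits, 2, n) != rr:
            problems.append("rr does not match modulus")
    return {"key_num_bits": bits, "modulus": n, "n0inv": n0inv, "rr": rr,
            "valid": not problems, "problems": problems}


def describe(blob: bytes) -> str:
    """One-line summary suitable for a pre-flash check."""
    info = parse_avb_pubkey(blob)
    status = "ok" if info["valid"] else "; ".join(info["problems"])
    return f"{len(blob)}-byte blob, RSA-{info['key_num_bits']}: {status}"


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
    else:
        data = encode_avb_pubkey(CONSTRUCTED_MODULUS)
    print(describe(data))
```

The fastboot warning about skipping the AVB footer is expected for this partition: the blob is a bare key, not an image with an AVB footer. What does matter is that the modulus in the blob is the one matching the private key used to sign `vbmeta`; comparing `parse_avb_pubkey(...)["modulus"]` against the modulus of the signing key (for example via `avbtool extract_public_key` on the same key) catches a mismatched or stale `avb_pkmd.bin` before the bootloader is locked against it.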
Are you Daniel Fulmer?
The Pixel 8 has been released and there are also new GrapheneOS releases. Would someone update this?
I'm using this branch currently and I managed to update it previously from a) unsure when I will have time as I haven't touched it since June (and that might mean my understanding of how to update this might've bitrotted),
@jaen note that during the LineageOS 20 bringup, I've added some Android 13 support. It wasn't too hard all around, so I wouldn't expect Android 14 to be too hard either. Don't stress the support for individual devices. Let's get it working on some device first and then figure out whether the rest work as well. I'll try to pull in some of the flake changes separately as well. I had done something similar including basic Darwin support and it kinda worked but ultimately failed in a build or something IIRC. I'll pick that up again and merge it with these flake changes.
this is a fairly major overhaul to update the Graphene build process for android 13+. this includes:
the kernel build process could probably be reworked to function in an FHS environment but it took more than a week of continuous debugging to get anything that functioned at all so it will be a little bit before I have the energy to revisit that. for the time being, the build works by substituting the kernel sandbox for the nix one and using an android gcc cross compiler over clang (I couldn't find a working clang compiler in nixpkgs that had an android target enabled and could actually compile anything non-trivial).
the adevtool ux also needs a little work, probably to set up an upstream hash nix file that provides the default hash if one isn't set by the user.
I have not tested that this PR continues to support earlier versions of GrapheneOS. if that's a hard requirement, I'll start testing earlier builds, but I saw notes in the docs that said only the latest versions are supported. a lot of this work can probably be generalized to bring android 13 support across the board for all flavors.