Help installing GrapheneOS from Fedora

As the title states, I am new to Fedora and Linux as a whole. I made the switch to up my privacy/security/freedom. One thing I am interested in doing is switching over to a Pixel running GrapheneOS. I’ve been trying to do some research and they do not include instructions on how to flash via Fedora. There are some posts on this forum, however I can’t make much sense of it. Could someone explain to me like I am 5 the steps I would need to take? This post seems to say a lot, but it still kind of confuses me. This is what I can understand, correct me if I am wrong please.

Install android-tools Package

sudo dnf install android-tools

Add User to Plugdev Group (I don’t really understand this part)

sudo groupadd plugdev
sudo usermod -aG plugdev $USER

Activate udev Rules

sudo ln -s /usr/share/doc/android-tools/51-android.rules /etc/udev/rules.d

Follow GOS Verification/Flashing Steps
(They use OpenSSH to verify the GOS rom which I assume is the openssh package?)

That should be all of it correct? The other post mentions disabling the udev rules once done to reduce attack surface. I would only need to do this once so would uninstalling the android-tools package once I’m done do the job? As in, just removing the package would basically wipe the slate clean and I wouldn’t have to worry about the above changes?


I wrote the other post.

GrapheneOS has some pretty confusing explanations, they also mention using some BSD tools, this is all Ubuntu only.

They don’t support Fedora yet, and Fedora’s fastboot was broken at that time, so you should install the google binaries instead.

Removing the udev rules afterwards means to remove them.

sudo dnf remove android-tools

sudo rm /etc/udev/rules.d/51-android.rules

sudo gpasswd -d "$USER" plugdev   # removes only plugdev; usermod -G without -a would replace all supplementary groups

I want to make this whole thing a Fedora Wiki page soon. But the state of fastboot makes this kinda complicated as I am pretty sure promoting using “random binaries” over Fedora packages is not allowed.

Also there is no standalone android-udev package, which is why I did the hacky install from the ublue repo.
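What the setup steps in this thread leave on the host, as an added example that is not part of the original posts: the symlink in /etc/udev/rules.d and the plugdev membership were created by hand, so removing the android-tools package does not remove them. The function name `flash_leftovers` and its root-prefix argument are hypothetical, chosen so the check can also run against a constructed directory tree.

```shell
#!/bin/sh
# Added example: report leftovers from the manual android-tools setup.
# Usage: flash_leftovers [ROOT] [USER]
#   ROOT  hypothetical prefix argument; "/" (default) inspects the real system
#   USER  account to look up in the plugdev group (default: current user)

RULE=etc/udev/rules.d/51-android.rules

# Prints one finding per line; prints nothing when nothing is left behind.
# The body runs in a subshell so its variables stay local.
flash_leftovers() (
    root="${1:-/}"
    user="${2:-$(id -un)}"
    rule="${root%/}/$RULE"

    if [ -L "$rule" ] && [ ! -e "$rule" ]; then
        # The package removed the link target under /usr/share/doc,
        # but the hand-made symlink is not owned by the package.
        echo "udev-rule-dangling"
    elif [ -e "$rule" ]; then
        # Rule file (or a symlink to it) is still in place and will be loaded.
        echo "udev-rule-active"
    fi

    # /etc/group line format: name:password:gid:member1,member2
    members=$(awk -F: '$1 == "plugdev" { print $4 }' \
        "${root%/}/etc/group" 2>/dev/null) || true

    # Wrap in commas so "alice" does not match "alice2".
    case ",$members," in
        *",$user,"*) echo "plugdev-member" ;;
    esac
)
```

Sourcing the file and running `flash_leftovers` with no arguments checks the live system for the current user; group changes only take effect in new login sessions.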

I think the GOS install instructions are quite good. The BSD tool is a widely used tool and they use it to verify the GOS image (similar to how you would with gpg). The only issue I see from Fedora’s standpoint is not having a usable fastboot. Arch seems to be the only distro where everything works. Apt packages are so broken they suggest getting the standalone tools, but even they have usable udev rules. From what I understand from all the work you’ve done (which is sweet btw, thanks), Fedora’s fastboot is broken for some reason. It would be great if someone from Fedora could help us out with this. If the android-tools package could get ironed out (including the udev rules) then Fedora would be all set up to be a great Android rom flashing environment.

*Fedora in theory should be able to follow the Arch install instructions (aside from having the udev as a separate package)

I’m reading CLI install guide | Install | GrapheneOS now and don’t see anything too unfamiliar:

  1. Get Android tools (latest from Google for linux)
  2. Unlock the bootloader (fastboot oem unlock or the fancier one GrapheneOS mentions)
  3. Download the zip for your device
  4. Flash it (flash-all.sh, but read it)
  5. Re-lock the bootloader
  6. Follow GrapheneOS’s specific post install instructions

It doesn’t really seem different than what I’ve been doing to flash LineageOS for almost a year on Fedora. I needed to do sudo for fastboot, but adb was fine as a normal user, and I didn’t need any udev rules.

If I were flashing GrapheneOS to a supported device right now on F40:

  • I wouldn’t bother with udev and would just do sudo fastboot; fastboot only for root sounds like good practice anyway (regular Android dev only needs adb)
  • I’m guessing Fedora’s fwupd is newer than 1.9.10 to not worry about the mentioned bug
  • I wouldn’t bother with OpenSSL verifying stuff either; surely GrapheneOS gives SHAs and can manually verify files with sha256sum or something, but in lieu of that I’d just download the zip with aria2 and trust it’ll be fine
  • With the bsdtar they mentioned I’d use unar instead; it’s just decompressing a file and I never heard anyone mention bsdtar on Linux to do that prior to GrapheneOS
  • I’d open flash-all.sh and manually run each individual command; GrapheneOS’s guide is already a bit overkill so I’m sure there’s some more things to be curious about in how they’re flashing it :stuck_out_tongue:

Currently F40’s fastboot is version 34.0.4-android-tools while Google’s is 35.0.1-11580240.


Care to elaborate on this? They specifically say to flash as non-root. I don’t know why exactly. Is it a security thing? What security issues would there be by flashing as root?

They use OpenSSH to sign the image, which is easy to figure out. Once installed, the system shows a hash you can compare to make sure everything is good. I will verify with OpenSSH beforehand just to play it safe.

It is 1.9.16 so all good there

From their site

You can use a distribution package for this, but most of them mistakenly package development snapshots of fastboot, clobber the standard version scheme for platform-tools (adb, fastboot, etc.) with their own scheme and don’t keep it up-to-date despite that being crucial.

This may be what @boredsquirrel means when he says fastboot is broken/not working


Yes, fwupd doesn’t need to be disabled anymore on basically all systems. That line is outdated.

It does on Debian, and Ubuntu just released 24.04 and has a usable version. Downstream distros like Mint will still need to until they catch up to Ubuntu’s new release. Debian will probably be another year.

Theoretically if there’s an exploit on fastboot or images flashed through it, that could be a concern for running it root, but I never heard of this. Generally if something can be done as non-root it’s better to do it non-root to isolate it from affecting other parts of the host OS if it’s malicious, but I doubt fastboot is a target of anything (make sure to either use Google’s official platform-tools or your distro’s if it works and not random fastboot GUI flasher packages on xda or something).

I figure it would be better to keep fastboot limited to root as it deals with critical boot partitions on phones and that seems like that should only be available as a higher privilege like disk partitioning tools.

If your phone was connected and on the bootloader, if someone somehow gains remote execution on your machine, they could use fastboot without needing to root/elevate and flash malicious to the phone. But with fastboot as root, they at least need to know your root password to continue. It’s also a potential save if you plug in an unrelated phone and happen to just double-click flash-all.sh for the wrong device. Both scenarios are probably not likely to happen though :stuck_out_tongue:

I mainly prefer sudo for fastboot because it’s quicker and easier than having to come up with some commands for udev rules and one-liners and have to maintain it in my notes :stuck_out_tongue:

Got it. The udev rules seem to be from a GitHub repo. But then again, they are packaged together on Fedora aren’t they? I can’t tell how android-tools is verifiable from Android website so I guess you have to trust someone and hope for the best.

So I guess our options are:
- Download android-tools from android website and use as root or
- Use Fedora package that uses same file + contains udev rules from that repo and use as non-root

*Arch uses the same udev rules from that repo and their android-tools comes from a different repo. I don’t know how that’s verifiable either.