DivestOS with microG build (on Fedora)

# DivestOS with microG build (on Fedora) This build guide describes how to build DivestOS with microG. To do this, there are 2 essential requirements: 1) Enable signature spoofing - we do this by adding signature spoofing patches which can be found [here](https://github.com/lineageos4microg/docker-lineage-cicd/tree/master/src/signature_spoofing_patches). 2) Include [this](https://github.com/lineageos4microg/android_vendor_partner_gms) repository in the local_manifest.xml file and set the ```WITH_GMS``` environment variable to ```true```. If you wish to do a clean build of DivestOS, i.e. without microG, please skip the steps mentioned in the above requirements. ### Installing Dependencies (on fedora - strongly recommended) ###### The DivestOS community strongly recommends building on Fedora. However, please refer the [official DivestOS build guide](https://divestos.org/pages/build) for installing dependencies for other distros. ``` sudo dnf update; sudo dnf install @development-tools android-tools automake bc bison bzip2 bzip2-libs ccache curl dpkg-dev flex gcc gcc-c++ git git-lfs glibc-devel.{x86_64,i686} gnupg gperf ImageMagick ImageMagick-c++-devel ImageMagick-devel java-1.8.0-openjdk java-1.8.0-openjdk-devel libgcc.{x86_64,i686} libstdc++.{x86_64,i686} libX11-devel.{x86_64,i686} libxml2-devel libXrandr.{x86_64,i686} libXrender.{x86_64,i686} libxslt lz4-libs lzop make maven mesa-libGL-devel.{x86_64,i686} ncurses ncurses-compat-libs ncurses-devel.{x86_64,i686} ninja-build openssl-devel optipng jpegoptim perl-Digest-MD5-File perl-Switch pngcrush python python2-virtualenv python3 python3-mako python-mako python-markdown python-networkx readline-devel.{x86_64,i686} rsync schedtool SDL squashfs-tools syslinux-devel unzip wxGTK xml2 xz-lzma-compat zip zlib zlib-devel.{x86_64,i686} vim-common vboot-utils; curl https://storage.googleapis.com/git-repo-downloads/repo >> ~/bin/repo; chmod a+x ~/bin/repo; sudo ln -sf /usr/share/crypto-policies/LEGACY/java.txt /etc/crypto-policies/back-ends/java.config; ``` ### Creating a Workspace ``` DivestOS/Build/LineageOS-20.0``` is going to be the Workspace that we will be setting up in further steps. #### Setting up Firejail (optional) For extra security of your host machine, you can run the entire build process in a fairly restricted sandbox with minimal performance impact. The DivestOS community has already upstreamed a profile for just this task. ``` sudo dnf install firejail echo 'if [ $container="firejail" ]; then unset PROMPT_COMMAND; fi;' >> .bashrc; firejail --profile=/etc/firejail/aosp.profile bash; ``` #### Checking out the code ###### Clone the DivestOS repository ``` umask 0022; git clone https://gitlab.com/divested-mobile/divestos-build.git DivestOS; cd DivestOS; ``` ###### Clone the missing submodules(recursively), fetch any new remote commits, and update the directory tree.Must have git-lfs installed and also add your public ssh key to your github account. ``` git submodule update --init --recursive; ``` ###### DivestOS is a soft fork of LineageOS. Essentially, it applies directly on top of the latest aosp/lineage/etc repos. Hence, we create the required directories for the same. ``` mkdir -p Build/LineageOS-20.0/.repo/local_manifests Builds Signing_Keys .Signing_Keys; ``` ###### Use cryfs/ecryptfs/encfs if gocryptfs not available. In such case, skip init and directly run next command to mount the vault at Signing_Keys directory, or refer the man page for the respective tool. ``` gocryptfs -init .Signing_Keys; gocryptfs .Signing_Keys/ Signing_Keys/; mkdir Signing_Keys/NEW ``` ###### Change **/mnt/docs/ in line 25** to **your DivestOS directory path** and **28th line pointing to your Signing_Keys directory**. ``` nano Scripts/init.sh; ``` ###### Copy the default LineageOS local manifest to the local manifest file of our Build. Any further changes or additions in local manifest will be done at ``` Build/LineageOS-20.0/.repo/local_manifests/local_manifest.xml```. Then we initialise repo in the Build/LineageOS-20.0. ``` cd Build/LineageOS-20.0; cat ../../Manifests/Manifest_LAOS-20.0.xml > .repo/local_manifests/local_manifest.xml; repo init -u https://github.com/LineageOS/android.git -b lineage-20.0; ``` ###### Add your device's proprietary blobs to local manifest. The following lines add blobs for ```beryllium```. You can find vendor blobs for your device [here](https://github.com/TheMuppets). Make sure to add blobs specific to your device(eg. beryllium) as well as common for the vendor of your device (eg. xiaomi). ``` nano .repo/local_manifests/local_manifest.xml add - <project name="TheMuppets/proprietary_vendor_xiaomi_beryllium" path="vendor/xiaomi/beryllium" remote="github" revision="lineage-20"/> <project name="TheMuppets/proprietary_vendor_xiaomi_sdm845-common" path="vendor/xiaomi/sdm845-common" remote="github" revision="lineage-20"/> ``` ###### Add this line to include the [repository](https://github.com/lineageos4microg/android_vendor_partner_gms) consisting a collection of FOSS APKs under the microG mobile services. Skip this step if donot want microG included in your DivestOS build.  ``` <project path="vendor/partner_gms" name="divestos4microg/android_vendor_partner_gms" remote="github" revision="master" /> ``` ###### Synchronize local project directories with the remote repositories specified in the manifest file. Repo is a python wrapper script for git. Read [this](https://stackoverflow.com/questions/25046570/what-does-repo-init-and-repo-sync-actually-do) to understand the repo commands used in this guide. ``` repo sync ``` ###### Skip this step if donot want microG included in your DivestOS build. ``` export WITH_GMS=true ``` ###### This command sets the environment variables used by all other scripts of DivestOS and verifies the last commit in the current checkout branch (The HEAD pointer) using [GPG commit signature verification](https://docs.github.com/en/authentication/managing-commit-signature-verification/about-commit-signature-verification#gpg-commit-signature-verification). ``` source ../../Scripts/init.sh; ``` ###### ```resetWorkspace``` to sync the workspace from git and undo any changes in the workspace if at all. ``` resetWorkspace ``` ###### Now we apply all of the DivestOS changes to our workspace. ``` patchWorkspace ``` ###### Define functions commonly used in the build environment (eg. croot, breakfast, etc), i.e create 'hooks' in the terminal. ``` source build/envsetup.sh ``` ###### Configure your build environment with the correct variables to create your device-specific rom. ``` breakfast lineage_beryllium-user ``` ###### Compile the tool that generates [verity_key](https://source.android.com/docs/security/features/verifiedboot/dm-verity) which is required for a verified boot. ``` make -j20 generate_verity_key ``` ##### Some error handling might be required for the above command : ###### Delete unnecessary vendor directories if they were throwing errors during ```make -j20 generate_verity_key```. ``` cd vendor/ for instance, if you are building for xiaomi - (modify the command based on your vendor) rm -rf essential/ fairphone/ fxtec/ google/ oneplus/ razer/ sony/ ``` ###### Run this to ignore missing packages if ```make -j20 generate_verity_key``` is failing due to missing packages. ``` croot awk -i inplace '!/enforce-product-packages-exist-internal/' vendor/lineage/config/common.mk; ``` ###### If you encounter an error of conflicting packages due to ```additional_repos.xml``` , delete ```vendor/partner_gms/additional_repos.xml```. ###### If DivestOS [supports](https://divestos.org/pages/devices) multiple devices by your device's vendor, then you might have to remove the directories created for those other devices inside your vendor's directory. <br> ###### Generate Signing Keys for the build. This gets stored at ```Signing_Keys/NEW/beryllium```. ``` sh ../../Scripts/Generate_Signing_Keys.sh beryllium ``` #### Setup ccache (optional) Use of ccache is highly recommended, it's an easy way to dramatically reduce build time and power usage. This is extremely recommended to be on a separate drive from your system drive and your build drive. ``` mkdir ccache; echo "export USE_CCACHE=1;" >> .bashrc; echo "export CCACHE_COMPRESS=1;" >> .bashrc; echo "export CCACHE_COMPRESSLEVEL=1;" >> .bashrc; echo "export CCACHE_EXEC=/usr/bin/ccache;" >> .bashrc; echo "export CCACHE_DIR=[PATH TO CCACHE DIRECTORY];" >> .bashrc; source ~/.bashrc; ccache -M 128GB; #Optionally set a size limit ``` ### Building ``` cd Build/LineageOS-20.0; source ../../Scripts/init.sh; ``` ``` resetWorkspace patchWorkspace; ``` ###### Add signature spoofing patches here, skip if building without microG. Download the patches from [here](https://github.com/lineageos4microg/docker-lineage-cicd/tree/master/src/signature_spoofing_patches). ``` cd frameworks/base patch -p1 -i "/home/fedora/signature_spoofing_patches/android_frameworks_base-Android13.patch" croot cd packages/modules/Permission patch -p1 -i "/home/fedora/signature_spoofing_patches/packages_modules_Permission-Android13.patch" ``` ###### Move ```DivestOS/Signing_Keys/NEW/beryllium``` one directory up. ``` croot cd ../../Signing_Keys mv NEW/beryllium . cd ../Build/LineageOS-20.0 ``` ###### Here, if you face errors similar to those during ```make -j20 generate_verity_key``` , then follow the error handling commands mentioned [above](https://hackmd.io/cDDSADpMT3ee0OP9gOFp6Q?both#Some-error-handling-might-be-required-for-the-above-command-) for the same. ``` buildDevice [device]; #or buildAll for all supported devices ``` Afterwards you should have flashable zips located in $DOS_BUILDS (DivestOS/Builds) ### Notes - If repo sync throws errors and you need to reset your workspace because it broke : ```repo forall -c 'git am --abort; git add -A && git reset --hard' ; then repo sync``` - If there are failures during the CVE patcher section in ```patchWorkspace``` then they need to be regenerated using ```patchAllKernels```. Run ```resetWorkspace && patchAllKernels && resetWorkspace``` and then ```patchWorkspace``` - Never run ```patchWorkspace``` twice simultaneously as it could break things.