PhantomRunner I personally understand the use case of all options except for "Charging-only when locked except BFU" which I don't really see the use of. Is that the one you are referring to as well?
I think the devs are trying to have the data connection blocked while in BFU but then allowed while in AFU with that setting. If that's the case then the words 'charging only while locked' should not be used. If that is not the case then I don't understand the exception. I haven't tested this to see if this is happening.
PhantomRunner No that's definitely not what that option does. It means that while the phone is locked you can only use the USB port for charging except when the phone is in BFU state. While in BFU state, the USB connection can also be used for data connection. What I don't get by this option is; what would you use a data connection for anyways when the phone is in BFU?
I think the devs' rationale is that allowing data connection while in BFU state doesn't do much harm since the user data is encrypted and at rest. I just don't see why anyone would use this option over any of the other options.
trilogy6202 What I don't get by this option is; what would you use a data connection for anyways when the phone is in BFU?
The setting allows people to use USB keyboards to type long (secure) passwords. As you say, there is little/no risk in this as BFU means the data is encrypted and thus allowing safe use of the keyboard. If you don't need to use a keyboard (like myself), then changing the USB setting to "Charging only while locked" is perfectly fine.
Thank you for that answer and so then I don't understand the need for that setting. The OS can't enforce any of these settings until boot and you would think that the BFU would be protected by disallowing any data line in this state if there is a setting for it; as having the possibility of data extraction is a weakness. Having no extraction is better than having even an encrypted one. Disabling the MTP host may offer some protection in BFU and AFU.
I can't think of a reason right now as to why one would need a data connection in BFU state especially if the bootloader is locked. All kinds of thoughts are going through my head now but can't type it all. I'm thinking now that this USB port control may be a Houdini. Hope I'm wrong! Maybe balderdash. Maybe maybelline?
PhantomRunner I'm thinking now that this USB port control may be a Houdini. Hope I'm wrong!
Features don't get added to GrapheneOS if they're worthless security-wise. The devs are very firmly against security theater. They also work hard to make sure that the features they do add are implemented securely in the most proper way possible (see the number of times people ask for Face unlock for example).
Dumdum Yes hopefully I'm wrong but can you give another reason as to have a data connection in this state other than using a connected keyboard. What's wrong with using the on-screen one? I don't think you can enter high ASCII characters with the on-screen board but you can still get a good password by using it.
Having the phone allow a keyboard could be more of an issue. I know GrapheneOS would resist brute-forcing but cracking the pass would be a lot easier with a device that simulates a keyboard entering passwords.
PhantomRunner What's wrong with using the on-screen one?
Nothing "wrong". As I said, long passwords are the use case for a USB keyboard. Users with some 10+ word diceware password can input far quicker with a keyboard.
Dumdum Thank you for your answer.
I've been using GOS now for a little longer than this profile setup on the forum and have never considered going back to an OEM implementation of Android. I'm just brainstorming and pondering about it and I think the GrapheneOS devs are some of the best in this field.
But I'm curious of you Dumdum, may I ask a few questions?
Have you actually connected a physical keyboard to your phone in the BFU state and if so did you have to grant permission? I know that when you connect a computer it asks for permission like a fingerprint device trust. How did you grant trust to this keyboard? Are keyboards given a pass? How did you do this in the BFU state?
I wonder if setting "Charging-only when locked, except before first unlock" (as described above) is of any use if you are afraid that the display will become inoperable (e.g. if you drop it). Then it would also be possible to log in with a keyboard and operate everything with a mouse, wouldn't it?
The thread title should be changed!
Offliner-A-GoGo Certainly the OP of this thread has had a misunderstanding as charging is allowed as per the settings and so not a bug.
I think so. Forgive me Armbus25 if wrong as I can be a goof!
Dumdum Makes sense.
Yes this is the point, precisely.
NetRunner88 So that answers my question?
Good, then I've done everything right.