Leaving bootloader unlocked?

n3t_admin

Watermelon can you link me the reply?

Watermelon

GrapheneOS GrapheneOS Note that this isn't exactly what was said/implied by the posters in this thread. They were talking about a case where someone steals the phone, modifies the system partition because that's trivial with an unlocked bootloader, and returns the phone to the user, who then gets their credentials and data stolen. A locked bootloader is not a guarantee that the device you hold is your device nor that it wasn't tampered with. n3t_admin An attacker can trivially buy another device of an identical model, set it up with the same style and wallpaper and physical case as the original stolen phone, set the new phone to steal the credentials, and boot the original stolen phone in Safe Mode which enables Airplane Mode automatically. All they have to do is wait for the user to input their credentials, and they can try the same on the stolen phone and unlock it, and theft deterrence apps can't do anything because the phone is in Airplane Mode and they can be disabled from Safe Mode anyway. This kind of attack would be extremely easy for a state to execute.

GrapheneOS I mentioned in this thread that the encryption must work differently when the bootloader is unlocked. I'm interested in hearing how exactly it's different from your FAQ entry about the encryption implementation. Several months ago you told me the verified boot key of the booted OS is involved in the encryption, so with an unlocked bootloader that's out of the question, but your reply suggests there's more changes and out of curiosity I would like to learn that. Maybe the OP would find it educational too. Thank you

GrapheneOS

akira If you leave the device unlocked, verified boot is not enforced and your data is not reasonably while the device is in the After First Unlock state. You should lock the device and it's not clear why you wouldn't do that. It's not considered a completed GrapheneOS installation without locking it and that's the first thing which will be suggested if you reported any issue or ask for support. Locking the device makes sure you have the releases without any corruption or missing parts. It's required for the update system to have the full robustness it provides by detecting anything wrong on boot and then triggering rollback if it's the initial boot prior to it being marked as working.

GrapheneOS

Watermelon Locking the device is required for verified boot which is required as part of the basic protections against extracting data from an After First Unlock state device. It's also what makes it non-trivial to obtain the Before First Unlock state data outside of user profiles prior to our planned boot passphrase prompt option.

GrapheneOS

Watermelon

verified boot is primarily meant to protect against malware and local/remote exploits persistence, not against physical attacks.

It's a core part of defending against data extraction too.

GrapheneOS

secrec

A "state agency" can take the flash memory chip out and access its contents regardless of whether or not your bootloader is unlocked.

No, all of the data stored on it is encrypted. The firmware and OS images are verified via verified boot and if you don't lock the device, the OS images can be arbitrarily modified including to change what's loaded from them while the OS is booted in a way that bypasses the lockscreen or allows extracting data without an actual exploit. Lack of verified boot from it being unlocked enables data extraction without exploits. Locking it does not provide perfect protection against physical attacks for data extraction which is not possible but that's why our locked device auto-reboot feature exists to get the data back at rest within a configured time period with 18 hours as the default.

secrec

GrapheneOS No, all of the data stored on it is encrypted.

I never suggested otherwise. The point is just that the BOOTLOADER LOCK has no relevance with regards to "state agency". If a state agency has the means of decrypting the data, then the bootloader lock sure as hell won't be an issue standing in their way.

dc32f0cfe84def651e0e

My reasons to keep the bootloader unlocked:

I want it to.
It's supposed to be my own device I'm antitled to do anything with.
I highly value freedom.

Watermelon

dc32f0cfe84def651e0e I highly value freedom.

GrapheneOS with a locked bootloader and the security that comes from it feels more free to me than a phone with an unlocked bootloader or root. It's amazing. And I highly trust them to keep it feeling this way because of how pro-user they are. They're not after stealing our data or money and the OS is vendor-neutral and very clean. I don't understand why anyone would want an unlocked bootloader with GrapheneOS, and I recommend anyone to try it with a locked bootloader, it's excellent.

Watermelon

secrec There's no reason to think that the encryption itself is breakable, and the secure element is known to be highly resistant but not bulletproof. Any thinking beyond that would have to be backed by solid evidence, or it's just paranoia.

n3t_admin

Watermelon trivially

nothing of what you've described is "trivial". Especially because it takes a lot more work and time. So no, it's not possible to install a different system or boot img with a locked bootloader.

dc32f0cfe84def651e0e

Watermelon It's not about GOS, I do trust them as well. I prefer freedom over safety.

dc32f0cfe84def651e0e

Watermelon the OS is vendor-neutral

Yet only Pixels are being supported.

secrec

Watermelon Please try to look up the definition of the word "if".

LeslieFH

dc32f0cfe84def651e0e I prefer freedom over safety.

Out of curiosity, since you don't want to lock your phone's bootloader because you prefer freedom over safety - do you leave your home and car unlocked as a matter of principle too? :-)

I really don't understand the argument, locking the bootloader doesn't take away any of your freedoms as you can trivially unlock it again in the future.

ElliesSurviving

dc32f0cfe84def651e0e what "freedom" are you talking about here. you cannot freely modify the OS without having the trust that it hasnt been modified by a third party, either remotely or physically.

if you mean root when you say "freedom" that is a major security flaw and you shouldnt be rooting

edit:
i just saw rooting was your intention
rooting is leaving your device extremely vulnerable to attacks. this gives any attacker full privilege escalation far too easily. the device cannot be considered secure and you cannot trust your device at all. please reconsider.

Watermelon

secrec Please try to look up the definition of the word "if".

Your “if” comment wasn't noteworthy, and the inclusion of it can be interpreted to mean that it is. Thus warranting my reply.

chinook

dc32f0cfe84def651e0e I would put it that way: "all¹ the AOSP-compatible phones with the reasonable hardware security and vendor updates are supported" -- see https://grapheneos.org/faq#future-devices :)

¹unlockable of course. It's not GOS project fault if a vendor refuses to allow 3rd party images and keys.

Watermelon

n3t_admin So no, it's not possible to install a different system or boot img with a locked bootloader.

I did not say that and it's not relevant.

secrec

Watermelon Learn to read pal.

akira

From all the comments in the thread i get this:

If i state agency confiscate my phone they can't get access to my files because of the encryption and the strong password even if the bootloader is unlocked. They can install another system rom because of the unlocked bootloader and return my phone, and assuming i am stupid enough to unlock the phone, instead of wiping all data immediately, they can compromise the security of the phone.

I don't know if i am correct but this is my understanding of the answers in the thread.

de0u

akira If i state agency confiscate my phone they can't get access to my files because of the encryption and the strong password even if the bootloader is unlocked. They can install another system rom because of the unlocked bootloader and return my phone, and assuming i am stupid enough to unlock the phone, instead of wiping all data immediately, they can compromise the security of the phone.

What if somebody ("state agency", criminal, or household member) compromises the software while you're asleep?

Watermelon

akira If i state agency confiscate my phone they can't get access to my files because of the encryption

The encryption works differently when the bootloader is unlocked. As the GrapheneOS project account mentioned, there's also no protection of the Device Encrypted (DE) data in BFU state. Important user data is saved in Credentials Encrypted (CE) storage, though. It's my belief that if your OS hasn't been compromised (that's a wild assumption because with an unlocked bootloader an attacker has to succeed only once, ever, in compromising it to permanently compromise it), you use a strong password (not a PIN or a weak password), and the attacker finds your phone in a BFU or powered off state already, then there's nothing they can do to decrypt your CE data. Normally, with a locked bootloader, the secure element is involved in the encryption, and the verified boot key of the booted OS is also involved in the encryption. The answer that @GrapheneOS posted suggests that, with an unlocked bootloader, the former's involvement is much reduced somehow, and you can be sure that the latter is definitely not involved because the OS isn't identified or verified with a key at all. I'm interested to see what @GrapheneOS has to say about this.

akira They can install another system rom because of the unlocked bootloader and return my phone, and assuming i am stupid enough to unlock the phone, instead of wiping all data immediately

Wiping your data would do nothing to secure “your” “phone”. You go into a phone shop. You buy a Pixel phone to install GrapheneOS on it. How can you know it's an authentic, untampered Pixel phone? The state confiscates your phone. They want to attack you and get all your data. They give you a device looking like your phone. How can you know it's your authentic, untampered Pixel phone?

Purchasing an authentic Pixel phone, not a counterfeit or something that has a hardware modification that spies on you, is very important. Why are you willing to “buy” a “phone” from a state attacker that you know (once they actually confiscate your phone) are trying ti get your data? This makes no sense and there's absolutely nothing you can do to secure the device they give you. Throw it to the trash and buy a new one.

akira I don't know if i am correct but this is my understanding of the answers in the thread.

You seem very concerned with your security. You need to lock your bootloader.

« Previous Page Next Page »