[deleted]
ujjayi Do not use an OS that forces to keep the bootloader open
ujjayi Do not use an OS that forces to keep the bootloader open
I guess the last part about the DivestOS developer sticking to GrapheneOS says a lot. Thanks.
ujjayi To be clear, Tad (DivestOS lead dev) doesn't use GrapheneOS. They use DivestOS, but that's because they're just used to it, not because they think it's superior. What I meant to say there is that they recommend GrapheneOS over their own OS to others if they can get a Pixel.
In their own words:
https://divestos.org/index.php?page=patch_levels
Furthermore GrapheneOS is a substantially hardened operating system. DivestOS includes some of the security features from GrapheneOS along with its own.
Such hardening changes can prevent exploitation of both known and unknown issues and are not found in LineageOS, CalyxOS, or most other aftermarket systems.
If you are choosing an operating system for security the order is GrapheneOS, then DivestOS, then official LineageOS, with the choice depending on what device you have or can acquire/afford.
At the potential cost of freedom and/or privacy, you may even want to consider the stock OS as long as it is not end-of-life.
[deleted] Do not use an OS that forces to keep the bootloader open
An open bootloader carries a very specific risk. If your threat model includes the possibility of a sophisticated actor (nation state) getting physical access, then yes.
If not, it really isn't a high risk for those with a more common threat model.
Graphite An unlock bootloader doesn't only expose you to physical access vulnerabilities. This is a common perception, but is not really correct.
With my utmost respect to the other posters and their suggestions, I only say this from my perspective.
Don't let security be the determining factor for you. Instead consider which hardware and what software options you will have, and how "robust" the privacy is. I don't know how much better that one plus phone is compared to a pixel. Nor do I know any of the features and privacy elements of DivestOS. But I can tell you after I considered a number of OSes, what made me go with graphene wasn't mainly the security ( that was a bonus). It was the the price to start, software compatibility and the amount of flexibility it offered. Because of its Sandboxed Play, it means I will not run into future "FORCED TO HAVE" apps not working.
GrapheneOS has:
The pixel has these issues though: (6a)
Anyway, Consider whats important to "YOU" and think of the future, your wallet, and realism. Actually really think of your app needs and their compatibility and your privacy goals. Don't fall for "better hardware" hype-trains either.
I'm blown away how close this phone is to a non-privacy phone and little compromise there is. I'm glad I didn't go with some of the other systems.
matchboxbananasynergy doesn't only expose you to physical access vulnerabilities
What would be the remote exploit be?
The permissions denial part is a huge point, also the maintenance with the swift updates and all, and I'd add community and support/discussion channels being important too.
I'm also curious about any possible remote access cos of an unlocked bootloader tho!
The main threat model for verified boot is a remote attacker compromising the device. It prevents them modifying the OS or directly persisting with root/system level access. Factory reset purges their access.
The purpose of preventing them directing persisting privileged access is to force them to exploit the OS again at each boot, which makes their control much more fragile and much easier to detect. It combines well with reduced trust in persistent state and hardware attestation.
https://nitter.lacontrevoie.fr/GrapheneOS/status/1621463829229047810
Thanks. That's specifically for Verified Boot.
I have not tested this out myself, so I don't know. Once you unlock the bootloader, are you saying verified boot is completely disabled? Or is it just that verified boot continues to work, but can now be bypassed with physical access to the device?
Thank you for the information. I'd love to know the details.
Locking the bootloader is important as it enables full verified boot. It also prevents using fastboot to flash, format or erase partitions. Verified boot will detect modifications to any of the OS partitions and it will prevent reading any modified / corrupted data. If changes are detected, error correction data is used to attempt to obtain the original data at which point it's verified again which makes verified boot robust to non-malicious corruption.
Graphite Verified boot is not enforced with an unlocked bootloader. Being able to lock the bootloader is the bare minimum to ensuring that the device is reasonably secure, and it is very unfortunate that locking the bootloader has become synonymous with physical threats, when that is simply not true. The entirety of the security model depends on the bootloader being locked, so that verified boot can be enforced, and you go from there. It does not stop at physical access at all.
Ok, thank you. I think I understand better now. Verified boot, which is extremely important even against remote attackers, is wholly dependent on a locked bootloader. And an unlock bootloader makes the device vulnerable to more than just physical attacks, because it disables verified boot.
Thanks for taking the time to clarify.
ujjayi just to clarify: several OnePlus devices CAN lock its bootloader. For example hotdog(g) can.
steadfasterX While it was possible to relock the bootloader of older OnePlus devices, verified boot was done in a completely insecure way. They attempted to fix this on newer devices by completely removing support for alternate operating systems.
intelligence Those claiming that unlocked bootloader is more susceptible to remote attacks is missing a key piece;
I don't believe people are claiming this. I believe they are stating that a locked bootloader and verified boot are a better defense against persistence. In other words, two similar devices with one locked and the other unlocked are similarly susceptible to remote compromise; however, the locked device with verified boot will be more resistant to persistence.
intelligence if somebody is able to compromise the device to the extent where they can take advantage of the unlocked bootloader, they will be able to install their own avb key or some other trickery as well. In my opinion, trusting a locked bootloader to provide you with ANY additional security is giving you a FALSE sense of security.
My understanding of a locked bootloader is that it would actually prevent the loading new signing keys. Or, that it would at least detect the tampering at reboot. So, in this case, the locked bootloader would provide additional security over an unlocked bootloader.
Do you have any reference material on any existing proofs of concepts or exploits that installed their own key and signed images that bypassed a locked bootloader?
Confusing. Seems like comments are being deleted.