Security implication of leaving OEM unlocking enabled?

u84468575

Hi,

I'm interested in knowing the security implication of leaving "OEM unlocking" enabled.
My understanding is that it (only?) allows the fastboot command "fastboot flashing unlock", to replace the OS / flash from fastboot, but since this command results in the device being wiped after being entered, this would not compromise data?
In the other hand, leaving "OEM unlocking" enabled would prevent from bricking the device in case an upgrade of the installed OS prevent it from booting?
But I also understand that having "OEM unlocking" enabled is removing a layer of security, as if fastboot fails to wipe the device then data could be compromised (like on some Xiaomi devices, where you had to boot in fastboot twice keeping the volume button pressed to prevent the wipe).
I'm sure there's other considerations?

Alex

treequell

u84468575 "OEM unlocking" enabled would prevent from bricking the device in case an upgrade of the installed OS prevent it from booting?

That will not brick the device. If the OS fails to boot after an upgrade, it will rollback to the previous version. And failing that, you can sideload the latest release from recovery mode.

u84468575

treequell And failing that, you can sideload the latest release from recovery mode.

No way to screw that due to anti-rollback?

What about the other questions, are the assumptions correct?

csis01

treequell That will not brick the device.

You mean except if it increments the anti-rollback counter and then gets rolled back, probably manually, like what was happening to a lot of P6's.

treequell

u84468575 No way to screw that due to anti-rollback

When you sideload it's important to make sure you sideload the correct image. Instructions to do so are given on the GrapheneOS website, but if you're unsure, you can visit the Matrix chatroom to ask for support there.

u84468575 What about the other questions, are the assumptions correct?

It's correct that leaving OEM unlocking enabled will reduce your security. I'm not sure about the specifics, but I know that the developmemt team strongly recommended that you disable OEM unlocking. It's one of the post-installation steps in the install guide.