Concern about disabling OEM unlock

pixelbomb

I saw in the installation guide it is recommended to disable OEM unlock. Typically I leave this enabled on my devices in case the OS fails to boot I can unlock the bootloader and reflash it. If unlock is disabled and the OS can not boot (even if it's unlikely with A/B) will the device be bricked? Is there any recovery procedure for this scenario to quell my fears? What is the risk level of leaving OEM unlock enabled?

Thanks.

[deleted]

I personnally keep OEM unlocking enabled so that if an update fails and my device is broken, I can unlock the bootloader to reflash it.
disabling OEM unlock prevents anyone why steals your phone from reusing it and scanning the storage, but if a bad update happens and your device can't boot, it's bricked.

As the storage is encrypted and unlocking the bootloader erases the storage, I keep it enable to make sure I don't lose my phone but high qualified engineers may be able to get some data, but it would be very complicated.

spring-onion

As you mentioned, if an update fails to install your phone will fallback to the other boot slot, undoing the changes. But factory resetting is always an option too, head into fastbootd (bootloader), open recovery mode, press the power button and the volume up button together and let go. This is also how people gain access to their device if they forget their password/pin.

pixelbomb

spring-onion

So there is a factory reset capability even with bootloader locked? That is a bit reassuring unless something can go wrong to prevent recovery mode.

spring-onion

Yes. I also forgot to mention, sideloading is an option too.

matchboxbananasynergy

Leaving OEM unlocking enabled exposes additional attack surface in the bootloader. When you enable it, some commands are disabled that wouldn't otherwise be.

The recommendation is to disable this as per the guide - it's mentioned there for a reason.

DeletedUser80

Further clarification on OEM unlocking from strcat on Matrix.

The only situation where it's helpful to leave OEM unlocking enabled is if your SSD fails; corrupting your OS but not your firmware.
Disabling OEM unlocking doesn't improve security significantly so you may leave it enabled for peace of mind.
It's safe and good practice to disable OEM unlocking.