Anti-rollback issue misunderstanding


I’m about to try to install /e/os on a brand new Fairphone FP5. This is a first for me, given that I’m brand new to both Fairphone and /e/os.

I’ve stumbled on the anti-rollback issue, which I do not perfectly understand. Hence I stopped the process.

Here are the informations that I have:

Now, what makes me suspicious is:

  • page states: “Downloads for FP5 /e/OS build : T stable (Security patch: 2024-02-05)”
    ==> This means to me: “do not install this version of /e/os because it is based on a security patch that is older than the one on my device”
  • while following step by step the install guide, I unlocked the bootloader of my device, and previous page mentions “Rollback protection errors are IGNORED when the bootloader is UNLOCKED.”
    ==> This means to me: “I can install this version of /e/os since the bootloader is unlocked, so that will be ignored”

So what should I do: proceed with the install? wait until the /e/os build is based on a security patch >2024-02-05 (while making sure that the phone remains in current security patch)? how about restoring or not the bootloader locking after that?

Thank you very much in advance.

Note: I browsed through the messages and read the following ones, but without fully understanding them:

  • Can I get a confirmation on anti-rollback without re-locking bootloader?
  • Two quick questions before installing /e/OS on an FP5 (anti-rollback feature + skip microg)

Do you wish and intend long term to run your FP5 with a locked bootloader ?

1 Like

Hello and thank you, @aibd.
The Reddit post you mention is very interesting, and lead me to make up my mind regarding bootloader locking: I won’t relock the bootloader, after installing /e/os.

I want to avoid my rewording of the documentation, but does looking at it like this solve the misunderstanding ?

On the other hand the group of users who do wish to relock the bootloader should follow the advice carefully. Failure to do so has resulted in reports of users having to pay for a “re-imaging service” at Fairphone, as no other user fix seems available. The point of failure is reported to come at Locking the Bootloader.

I think I see the light now.
I understand that :

  • bootloader unlocking is a requirement for /e/os installation. At that installation step, there is no risk of phone bricking, given that “Rollback protection errors are IGNORED when the bootloader is UNLOCKED."
  • If the bootloader remains unlocked from now on, there’s no more risk of phone bricking. This is my intent: no relocking of the bootloader, given that the evil maid risk treatment option is: accept (I’m a cybersecurity consultant, hence the risk analysis bias ^v^)
  • If I relock the bootloader later on, well, I don’t know what, so won’t relock the bootloader.

All in all, I will then proceed to the i/e/os installation.

Thanks a lot, @aibd.

1 Like