Locking the bootloader after installation

Why is it not possible to lock the bootloader after installation? Some banking apps check this before starting.
GrapheneOS has this feature: Web installer | Install | GrapheneOS

Hi!
I’m new here but I think you must use an official build to do that!

Although I’m using one on my Pixel 8 and have problems locking the bootloader. :roll_eyes:
Still looking for the solution.

./fastboot flash avb_custom_key ../pkmd_pixel.bin
Warning: skip copying avb_custom_key image avb footer (avb_custom_key partition size: 0, avb_custom_key image size: 520).
Sending 'avb_custom_key' (0 KB)                    OKAY [  0.001s]
Writing 'avb_custom_key'                           (bootloader) avb custom key: flash done
OKAY [  0.059s]
Finished. Total time: 0.063s

./fastboot flashing lock
FAILED (remote: 'invalid android images, skip locking')
fastboot: error: Command failed

@MarcelloT please

Good hint :slight_smile:

Here’s the information.
Phone: Pixel 8
/e/OS version: 2.8-a14-20250219469961-official-shiba

First I installed /e/OS via Easy Installer which went pretty well until it got stuck in an endless loop. It could not enter Recovery Mode or Rescue Mode, only Fastboot was possible.

Then I downloaded “IMG-e-2.8-a14-20250219469961-official-shiba.zip” and ran “flash_shiba_factory.sh”. After that /e/OS booted and everything is fine now.

The only thing that’s left is locking the bootloader.

Any ideas? :slight_smile:

Thanks!!

@manoj, the documentation has not yet been modified according to the recent change of installation method, which is no longer by recovery but by install_script.

Hello @Lightning, Welcome to this forum.

The instruction to use the install_script is to execute

chmod +x flash_shiba_factory.sh && ./flash_shiba_factory.sh

Then, if you choose to relock the bootloader (that has disadvantages),

reboot to fastboot and run the following:

Official Instructions

According to Install /e/OS on a Google Pixel 8 - “shiba”

Locking the bootloader

Warning: The bootloader is lockable in official builds only. The procedure to lock the bootloader will not work on community builds.

In /e/OS recovery main screen:

  1. Select Advanced
  2. Select Reboot to bootloader

Once the device is in fastboot mode:

  1. Verify your PC finds it by typing:
     fastboot devices

Tip: If you see no permissions fastboot while on Linux or macOS, try running fastboot as root.

  1. Download the avb custom key
  2. Erase the previous key: fastboot erase avb_custom_key
  3. Flash the new key previously downloaded: fastboot flash avb_custom_key pkmd_pixel.bin
  4. Lock the device: fastboot flashing lock
  5. Use the volume key to select Lock the bootloader

Reboot the device

  1. Use power button to Start the device

The reboot process may take 5 - 10 minutes

Disabling OEM Unlocking.

Once you boot your device after locking bootloader:

  1. Finish SetupWizard
  2. Go to Settings > About phone > Build number.
  3. Tap the Build Number option seven times until you see the message You are now a developer! This enables developer options on your device.
  4. Return to the previous screen and go to System to find Developer options at the bottom.
  5. In Developer Options, turn OEM Unlocking off.

Success: Congratulations !! Your phone should now be booting into /e/OS !!

1 Like
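The fastboot log earlier in the thread reports "avb_custom_key image size: 520", which is the size of an AVB RSA-2048 public key blob: an 8-byte header (key size in bits, n0inv), then a 256-byte modulus and a 256-byte Montgomery value, all big-endian. As an added example (not code from this thread or from the /e/OS project), the Python check below validates that layout for a downloaded key file before it is flashed and returns its SHA-256; the sample modulus is constructed for illustration and is not a real key.

```python
import hashlib
import struct

def encode_avb_pubkey(n: int, bits: int) -> bytes:
    """Build a blob in the AVB layout (used here only to construct a sample)."""
    nbytes = bits // 8
    n0inv = (-pow(n, -1, 1 << 32)) % (1 << 32)   # -1/n mod 2^32
    rr = pow(1 << bits, 2, n)                    # (2^bits)^2 mod n
    return (struct.pack(">II", bits, n0inv)
            + n.to_bytes(nbytes, "big") + rr.to_bytes(nbytes, "big"))

def parse_avb_pubkey(blob: bytes) -> dict:
    """Parse an AVB public key blob and reject anything inconsistent."""
    if len(blob) < 8:
        raise ValueError("too short for the 8-byte AVB key header")
    bits, n0inv = struct.unpack(">II", blob[:8])  # two big-endian uint32
    if bits not in (2048, 4096, 8192):
        raise ValueError(f"unexpected key size: {bits} bits")
    nbytes = bits // 8
    if len(blob) != 8 + 2 * nbytes:               # 520 bytes for RSA-2048
        raise ValueError(f"length {len(blob)}, expected {8 + 2 * nbytes}")
    n = int.from_bytes(blob[8:8 + nbytes], "big")
    rr = int.from_bytes(blob[8 + nbytes:], "big")
    if n.bit_length() != bits or n % 2 == 0:
        raise ValueError("modulus is not an odd number of the declared size")
    # Both Montgomery constants are derived from n, so a corrupted or
    # truncated download fails at least one of these checks.
    if n0inv != (-pow(n, -1, 1 << 32)) % (1 << 32):
        raise ValueError("n0inv does not match the modulus")
    if rr != pow(1 << bits, 2, n):
        raise ValueError("rr does not match the modulus")
    return {"bits": bits, "size": len(blob),
            "sha256": hashlib.sha256(blob).hexdigest()}

# Constructed sample: an odd 2048-bit number, NOT a real RSA modulus
# and not the /e/OS key.
SAMPLE_N = (1 << 2047) | 0x12345677
SAMPLE_BLOB = encode_avb_pubkey(SAMPLE_N, 2048)

if __name__ == "__main__":
    import sys
    # With a path argument, check a downloaded key file; otherwise the sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_BLOB
    print(parse_avb_pubkey(data))
```

Passing this check only rules out a truncated or corrupted key file; it does not show that the key matches the images flashed to the device.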

Graphene can lock the boot loader because they support only a limited number of phones that are all Pixels. I think with eOS, like was said, it’s “official” that can be locked.

Could always search the internet to see if phones other than Pixel have been locked, that may apply to eOS also…

2 Likes

The document has been modified it needs to be published. Should be released in the next couple of days.

3 Likes

It’s possible if you choose your /e/OS device accordingly … [LIST] Devices where bootloader can be relocked .

GrapheneOS also chose their supported devices accordingly. It’s always good to keep in mind that they support a very limited set of devices to be able to provide their set of features … https://grapheneos.org/faq#supported-devices

4 Likes

That’s what I did and this led to the mentioned error.

Maybe the avb custom key is not correct as it is the same for all devices.

Hi there!

Found a solution for my problem! :partying_face:

I installed /e/OS based on Android 14 while the stock Android version on my device already was 15.
That’s why the /e/OS Installer failed and the device ran into an endless loop.
Also it was the reason why the bootloader couldn’t be locked again by the installation script.

I used the Android Flash Tool to downgrade to version 14 and after that the /e/OS Installer finished without problems including bootloader locking.

Thanks for your support! :beers:

It would be great to add this prerequisite to the installation documentation.

2 Likes

Did you check security patch before installation?

No, started the installation immediately.

I thought the Android version is irrelevant but I also still never tried to understand the Rollback protection or what it is called

On Pixel, anti-rollback protection seems to be effective regarding OTA / recovery installation,
but not if you flash the entire Stock firmware / OS (unlike Samsung).

Hi @Lightning ,

I actually did the exact same yesterday (running flash_shiba_factory.sh) with my new Pixel 8 (only I was using the in the meantime latest image IMG-e-2.9-a14-20250321478214-official-shiba.zip) and ran into the same issue while trying ‘fastboot flashing lock’.

But actually my original stock Android version on my device was Android 14 (I had the upgrade to 15 available in settings but didn’t do it).

Is there anything else you did to resolve the issue? May I ask on which OS you used the /e/OS Installer since that didn’t work for me from the very beginning (got stuck while trying to connect to fastboot at the first step after downloading). I used it on Linux (Debian).

Thanks

Hi @moe ,
in the meantime I installed another Pixel 8 and ran into the same problem as you.
After flashing the device by running the script “flash_shiba_factory.sh” from the image file I wasn’t able to lock the device again.
I think the installation manual describes different steps than the /e/OS Installer performs for locking the device.

I finally achieved a successful installation with the following steps:

  1. Restart computer and Pixel and don’t use local adb or fastboot to check the connection (I did once and then /e/OS Installer failed with fastboot or adb sideloading and this couldn’t be fixed again → start from the very beginning)
  2. Install stock android 14 with Android Flash Tool
  3. Restart computer and Pixel again, don’t use local adb or fastboot to check the connection
  4. Use /e/OS Installer for installation and follow the instructions exactly, don’t do anything different (I did once and then I had to start again from the very beginning… :wink:)
    Be careful: Clicking the text field somewhere is sometimes recognized by the Installer as if you clicked the “Continue” button
  5. If one step fails in /e/OS Installer, go back to step 1
  6. Good Luck to get a bootloader-locked Pixel 8 with /e/OS!

I used Linux (openSUSE) and Google Chrome for /e/OS Installer.

1 Like

Sounds like the *.sh file has an issue :thinking::thinking:

e/OS/Installer does it like manually just with guidance.

Thanks a lot @Lightning for the detailed instructions. Tried to follow them, but I actually get the same error in Android Flash Tool as I get with the /e/OS Installer: It works until the phone restarts in boot mode and on next connect there is always a connection error, no matter what I do (I did not use the local fastboot or adb).

Maybe it is because I need sudo locally to run fastboot, otherwise I get permission errors. Did you have to use sudo for fastboot too?

I am using Linux (Debian) and Google Chrome, so setup actually sounds quite similar. I’ll have a try on a Windows machine to check if I get the same error there.

You might check this recommendation Installing E/OS on FP5 with Web Installer Fails "Error on step: connect-bootloader - #58 by aibd

Hi @moe,
you’re right.
Adb and fastboot must be executable with user permissions (without ‘sudo’).
Good luck.