If you are using /e/ the bootloader must stay unlocked because /e/ doesn’t have native support for verified boot. Verified boot is required to lock the bootloader after installing /e/.
Verified Boot is important for true device security and privacy. Any mainstream stock OS will use verified boot. It is counterintuitive to replace a stock OS with a “secure” OS that lacks stock OS security features.
How can verified boot be set up or /e/ to enable locking the bootloader?
We already had a look about this point. Unfortunately, it seems a bit difficult to lock the bootloader with another ROM than the official one. Please feel free to open an issue on our GitLab to discuss about that.
First of all, it’s just dangerous, because in case of any serious OS malfunction, your phone could be totally bricked. Also, if I understand it correctly, it is not possible to combine TWRP with a locked bootloader on the modern A/B devices, so this installation method isn’t suitable if Verified Boot is on. (There’s probably a way to sign TWRP with the same key to make it work, but I’m pretty unsure about that.)
Simply use encryption and make a complete reinstallation (includes recovery) if your device has been out of your sight for a long time in suspicious hands.
i think if its possible even for just a selected few devices to re-lock the bootloader it would be nice. @e.follower encryption is cool, but locked bootloader is cooler. One of the things I heard Gael say over and over is that /e/ is targeting average users, not just geeks. Locking the bootloader and therefore skipping the boot message saying “your phone is at risk” would definitely help giving the OS a more professional image that’s a viable alternative to pre-installed android or IOS.
There are only a small number of devices which are known to relock the bootloader. I am trying GrapheneOS on a Pixel 2 and the locked boot loader definitely looks more developed than the unlocked bootloader. It is also quite important for security as it closes a large door for hacking attempts. Note that CalyxOS also supports a locked bootloader.
The locking of the bootloader on Pixels (and Nexus before that) is there as these are the devices used to develop Android. It is thus necessary for a developer to be able to lock and unlock as required to modify the system easily. Other manufacturers have little incentive to offer such functionality.
@archie as much as you dislike G-devices they are what Android is developed for, and while I too was reluctant to go with the Pixel at the start, android and derivatives run extremely well on them. And in the end we are using a G developed OS.
@anon84098008, I appreciate the services that Google has provided for the Internet and Android. But Google has developed such a great supremacy, or in other words, monopolistic market structure, which is not conducive to a free society.
Years ago, I was still using various Google services. For years I haven’t even used the really fantastic G-Serach, no G-Mail, no G-Hardware. Google’s “Don’t be evil” is no longer true for me. By the way, my attitude also applies to Amazon, Facebook, Twitter & Co.
I agree, we can say a lot of bad things about Google when it comes to privacy, but their security is quite ok. Verified Boot is also done at OEM-level:
Verified Boot strives to ensure all executed code comes from a trusted source (usually device OEMs), rather than from an attacker or corruption. It establishes a full chain of trust, starting from a hardware-protected root of trust to the bootloader, to the boot partition and other verified partitions including system , vendor , and optionally oem partitions. During device boot up, each stage verifies the integrity and authenticity of the next stage before handing over execution.
In addition to ensuring that devices are running a safe version of Android, Verified Boot checks for the correct version of Android with rollback protection. Rollback protection helps to prevent a possible exploit from becoming persistent by ensuring devices only update to newer versions of Android.
In addition to verifying the OS, Verified Boot also allows Android devices to communicate their state of integrity to the user.
When the e.foundation starts to work with OEM’s that provide /e/ on their phones they will probably talk about verified boot.