Locked bootloader with LineageOS hard or forbidden?

According to the PRO¹-x FAQ

Quote
Does Lineage OS Pro1-X come with a locked bootloader?
LineageOS Pro1-X comes with an unlocked bootloader. To lock the bootloader, you will need to flash the official Android firmware and then lock it from there.

Why does LOS come with an unlocked bootloader without locked bootloader option?

From the documentation I read, it's up to the OEM to decide on what img can be used to lock the bootloader. Given that F(x)tec is the OEM, you should be able to ship with a locked bootloader and LOS, which can allow having root capabilities and a locked bootloader at the same time... Which can allow full freedom and SafetyNet attestation to pass (if the user installs SafetyNet by himself, ofc)!

Am I missing something here?

Sources:

https://source.android.com/devices/bootloader/locking_unlocking
https://source.android.com/security/verifiedboot/verified-boot
https://source.android.com/security/verifiedboot/boot-flow

ADD:

I don't mind "custom OS" warnings. I think it's good even. But a locked bootloader would be very welcome... Please?

Tagging @Erik for hope

Edited by brunoais
Typo fix
The reason might be that Google does not allow shipping a Lineage OS (LOS) phone with a locked bootloader. LOS is not compatible with CTS since it is missing Google Mobile Services (GMS). In the past Google has denied OEMs to ship phones with a non-CTS Android version if they want to keep the GMS licence for other phones. See the YunOS (aka Aliyun OS) and Fire OS cases below.

Quote

While it might not be an official requirement, being granted a Google apps license will go a whole lot easier if you join the Open Handset Alliance. The OHA is a group of companies committed to Android—Google's Android—and members are contractually prohibited from building non-Google approved devices. That's right, joining the OHA requires a company to sign its life away and promise to not build a device that runs a competing Android fork.

Acer was bit by this requirement when it tried to build devices that ran Alibaba's Aliyun OS in China. Aliyun is an Android fork, and when Google got wind of it, Acer was told to shut the project down or lose its access to Google apps. Google even made a public blog post about it:

"While Android remains free for anyone to use as they would like, only Android compatible devices benefit from the full Android ecosystem. By joining the Open Handset Alliance, each member contributes to and builds one Android platform—not a bunch of incompatible versions."

This makes life extremely difficult for the only company brazen enough to sell an Android fork in the west: Amazon. Since the Kindle OS counts as an incompatible version of Android, no major OEM is allowed to produce the Kindle Fire for Amazon. So when Amazon goes shopping for a manufacturer for its next tablet, it has to immediately cross Acer, Asus, Dell, Foxconn, Fujitsu, HTC, Huawei, Kyocera, Lenovo, LG, Motorola, NEC, Samsung, Sharp, Sony, Toshiba, and ZTE off the list. Currently, Amazon contracts Kindle Fire manufacturing out to Quanta Computer, a company primarily known for making laptops. Amazon probably doesn't have many other choices.

Google has allowed individual customers to flash whatever they want to their phones by unlocking the bootloader. Then custom ROM users can whitelist their device to use Google services if needed.

For OEMs this has not been possible. So maybe Google allows F(x)tec to ship Pro1-X with Lineage OS if the bootloader is not locked and they will not lose their licence for stock Android? Situation might be handled like with custom ROM users?

In the EU, Google was recently forced to allow OEMs to also use non-CTS Android while using CTS Android on other phones. I don't know if that is possible in the rest of the world?

Quote

Going forward, Android partners wishing to distribute Google apps may also build non-compatible, or forked, smartphones and tablets for the European Economic Area (EEA).

@FlyingAntero Thank you.

Given that ruling, F(x)tec, from a legislative perspective, can ship with LOS with a locked, unlockable bootloader for the shipments in the EEA. Tbh, I don't mind locking it myself as long as I don't get a brick and it helps pass SafetyNet attestation.

6 hours ago, Hook said:

I could be wrong, but in my experience, Lineage wouldn't fly for a company BYOD device no matter what state the bootloader is in.

Maybe it can fly locked to the EU 😄... Or even unlocked but I can just run the adb commands to lock it right before I use it.

19 hours ago, Hook said:

I could be wrong, but in my experience, Lineage wouldn't fly for a company BYOD device no matter what state the bootloader is in.

Depends how the device management is configured. Some are draconian where you can't even be 1 or 2 versions of Android behind, some are basically free-for-all and do a simple root check; it comes down to the IT guys. I've seen cases back then where BlackBerry Android devices were blocked because some IT management thought those ran BB10, lol.

Edited by ToniCipriani
Yes, it would be possible to ship LineageOS with a locked boot loader. This basically means that the boot loader would ensure that the boot partition (kernel and recovery, mostly) is bit-for-bit as shipped by the factory. It does not necessarily mean that the contents of any other partitions (system, vendor) would be locked. It could be configured to do so, but that requires other security measures -- most notably verity, which LineageOS disables to allow add-ons to be installed.

Now, what would that gain you? I'm not exactly sure. I don't see how this improves security unless you are worried about someone slipping a hacked kernel onto your device. LineageOS does not pass SafetyNet as shipped, so you would surely not be able to use the device with banking apps or enroll in BYOD. Some LineageOS users install Magisk to get around SafetyNet, but I believe Magisk installs a custom boot partition, so that would not work either.

If you are imagining the device shipping with LineageOS and GMS (gapps), this is surely not going to happen. LineageOS would take quite a lot of work to pass Google certification. It would be a much wiser choice to take some LineageOS patches into stock to make stock look and behave better.

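The distinction tdm draws above (a locked bootloader checks the boot image it loads, while protecting system/vendor contents needs a verity hash tree that the kernel checks on every read) is easier to see in code. The following is an added, self-contained Python model written for this thread; it is not LineageOS, AVB or dm-verity code, and the block size, salt and image bytes are constructed stand-ins rather than real device values. It builds a Merkle hash tree over 4 KiB blocks, verifies single blocks against the root hash the way a verity-backed mount would, and shows that flipping one bit in one block is caught without re-reading the whole image.

```python
"""Toy hash-tree (dm-verity style) block verification.

Illustrative model only: the real Android on-disk hash-tree format, AVB
vbmeta descriptors and signed root hashes are not reproduced here.
"""
import hashlib

BLOCK_SIZE = 4096            # constructed: verity commonly uses 4 KiB data blocks
SALT = b"example-salt"       # constructed placeholder, not a real device salt


def _h(data: bytes) -> bytes:
    """Salted SHA-256 used for both leaf and interior nodes."""
    return hashlib.sha256(SALT + data).digest()


def _blocks(data: bytes, size: int = BLOCK_SIZE) -> list:
    return [data[i:i + size] for i in range(0, len(data), size)]


def build_hash_tree(image: bytes):
    """Return (levels, root).

    levels[0] holds one hash per data block; each higher level hashes the
    concatenation of adjacent pairs below it. An odd tail is paired with a
    copy of itself, a common Merkle-tree convention (assumption for this toy).
    """
    level = [_h(b) for b in _blocks(image)]
    levels = [level]
    while len(level) > 1:
        if len(level) % 2:
            level = level + [level[-1]]
        level = [_h(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
        levels.append(level)
    return levels, levels[-1][0]


def verify_block(image: bytes, index: int, levels, root: bytes) -> bool:
    """Re-hash data block `index` and walk its authentication path to the root.

    Only the block itself plus one sibling hash per tree level is needed,
    which is why a verity mount can check reads lazily instead of hashing
    the whole partition at boot.
    """
    node = _h(_blocks(image)[index])
    for level in levels[:-1]:
        padded = level + [level[-1]] if len(level) % 2 else level
        sibling = padded[index ^ 1]
        node = _h(node + sibling) if index % 2 == 0 else _h(sibling + node)
        index //= 2
    return node == root


def demo() -> dict:
    """Build a tree over a constructed 5-block image, then tamper with one byte."""
    image = bytes(range(256)) * (BLOCK_SIZE * 5 // 256)   # constructed sample data
    levels, root = build_hash_tree(image)

    tampered = bytearray(image)
    tampered[BLOCK_SIZE * 3 + 10] ^= 0x01                 # flip one bit in block 3
    tampered = bytes(tampered)

    return {
        "clean_all_ok": all(verify_block(image, i, levels, root) for i in range(5)),
        "tampered_block_detected": not verify_block(tampered, 3, levels, root),
        # Untouched blocks still verify: the tree localises the failure to one read.
        "tampered_other_blocks_ok": all(
            verify_block(tampered, i, levels, root) for i in (0, 1, 2, 4)
        ),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

In a real device the root hash is what gets covered by the signature the locked bootloader checks, so "locked" protects the root and the kernel, and the hash tree extends that guarantee to every block the kernel later reads. Turning verity off, as tdm notes LineageOS does so that add-ons can be written into /system, is exactly the step that removes the per-block check: the tree is never consulted, so a changed block is accepted regardless of the bootloader state.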
15 hours ago, tdm said:

LineageOS does not pass SafetyNet as shipped, so you would surely not be able to use the device with banking apps or enroll in BYOD.

OK. My intent is moot, then. I thought it didn't pass because the bootloader had to be unlocked.

If I need to run SafetyNet-approved apps (probably will, as usual), I'll get a very cheap smartphone (<$100) to run SafetyNet-sensitive apps and remote access it using adb. This method is less secure than doing it on LOS but passes SafetyNet attestation. Speaking from experience with my remote connections to my current phone from my PC using my VPN and scrcpy.

Edited by brunoais