brunoais 334 Posted October 28, 2020 Share Posted October 28, 2020 (edited) According to the PRO¹-x FAQ Quote Does Lineage OS Pro1-X come with a locked bootloader? LineageOS Pro1-X comes with an unlocked bootloader. To lock the bootloader, you will need to flash the official Android firmware and then lock it from there. Why does LOS come with an unlocked bootloader without locked bootloader option? From the documentation I read, it's up to the ORM to decide on what img can be used to lock the bootloader. Given that F(x)tec is the OEM, you should be able to ship with a locked bootloader and LOS which can allow having root capabilities and a locked bootloader at the same time.... Which can allow full freedom and SafetyNet attestation to pass (if the user installs SafetyNet by himself, ofc)! Am I missing something here? Sources: https://source.android.com/devices/bootloader/locking_unlockinghttps://source.android.com/security/verifiedboot/verified-boothttps://source.android.com/security/verifiedboot/boot-flow ADD: I don't mind "custom OS" warnings. I think it's good even. But a locked bootloader would be very welcome... Please? Tagging @Erik for hope Edited October 28, 2020 by brunoais Typo fix 2 1 Quote Link to post Share on other sites
netman 1,424 Posted October 28, 2020 Share Posted October 28, 2020 Why would you want a locked bootloader with Lineage though? To me it sounds like more trouble than it's worth, although I think it'd be possible if you sign the images with your own keys. Quote Link to post Share on other sites
EskeRahn 5,427 Posted October 29, 2020 Share Posted October 29, 2020 2 hours ago, netman said: Why would you want a locked bootloader with Lineage though? @ToniCipriani posted in another thread on BYOD to a company requiring it to be locked. 1 1 Quote Link to post Share on other sites
Hook 2,945 Posted October 29, 2020 Share Posted October 29, 2020 9 minutes ago, EskeRahn said: @ToniCipriani posted in another thread on BYOD to a company requiring it to be locked. I could be wrong, but in my experience, Lineage wouldn't fly for a company BYOD device no matter what state the bootloader is in. 1 2 Quote Link to post Share on other sites
FlyingAntero 869 Posted October 29, 2020 Share Posted October 29, 2020 The reason might be that Google does not allow to ship Lineage OS (LOS) phone with locked bootloader. LOS is not compatible with CTS since it is missing Google Mobile Services (GMS). In the past Google has denied OEMs to ship phones with non-CTS Android version if they want to use keep GMS licence for other phones. See the YunOS (aka Aliyun OS) and Fire OS cases below. Google’s iron grip on Android: Controlling open source by any means necessary Quote While it might not be an official requirement, being granted a Google apps license will go a whole lot easier if you join the Open Handset Alliance. The OHA is a group of companies committed to Android—Google's Android—and members are contractually prohibited from building non-Google approved devices. That's right, joining the OHA requires a company to sign its life away and promise to not build a device that runs a competing Android fork. Acer was bit by this requirement when it tried to build devices that ran Alibaba's Aliyun OS in China. Aliyun is an Android fork, and when Google got wind of it, Acer was told to shut the project down or lose its access to Google apps. Google even made a public blog post about it: "While Android remains free for anyone to use as they would like, only Android compatible devices benefit from the full Android ecosystem. By joining the Open Handset Alliance, each member contributes to and builds one Android platform—not a bunch of incompatible versions." This makes life extremely difficult for the only company brazen enough to sell an Android fork in the west: Amazon. Since the Kindle OS counts as an incompatible version of Android, no major OEM is allowed to produce the Kindle Fire for Amazon. So when Amazon goes shopping for a manufacturer for its next tablet, it has to immediately cross Acer, Asus, Dell, Foxconn, Fujitsu, HTC, Huawei, Kyocera, Lenovo, LG, Motorola, NEC, Samsung, Sharp, Sony, Toshiba, and ZTE off the list. Currently, Amazon contracts Kindle Fire manufacturing out to Quanta Computer, a company primarily known for making laptops. Amazon probably doesn't have many other choices. Google has allowed individual customers to flash whatever they want to their phones by unlocking bootloder. Then custom ROM users can whitelist their device to use Google services if needed. Google now blocks GApps on uncertified devices, but lets custom ROM users be whitelisted For OEMs this has not been possible. So maybe Google allows F(x)tec to ship Pro1-X with Lineage OS if the bootloader is not locked and they will not lose their licence for stock Android? Situation might be handled like with custom ROM users? In the EU, Google was recently forced to allow OEMs to use also non-CTS Android while using CTS Android on other phones. I don't know if that is possible on the rest of the world? Complying with the EC’s Android decision Quote Going forward, Android partners wishing to distribute Google apps may also build non-compatible, or forked, smartphones and tablets for the European Economic Area (EEA). 2 Quote Link to post Share on other sites
brunoais 334 Posted October 29, 2020 Author Share Posted October 29, 2020 @FlyingAntero Thank you. Given that ruling, F(x)tec, from a legislative perspective, can ship with LOS with locked unlockeable bootloader to the shipments in EEA. Tbh, I don't mind locking it myself as long as I don't get a brick and it helps passing SafetyNet attestation. 6 hours ago, Hook said: I could be wrong, but in my experience, Lineage wouldn't fly for a company BYOD device no matter what state the bootloader is in. Maybe it can fly locked to the EU 😄... Or even unlocked but I can just run the adb commands to lock it right before I use it. 1 1 Quote Link to post Share on other sites
ToniCipriani 194 Posted October 29, 2020 Share Posted October 29, 2020 (edited) 19 hours ago, Hook said: I could be wrong, but in my experience, Lineage wouldn't fly for a company BYOD device no matter what state the bootloader is in. Depends how the device management is configured. Some are draconian where you can't even be 1 or 2 versions of Android behind, some are basically free for all and does a simple root check, it comes down to the IT guys. I've seen cases back then where BlackBerry Android devices were blocked because some IT management thought those ran BB10, lol. Edited October 29, 2020 by ToniCipriani Quote Link to post Share on other sites
tdm 2,322 Posted October 30, 2020 Share Posted October 30, 2020 Yes it would be possible to ship LineageOS with a locked boot loader. This basically means that the boot loader would ensure that the boot partition (kernel and recovery, mostly) is bit-for-bit as shipped by the factory. It does not necessarily mean that the contents of any other partitions (system, vendor) would be locked. It could be configured to do so, but that requires other security measures -- most notably verity, which LineageOS disables to allow add-ons to be installed. Now, what would that gain you? I'm not exactly sure. I don't see how this improves security unless you are worried about someone slipping a hacked kernel onto your device. LineageOS does not pass SafetyNet as shipped, so you would surely not be able to use the device with banking apps or enroll in BYOD. Some LineageOS users install magisk to get around SafetyNet, but I believe magisk installs a custom boot partition, so that would not work either. If you are imagining the device shipping with LineageOS and GMS (gapps), this is surely not going to happen. LineageOS would take quite a lot of work to pass Google certification. It would be a much wiser choice to take some LineageOS patches into stock to make stock look and behave better. 1 4 Quote Link to post Share on other sites
brunoais 334 Posted October 30, 2020 Author Share Posted October 30, 2020 (edited) 15 hours ago, tdm said: LineageOS does not pass SafetyNet as shipped, so you would surely not be able to use the device with banking apps or enroll in BYOD. OK. My intent is moot, then. I thought it didn't pass because the bootloader had to be unlocked. If I need to run SafetyNet approved apps (probably will, as usual), I'll get a very cheap smartphone (<100$) to run SafetyNet sensitive apps and remote access to it using adb. This method is less secure than doing it on LOS but passes SafetyNet attestation. Speaking from experience with my remote connections to my current phone from my PC using my VPN and scrcpy. Edited October 30, 2020 by brunoais Quote Link to post Share on other sites
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.