undefined | Better HN

0 pointsrickdeckard8mo ago0 comments

You should read up a bit more on the matter then. The bootloader is not shipped in an unlocked state, even on a device which supports BL-unlock.

Bootloader-unlock describes a feature which supports a controlled break of the trust-chain of the device, so telling the bootloader that it should continue executing the bootshell even if the signature check has failed.

In this state the OS should continue to boot despite of this state, and applications should gracefully handle such a condition.

The crucial parts of this are also not part of AOSP, it relies heavily on the chipset manufacturer and the OS-implementation of the device-vendor.

0 comments

altairprime7mo ago

Note that “applications should gracefully handle” does include “may opt to disable some or all functionality” here, in order to protect secure credentials, comply with merchant agreements, and so on. A productive example of this to study is how macOS behaves when secure boot is disabled, by disabling a couple specific attestation-mandatory features while leaving the majority of application functionality unaltered.

j / k navigate · click thread line to collapse

0 pointsrickdeckard8mo ago0 comments

You should read up a bit more on the matter then. The bootloader is not shipped in an unlocked state, even on a device which supports BL-unlock.

In this state the OS should continue to boot despite of this state, and applications should gracefully handle such a condition.

The crucial parts of this are also not part of AOSP, it relies heavily on the chipset manufacturer and the OS-implementation of the device-vendor.

0 comments

altairprime7mo ago

j / k navigate · click thread line to collapse