Hi @amoun thanks for replying.
You are right, in the thread I’ve linked to they discuss this specific case where someone has unlocked their bootloader. However, in the post I linked to from @Micka he explains that “Fairphone 3 does not have ‘secure boot’ enabled ”
I would like to clarify that unlocking and locking the bootloader and having secure boot are two different kind of security concepts and measurements. In principle even a locked bootloader would not protect you from an Evil maid attack if a sufficiently powerful and motivated adversary would implement it.
I’m not directly worried that someone can read my encrypted data if I just loose my phone.
I’m more worried that the following happens:
Adversary gets physical access to my phone and installs some kind of very low level malware that gets executed through the bootchain (again, this is possible even in the presence of a locked bootloader as long as there is no cryptographically verified boot chain (aka. secure boot or verified boot)
I don’t notice the attack and use my phone normally afterwards. This means I enter my decryption passwords.
The malware can then potentially log my passwords and could leak the password alongside all other information on my phone to the adversary.
I don’t think so.
While in the stackexchange post it’s explained that:
Android Boot Loader
Provided by the OEM
Contains a public key that is used to verify the integrity of the kernel/OS (aka ROM) before loading it. However if Aboot is “unlocked” any ROM can be loaded)
The problem is according to these posts:
Fairphone simply did not enable secure boot on the Fairphone 3.
Also, to be even more precise I would actually like to know whether the Fairphone 4 has support (as in: it’s possible to activate it) for verified boot with alternative operating systems (like for example: /e/OS, Lineage OS, CalyxOS or GrapheneOS)
And yes, I know the device is very new and there are no alternative OS. But they will come in the future and this basically makes or breakes my purchase decision.
The Google Pixel phones for example have this feature, but I’d rather give my money to Fairphone.
And do let us know the answer @Free. I’m interested in this as well. It does come with a Qualcomm SoC, which does have a secure enclave option I suppose to verify the ROM at boot securely. My Pixel 3 has a Titan security chip, I also don’t want to downgrade in terms of security. Since it is your personal life in that phone.
I’m also very much interested in this question, because of the thread of me you’ve quoted already.
As people said already, there is more to verified boot than just a locked bootloader (which you can usually/hopefully lock and unlock in the bootloader, which always formats your device (also for locking, keep that in mind, y’all!)), when that was enabled in the OS.
I asked the official Fairphone Support whether the Fairphone 4 supports verified boot/secure boot with a custom (user-defined) key and they said ‘yes’.
This means that ROMs can install their own key which opens the path to more secure custom ROM experiences and automatic updates with a locked bootloader. As far as I know, the only other series of devices to allow this properly are the Google Pixel phones. As they are not available in many countries this makes the Fairphone 4 pretty unique and an exciting phone for custom ROM development.
My personal hope is that this might lure in privacy/security focused ROMs like CalyxOS or GrapheneOS to support the Fairphone 4.
This is their official responds:
As I understand it, your questions was:
Is it possible to have a functioning android verified boot by allowing the use of a custom key and a properly verified key during the boot process?
After investigating with the product team, the answer is:
Yes, installing a custom “avb_custom_key” onto Fairphone 4 and locking the bootloader again is possible.
FP4 will then verify the integrity of the custom image against the key in “avb_custom_key.”.
However, after locking the bootloader, FP4 will still show a yellow warning message saying:
“Your device has loaded a different operating system.”. You can find more details here.