Fairphone 3 and DivestOS Secureboot and Verified Boot... I don't really understand

Hello,
I’ve installed DivestOS on FP3. In Fastboot Mode SECURE BOOT is disabled. I can lock the DEVICE STATE but no ID is shown while booting. Where can I enable the “Verified Boot” to see the hash? Or was something wrong while flashing? It was only running up to 94%.
Can somebody help me with this?

Thanks,
Sebastian

Secure boot is unrelated to verified boot and can only be controlled by the vendor.
Fairphone wrongly did not enable secure boot on the FP2 and FP3.

Verified boot does work on FP3 as long as the operating system supports it. Only DivestOS, CalyxOS, and iodeOS support it properly, others use insecure test-keys.

94% is successful for the sideload in DivestOS.

You must relock to enable verified boot and then you’ll see the fingerprint which you can match against here: Verified Boot Hashes - DivestOS Mobile

Please be aware that unlocking and relocking will wipe the device, so please back up anything you’ve set up.

5 Likes

Thanks for answering. That’s what I did. I relocked the device but I still can’t see the hash-ID. Still shows “ID:”.
On both devices I did… I don’t know. I reflashed the avb_custom_key file, but still the same.

Sebastian

Now I started the system, took the phone to WLAN, went to the updates. Last update was shown. 11. November 2024. But I installed this image…
I installed the update, restarted the phone and it still comes up with this update in the update list…
Now I try the installation for the second time.
Exactly the same. Still comes up with this installable update.

Sebastian

@SebWit
this is documented on the website: Broken - DivestOS Mobile

  • The Updater will show the currently installed update, this is expected.

please don’t keep reinstalling it.

2 Likes

Okay. Interesting behaviour. So this won’t even fix my problem. :smiley:
But why are the hashes not being displayed?
I don’t understand.

Sebastian

I think that is another FP3 vendor issue since they didn’t support verified boot on the stock OS either.

1 Like

Okay, but on Devices - DivestOS Mobile you can read:

  • Verified Boot: 2.0

A little confusing.

Sebastian

@SebWit
yes, DivestOS supports verified boot on the FP3
but Fairphone did not correctly configure the bootloader to 100% support it, because they wrongly used test-keys in their production build.

3 Likes

Okay, I will ask the fairphone support to verify this.
Thanks a lot for your answers.

Sebastian

It was discussed here last time in 2022, although in regards to the FP4: Bootloader // AVB keys used in ROMs for Fairphone 3+4 - #11 by SkewedZeppelin

3 Likes

Interesting. Thanks a lot.
But why did I copy the avb keys while flashing?

  1. $ fastboot erase avb_custom_key
  2. $ fastboot flash avb_custom_key avb_pkmd-fp3.bin

That’s a little confusing.

Sebastian

@SebWit
because the key is still necessary for it

3 Likes

Fairphone Support answered the following:

  • First of all, it’s great to hear that “everything works fine” with DivestOS on your FP3.
  • Regarding “Verified Boot”, it is actually working as intended. The yellow warning screen you’re seeing is the expected behavior when using a locked bootloader with custom signing. So this is normal.
  • The point about the FP3 bootloader using different keys is correct. However, this is inherent to the design and cannot be changed on our side at this time.

It’s okay for me. Thanks for helping here.

Sebastian