I would be very interested in having CalyxOS on Fairphone 3 as well!
I did some investigation on the “Verified Boot with locked bootloader” requirement of the CalyxOS ticket, and here is what I found (see also here).
- Fairphone 3 does not have ‘secure boot’ enabled
- EDL is easily accessible, and a working EDL programmer is publicly known
(Interestingly, the CalyxOS ticket refers to a link that I was not aware of, but seems to have come to the same conclusions.)
The above two points mean that a ‘fully secure verified boot with locked bootloader’ seems not achievable.
However, I still hope to either be proven wrong or, at least, to maximize security within those constraints - and CalyxOS might be a great option here.
Strictly speaking, it is possible to lock the bootloader and to enable verified boot - I am currently running with this setup (using LineageOS 17.1).
In addition, it seems possible to override the built-in root of trust using our own key. I have been experimenting with this, and I found that, after setting avb_custom_key with my own key and with an image signed with:
- the default Google test keys: the verified boot status is green, suggesting that the built-in root of trust somehow trusts the Google test keys. That is unfortunate, as these are obviously available to anyone.
- my own custom avb_custom_key set: the verified boot status is ‘yellow’ - suggesting that the custom avb_custom_key indeed works. Unfortunately the ‘ID’ field on the yellow boot screen is empty, making it impossible to do a visual verification of the key used.
- another avb key (other than the Google test keys or my trusted user key): the system does not want to boot that image and falls back to the known good image in the other slot - suggesting that it is indeed not trusting the image.
I’d be very interested in any comments on the above, or comments/tips to further secure the verified boot process in general.
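Since the post reports that the yellow screen's ID field is empty, the following added example (not part of the original post) shows one way to check off-device which key a vbmeta image carries before flashing it. It assumes the 256-byte header layout used by AOSP avbtool and that `user_key_blob` is the file produced by `avbtool extract_public_key`; `public_fps`, `classify` and `sample_vbmeta` are hypothetical names, and the sample image is constructed.

```python
import hashlib
import struct

# AvbVBMetaImageHeader as packed by AOSP avbtool: 256 bytes, big-endian.
HEADER_FMT = "!4s2L2QL2Q2Q2Q2Q2QQLL47sx80x"
HEADER_SIZE = struct.calcsize(HEADER_FMT)

def fingerprint(key_blob: bytes) -> str:
    return hashlib.sha256(key_blob).hexdigest()

def embedded_key(vbmeta: bytes) -> bytes:
    """Return the AVB-encoded public key stored in the auxiliary block."""
    if len(vbmeta) < HEADER_SIZE:
        raise ValueError("truncated vbmeta header")
    f = struct.unpack(HEADER_FMT, vbmeta[:HEADER_SIZE])
    magic, auth_size, aux_size, pk_off, pk_size = f[0], f[3], f[4], f[10], f[11]
    if magic != b"AVB0":
        raise ValueError("not a vbmeta image")
    if pk_size == 0 or pk_off + pk_size > aux_size:
        raise ValueError("no public key, or key outside auxiliary block")
    # Key offsets are relative to the auxiliary block, which follows the
    # header and the authentication block.
    start = HEADER_SIZE + auth_size + pk_off
    key = vbmeta[start:start + pk_size]
    if len(key) != pk_size:
        raise ValueError("image shorter than header claims")
    return key

def classify(vbmeta: bytes, user_key_blob: bytes, public_fps: set) -> str:
    """Say which key an image is bound to before it is flashed."""
    fp = fingerprint(embedded_key(vbmeta))
    if fp in public_fps:  # fingerprints of keys anyone can obtain
        return "publicly known key"
    if fp == fingerprint(user_key_blob):
        return "user key"
    return "unknown key"

def sample_vbmeta(key_blob: bytes) -> bytes:
    """Constructed test image: header, 64-byte auth block, 8 pad bytes, key."""
    hdr = struct.pack(HEADER_FMT, b"AVB0", 1, 0, 64, 8 + len(key_blob), 0,
                      0, 0, 0, 0, 8, len(key_blob), 0, 0, 0, 0, 0, 0, 0,
                      b"constructed")
    return hdr + bytes(64) + bytes(8) + key_blob

if __name__ == "__main__":
    mine = b"constructed-user-key-blob"
    print(classify(sample_vbmeta(mine), mine, set()))
```

This only reads the key the image claims to be signed with; it does not verify the signature itself, which remains the bootloader's job.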