← Back to context

Comment by digiown

18 hours ago

Meh, I'm ok with not having root on my phone. What I'm not ok with is not being able to flash whatever I want to run on it later without unlocking and wiping. For this reason I have an automated script to verify Graphene's signatures and replace them with my own. This would give me the ability to extract data using root at a later date, for example.

2 comments

digiown

Reply
palata  7 hours ago

> What I'm not ok with is not being able to flash whatever I want to run on it later without unlocking and wiping.

The wiping is a security feature: if someone installs a new random system ("random" being defined as "not signed by the same entity"), then they can modify the system in order to attack it. The whole secure boot idea is worthless if you allow that.

  • digiown  6 hours ago

    I don't disagree. I just don't want the trusted entity to be other than me.

    Note that secure boot doesn't become worthless just because you can flash something different. The TPM should notice SB is turned off, and should refuse to decrypt, but there should be a way for the user to back up the key and use it to recover the data later.