But those issues would not arise without the counter being incremented in the first place. With unlocked bootloaders, this should be a choice.
Conversation
Rollback is disabled before it updates the anti-rollback counter.
1
It still hurts custom rom users. I already don't care about my safetynet state, why should I be locked to an android 13 bootloader for security issues that I choose to not care about?
1
3
Rollback protection is part of verified boot. It has existed for the SoC boot chain, secure element and the OS itself for many years. Pixels have used it for the OS and secure element for years. It wasn't used in practice for SoC boot chain due to being a development annoyance.
1
2
An important security feature not being fully implemented due to it being a development annoyance is problematic. GrapheneOS is an aftermarket OS focused on Pixels and we wanted this feature to start being used properly and complained about it not being done on the past devices.
2
1
Not everyone using an aftermarket OS wants to roll back the security model and disable security features. Proper verified boot is a small part of what we expect potential hardware partners to implement. It's not proper verified boot if firmware bypasses aren't fixed like this.
1
You're welcome to use something other than GrapheneOS if you don't want the standard security model and hardware-based security features intact. Rollback protection is a basic security feature and has already been used for years, just not for the early SoC boot chain in practice.
2
Pixels were in theory supposed to be doing this already but were not doing it in practice due to the conflict between them being secure devices and being development devices where someone might want to flash an obsolete, insecure OS version to test app compatibility with it, etc.
2
Newer runs of the devices will shipped with updated firmware/OS.
We consider it a problem that it takes us a couple weeks to move to new major OS versions we intend to solve that by getting partner access eventually such as via a hardware partner so that we can port earlier.
1
On our own hardware, we'll also get to decide when we move to a new major OS version. On existing hardware, when a device moves to a new major OS version, we have to move to the new major OS version to continue providing basic privacy and security updates for the firmware, etc.
That's true regardless of whether there's anti-rollback protection for the boot chain firmware. On August 15th, Android 13 was released for Pixels. There was no August release for Android 12.1. The maximum obtainable patch level on Android 12.1 is 2022-08-01. We have to upgrade.
2
1
Or backport the fixes, like LineageOS tries to.
(Probably difficult long-term, but likely not for the first release especially since Graphene does their own security fixes)
1
2
Show replies