Not everyone using an aftermarket OS wants to roll back the security model and disable security features. Proper verified boot is a small part of what we expect potential hardware partners to implement. It's not proper verified boot if firmware bypasses aren't fixed like this.
Conversation
You're welcome to use something other than GrapheneOS if you don't want the standard security model and hardware-based security features intact. Rollback protection is a basic security feature and has already been used for years, just not for the early SoC boot chain in practice.
2
And ultimately, that's why I don't use GrapheneOS.
But it could be a great OS if it didn't insist on denying owners control of their devices, so it's a shame.
It's looking like this case wasn't even a security fix, just DRM.
1
Verified boot is an important security feature primarily used to make privileged persistence much more difficult for an attacker. If they can simply write out a vulnerable SoC boot chain, it doesn't work. It's secondarily used for anti-tampering and the same thing applies to it.
2
Yes, but my security model (for my phone) assumes I always have physical custody of my phone, so verified boot is worthless to me.
I understand and agree it is important to others.
I'm not suggesting taking any of that away from them.
2
1
The primary threat model for verified boot is defending against a remote attacker trying to persist on the device, not physical security. Anti-tampering is a secondary and less important threat model for verified boot. Chromebooks don't really bother even trying to do that part.
3
1
What remote attack could get access to a bootloader? Even with an unlocked device, how is that a threat?
1
I suppose if they can compromise the kernel, they could start flashing the bootloader storage too...
1
They can write out all the SoC and OS images. They can write out the oldest available compatible release of the boot chain firmware and other SoC firmware. They can push outdated firmware to components, etc. too.
A used device would be far more scary without these features.
1
1
Almost the entire point of verified boot on Android and ChromeOS is defending against this route of remote attacker persistence. It's a major part of it on iOS too and it's one of the things that iOS does really well which makes life much harder for sophisticated attackers.