| 17 Jul 2021 |
 Robin | In reply to @samueldr:matrix.org
hi, not 100% positive on the answers, but here goes
B: AFAIK re-locking the bootloader with user controlled yes (the important part) is only possible on Pixel hardware. Though there's not much documentation elsewhere about this on any other project than GrapheneOS.
A: Not sure whether it helps with the "secure" operations like NFC payments, considering some devices+roms combos apparently can do it without user-controlled keys and locked bootloaders. But my knowledge about that is old; I know they changed a lot about security and device attestation(?) since in Android.
C: the list of devices is taken from the LineageOS CI. There are ways to use other devices, but I don't know off the top of my head.
Not sure this is 100% relevant, but this shows how to add a non-upstream ROM *without modifying Robotnix sources, manually:
https://gist.github.com/danielfullmer/c9b785759fb3235418f2ed874c719bcd
The main idea being you need to track down the few repositories being used by said device and add them to "known sources" (the source.dirs attribute set)
Locking the Bootloader with user controlled keys seems to be Possible with OnePlus Devices, which are newer than the 6t: https://forum.xda-developers.com/t/guide-re-locking-the-bootloader-on-the-oneplus-8t-with-a-self-signed-build-of-los-18-1.4259409/
Warning: this seems to be experimental/a proof of concept and is not used anywhere yet. | 19:34:45 |
 samueldr | yeah, maybe I should have said "known to work well" | 19:38:42 |
 hmenke | For NFC payment you need Google's device attestation called SafetyNet. There is an implementation in microG, but that never worked for me. The only times I've seen SafetyNet work correctly was on stock ROMs. | 19:56:23 |
| samueldr | yeah, safetynet is the "secure" part I was thinking about but couldn't remember the name... | 20:04:33 |
| samueldr | ... and is the one what received further "enhancements" | 20:04:46 |
| Robin | I found a good overview about relocking the bootloader with your own keys:
"Oh, ok, but will it help me pass SafetyNet?
Not really, SafetyNet is dependent on many things, including a locked bootloader. If you want to relock your bootloader for this reason I suggest you go no farther. Google can change SafetyNet requirements at any time and do so reasonably often"
"isn't their an easier way?
Or use an custom ROM that is specifically designed to be used with relocked bootloaders. There are a few around but they often have (for all the reasons stated above) very limited device support."
https://www.reddit.com/r/LineageOS/comments/n7yo7u/a_discussion_about_bootloader_lockingunlocking/
| 22:33:07 |
| Robin | I think GrapheneOS with robotnix and a supported device is the best way to have a locked bootloader with custom keys. | 22:34:22 |
| 18 Jul 2021 |
 cde | https://hub.libranet.de/wiki/and-priv-sec/wiki/verified-boot | 00:13:09 |
| 19 Jul 2021 |
 jack | grapheneos-2021.07.16.19 built and tested on redfin! | 18:53:06 |
| 18 Jul 2021 |
| cde | That gives a good overview of the whole bootloader locking situation | 00:13:28 |
 danielrf | Pushed grapheneos-2021.07.16.19 tag. Briefly tested working on sunfish and crosshatch. | 07:17:12 |
| 20 Jul 2021 |
|  Andrea Pascal joined the room. | 03:36:56 |
| 21 Jul 2021 |
| danielrf | Pushed grapheneos-2021.07.19.18 tag. Tested working on crosshatch. | 02:34:59 |
| jack | Works on redfin! | 22:46:44 |
| 23 Jul 2021 |
| Room Avatar Renderer. | 23:25:16 |
| 24 Jul 2021 |
 jaen | Thanks for the reponses re: locking. So from what I understand this basically means "well, you could try locking the bootloader, but you will still probably have the same kind of issues like with unlocked bootloader/root, because SafetyNet doesn't care about supporting custom roms and if it perchance works, no guarantee it will keep to", is that a correct understanding? | 11:47:11 |
| cde | you can't just relock the bootloader on any device, and also can't just do it on any rom - it has to be built to support that. | 13:10:24 |
| samueldr | relocking the bootloader without enrolling custom keys generally means the OEM's keys are used, and the custom ROM won't be signed with those keys, so it won't boot | 19:18:03 |
| samueldr | and as can be observed, few devices allow enrolling custom keys | 19:18:25 |
| samueldr | and even then, "locked / unlocked" is probably not what safetynet asks for about the device | 19:18:53 |
| samueldr | (really it's all of a blackbox that's not trivial) | 19:19:15 |
| 28 Jul 2021 |
| danielrf | Ok. Tagged and pushed `grapheneos-2021.07.26.20`. Tested working on `crosshatch` | 19:03:28 |
| danielrf | This is the first time I've done an update while away from my main workstation. Luckily it went fairly smoothly! | 19:04:52 |
| 29 Jul 2021 |
| hmenke | Has anybody tried out the new sandboxed Google Play services on GrapheneOS yet? https://grapheneos.org/usage#sandboxed-play-services | 11:06:05 |
| hmenke | I wonder whether this could replace microG for me, which I really only use to get push notifications via Google Cloud Messaging (GCM). | 11:06:36 |
| 30 Jul 2021 |
| jack | In reply to @danielrf:matrix.org
Ok. Tagged and pushed `grapheneos-2021.07.26.20`. Tested working on `crosshatch` Works on redfin. | 04:46:27 |
|  philipp changed their profile picture. | 20:22:28 |
| 3 Aug 2021 |
| danielrf | Pushed vanilla-2021.08.03.00. Tested working on sunfish. | 04:37:28 |
| danielrf | Pushed grapheneos-2021.08.03.03. Tested working on crosshatch. | 15:40:22 |
| danielrf | Pushed a new tag: grapheneos-2021.08.03.03-2 The previous tag was not correctly including the Updater application | 17:43:56 |
