franga2000 | a day ago
Malware can persist across reboots regardless of verified boot. What it can't do is persist through a factory reset. But if you really want a thorough reset, simply re-lock the bootloader and flash stock firmware from there. Nothing can persist through that without an exploit in the verification chain, and if you have that kind of exploit, you don't need the bootloader to be unlocked in the first place. Also, there are devices out there that let you enroll your own keys, like the Google Pixel series.
flotzam | a day ago
> Malware [c]an persist across reboots regardless of verified boot.

Some can, some can't. Even when it can persist, escalating to root after every reboot may be unreliable or noisy (e.g. 70% chance of success, 30% crash) compared to straight persistence as root without verified boot.

> Also, there are devices out there that let you enroll your own keys, like the Google Pixel series.

This still applies to those devices. It's the main reason GrapheneOS (which exclusively runs on Pixels, with the bootloader relocked to a GrapheneOS key) is opposed to building in root access: Verified boot would be "enabled", but effectively bypassed.

https://xcancel.com/GrapheneOS/status/1730435135714050560