Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

Whilst that makes sense for many versions of secure boot, it doesn't make sense for blocking updates to a flashed ROM.

If the owner of the device flashed their ROM, they want updates. If someone other than the owner flashed the ROM, the true owner of the device is screwed anyway. Blocking updates won't save the true owner. Instead, this seems nothing more than lockdown for the sake of control.



As I understand it, the flashing breaks a chain of trust. Once a device has booted from software written by others, your own software can never again be truly confident that it is in full control.

It was written to flash by untrusted software, it may have been modified on the way such that it thinks it's unmodified, such that the signatures match when it checks itself, but actual execution uses a modification by that untrusted code.

It's a bit like that paper about modifying the compiler. https://www.win.tue.nl/~aeb/linux/hh/thompson/trust.html

From the owner's point of view, being able to update the ROM is the manufacturer's statement that nothing done by a user with physical access survives.


This is actually not the case. The owner is always made aware of whether the system has been opened up to "untrusted" software or not (they get a warning at boot if it has been), but an "untrusted" system can still be OTA-updated if the original OS image has been preserved as-is. This is often combined with some amount of custom modification by separately installing an "overlay"-based solution such as Magisk. But a full-custom ROM cannot be updated in this way, because the manufacturer's OTA update is monolithic and effectively replaces the original stock ROM!


AIUI, an OTA update (or USB update) is effectively carried out by software that was booted from the same flash memory to which the untrusted software was written.

I accept that the manufacturer's OTA update is intended to be monolothic, is desigend to be monolithic, but what assurance do I (the owner) have that the software that was flashed by a physical user actually flashes its replacement monolithically? That it leaves nothing behind?

EDIT: on further reflection, it seems possible to design a phone that provides such an assurance. That any monolothic OTA update actually has to be monolithic, even if untrusted software is in control of the main CPU. But I wouldn't want to bet that any/many/most phones built today actually offer that guarantee.


Android system updates are monolithic OS images. So what are you going to do exactly, replace the user's custom ROM with a stock system?


> replace the user's custom ROM with a stock system?

Yes. I can't see any technical reason why Google disallows factory resetting my device without re-flashing a ROM.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: