this post was submitted on 15 Jul 2026
250 points (98.4% liked)

Technology

86401 readers
3975 users here now

This is a most excellent place for technology news and articles.


Our Rules


  1. Follow the lemmy.world rules.
  2. Only tech related news or articles.
  3. Be excellent to each other!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, this includes using AI responses and summaries. To ask if your bot can be added please contact a mod.
  9. Check for duplicates before posting, duplicates may be removed
  10. Accounts 7 days and younger will have their posts automatically removed.

Approved Bots


founded 3 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
[–] defaultusername@lemmy.dbzer0.com 9 points 1 day ago (2 children)

Kind of. You can change the signing key for the operating system, but you cannot change the signing key of the primary bootloader, as that is baked into the SoC.

[–] 01189998819991197253@infosec.pub 4 points 1 day ago (1 children)

I'm assuming this is why it will forever "warn" me that my phone is running an "insecure" OS?

[–] defaultusername@lemmy.dbzer0.com 8 points 1 day ago (1 children)

That's moreso because it's using an unofficial key, so the device manufacturer (Google in the case of Pixels) cannot verify the authenticity of the OS you're running.

If you were able to replace that bootloader with a custom one, then you would be able to disable that message or just use a completely different bootloader like UBoot or EDK2 if it was ported, though.

[–] 01189998819991197253@infosec.pub 1 points 22 hours ago (1 children)

Functionally, though, wouldn't it be the same as replacing the computer's SecureBoot bootloader, since it's Microsoft (in the case of SecureBoot) that doesn't like the unofficial key that Linux installs? Shouldn't the user be allowed to add or remove any key they desire from the allow list of official keys (maybe have some sort of decentralized verification system, if they user decides they want to verify it)?

I'm more thinking out loud here, trying to understand.

[–] defaultusername@lemmy.dbzer0.com 2 points 22 hours ago (1 children)

The difference is that with ARM TrustZone, there is an efuse burned with the key that the manufacturer set in the SoC itself that checks the signature of the primary bootloader, which cannot be modified.

Standard computers do not have such a hardware-level key, so if you wanted to replace the bootloader with something like coreboot if it has been ported to your board, then you can. On smartphones, you do not have that option.

Same thing goes for even more locked down systems like game consoles.

[–] 01189998819991197253@infosec.pub 1 points 15 hours ago (1 children)

Ah, that makes a lot more sense!

Is there no way to clear that memory? Or is it more just that it's uncommonly difficult that the people with the skillset just do other, more value added things?

[–] defaultusername@lemmy.dbzer0.com 2 points 14 hours ago* (last edited 14 hours ago) (1 children)

It's not memory, but rather physical fuses that have been blown on the die itself, similar to the Xbox 360's downgrade protection fuses and CPU key. Much like the Xbox 360, the only way to bypass it would be to do something like a reset glitch hack to glitch the state of the CPU right as it tries to read the state of the fuses and bypass that check, and that would require a specific modchip for every individual device. Another option would be to replace the SoC with one that does not have that protection enabled to begin with.

[–] 01189998819991197253@infosec.pub 2 points 13 hours ago (1 children)

I was unaware of this. Super interesting, and disturbing honesty.

[–] defaultusername@lemmy.dbzer0.com 2 points 13 hours ago (1 children)

Yeah. Best to look out for devices that don't have this restriction. Not 100% sure if the Fairphone and Shiftphone have this, but I'm sure if you ask them, they'll tell you.

[–] Axolotl_cpp@feddit.it 1 points 9 hours ago* (last edited 9 hours ago) (1 children)

I think the nothing phone does not have it, at least, i doubt because their bootloader is not locked IIRC

[–] defaultusername@lemmy.dbzer0.com 2 points 9 hours ago (1 children)

Having an unlockable bootloader is a separate thing from being able to replace the primary bootloader entirely.

[–] Axolotl_cpp@feddit.it 1 points 8 hours ago

My bad, i misunderstood