1

Installing custom rom needs unlocked bootloader. so I unlocked bootloader.

I built a custom android 12 rom with AVB enabled for system and boot partitions and flashed it.

if I Installing apk through recovery to system partition(copy to /system/app), apk will not installed. so AVB is working normally.

But if I flash Magisk in recovery, Magisk will root device.

Also if I flash a disabled vbmeta partition in fastboot and then inject some apk in the system partition, the apk will be installed in the system partition normally.

So the question is

Is there any way to provide integrity of system without using User-settable root of trust in custom roms with unlocked bootloader?

a farahabadi
  • 63
  • 5
  • 1
    By unlocking bootloader you disable the central system integrity feature of Android, what do you expect? A locked bootloader + root of trust + vbmeta is the way Android is designed to provide system integrity. – Robert Apr 16 '23 at 11:51
  • thanks @Robert so what is this section in AVB Doc? why this doc says it supports unlocked state? – a farahabadi Apr 16 '23 at 14:09
  • If I understand the linked documentation correctly in unlocked state verification is performed but the outcome is simply saved in a flag and the boot process will continue no matter if the verification fails or succeededs. – Robert Apr 16 '23 at 20:34
  • I know Magisk had issues with FEC on some Moto devices. ext4-dedup could be useful too – alecxs Apr 18 '23 at 18:57

0 Answers0