diff --git a/static/install.html b/static/install.html index 3c0d334f..90444c6d 100644 --- a/static/install.html +++ b/static/install.html @@ -75,9 +75,14 @@
The command needs to be confirmed on the device and will wipe all data.
-OEM unlocking can be disabled again in the developer settings menu within the - operating system after booting it up again.
-OEM unlocking can be disabled again in the developer settings menu within the + operating system after booting it up again.
+Verified boot authenticates and validates the firmware images and OS from the - hardware root of trust. Since GrapheneOS supports full verified boot, the OS images - are entirely verified. However, it's possible that the computer you used to flash the - OS was compromised, leading to flashing a malicious verified boot public key and - images. To detect this kind of attack, you can use the Auditor app included in - GrapheneOS in the Auditee mode and verify it with another Android device in the - Auditor mode. The Auditor app works best once it's already paired with a device and - has pinned a persistent hardware-backed key and the attestation certificate chain. - However, it can still provide a bit of security for the initial verification via the - attestation root. Ideally, you should also do this before connecting the device to the - network, so an attacker can't proxy to another device (which stops being possible - after the initial verification). Further protection against proxying the initial - pairing will be provided in the future via optional support for ID attestation to - include the serial number in the hardware verified information to allow checking - against the one on the box / displayed in the bootloader. See the - Auditor tutorial for a guide.
+After the initial verification, which results in pairing, performing verification - against between the same Auditor and Auditee (as long as the app data hasn't been - cleared) will provide strong validation of the identity and integrity of the - device. That makes it best to get the pairing done right after installation. You can - also consider setting up the optional remote attestation service.
-Verified boot authenticates and validates the firmware images and OS from the + hardware root of trust. Since GrapheneOS supports full verified boot, the OS images + are entirely verified. However, it's possible that the computer you used to flash the + OS was compromised, leading to flashing a malicious verified boot public key and + images. To detect this kind of attack, you can use the Auditor app included in + GrapheneOS in the Auditee mode and verify it with another Android device in the + Auditor mode. The Auditor app works best once it's already paired with a device and + has pinned a persistent hardware-backed key and the attestation certificate chain. + However, it can still provide a bit of security for the initial verification via the + attestation root. Ideally, you should also do this before connecting the device to the + network, so an attacker can't proxy to another device (which stops being possible + after the initial verification). Further protection against proxying the initial + pairing will be provided in the future via optional support for ID attestation to + include the serial number in the hardware verified information to allow checking + against the one on the box / displayed in the bootloader. See the + Auditor tutorial for a guide.
-After the initial verification, which results in pairing, performing verification + against between the same Auditor and Auditee (as long as the app data hasn't been + cleared) will provide strong validation of the identity and integrity of the + device. That makes it best to get the pairing done right after installation. You can + also consider setting up the optional remote attestation service.
+Installation of the stock OS via the stock factory images is the same process - described above. However, before locking, there's an additional step to fully revert - the device to a clean factory state.
+The GrapheneOS factory images flash a non-stock Android Verified Boot key which - needs to be erased to fully revert back to a stock device state. After flashing the - stock factory images and before locking the bootloader, you should erase the custom - Android Verified Boot key to untrust it:
+Installation of the stock OS via the stock factory images is the same process + described above. However, before locking, there's an additional step to fully revert + the device to a clean factory state.
-fastboot erase avb_custom_key+
The GrapheneOS factory images flash a non-stock Android Verified Boot key which + needs to be erased to fully revert back to a stock device state. After flashing the + stock factory images and before locking the bootloader, you should erase the custom + Android Verified Boot key to untrust it:
+ +fastboot erase avb_custom_key+
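Review bot: the `-` and `+` copies of the "Verified boot authenticates and validates…" and "After the initial verification…" paragraphs are word-for-word identical, and the same holds for the "Installation of the stock OS…" and "The GrapheneOS factory images flash a non-stock…" paragraphs, so this hunk moves those paragraphs rather than editing them; since no new sentence is visible, the net growth in `@@ -75,9 +75,14 @@` is hard to account for from the hunk alone, and a commit message line saying which paragraphs were relocated and why would make that reviewable. It is also worth confirming in the resulting install.html that the `fastboot erase avb_custom_key` block still sits directly after the sentence that introduces it ("…you should erase the custom Android Verified Boot key to untrust it:"), because the removed and added copies of that line are separated from their paragraph within the hunk.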