Local or remote attacker?
If the user chooses to enable root mode and chooses root boot in the boot loader, I don’t see how any attacker has any advantage.
A local attacker can try to boot into either non-root or root mode. Either way, there is encryption / access controls. I don’t see why in one case encryption / access controls would be weaker.
I am not convinced this dilemma exists.
I don’t see why Android couldn’t do something similar to what is planned in multiple boot modes for better security: persistent user | live user | persistent secureadmin | persistent superadmin | persistent recovery mode - #32 by Patrick. (That concept is generic. It works for both hosts and VMs.) It seems like saying “when booting into superadmin, delete /home/user first”. When using full disk encryption (FDE), it doesn’t matter which boot mode is used. If the local attacker doesn’t know the password, it’s considered secure.
I don’t see how Debian based vs Android based changes anything conceptually.
Current model:
- “the attacker has to compromise the device remotely first to enable OEM unlocking”
- “then have physical access to the device to unlock the bootloader which then wipes all user data so they can’t access anything.”
Comments:
- If an attacker can remotely enable OEM unlocking, they already have root access? Otherwise, how could a remote attacker enable OEM unlocking?
- Irrelevant due to 1).