Development [ROM][13][UNOFFICIAL][Raven/Oriole] Magisk Patched GrapheneOS for Pixel 6/Pro

Search This thread

FireRattus

Senior Member
Feb 26, 2022
139
91
Magisk Patched Unofficial GrapheneOS for the Pixel 6 / 6 Pro (oriole/raven)

This ROM will allow you to lock the boot loader. Do not ever disable the OEM unlocking checkbox when using a locked bootloader with root.
This is critically important. With root access, it is possible to corrupt the running system, for example by zeroing out the boot partition.
In this scenario, if the checkbox is turned off, both the OS and recovery mode will be made unbootable and fastboot flashing unlock will not be allowed.
This effectively renders the device hard bricked.

I am not responsible for any harm you may do to your device, follow at your own risk etc etc, Rooting your device can potentially introduce security flaws, I am not claiming this to be secure. If you would like to have more security and peace of mind then I highly recommend you follow This Guide to build this rom using your own encryption keys.

GrapheneOS is a privacy and security focused mobile OS with Android app compatibility developed as a non-profit open source project. It's focused on the research and development of privacy and security technology including substantial improvements to sandboxing, exploit mitigations and the permission model. It was founded in 2014 and was formerly known as CopperheadOS.

The features page provides an overview of the substantial privacy and security improvements added by GrapheneOS to the Android Open Source Project (AOSP). Many of the past features were contributed to AOSP, Linux and other projects to improve privacy and security for billions of users so they're no longer listed on the features page.

More info:
Official releases are available on the releases page (Not Magisk Patched) and installation instructions are on the install page.
GrapheneOS also develops various apps and services with a focus on privacy and security. Vanadium is a hardened variant of the Chromium browser and WebView specifically built for GrapheneOS. GrapheneOS also includes our minimal security-focused PDF Viewer, our hardware-based Auditor app / attestation service providing local and remote verification of devices, our modern privacy / security focused camera app, and the externally developed Seedvault encrypted backup which was initially developed for inclusion in GrapheneOS.

No Google apps or services

GrapheneOS will never include either Google Play services or another implementation of Google services like microG. It's possible to install Play services as a set of fully sandboxed apps without special privileges via our sandboxed Google Play compatibility layer. See the FAQ section for more details on our plans for filling in the gaps from not shipping Play services and Google apps.

Installation Instructions: Fashing-factory-image
Locking the bootloader is Optional but does increase the device security Locking-the-bootloader


Update Instructions: simply follow these instructions Updates-sideloading to sideload the latest patched OTA update package (You can update from any previous version if using full ota update)

Android OS Version: 13
Current Version: See Post #2
Download: See Post #2

Sources: GrapheneOS - AVBRoot - Magisk -
Patch Guide

PayPal Donation Link
 
Last edited:

FireRattus

Senior Member
Feb 26, 2022
139
91
Builds for Pixel 6 Pro (Raven)

Magisk-Patched GrapheneOS Factory Install Build
Full system install builds for clean and new installs

Build based on release#2023012500 (2023-01-25)
SourceForge_Download

Build based on release#2023011000 (2023-01-10)
SourceForge_Download

Build based on release#2023010300 (2023-01-03)
Anonfiles Download | 1fichier Download | SourceForge_Download

Build based on release#2022122000 (2022-12-20)
Anonfiles Download | 1fichier Download

Build based on release#2022121400 (2022-12-14)
Anonfiles Download | 1fichier Download

Build based on release#2022121100 (2022-12-11)
Anonfiles Download | 1fichier Download

Build based on release#2022120300 (2022-12-03)
Anonfiles Download | 1fichier Download

Build based on release#2022113000 (2022-11-30)
Anonfiles Download

Build based on release#2022112500 (2022-11-25)
Anonfiles Download

Build based on release#2022111800 (2022-11-18)
Anonfiles Download

Build based on release#2022111000 (2022-11-10)
Anonfiles Download

Build based on release#2022101800 (2022-10-18)
Anonfiles Download

Magisk Patched OTA Update packages
Full OTA Builds will let you update from any older version

Patched OTA based release#2023012500 (2023-01-25)
SourceForge_Download

Patched OTA based release#2023011000 (2023-01-10)
SourceForge_Download

Patched OTA based on release#2023010300 (2023-01-03)
Anonfiles Download | 1fichier_Download | SourceForge_Download

Patched OTA based on release#2022122000 (2022-12-20)
Anonfiles Download | 1fichier_Download

Patched OTA based on release#2022121400 (2022-12-14)
Anonfiles Download | 1fichier Download

Patched OTA based on release#2022121100 (2022-12-11)
Anonfiles Download | 1fichier Download

Patched OTA based on release#2022120300 (2022-12-03)
Anonfiles Download | 1fichier Download

Patched OTA based on release#2022113000 (2022-11-30)
Anonfiles Download

Patched OTA based on release#2022112500 (2022-11-25)
Anonfiles Download

Patched OTA based on release#2022111800 (2022-11-18)
Anonfiles Download

Patched OTA based on release#2022111000 (2022-11-10)
Anonfiles Download

Patched OTA based on release#2022110800 (2022-11-08)
Anonfiles Download

Builds for Pixel 6 (oriole)

Always do a backup of your data before flashing any updates, just in case.

I make no promises that this works or that I will provide regular updates. I will attempt to provide updates when they are available and I have time, you may have issues with this rom, you could lose your data or brick your device (although it's very unlikely if you follow the instructions and use common sense)
 
Last edited:

FireRattus

Senior Member
Feb 26, 2022
139
91
New Release 2022111800
Changes since the 2022111000 release:
  • don't skip ahead-of-time (AOT) compilation of apps that weren't recently used since we depend on full AOT compilation being done for performance rather than JIT compilation with background JIT profile guided AOT compilation like Android
  • battery usage UI: use fallback name for unknown components
  • change minimal value of battery saver schedule to 5% again as it was before Android 13
  • enable the post-upgrade "Optimizing apps" progress indication UI
  • app crash UI: show process uptime and optional extra text
  • Sandboxed Google Play compatibility layer: show version of GmsCompatConfig in the crash UI
  • Sandboxed Google Play compatibility layer: stop splitting multi-package PackageInstaller sessions
  • Sandboxed Google Play compatibility layer: improve handling of activity starts
  • Sandboxed Google Play compatibility layer: bugfix: Parcel position wasn't reset by dynamic stubs
  • Sandboxed Google Play compatibility layer: bugfix: missing handling of ListSlices in dynamic stub
  • GmsCompatConfig: make sure Play Store PhenotypeFlags are overridable by Gservices flags (further deterring Play Store trying to update Play services / Play Store beyond supported versions)
  • Pixel 7, Pixel 7 Pro (adevtool): drop unused face unlock components since we have no plans to enable support for an insecure face unlock implementation incapable providing reasonable security due to lack of dedicated face unlock hardware (Pixel 4 and Pixel 4 XL had dual infrared cameras, IR dot projector and IR flood illuminator providing a more secure biometric unlock system than fingerprint unlock as opposed to simply using the front camera in a way that could be done on any device)
  • Pixel 4, Pixel 4 XL, Pixel 4a, Pixel 4a (5G), Pixel 5, Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 7, Pixel 7 Pro: include gril library to avoid qns crash on Pixel 7 and Pixel 7 Pro
  • Pixel 7, Pixel 7 Pro: include vendor_kernel_boot partition requirement in factory images metadata to force an error with an incompatible fastboot such as the currently buggy Arch Linux package
  • kernel (Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro): update GKI to Linux 5.10.150
  • Auditor: update to version 66
Download in Post #2
 
  • Like
Reactions: Slim2none4u

96carboard

Senior Member
Jul 17, 2018
959
587
I don't see a real value in locking the bootloader. In theory, the only thing it protects is undetectable modification being made when the device is out of your direct control. However, strong security practices require you to assume that *anything* could have been done to the device when it is outside of your direct control, so the "security" you get from the locked bootloader is artificial.

ANY time a device leaves your physical control, you have to assume it to be compromised. No exceptions.

I would also like to point out that, no offense to OP, but using a "high security" operating system that *HAS* been modified by an unknown 3rd party.... is insane. I'd recommend that anyone interested in this actually take the time to understand the process and reproduce it on their own.
 
  • Like
Reactions: Slim2none4u

FireRattus

Senior Member
Feb 26, 2022
139
91
I don't see a real value in locking the bootloader. In theory, the only thing it protects is undetectable modification being made when the device is out of your direct control. However, strong security practices require you to assume that *anything* could have been done to the device when it is outside of your direct control, so the "security" you get from the locked bootloader is artificial.

ANY time a device leaves your physical control, you have to assume it to be compromised. No exceptions.

I would also like to point out that, no offense to OP, but using a "high security" operating system that *HAS* been modified by an unknown 3rd party.... is insane. I'd recommend that anyone interested in this actually take the time to understand the process and reproduce it on their own.
Sorry but I am not interested in arguing about this stuff
I didn't create this thread to argue about potential security issues or how secure phones really are
it seems you have more of an issue with the security of Android in general

I would recommend everyone who just wants to share opinions like this which are essentially unrelated to the ROM, please just don't

I am not claiming rooting your phone to be perfectly secure and I am not interested in arguing about it
 

FireRattus

Senior Member
Feb 26, 2022
139
91
Although as explained here https://forum.xda-developers.com/t/...pdated-november-9-2022.4343431/#post-85733797
there are advantages to using a locked bootloader, even with root.
The rom could be used on locked bootloader with ROOT (donate feature) with or without Gapps.

The benefits of LOCKED BOOTLOADER combined with WORKING AVB-2 protection are:


Get back your DRM L1 certificate. Most banking apps will work regardless of Magisk.

Security: Nobody and nothing can modify Kernel, Recovery and Virtual Partitions without triggering a red screen of death with the message 'your device is corrupted and cannot boot'.

At that point, the only option is to unlock bootloader. But, if a user had previously disabled OEM unlock in Developer settings, then unlocking becomes unavailable, and so does flashing via fastboot. In other words, if your phone gets into the hands of an adversary, their only option is to use MSM tool to make the phone work again, but no access to your data or any other partition.

Why prebuilt Magisk? Because you can't modify kernel or recovery on locked bootloader post installation, and that's exactly what Magisk does.
I am offering this as a free feature, not a donate feature and I have also created a guide so that anyone is able to build the rom and sign it using their own keys for even greater security than trusting me.
Magisk isn't just some unknown third party, Graphene, Magisk, AVBRoot, they are all open source projects
 
Last edited:

96carboard

Senior Member
Jul 17, 2018
959
587
Sorry but I am not interested in arguing about this stuff
I didn't create this thread to argue about potential security issues or how secure phones really are
it seems you have more of an issue with the security of Android in general

I would recommend everyone who just wants to share opinions like this which are essentially unrelated to the ROM, please just don't

I am not claiming rooting your phone to be perfectly secure and I am not interested in arguing about it

I'm not talking about the utility or security of root (hint: Its perfectly safe and secure when used RESPONSIBLY). I'm talking about the value of using a security hardened OS with modifications made by someone who you don't know and can't trust. Doing so throws away ALL security because there is no way to tell what else someone has changed.
 

FireRattus

Senior Member
Feb 26, 2022
139
91
I'm not talking about the utility or security of root (hint: Its perfectly safe and secure when used RESPONSIBLY). I'm talking about the value of using a security hardened OS with modifications made by someone who you don't know and can't trust. Doing so throws away ALL security because there is no way to tell what else someone has changed.
So just follow the guide I provided so you can build the rom yourself, you can inspect all the source code and work out exactly what it's all doing if you are so inclined
https://forum.xda-developers.com/t/...-using-rooted-grapheneos-magisk-root.4510295/
 

FireRattus

Senior Member
Feb 26, 2022
139
91
@FireRattus is there any chance we can see pre-build images for Oriole in the future? I'm having trouble building it myself.
What are the troubles you are having with building it yourself? I can try my best to help
I would be able to build images for Oriole probably but I wouldn't be able to test them myself and building for more variants would take more time making updates slower so I don't want to invest in that currently.
I do think it's best to build it yourself if you are able so I am glad you have tried already
 

KainoaK

New member
Dec 10, 2018
3
1
> What are the troubles you are having with building it yourself? I can try my best to help

My computer just doesn't have enough RAM + Disk space to build it, plus I seem to keep getting stuck at getting all the tools to work together :(
I'd be happy to donate monthly or whatnot to help keep up oriole builds though
 
  • Like
Reactions: FireRattus

FireRattus

Senior Member
Feb 26, 2022
139
91
> What are the troubles you are having with building it yourself? I can try my best to help

My computer just doesn't have enough RAM + Disk space to build it, plus I seem to keep getting stuck at getting all the tools to work together :(
I'd be happy to donate monthly or whatnot to help keep up oriole builds though
I will try to build it for you, since the pixel 6 and 6 pro share the same Build ID, I should be able to build it without needing to download everything again
 
  • Like
Reactions: MidnightDevil

FireRattus

Senior Member
Feb 26, 2022
139
91
New Release #2022112500
Changes since the 2022111800 release:
  • Sandboxed Google Play compatibility layer: fix missing handling of APEX ListSlices in dynamic stubs (improves compatibility when granting Nearby devices permission to Play services with a WearOS device connected)
  • Sandboxed Google Play compatibility layer: mark PackageInstallerStatusForwarder as not exported
  • Settings: avoid OBB toggle unnecessarily force stopping app
  • extend original-package renaming to static launcher shortcuts to fix Vanadium new tab shortcut for users with an install predating the package rename
  • Camera: update to version 57
  • Vanadium: update Chromium base to 107.0.5304.141
  • Contacts: add support for dark mode
  • kernel (Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro): restore fix for CVE-2022-3176 which was reverted upstream (GKI LTS branch) due to not being marked as a security fix and changing the GKI ABI
  • Pixel 4, Pixel 4 XL: set frozen patch level string to 2022-11-01 (has been provided since the 2022110800 release but we initially left the patch level string at the previous value)
  • port GrapheneOS changes to Linux 5.15 GKI LTS branch in order to prepare for 6th/7th generation Pixels potentially moving to the Linux 5.15 LTS and late 2023 devices which will be based on it
Download in Post #2
 

FireRattus

Senior Member
Feb 26, 2022
139
91
My computer just doesn't have enough RAM + Disk space to build it, plus I seem to keep getting stuck at getting all the tools to work together :(
I'd be happy to donate monthly or whatnot to help keep up oriole builds though
I am not able to test them myself but I have provided a patched, signed build which should work
just check post #3 for the download links, I would appreciate a donation if you feel it's worth it but no pressure
Edit: Moved it to post #2 with the other downloads
 
Last edited:

MidnightDevil

Senior Member
Apr 2, 2012
3,130
1,248
London
Redmi Note 9
Google Pixel 6 Pro
I don't see a real value in locking the bootloader. In theory, the only thing it protects is undetectable modification being made when the device is out of your direct control. However, strong security practices require you to assume that *anything* could have been done to the device when it is outside of your direct control, so the "security" you get from the locked bootloader is artificial.

ANY time a device leaves your physical control, you have to assume it to be compromised. No exceptions.

I would also like to point out that, no offense to OP, but using a "high security" operating system that *HAS* been modified by an unknown 3rd party.... is insane. I'd recommend that anyone interested in this actually take the time to understand the process and reproduce it on their own.
To be fair you'll always be using something done by a third party, including android itself, unless it's you writing and compiling your own OS.
 

Top Liked Posts

  • There are no posts matching your filters.
  • 1
    New Release #2023012500
    Changes since the 2023011000 release:
    • don't send IMSI / Phone number to SUPL server when SUPL is enabled (note: using SUPL is always an optional choice in APN configuration on GrapheneOS, unlike AOSP and the stock OS)
    • SELinux policy: drop auditing for apk_data_file execute/execute_no_trans (research is done)
    • SELinux policy: add back apk_data_file execute/execute_no_trans for adb shell for debugging use cases (removing it isn't really useful for hardening and we plan on hardening ADB for the verified boot model another way)
    • Settings: revert to standard Android 13 minimum threshold of 10% for automatic battery saver since lowering it below 10% doesn't work as intended without more invasive changes outside the scope of GrapheneOS
    • fully disallow installing instant apps instead of permitting ADB shell and system apps to do it (this will simplify future work)
    • extend self app-op spoofing used for Network permission compatibility to unsafeCheckOpRaw()
    • fix upstream bug causing crash from isServiceTokenValidLocked() being called without holding the lock
    • Sandboxed Google Play compatibility layer: support enabling compatibility layer for any package on debuggable builds to help with development
    • Sandboxed Google Play compatibility layer: coerce Play Store into not attempting to auto install AR services
    • Sandboxed Google Play compatibility layer: fix issues with Play Store updates of Play services
    • Sandboxed Google Play compatibility layer: avoid our implementation of the Play services location API returning null for getCurrentLocation() to avoid crashes in apps not handling it
    • Sandboxed Google Play compatibility layer: increment compatibility layer version to 1001
    • Sandboxed Google Play compatibility layer: use the most recent available version map in GmsCompatConfig to simplify defining configuration
    • Sandboxed Google Play compatibility layer: improve stack trace parser used for dynamic exception shims
    • Sandboxed Google Play compatibility layer: add shim for making Bluetooth adapter discoverable
    • Sandboxed Google Play compatibility layer: improve UX for "Action required in Play Store" notification
    • Sandboxed Google Play compatibility layer: add new shims to support requesting temporary screen capture from the user via the standard unprivileged approach for Chromecast screen casting (currently lacks shims to support audio capture)
    • GmsCompatConfig: add stub for LocationManager.registerGnssStatusCallback()
    • GmsCompatConfig: update max supported version of Play services and Play Store
    • stop re-enabling deprecated 2-button navigation option since Android no longer has official support for it and is gradually breaking support for it including making changes knowingly introducing bugs with it since it's not meant to be used (traditional 3-button navigation is still fully supported)
    • Settings: add GrapheneOS Camera to list of mandatory components since only system camera apps can provide the media capture intents required by other apps on Android 11 and above (can still be disabled via ADB but we want to avoid easy ways to break the OS in the UI)
    • kernel (Generic 5.15): update to latest GKI LTS branch revision including update to 5.15.80
    • extend the install available apps feature (allows Owner user to install apps in other users) to apps only installed in secondary profiles
    • Apps: update to version 13
    • add GrapheneOS fs-verity public key as a supported key
    • require fs-verity for installing system app updates (will be enforced at boot for verified boot enhancement in a future release due to the need to phase in the feature properly because of future out-of-band app updates on earlier OS releases)
    • Vanadium: update Chromium base to 109.0.5414.118
    • SettingsIntelligence: drop no longer required QUERY_ALL_PACKAGES permission now that more precise queries are defined upstream providing the necessary package visibility for Settings app search
    Download in Post #2
  • 11
    Magisk Patched Unofficial GrapheneOS for the Pixel 6 / 6 Pro (oriole/raven)

    This ROM will allow you to lock the boot loader. Do not ever disable the OEM unlocking checkbox when using a locked bootloader with root.
    This is critically important. With root access, it is possible to corrupt the running system, for example by zeroing out the boot partition.
    In this scenario, if the checkbox is turned off, both the OS and recovery mode will be made unbootable and fastboot flashing unlock will not be allowed.
    This effectively renders the device hard bricked.

    I am not responsible for any harm you may do to your device, follow at your own risk etc etc, Rooting your device can potentially introduce security flaws, I am not claiming this to be secure. If you would like to have more security and peace of mind then I highly recommend you follow This Guide to build this rom using your own encryption keys.

    GrapheneOS is a privacy and security focused mobile OS with Android app compatibility developed as a non-profit open source project. It's focused on the research and development of privacy and security technology including substantial improvements to sandboxing, exploit mitigations and the permission model. It was founded in 2014 and was formerly known as CopperheadOS.

    The features page provides an overview of the substantial privacy and security improvements added by GrapheneOS to the Android Open Source Project (AOSP). Many of the past features were contributed to AOSP, Linux and other projects to improve privacy and security for billions of users so they're no longer listed on the features page.

    More info:
    Official releases are available on the releases page (Not Magisk Patched) and installation instructions are on the install page.
    GrapheneOS also develops various apps and services with a focus on privacy and security. Vanadium is a hardened variant of the Chromium browser and WebView specifically built for GrapheneOS. GrapheneOS also includes our minimal security-focused PDF Viewer, our hardware-based Auditor app / attestation service providing local and remote verification of devices, our modern privacy / security focused camera app, and the externally developed Seedvault encrypted backup which was initially developed for inclusion in GrapheneOS.

    No Google apps or services

    GrapheneOS will never include either Google Play services or another implementation of Google services like microG. It's possible to install Play services as a set of fully sandboxed apps without special privileges via our sandboxed Google Play compatibility layer. See the FAQ section for more details on our plans for filling in the gaps from not shipping Play services and Google apps.

    Installation Instructions: Fashing-factory-image
    Locking the bootloader is Optional but does increase the device security Locking-the-bootloader


    Update Instructions: simply follow these instructions Updates-sideloading to sideload the latest patched OTA update package (You can update from any previous version if using full ota update)

    Android OS Version: 13
    Current Version: See Post #2
    Download: See Post #2

    Sources: GrapheneOS - AVBRoot - Magisk -
    Patch Guide

    PayPal Donation Link
    4
    Builds for Pixel 6 Pro (Raven)

    Magisk-Patched GrapheneOS Factory Install Build
    Full system install builds for clean and new installs

    Build based on release#2023012500 (2023-01-25)
    SourceForge_Download

    Build based on release#2023011000 (2023-01-10)
    SourceForge_Download

    Build based on release#2023010300 (2023-01-03)
    Anonfiles Download | 1fichier Download | SourceForge_Download

    Build based on release#2022122000 (2022-12-20)
    Anonfiles Download | 1fichier Download

    Build based on release#2022121400 (2022-12-14)
    Anonfiles Download | 1fichier Download

    Build based on release#2022121100 (2022-12-11)
    Anonfiles Download | 1fichier Download

    Build based on release#2022120300 (2022-12-03)
    Anonfiles Download | 1fichier Download

    Build based on release#2022113000 (2022-11-30)
    Anonfiles Download

    Build based on release#2022112500 (2022-11-25)
    Anonfiles Download

    Build based on release#2022111800 (2022-11-18)
    Anonfiles Download

    Build based on release#2022111000 (2022-11-10)
    Anonfiles Download

    Build based on release#2022101800 (2022-10-18)
    Anonfiles Download

    Magisk Patched OTA Update packages
    Full OTA Builds will let you update from any older version

    Patched OTA based release#2023012500 (2023-01-25)
    SourceForge_Download

    Patched OTA based release#2023011000 (2023-01-10)
    SourceForge_Download

    Patched OTA based on release#2023010300 (2023-01-03)
    Anonfiles Download | 1fichier_Download | SourceForge_Download

    Patched OTA based on release#2022122000 (2022-12-20)
    Anonfiles Download | 1fichier_Download

    Patched OTA based on release#2022121400 (2022-12-14)
    Anonfiles Download | 1fichier Download

    Patched OTA based on release#2022121100 (2022-12-11)
    Anonfiles Download | 1fichier Download

    Patched OTA based on release#2022120300 (2022-12-03)
    Anonfiles Download | 1fichier Download

    Patched OTA based on release#2022113000 (2022-11-30)
    Anonfiles Download

    Patched OTA based on release#2022112500 (2022-11-25)
    Anonfiles Download

    Patched OTA based on release#2022111800 (2022-11-18)
    Anonfiles Download

    Patched OTA based on release#2022111000 (2022-11-10)
    Anonfiles Download

    Patched OTA based on release#2022110800 (2022-11-08)
    Anonfiles Download

    Builds for Pixel 6 (oriole)

    Always do a backup of your data before flashing any updates, just in case.

    I make no promises that this works or that I will provide regular updates. I will attempt to provide updates when they are available and I have time, you may have issues with this rom, you could lose your data or brick your device (although it's very unlikely if you follow the instructions and use common sense)
    3
    Can i flash the raven image on oriole too isn't it?

    The Pixel 6's link to buids redirect to the raven post
    Thank you for pointing this out
    I have updated it to point to the correct location https://forum.xda-developers.com/t/...patched-for-pixel-6-pro.4525965/post-87808583


    Edit: Just an update for everyone, I am having many issues with building the rom since the last updates and the change to the TAG_NAME, So please have patience, I recommend you build it yourself so you aren't relying on me for updates
    I have been spending a lot of time trying to get a successful build again
    3
    Although as explained here https://forum.xda-developers.com/t/...pdated-november-9-2022.4343431/#post-85733797
    there are advantages to using a locked bootloader, even with root.
    The rom could be used on locked bootloader with ROOT (donate feature) with or without Gapps.

    The benefits of LOCKED BOOTLOADER combined with WORKING AVB-2 protection are:


    Get back your DRM L1 certificate. Most banking apps will work regardless of Magisk.

    Security: Nobody and nothing can modify Kernel, Recovery and Virtual Partitions without triggering a red screen of death with the message 'your device is corrupted and cannot boot'.

    At that point, the only option is to unlock bootloader. But, if a user had previously disabled OEM unlock in Developer settings, then unlocking becomes unavailable, and so does flashing via fastboot. In other words, if your phone gets into the hands of an adversary, their only option is to use MSM tool to make the phone work again, but no access to your data or any other partition.

    Why prebuilt Magisk? Because you can't modify kernel or recovery on locked bootloader post installation, and that's exactly what Magisk does.
    I am offering this as a free feature, not a donate feature and I have also created a guide so that anyone is able to build the rom and sign it using their own keys for even greater security than trusting me.
    Magisk isn't just some unknown third party, Graphene, Magisk, AVBRoot, they are all open source projects
    3
    I don't see a real value in locking the bootloader. In theory, the only thing it protects is undetectable modification being made when the device is out of your direct control. However, strong security practices require you to assume that *anything* could have been done to the device when it is outside of your direct control, so the "security" you get from the locked bootloader is artificial.

    ANY time a device leaves your physical control, you have to assume it to be compromised. No exceptions.

    I would also like to point out that, no offense to OP, but using a "high security" operating system that *HAS* been modified by an unknown 3rd party.... is insane. I'd recommend that anyone interested in this actually take the time to understand the process and reproduce it on their own.
    Sorry but I am not interested in arguing about this stuff
    I didn't create this thread to argue about potential security issues or how secure phones really are
    it seems you have more of an issue with the security of Android in general

    I would recommend everyone who just wants to share opinions like this which are essentially unrelated to the ROM, please just don't

    I am not claiming rooting your phone to be perfectly secure and I am not interested in arguing about it