22

Mobile phone makers always lock their device's bootloader - that is, they prevent you from getting root access to your device, or uninstalling the default operating system and installing something else. There are ways to unlock the bootloader, but you have to jump through hoops to get it done (difficulty varies by brand, up to being impossible).

Meanwhile, the bootloader of a PC always comes unlocked. You can insert a USB stick into a brand new device (no extra steps required) and install whatever you want. I do not own Mac devices so I may be wrong, but I heard that Mac bootloaders aren't locked either; that's why Asahi Linux is possible.

It makes every sense for PC makers (and Mac if I'm correct?) to lock the bootloader just as phone makers do, i.e., to control what software can be run on their devices and thus maintain market share. Why don't they? It makes even less sense when many PC brands also make phones, but their PCs come with the bootloader unlocked while their phones are locked. Why is there this disparity?

  1. Are there financial incentives for companies to keep their PC's bootloaders unlocked (e.g. corporate customers)?

  2. Are there legal requirements that PC bootloaders must not be locked (e.g. antitrust laws)?

16
  • 58
    Because PCs are expected to allow / support different OSes, which require different bootloaders respectively. Also, in some sense they do -- Secure Boot.
    – Tom Yan
    Commented Nov 15, 2023 at 8:39
  • 8
    Unless they somehow prevent me from physically swapping out the drive -- with potentially any OS on it -- this would just cripple the usefulness of swapping out drives at all. Which, since we hope that our relatively expensive PCs outlast individual drives, would not be fun. A phone, as others have noted, is a pretty closed system where most components are expected to live and die together. (Obviously bad from an ecological point of view but much more user-friendly if you want to sell 8b phones.)
    Commented Nov 16, 2023 at 11:57
  • 18
    "It makes every sense for PC makers to lock the bootloader" Why?
    – gre_gor
    Commented Nov 16, 2023 at 16:42
  • 7
    @FelixFourcolor a lot of people buy their phones through their carrier, rather than direct retail. And the carriers have their reasons to pressure the manufacturers towards locked bootloaders. PCs are different because the internet is more of an open system, although there are folks like Netflix who are trying to be able to exert similar pressure.
    – hobbs
    Commented Nov 16, 2023 at 21:22
  • 6
    They're simply not as evil (yet). Though TPM and Secure Boot are pushing in that direction.
    – towe
    Commented Nov 17, 2023 at 6:34

2 Answers

4

When using devices which need to be accredited to security standards, due to the sensitivity of the data being processed, there are guidance documents about how to apply device security (aka locking down the device). As well as the Secure Boot in the other answer, you may need to also consider TPM and DMA protection. E.g. the UK NCSC Device Security Guidance - Choosing devices includes:

Devices that are Modern Standby certified must meet all the requirements for UEFI secure boot and ship with it enabled. They should not have ports that allow DMA access and will have TPM 2.0 or later.

A TPM is a separate cryptographic co-processor that provides hardware-backed security features. These significantly improve the physical security of the device, and are required for the use of data at rest encryption in its most secure configuration. Devices that include a TPM 2.0 should be preferred where possible.

Since some device lockdown is operating system dependent, e.g. to support data at rest encryption BitLocker is used for Windows vs. LUKS/dm-crypt disk encryption for Ubuntu, I can understand why the PC manufacturer supplies unlocked devices.
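
The three properties named in the quoted guidance (Secure Boot enabled, TPM 2.0, DMA protection) can be read back on a Linux machine from efivarfs and sysfs. The sketch below is an added example, not part of the original answer or of the NCSC guidance; `audit` and `build_sample_tree` are hypothetical names, and the sample tree is constructed so the check runs offline.

```python
import tempfile
from pathlib import Path

# GUID of the UEFI global-variable namespace (defined by the UEFI specification).
EFI_GLOBAL = "8be4df61-93ca-11d2-aa0d-00e098032b8c"

def efi_flag(root, name):
    """Return a one-byte EFI variable as a bool, or None if it is absent."""
    path = Path(root, "sys/firmware/efi/efivars", f"{name}-{EFI_GLOBAL}")
    try:
        raw = path.read_bytes()
    except OSError:
        return None  # legacy BIOS boot, or efivarfs not mounted
    # efivarfs prefixes the value with a 4-byte attribute word.
    return len(raw) >= 5 and raw[4] == 1

def tpm_major(root):
    """Return the TPM major version the kernel reports, or None."""
    try:
        return int(Path(root, "sys/class/tpm/tpm0/tpm_version_major").read_text())
    except (OSError, ValueError):
        return None

def dma_protection(root):
    """True/False from the Thunderbolt domains; None when there are none."""
    base = Path(root, "sys/bus/thunderbolt/devices")
    flags = list(base.glob("domain*/iommu_dma_protection")) if base.is_dir() else []
    return all(f.read_text().strip() == "1" for f in flags) if flags else None

def audit(root="/"):
    """Check one machine (or a sysfs-like tree under `root`)."""
    return {
        "secure_boot": efi_flag(root, "SecureBoot") is True,
        "tpm2": (tpm_major(root) or 0) >= 2,
        "dma_protection": dma_protection(root),
    }

def build_sample_tree(secure_boot=1, tpm="2\n", dma=None):
    """Constructed sample data: a fake efivarfs/sysfs tree in a temp directory."""
    root = Path(tempfile.mkdtemp())
    efi, tpmdir = root / "sys/firmware/efi/efivars", root / "sys/class/tpm/tpm0"
    efi.mkdir(parents=True)
    tpmdir.mkdir(parents=True)
    (efi / f"SecureBoot-{EFI_GLOBAL}").write_bytes(b"\x06\x00\x00\x00" + bytes([secure_boot]))
    (tpmdir / "tpm_version_major").write_text(tpm)
    if dma is not None:
        dom = root / "sys/bus/thunderbolt/devices/domain0"
        dom.mkdir(parents=True)
        (dom / "iommu_dma_protection").write_text(dma)
    return root

if __name__ == "__main__":
    print(audit(build_sample_tree(dma="1\n")))
```

Calling `audit()` with no argument reads the live system; `dma_protection` stays `None` on machines without a Thunderbolt domain, which means "not applicable" rather than "protected".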

1

There are many different levels of "why". From a practical perspective, your phone is in your pocket or purse and is unlikely to acquire any peripherals. In other words, it has poor physical security and won't need to power anything new on boot. Since every decision about security is also a decision about user convenience, tight security on the phone's boot loader makes a lot of sense.

Conversely, your PC is likely behind a physical lock (at your home or business) and has many "upgradeable" parts which may need to be powered after you install a new video card, a new drive, more RAM, etc. The security tradeoffs here are different - there is value for the user to tinker and there is a higher expectation of physical security.