"encrypted bootloader" properly defined
Locked. Signed. Encrypted. I felt the need to redefine these terms, since until today, even I didn't have it quite right. In other posts, I pointed out the distinction between a locked (and signed) bootloader to an encrypted bootloader. That distinction still exists, but not how I originally described it. So I may have contributed to some of the ongoing confusion with bootloader terminology.
When someone says "encrypted bootloader," they mean that the signature of the bootloader is encrypted. The actual bootloader image (HBOOT) is not encrypted. In the past, when people referred to the encrypted bootloader, they meant Motorola's bootloader on the Droid X et. al. It's important to clarify here that even this bootloader is not encrypted. It's a signed bootloader, and the signature is encrypted.
Therefore, "encrypted bootloader" is a misleading term. No manufacturer actually encrypts the bootloader firmware itself. That's why when people claimed HTC's bootloaders were not encrypted, it was kind of a meaningless statement. Because something DID change with HTC bootloaders; they started to sign them with encryption. Which is what Moto does. Furthermore, HTC is now signing the images for /boot (kernel) and /recovery, adding more protection against customization of these areas.
So, saying that HTC does not encrypt its bootloaders is a TRUE statement. Saying that HTC's bootloaders are locked and signed is a TRUE statement. Saying that HTC's bootloaders have always been locked is a TRUE statement.
And yet, saying that HTC's bootloader security has never changed because of the above statements is FALSE because they placed an encryption layer on the signature.
So... here are the terms and what they mean:
locked bootloader: a bootloader that protects certain partitions from being modified. Flip a switch (S-ON to S-OFF), and the bootloader is unlocked. Or more appropriately, NAND protection is removed, meaning the various protected partitions on the NAND internal flash memory are now able to be mounted read/write. Like the confusing terminology of "encryped bootloader," there's nothing "locked" about the bootloader itself. The bootloader is locking up areas of the internal flash memory. That's what devs are trying to "unlock."
signed bootloader: a bootloader signed by the manufacturer to assure it's official. A signed bootloader can be either locked or unlocked. Just because it's signed doesn't imply it's locked. The Engineering bootloader is an example of a signed but unlocked HBOOT.
encrypted bootloader: same as a signed bootloader, but the signature is encrypted, making forgery of the signature practically impossible. One possible solution is to flash a leaked Engineering HBOOT with that same encrypted signature. There's no guarantee that this image will ever be leaked or that some other security measure isn't in place to prevent this workaround. Another solution is to find some way to hack into the phone's radio and call a command to flip the switch from S-ON to S-OFF. But there's no guarantee that such an exploit exists on all phones.
The good thing about science is that it's true whether or not you believe in it. -Neil deGrasse Tyson
Help me out: Sign up with Dropbox and we both get 250-500MB extra space. Thanks!