Ubuntu Touch On Pixel 3a: Re-locking bootloader?

Recently installed Ubuntu Touch onto a brand new Pixel 3a; installation seems stable and no issues present. However on boot the phone reminds me the bootloader is unlocked still. Is it possible to re-lock the bootloader? Specifically without reverting the install or bricking the phone (or will I have to keep the bootloader unlocked permanently)?


There is currently no way for Ubuntu Touch developers to lock the bootloader without causing problems during boot. Specifically, it needs AVB 2.0 support in some way to make the bootloader believe it's a valid OS install which hasn't been tampered with by someone else.

Releases of Ubuntu Touch are done as tarballs which get unpacked into the device using the recovery, not as signed images like with Android.

More information on how this approach could look like: https://fredl.me/envisioning-verified-boot-on-ubuntu-touch-devices/

The gist of what needs to be implemented:

  • Verify update package contents as before, using GPG
  • Unpack the tarballs into the target partition
  • Flash partitions as required for booting up
  • Creating and signing a vbmeta image based on the system, boot and vendor partitions
  • Flashing the just-created vbmeta image

But since this is not the case right now, any help achieving that goal is appreciated.