How to lock your bootloader on hentaiOS

Before we begin

Contrary to statements I have made in the past, bootloader unlocking is not an unsafe measure unless you, as a user, disable the OEM Unlocking option yourself. The reason we keep OEM unlocking enabled is to ensure that if an update goes badly you can always run the fastboot command to unlock again afterwards.
As for updates, hentaiOS will soon have its own OTA updater; for the moment, however, we will have to sideload updates to the built-in AOSP recovery (more on that later).
Locking your bootloader will erase your data, so make sure you have a backup first. The same goes for unlocking!!

How it works

With the Pie release of Android, Google released documentation on how the Android Verified Boot 2.0 system works and what developers need to do to implement it. For those who want to read up on how it works, the link is here. The TLDR of this post is that Google announced their “avb_custom_key” mode on Pixel 2 and newer devices, which allows a user to flash a developer's public key from a signed build of Android (in this case hentaiOS) and boot it on a locked bootloader.

Prerequisites

hentaiOS maintainers who have signed their builds may have supplied a custom “avb_custom_key.img” file along with their build. Along with that file you will also need a copy of fastboot with which you are able to flash your phone.
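
Before flashing, the downloaded key image can be sanity-checked offline. The following is an added example, not part of the original post or of hentaiOS: it assumes “avb_custom_key.img” is the raw output of avbtool's extract_public_key (the format AOSP documents for this partition) and returns a SHA-256 you can compare with a value published by your maintainer, if they publish one. SAMPLE_N and the function names are constructed for illustration.

```python
import hashlib
import struct
import sys

# Constructed sample modulus (odd, 2048 bits). Not a real RSA key.
SAMPLE_N = (1 << 2047) + 0xC0FFEE1


def encode_avb_key(n: int, bits: int) -> bytes:
    """Build the blob layout avbtool's extract_public_key writes."""
    n0inv = -pow(n, -1, 1 << 32) % (1 << 32)   # -1/n mod 2^32
    rr = pow(1 << bits, 2, n)                  # (2^bits)^2 mod n
    size = bits // 8
    return (struct.pack("!II", bits, n0inv)
            + n.to_bytes(size, "big") + rr.to_bytes(size, "big"))


def check_avb_key(blob: bytes) -> str:
    """Validate an avb_custom_key image and return its SHA-256 hex digest.

    Raises ValueError on a truncated, padded or internally inconsistent file.
    """
    if len(blob) < 8:
        raise ValueError("too short for an AVB public key header")
    bits, n0inv = struct.unpack("!II", blob[:8])
    if bits not in (2048, 4096, 8192):         # RSA sizes AVB defines
        raise ValueError(f"unexpected key size: {bits} bits")
    size = bits // 8
    if len(blob) != 8 + 2 * size:
        raise ValueError(f"expected {8 + 2 * size} bytes, got {len(blob)}")
    n = int.from_bytes(blob[8:8 + size], "big")
    rr = int.from_bytes(blob[8 + size:], "big")
    if n.bit_length() != bits or n % 2 == 0:
        raise ValueError("modulus is not an odd integer of the stated size")
    if (n * n0inv + 1) % (1 << 32) != 0:
        raise ValueError("n0inv does not match the modulus")
    if rr != pow(1 << bits, 2, n):
        raise ValueError("rr does not match the modulus")
    return hashlib.sha256(blob).hexdigest()


if __name__ == "__main__":
    # With a path argument, check that file; otherwise check the sample.
    data = (open(sys.argv[1], "rb").read() if len(sys.argv) > 1
            else encode_avb_key(SAMPLE_N, 2048))
    print("OK, SHA-256:", check_avb_key(data))
```

A file that fails these checks was truncated or altered in transit and should not be flashed.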

Flashing

Flashing the key is very simple. Download the image, which will be supplied with the ROM itself, and flash it as you normally would any other image; for me this is “fastboot flash avb_custom_key avb_custom_key.img”. If you see the “[Okay]” status returned by fastboot after running the command, the public key is flashed and you can proceed to flash the ROM and run “fastboot flashing lock” to lock your bootloader. If done correctly, your phone will now boot up showing “Your phone is booting a different operating system”, which means everything was successful.

Updating the ROM

Now that you have the custom key flashed and the bootloader locked, updating is really simple. Reboot to the stock recovery included with the ROM and select “Apply update from ADB” (if you get the No command screen, keep pressing volume + power until it works), then ADB sideload the new ROM zip. The custom key does not need to be reflashed; it will remain the same unless the developer states otherwise. Updating from SD card will also work.

Why do it?

On the Pixel 3 series of Google phones and higher, Qualcomm decided that, as part of the new Hexagon DSP, you are required to lock the bootloader before the DSP actually works. For the average user an unlocked bootloader means that image processing times in Google Camera are slower, audio is noticeably worse and you won’t have any hardware-accelerated features in apps such as the Google Assistant. In this case a bootloader lock on hentaiOS is fully worth it, as those features can be revived.
On the Pixel 2 series, however, it is not disabled, which means there is no major reason to lock the bootloader other than peace of mind in terms of security for some people. I personally run hentaiOS with the bootloader locked on my main phone to refrain from flashing things such as custom kernels; overall it makes me much happier with my Android install, as it is more like the stock Pixel experience again.
