Yeah. This should be what regulations enforce. I’m fine with parts serialization to help identify genuine, certified parts, but as the user I should be able to bypass it if I want to use compatible parts.
It shouldn't be a mere "bypass" as in "press OK to forgo cryptographic security", but rather should include the ability to replace or augment the root of trust with additional keys.
But how would you know someone hasn’t accepted the additional keys for you? You’re making the system weaker while making it appear stronger - that’s the worst possible outcome.
Adding additional keys should wipe the whole device, require a significant amount of time (a few days tethered in a debug mode), and the boot screen should display the trust root.
Would it be that bad if it were a persistent check that happened on boot? All you'd need to do to validate the hardware in your phone is reboot it and it would barely have any impact during normal operation.
I don't know. Maybe a few weeks ago. The point of doing it on boot is that if you're so important that your threat model includes avoiding non-certified parts, you have an on-demand check to validate the entire chain of hardware in your device.
So if you take your phone in for a repair, reboot it afterwards to make sure the parts are all certified. After that you don't need to do it again unless you leave your phone unattended or have a reason to suspect someone swapped parts on you. There could even be an option to toggle on super persistent warnings if needed.
The point is, you don't need persistent warnings to give a normal user the tools they need to check if they have all genuine parts. Reboot your phone after a repair to ensure you received genuine parts is a pretty simple concept to teach people.