Hey @lmeu,

I'm assuming that you have attempted to do the necessary research yourself. With this in mind:

1) LineageOS publishes a charter that specifies in detail the requirements for an official release. It clearly states: "All devices MUST NOT alter SafetyNet validation responses." This means that further steps are necessary if your device does not pass this validation on its own, which will most likely be the case. At the time of posting, this charter was last updated on Jul 12, 2022 and can be found here.

2) While third party tutorials can be useful, it's important to remember to always seek out official instructions from the tool provider. These instructions are often the most up-to-date and accurate. In this particular case, you can find the official instructions here (scroll down to the "Useful Links" section).

3) You should begin by updating the stock firmware to the latest version. The proprietary firmware blobs are located in the vendor partition. It is up to the device maintainers to update these in future releases. Upgrade instructions between LineageOS versions should point to the required steps for ensuring compatibility.

4 & 5) I don't know. The likelihood of a TWRP version for this device becoming available in the near future is low. It may be best to not hold out hope and find different ways to achieve this functionality.

6) As previously stated, the charter specifies the requirements. Luckily it states "All devices MUST be configured for SELinux Enforcing."

Heyyo @lmeu , so LineageOS official does not allow tampering with SafetyNet so on official builds it will fail and you would need to use Magisk and SafetyNet mods. I haven't done that stuff but on our Telegram community there has been a few people mentioning how to do it so it is possible.

As for why SafetyNet used to work fine? Back in the day it was just software attestation for checking it, which could easily pass with the device's stock ROM build fingerprint alone, but these days on newer chipsets there is hardware attestation too which requires more workarounds and spoofing and LOS team has decided to not risk pissing off Google so they don't allow haxxs on official builds.

Another thing of note is unfortunately on bootloader unlock the DRM keys get wiped, so Widevine L1 won't work. Maybe in the future a way to backup the DRM keys while the bootloader is locked can be found but so far no luck...

For firmware updates, you can always download them on lolinet and then flash the device firmware only via TinyFastbootScript but so far the only issue in the past was an audio one we were able to fix in the kernel so any device firmware version will currently work for us.

TWRP has been a pain for devices with vendor_boot so tbh before I gave up lol but I see some workarounds so I will probably try it again.

Selinux is definitely enforcing as it is required for official builds on LOS.

File-based encryption is also set up because keeping data safe is important too