Ivan Krstić wrote: > [This is important, and your comments are requested -- please read.] > > While working on the OLPC security policy and threat model, I spent some > time thinking about how we're going to perform BIOS updates. > > At some unpleasant hour of the morning last night, I had a flash of > inspiration, and I think I've solved this in a much better way. Here's how: > [...] > If the file is present, the LB payload verifies that the binary is > cryptographically signed by OLPC. This is all done within the known-good > LB payload. > [...] > Voila. This is now a completely secure BIOS solution which requires no > TPM, allows fully automatic upgrades without the user's cooperation > (such as pressing keys), and fully protects both against phishing and > automated attacks -- in fact, it's vector-independent.
And it fully automates bricking of thousands of machines if the key is ever compromised. In that aspect, the new suggestion is much worse than the older one. Flashing a new BIOS against the will of the user is *evil* (and generates quite a lot of bad publicity if you look at the Playstation Portable forced firmware upgrades). > The design also > allows provisions to be made for kids that are brave enough to want to > hack their BIOSes, as well as for countries which want to offer > additional non-OLPC BIOSes. Once you make these provisions, how are you going to be sure a worm author doesn't use them? "Hey, I'm a kid wanting to hack the BIOS, can I have a signing key?" Besides that, this new signing mechanism would make the laptops as closed as the Xbox. There should remain at least one way to flash a non-signed BIOS without resorting to a soldering iron. Possibly require a USB keyfob to be plugged in or something (like the original solution with keypress). Regards, Carl-Daniel _______________________________________________ Devel mailing list [email protected] http://mailman.laptop.org/mailman/listinfo/devel
