Actually, I kind of like this thought process, with some caveats. A) We should not expect 6-year olds to reflash BIOS nor expect them to know the difference between phishing and normal stuff. B) BIOS reflashing should be an adult/supervised activity - possibly by parents or teachers or local computer person of some sort
C) We do not want to open the machine to reflash the BIOS and jumpers can get lost. D) While we do want these to be purposeful machines, with the demeanor of a toaster, I do think we would need to update the BIOS, for security reasons, fixing bugs or even enhancements. So we do need a way out, that is scalable and coherent. E) In short, supporting Ivan (for a change ;o)) we do need a mechanism to securely reflash the BIOS. F) Policies etc will rule the mechanics - how the security materials are inserted into the system, carried thru during the lifecycle and replaces as and when necessary G) So long as we can a place for a public key which we trust for a set of sequences (like updating the BIOS) and a method to safely update the BIOS we are in good shape, me thinks. But we definitely need to document the sequences, the various bit buckets we trust and the level of trust we place on them. H) Naturally as John and others point out, we will never have a fool-proof system, we do the best we can - collectively and improve on it. Cheers <k/> > -----Original Message----- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of William Bradley > Sent: Tuesday, August 29, 2006 10:08 AM > To: [email protected] > Subject: Re: [OLPC-devel] Secure BIOS on the OLPC > > > This machine is for children. Are we trying to give kids > basic access to information, or create yet another platform > for OS experimentation? There is a desperate need for the > former and I'm excited about helping to fill it. The latter > I could care less about. > > This machine needs to Just Work. That argues for treating > the BIOS as Something You Really Don't Want to Touch after > the machine is shipped. > > I vote for making it *really* hard to reflash the BIOS. Like > you have to open something, or insert a jumper, or something. > > _______________________________________________ > Devel mailing list > [email protected] > http://mailman.laptop.org/mailman/listinfo/devel > _______________________________________________ Devel mailing list [email protected] http://mailman.laptop.org/mailman/listinfo/devel
