Shipping G1G1 machines with NAND reflash locks enabled makes little sense to me. What good is protection against malicious reflash when any attacker who can perform a reflash has physical access to the device and has password-free root access in default configurations?
Instead, the justification that I recall most strongly from when I last inquired about the purpose of enabling the NAND reflash lock on G1G1 machines is that it is primarily intended to reduce support costs by making it harder to test non-Released builds via reflash. I countered that the value of the extra testing we might receive would far outweigh the extra support costs that we might incur but, evidently, my argument was not decisive.

Scott - were there other justifications given for the NAND reflash lock? I vaguely recall that you argued that, by default, OFW ought to be prohibited from writing unsigned data to the NAND on the grounds that bugs in the prohibited code paths might otherwise violate security goals of clients shipping passive-kill or active-kill technologies. Did I recall your justification correctly?

Michael

_______________________________________________
Devel mailing list
Devel@lists.laptop.org
http://lists.laptop.org/listinfo/devel