OK, here's the proposed solution for write protect of the OLPC BIOS.

Short of phishing attacks, I think it should suffice; but I'd like
people here to shoot at the scheme in case I'm missing something.
                          Regards,
                              - Jim

-- 
Jim Gettys
One Laptop Per Child

--- Begin Message ---
Hi, C.H.!

We need to write-protect the BIOS ROM. To do this, I propose the following. The EC will hard write-protect the BIOS (including its own code, if this is stored in the BIOS ROM). It is *crucial* that no possible command from the Geode to the EC can change his write-protect pin, no matter how difficult that command might be to issue.

The sequence to write either the EC or the BIOS will require the following:

  1. The user runs the BIOS Writing utility
  2. The CPU will send a "Request Write-Enable" to the EC
  3. The BIOS Writing utility's user interface will ask that the user
     hold down the space bar for five seconds
  4. The user holds down the space bar for five seconds.  At that
     point, the EC itself will detect this fact, and will remove the
     write-protection for the BIOS & EC.
  5. The BIOS Writing utility will then re-program the BIOS and/or EC code.
  6. Upon completion of programming, the EC will automatically
     re-write-protect the BIOS / EC code.

It is vital that any variation from this sequence will inhibit the writing process, and will require starting over. If the user presses the wrong key, or if the EC receives any other command, then the sequence should be restarted.

Once again, it is truly important that no combination of CPU commands can write-enable the BIOS without user intervention. This includes commands like "Port Write to EC", "Set Write Address / Write Byte" to EC, etc.

The reason we need this capability is to prevent a virus from instantly destroying millions of machines overnight. Please let me know if this can be implemented in the fashion that we're requesting.

Thank you very much!

Cheers!
MarkF

--- End Message ---
-- 
linuxbios mailing list
[email protected]
http://www.openbios.org/mailman/listinfo/linuxbios
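
The six-step sequence in the forwarded message, modelled as an EC-side state machine. This is an added example, not code from the original message or from OLPC's EC firmware; the event names, state names and the one-second tick are assumptions made for illustration.

```c
#include <stdbool.h>

/* Hypothetical event and state names; the message specifies only the sequence. */
enum ec_event { EV_CMD_REQUEST_WRITE_ENABLE, EV_CMD_OTHER, EV_SPACE_DOWN,
                EV_SPACE_UP, EV_KEY_OTHER, EV_TICK_1S, EV_PROGRAM_DONE };
enum ec_state { ST_LOCKED, ST_ARMED, ST_HOLDING, ST_UNLOCKED };

#define HOLD_SECONDS 5

struct ec {
    enum ec_state state;
    int held;            /* whole seconds the space bar has been held */
    bool write_protect;  /* models the WP pin; true = flash is protected */
};

static void ec_lock(struct ec *ec) {
    ec->state = ST_LOCKED;
    ec->held = 0;
    ec->write_protect = true;
}

void ec_init(struct ec *ec) { ec_lock(ec); }

/* Feed one event to the EC. The WP pin is released in exactly one place:
 * after the EC itself has timed a continuous space-bar hold that followed
 * a Request Write-Enable. Anything unexpected restarts the sequence. */
void ec_step(struct ec *ec, enum ec_event ev) {
    switch (ec->state) {
    case ST_LOCKED:
        if (ev == EV_CMD_REQUEST_WRITE_ENABLE) ec->state = ST_ARMED;
        break;                       /* no other event has any effect */
    case ST_ARMED:                   /* waiting for the user; ticks are fine */
        if (ev == EV_SPACE_DOWN) { ec->state = ST_HOLDING; ec->held = 0; }
        else if (ev != EV_TICK_1S) ec_lock(ec);
        break;
    case ST_HOLDING:                 /* wrong key, release or command: restart */
        if (ev != EV_TICK_1S) { ec_lock(ec); break; }
        if (++ec->held >= HOLD_SECONDS) {
            ec->write_protect = false;
            ec->state = ST_UNLOCKED;
        }
        break;
    case ST_UNLOCKED:
        /* Assumption: the EC learns of completion via EV_PROGRAM_DONE. */
        if (ev == EV_PROGRAM_DONE) ec_lock(ec);
        break;
    }
}
```

No host command maps to a direct change of `write_protect`; the only path to the unlocked state runs through the hold timer that the EC counts itself.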
