Re: Does antitheft.py in olpcrd ever do anything?
On Tue, May 5, 2009 at 3:21 AM, Martin Langhoff martin.langh...@gmail.com wrote: On Tue, May 5, 2009 at 6:24 AM, C. Scott Ananian csc...@laptop.org wrote: the plan is to implement real EC-based security for Gen 1.5; I recommend ditching the init-based plan completely Any hints or references for that I could read? Or should I talk w Richard? I'd like to make sure I implement something that works also on 1.5... I think talk to Richard. I'm pretty far out of the loop. --scott -- ( http://cscott.net/ ) ___ Devel mailing list Devel@lists.laptop.org http://lists.laptop.org/listinfo/devel
Re: Does antitheft.py in olpcrd ever do anything?
On Tue, May 5, 2009 at 6:24 AM, C. Scott Ananian csc...@laptop.org wrote: the plan is to implement real EC-based security for Gen 1.5; I recommend ditching the init-based plan completely Any hints or references for that I could read? Or should I talk w Richard? I'd like to make sure I implement something that works also on 1.5... m -- martin.langh...@gmail.com mar...@laptop.org -- School Server Architect - ask interesting questions - don't get distracted with shiny stuff - working code first - http://wiki.laptop.org/go/User:Martinlanghoff ___ Devel mailing list Devel@lists.laptop.org http://lists.laptop.org/listinfo/devel
Does antitheft.py in olpcrd ever do anything?
Today I've been working through the olpcrd and the OATC code, new keyjector, etc. Quite interesting read. One of the interesting things is: our init is antitheft.py, which checks for existing activation, registers signal handlers to deal with zombies, and then ... and sleeps. The sleep is heralded by a do OATC stuff comment. As far as I can see, it hasn't setup any other signal handler, it's not listening to any kernel event (inotify, etc). It is truly sleeping. Is there anything I am missing? Frankly, I don't think we gain much from having a smart init past the init phase. The flow I am envisioning is as follows: - Let antitheft.py sleep, or let it exec a real lightweight init (assuming it releases memory). - Take advantage of the NetworkManager event called on ifup. When we associate successfully to a network, if we haven't gotten a lease recently, and the network looks like it may have a XS, request one. - If we get a new lease, validate it and save it as /security/lease.sig . We have the option here of being paranoid about DoS via OATC and writing it out to /security/new-lease.sig , to be re-validated and formally installed in the next boot. I don't think it's worthwhile. - If we get a STOLEN, shut down immediately. What do we miss, if we compare this with an 'OATC-checking init' model? - If you have root, it's easy to remove the NM script, whereas fiddling with init is pretty hard. However, even if you remove the NM hooks, the checks are performed on boot. - If the lease runs out while the machine is running, the next check is at reboot time. In any case, the XO has been rendered quite useless as it'll only run until it's rebooted... Why do I want to add logic in the NM hooks and not in the pythonesque init? A simple lightweight init is a good thing, and simple scripts from NM are easily made failsafe -- getting init to listen to NM events, establish network connections, etc is a fairly treacherous thing. cheers, martin -- martin.langh...@gmail.com mar...@laptop.org -- School Server Architect - ask interesting questions - don't get distracted with shiny stuff - working code first - http://wiki.laptop.org/go/User:Martinlanghoff ___ Devel mailing list Devel@lists.laptop.org http://lists.laptop.org/listinfo/devel
Re: Does antitheft.py in olpcrd ever do anything?
2009/5/4 Martin Langhoff martin.langh...@gmail.com: Today I've been working through the olpcrd and the OATC code, new keyjector, etc. Quite interesting read. One of the interesting things is: our init is antitheft.py, which checks for existing activation, registers signal handlers to deal with zombies, and then ... and sleeps. The sleep is heralded by a do OATC stuff comment. As far as I can see, it hasn't setup any other signal handler, it's not listening to any kernel event (inotify, etc). It is truly sleeping. Is there anything I am missing? I don't think so. As far as I'm aware, it does nothing, but there were probably plans for implementing some things later. I don't know exactly what is pending or the reasons behind the design decision, Scott is probably a good person to ask nicely... Frankly, I don't think we gain much from having a smart init past the init phase. The flow I am envisioning is as follows: - Let antitheft.py sleep, or let it exec a real lightweight init (assuming it releases memory). - Take advantage of the NetworkManager event called on ifup. When we associate successfully to a network, if we haven't gotten a lease recently, and the network looks like it may have a XS, request one. - If we get a new lease, validate it and save it as /security/lease.sig . We have the option here of being paranoid about DoS via OATC and writing it out to /security/new-lease.sig , to be re-validated and formally installed in the next boot. I don't think it's worthwhile. - If we get a STOLEN, shut down immediately. What do we miss, if we compare this with an 'OATC-checking init' model? - If you have root, it's easy to remove the NM script, whereas fiddling with init is pretty hard. However, even if you remove the NM hooks, the checks are performed on boot. No they aren't. Or does your proposal include adding such checks during boot? - If the lease runs out while the machine is running, the next check is at reboot time. In any case, the XO has been rendered quite useless as it'll only run until it's rebooted... Why do I want to add logic in the NM hooks and not in the pythonesque init? A simple lightweight init is a good thing, and simple scripts from NM are easily made failsafe -- getting init to listen to NM events, establish network connections, etc is a fairly treacherous thing. cheers, martin -- martin.langh...@gmail.com mar...@laptop.org -- School Server Architect - ask interesting questions - don't get distracted with shiny stuff - working code first - http://wiki.laptop.org/go/User:Martinlanghoff ___ Devel mailing list Devel@lists.laptop.org http://lists.laptop.org/listinfo/devel ___ Devel mailing list Devel@lists.laptop.org http://lists.laptop.org/listinfo/devel
Re: Does antitheft.py in olpcrd ever do anything?
On Mon, May 4, 2009 at 7:54 PM, Daniel Drake d...@laptop.org wrote: I don't think so. As far as I'm aware, it does nothing, but there were probably plans for implementing some things later. I don't know exactly what is pending or the reasons behind the design decision, Scott is probably a good person to ask nicely... At the bottom of http://wiki.laptop.org/go/Theft_deterrence_protocol there's mention of /security/events as the socket to communicate with oatc. - If you have root, it's easy to remove the NM script, whereas fiddling with init is pretty hard. However, even if you remove the NM hooks, the checks are performed on boot. No they aren't. Or does your proposal include adding such checks during boot? I am thinking of the simple check of do we have a still-current lease. Following find_lease() we do end up in verify_act() which does check that /security/lease.sig is good and current. Or are you thinking of something else? cheers, m -- martin.langh...@gmail.com mar...@laptop.org -- School Server Architect - ask interesting questions - don't get distracted with shiny stuff - working code first - http://wiki.laptop.org/go/User:Martinlanghoff ___ Devel mailing list Devel@lists.laptop.org http://lists.laptop.org/listinfo/devel
Re: Does antitheft.py in olpcrd ever do anything?
2009/5/4 Martin Langhoff martin.langh...@gmail.com: No they aren't. Or does your proposal include adding such checks during boot? I am thinking of the simple check of do we have a still-current lease. Following find_lease() we do end up in verify_act() which does check that /security/lease.sig is good and current. Or are you thinking of something else? I mistook your mail for suggesting that all of your NM script code would be duplicated by the boot sequence - this isn't true for any of the am I stolen? code which would run on every connection through NM, but in the boot sequence would only ever run when the lease has expired. And because the NM script would be trivial to delete, it makes the am I stolen? code somewhat pointless. Apart from that, I guess your ideas would hold up, but we might be missing something. Daniel ___ Devel mailing list Devel@lists.laptop.org http://lists.laptop.org/listinfo/devel