Talk:Firmware security: Difference between revisions
Jump to navigation
Jump to search
(Comments on GNU's comments.) |
m (Talk:Firmware Security moved to Talk:Firmware security: lowercase) |
(No difference)
|
Revision as of 20:06, 21 August 2007
Several issues with the draft Firmware Security article:
- Developer key should allow reflashing with unsigned firmware. Make it require input from a human on the gamepad.
- Developer key should not be stored in NAND in a particular filesystem format. The user should be free to boot or install new OS's with new filesystem formats, without losing their ability to reprogram the hardware. My suggestion is that the developer key (or a bit or other field that indicates a developer key has been seen) be stored in SPI flash, with or near the manufacturing data.
A developer key is supposed to turn off all the DRM, making it possible for the user to change anything in the system, as if it was an open system. The spec as stated doesn't do that. Open Firmware is freely available for people to modify and run, but even with a devkey, you couldn't run it in an XO (only in somebody else's hardware). That's a bug, not a feature.
- I don't think these objections are valid. The current spec says that the developer key drops you into the Open Firmware prompt. From there you can reflash the firmware as you can currently, which could naturally turn off any further key checks. Once you've done that, it doesn't matter if or where you store the developer key, so you can naturally use any flash format you like. CScott 15:11, 14 August 2007 (EDT)
- The firmware should refuse to reflash itself over and over. Currently there are a number of endless loops built into the process (e.g. "Look in /boot/bootfw.zip, reflash self if it's newer than current firmware"). I just saw auto-installation go into an endless loop as long as a particular SPI flash image was on USB at boot. When you make a loop like that which runs from NAND there's potential for real trouble, since the user can't just yank the NAND to regain control of their system. This all happens before Linux is booted, before the developer key has been examined, and way before the user gets any control.
OFW could keep timestamps of reflashings; or could, after the third time within ten minutes, ignore the reflash and boot Linux. Or could have a counter and demand human intervention when it hits zero. Or could rewrite the file in the NAND or USB filesystem. Or something!
- This is a valid point, but mitigated somewhat if "newer than current firmware" uses the same algorithm that will be used post-boot. The auto-reinstallation scripts have this trouble because "newer than current firmware" relies on a filename check pre-installation, and on some magic bits in the image header post-installation. As long as we use the same method both pre- and post-installation then infinite loops should be impossible. But sanity checks would not be out of place. CScott 15:11, 14 August 2007 (EDT)