#5680 HIGH Update.: G1G1 laptops are shipping with "security" enabled

Zarro Boogs per Child bugtracker at laptop.org
Wed Dec 26 19:15:03 EST 2007 

#5680: G1G1 laptops are shipping with "security" enabled
-----------------------+----------------------------------------------------
  Reporter:  gnu       |       Owner:  jg                      
      Type:  defect    |      Status:  new                     
  Priority:  high      |   Milestone:  Update.1                
 Component:  security  |     Version:                          
Resolution:            |    Keywords:  firmware, security, G1G1
  Verified:  0         |    Blocking:                          
 Blockedby:            |  
-----------------------+----------------------------------------------------

Comment(by gnu):

 Replying to [comment:2 jg]:
 > Is it acceptable to you that your laptop be able to be "bricked" by a
 virus or worm, as conventional whiteboxes are able to be?

 Totally, absolutely, 1000%.  It is much better for theoretical future
 malware to theoretically brick a laptop in the future, than for its
 manufacturer to actually, physically brick it today.  You've burned the
 village to save it.

 Hundreds of millions of whiteboxes are in active use daily.  Very few are
 ever bricked by malware.  The D*M in the XO is bricking laptops every day
 for real live donor/customers, including a lot of little kids' Christmas
 presents.

 I supported four such people yesterday, one in IRC and three in
 rt.laptop.org.  In some cases the machine isn't necessarily bricked, but
 it can't be diagnosed because you can't interact with it.

 Please don't conflate D*M with security against malware.  It's not clear
 to me exactly how malware could brick a laptop (other than by writing zero
 to the RTC month register, triggering a firmware bug).  It should be easy
 for the firmware to disable writes to the firmware flash chip before
 booting any kernel (whether tagged "wp" or not).  This would still allow
 writing the firmware from Forth, which is how we always do it anyway, but
 not from Linux.  Closing off that opportunity for malware has nothing to
 do with whether the user is permitted to type commands to the firmware
 before receiving a blob signed by a private key held by OLPC.

-- 
Ticket URL: <http://dev.laptop.org/ticket/5680#comment:5>
One Laptop Per Child <http://dev.laptop.org>
OLPC bug tracking system

More information about the Bugs mailing list