#9564 NORM Not Tri: RTC anti-rollback
Zarro Boogs per Child
bugtracker at laptop.org
Wed Oct 28 11:24:20 EDT 2009
#9564: RTC anti-rollback
---------------------------------+------------------------------------------
Reporter: wmb at firmworks.com | Owner: wmb at firmworks.com
Type: enhancement | Status: new
Priority: normal | Milestone: Not Triaged
Component: ofw - open firmware | Version: not specified
Keywords: | Next_action: never set
Verified: 0 | Deployment_affected:
Blockedby: | Blocking:
---------------------------------+------------------------------------------
The idea is to record boot timestamps in SPI FLASH to guard against clock-rollback attacks on the XO security.

It could be done without FLASH wearout by using several thousand locations in the mfg data page, incrementing to the next location on each boot. Erasure would be very infrequent. For example, if 32K were used, with 4-byte-plus-parity-byte timestamps, that would be 6K reboots before erase/rewrite is needed. That's about 4 reboots per day every day for 5 years.

The current idea is for OFW to convert the RTC date and time to a Unix-style seconds timestamp and write it to the next available location in the mfg data page of SPI FLASH. This would happen in the OFW secure startup sequence before disabling indexed IO. A new EC feature (already prototyped) permits writing to SPI FLASH without having to reboot.

OFW will make the latest timestamp available to the OS via a property in the device tree - details TBD.

OFW will only write increasing timestamps. If the RTC time is less than the last valid (good parity) timestamp, OFW will not write a new timestamp, and the fact that the RTC is too early will be exported to the OS via another device tree property - but the OS will be booted anyway in order to permit the initrd to fix the RTC.
--
Ticket URL: <http://dev.laptop.org/ticket/9564>
One Laptop Per Child <http://laptop.org/>
OLPC bug tracking system
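The append-only timestamp log sketched in the ticket, written out as an added C model (not OFW code, and not from the ticket author): a 32K erased region, 4-byte little-endian Unix timestamps each followed by one parity byte, a scan for the last entry with good parity, and a boot-time step that refuses to write a timestamp earlier than that one while still letting boot proceed. The XOR parity scheme, the slot layout, the function names and the sample timestamps are assumptions chosen for the example, not details the ticket specifies.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed layout: 32 KiB of the mfg data page, 5-byte entries
 * (4-byte LE timestamp + 1 parity byte). 32768/5 = 6553 slots, which is
 * the ticket's "6K reboots" before an erase is needed. */
#define LOG_SIZE   32768u
#define ENTRY_SIZE 5u
#define LOG_SLOTS  (LOG_SIZE / ENTRY_SIZE)
#define ERASED     0xFFu   /* SPI NOR flash reads 0xFF after erase */

enum rtc_log_result {
    RTC_LOG_WRITTEN   = 0,  /* timestamp appended to the next free slot */
    RTC_LOG_TOO_EARLY = 1,  /* RTC precedes last good entry; nothing written */
    RTC_LOG_FULL      = 2   /* all slots used; erase/rewrite required */
};

/* Parity byte = XOR of the four timestamp bytes (assumed scheme). An erased
 * slot FF FF FF FF FF fails the check (FF^FF^FF^FF == 0x00 != 0xFF), so
 * erased space can never be mistaken for a valid entry. */
static uint8_t entry_parity(const uint8_t *e)
{
    return (uint8_t)(e[0] ^ e[1] ^ e[2] ^ e[3]);
}

static int slot_is_erased(const uint8_t *e)
{
    for (unsigned i = 0; i < ENTRY_SIZE; i++)
        if (e[i] != ERASED) return 0;
    return 1;
}

static uint32_t entry_value(const uint8_t *e)
{
    return (uint32_t)e[0] | ((uint32_t)e[1] << 8) |
           ((uint32_t)e[2] << 16) | ((uint32_t)e[3] << 24);
}

/* Scan used slots in order. Returns 1 and the last good-parity timestamp
 * in *latest, or 0 if none. *next gets the index of the first erased slot
 * (LOG_SLOTS when the log is full). Torn/corrupt entries are skipped but
 * still consume their slot. */
int rtc_log_latest(const uint8_t *flash, uint32_t *latest, unsigned *next)
{
    int found = 0;
    unsigned i;
    for (i = 0; i < LOG_SLOTS; i++) {
        const uint8_t *e = flash + i * ENTRY_SIZE;
        if (slot_is_erased(e)) break;
        if (entry_parity(e) == e[4]) {
            *latest = entry_value(e);
            found = 1;
        }
    }
    *next = i;
    return found;
}

/* Boot-time step: only ever write increasing timestamps. A too-early RTC
 * is reported to the caller (the ticket exports it to the OS via a device
 * tree property) and boot continues so the initrd can repair the clock. */
enum rtc_log_result rtc_log_record(uint8_t *flash, uint32_t rtc_now)
{
    uint32_t latest = 0;
    unsigned next;
    if (rtc_log_latest(flash, &latest, &next) && rtc_now < latest)
        return RTC_LOG_TOO_EARLY;
    if (next >= LOG_SLOTS)
        return RTC_LOG_FULL;
    uint8_t *e = flash + next * ENTRY_SIZE;
    e[0] = (uint8_t)rtc_now;         e[1] = (uint8_t)(rtc_now >> 8);
    e[2] = (uint8_t)(rtc_now >> 16); e[3] = (uint8_t)(rtc_now >> 24);
    e[4] = entry_parity(e);
    return RTC_LOG_WRITTEN;
}

void rtc_log_init(uint8_t *flash)   /* model a freshly erased region */
{
    memset(flash, ERASED, LOG_SIZE);
}

/* Constructed scenario: two normal boots, one rolled-back RTC, then a third
 * boot whose entry is torn (bad parity). Returns 1 if the log behaves as the
 * ticket describes: rollback refused, torn entry ignored, slot still used. */
int rtc_log_demo(void)
{
    static uint8_t flash[LOG_SIZE];
    uint32_t latest = 0;
    unsigned next = 0;
    rtc_log_init(flash);
    if (rtc_log_record(flash, 1256743460u) != RTC_LOG_WRITTEN)   return 0;
    if (rtc_log_record(flash, 1256829860u) != RTC_LOG_WRITTEN)   return 0;
    if (rtc_log_record(flash, 1256743460u) != RTC_LOG_TOO_EARLY) return 0;
    if (rtc_log_record(flash, 1256916260u) != RTC_LOG_WRITTEN)   return 0;
    flash[2 * ENTRY_SIZE + 4] ^= 0x01;           /* corrupt third entry's parity */
    if (!rtc_log_latest(flash, &latest, &next))  return 0;
    return latest == 1256829860u && next == 3;
}

int main(void)
{
    printf("anti-rollback log demo %s\n", rtc_log_demo() ? "ok" : "FAILED");
    return 0;
}
```

The check in rtc_log_record is deliberately `rtc_now < latest` rather than `<=`, matching the ticket's "less than": a clock that has not advanced between boots is recorded, only a clock that went backwards is refused.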