#9564 NORM 1.0-fir: XO-1: RTC anti-rollback
Zarro Boogs per Child
bugtracker at laptop.org
Tue Feb 16 09:07:10 EST 2010
#9564: XO-1: RTC anti-rollback
-------------------------------------------+--------------------------------
Reporter: wmb at firmworks.com | Owner: wmb at firmworks.com
Type: enhancement | Status: assigned
Priority: normal | Milestone: 1.0-firmware-security
Component: ofw - open firmware | Version: 1.0 Hardware
Resolution: | Keywords:
Next_action: code | Verified: 0
Deployment_affected: | Blockedby:
Blocking: |
-------------------------------------------+--------------------------------
Comment(by martin.langhoff):
I had assumed that the plan you outlined for saving the last-known-good-rtc
would be atomic and resilient in the face of power loss (which is the
core issue at #10022). Resiliency is a major issue for a value that will
be updated on every boot.
Other than that, I have been studying the possible corner cases for the
OFW side and I cannot find one. We have exactly 3 variables:
* RTC
* Last-known-good RTC in SPI flash
* /security/rtc-reset
So the main logic is
* if LKGRTC == rtc-reset and rtc-reset is signed; then LKGRTC = RTC = rtc-reset; fi
* if LKGRTC < RTC; then LKGRTC = RTC; fi
The real bastard is to make those writes to the SPI Flash in a failsafe
way. On that track, I am 100% clueless in practical atomicity / checksum /
validation strategies to deal with low level HW.
--
Ticket URL: <http://dev.laptop.org/ticket/9564#comment:12>
One Laptop Per Child <http://laptop.org/>
OLPC bug tracking system
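The two boot-time rules from the comment, together with one way to make the LKGRTC write survive power loss, as an added C example (not OLPC or Open Firmware code): two checksummed, sequence-numbered records in a constructed in-memory stand-in for the SPI flash, with the checksum programmed last so a torn write is never accepted. The `torn` flag, the record layout and the status values are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
/* Constructed stand-in for two SPI flash sectors holding the last-known-good
 * RTC (LKGRTC). Each record carries a sequence number and a checksum; the
 * newest valid record wins, so a write cut short by power loss leaves the
 * previous record authoritative instead of corrupting the only copy. */
typedef struct { uint32_t seq, rtc, sum; } lkg_slot_t;
static lkg_slot_t flash[2];
static uint32_t lkg_sum(uint32_t seq, uint32_t rtc) {
    return (seq * 2654435761u) ^ rtc ^ 0xA5A5A5A5u;  /* integrity check only, not crypto */
}
static bool lkg_valid(const lkg_slot_t *s) { return s->sum == lkg_sum(s->seq, s->rtc); }
void lkg_erase_all(void) { memset(flash, 0xFF, sizeof flash); }  /* erased flash reads 0xFF */
static int lkg_newest(void) {  /* valid slot with the highest seq, or -1 if none */
    int best = -1;
    for (int i = 0; i < 2; i++)
        if (lkg_valid(&flash[i]) && (best < 0 || flash[i].seq > flash[best].seq)) best = i;
    return best;
}
bool lkg_read(uint32_t *rtc_out) {
    int i = lkg_newest();
    if (i >= 0) *rtc_out = flash[i].rtc;
    return i >= 0;
}
/* Program the slot NOT holding the newest record; checksum last, so an
 * interrupted write (simulated by torn=true) never yields a valid record. */
void lkg_write(uint32_t rtc, bool torn) {
    int newest = lkg_newest(), target = (newest == 0) ? 1 : 0;
    uint32_t seq = (newest < 0) ? 1 : flash[newest].seq + 1;
    memset(&flash[target], 0xFF, sizeof flash[target]);  /* sector erase */
    flash[target].seq = seq;
    flash[target].rtc = rtc;
    if (torn) return;                                     /* power lost here */
    flash[target].sum = lkg_sum(seq, rtc);                /* commit */
}
enum rtc_status { RTC_OK, RTC_RESET_APPLIED, RTC_ROLLBACK_DETECTED };
/* Boot-time rules from the comment. *rtc is updated when a signed rtc-reset
 * applies; a clock earlier than LKGRTC is reported as rollback (the response
 * to that is outside the comment). */
enum rtc_status rtc_anti_rollback(uint32_t *rtc, bool reset_signed, uint32_t rtc_reset) {
    uint32_t lkg;
    bool have_lkg = lkg_read(&lkg);
    if (reset_signed && have_lkg && lkg == rtc_reset) {   /* LKGRTC = RTC = rtc-reset */
        lkg_write(rtc_reset, false);
        *rtc = rtc_reset;
        return RTC_RESET_APPLIED;
    }
    if (!have_lkg || lkg < *rtc) { lkg_write(*rtc, false); return RTC_OK; }  /* LKGRTC = RTC */
    return lkg == *rtc ? RTC_OK : RTC_ROLLBACK_DETECTED;
}
```

A real implementation would replace the toy checksum with a CRC and bind the write to actual sector erase/program semantics, but the two-slot ordering is what keeps the value recoverable across a power loss mid-write.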