#11682 NORM 1.75-fi: Corrupted bootfw files are fatal to secure boot; ecfw updates are not

Zarro Boogs per Child bugtracker at laptop.org
Thu Mar 8 00:08:18 EST 2012

#11682: Corrupted bootfw files are fatal to secure boot; ecfw updates are not
           Reporter:  greenfeld            |       Owner:  wmb at firmworks.com                
               Type:  defect               |      Status:  new                              
           Priority:  normal               |   Milestone:  1.75-firmware                    
          Component:  ofw - open firmware  |     Version:  Development build as of this date
         Resolution:                       |    Keywords:                                   
        Next_action:  review               |    Verified:  0                                
Deployment_affected:                       |   Blockedby:                                   
           Blocking:                       |  
Changes (by Quozl):

 * cc: pgf, rsmith (added)
  * next_action:  diagnose => review


 We don't flash an EC or OpenFirmware image if we can detect it has been
 tampered with.

 For ecfw.zip, this is handled in ''?ec-update'' ... the image is loaded,
 then checked in ''ec-up-to-date?'' for the correct length and XO-EC non-
 cryptographic signature.

 If this check fails, boot continues without a cryptographic signature
 check being made, and without reflashing.

 If this check passes, then the cryptographic signature check is done, and
 if this passes then the image is handled to ''do-ec-update'' for final
 checks and reflashing.

 The purpose of this design is to:
  * prevent bricking of a non-secure laptop when an incorrect file is
  * prevent flashing to a secure laptop of firmware that does not pass the
 signature check, whether this be due to tampering, mismatch between
 installed deployment firmware keys and the build being used, etc.

 I don't think we should be concentrating on helping image creators know
 whether they signed their image correctly or not.  There are other tools
 for that.

 I have not heard of any requirement to force a laptop not to boot on the
 grounds that a specific version of EC firmware is required.  The EC
 firmware team might like to comment.

 I don't know why booting is blocked with an bootfw.zip present that does
 not pass cryptographic signature check.

 I see no reason for the EC and OpenFirmware reflash check processes to be

Ticket URL: <http://dev.laptop.org/ticket/11682#comment:3>
One Laptop Per Child <http://laptop.org/>
OLPC bug tracking system

More information about the Bugs mailing list