#11682 NORM 1.75-fi: Corrupted bootfw files are fatal to secure boot; ecfw updates are not
Zarro Boogs per Child
bugtracker at laptop.org
Thu Mar 8 00:08:18 EST 2012
#11682: Corrupted bootfw files are fatal to secure boot; ecfw updates are not
-------------------------------------------+--------------------------------
Reporter: greenfeld | Owner: wmb at firmworks.com
Type: defect | Status: new
Priority: normal | Milestone: 1.75-firmware
Component: ofw - open firmware | Version: Development build as of this date
Resolution: | Keywords:
Next_action: review | Verified: 0
Deployment_affected: | Blockedby:
Blocking: |
-------------------------------------------+--------------------------------
Changes (by Quozl):
* cc: pgf, rsmith (added)
* next_action: diagnose => review
Comment:
We don't flash an EC or OpenFirmware image if we can detect it has been
tampered with.
For ecfw.zip, this is handled in ''?ec-update'' ... the image is loaded,
then checked in ''ec-up-to-date?'' for the correct length and XO-EC
non-cryptographic signature.
If this check fails, boot continues without a cryptographic signature
check being made, and without reflashing.
If this check passes, then the cryptographic signature check is done, and
if this passes then the image is handed to ''do-ec-update'' for final
checks and reflashing.
The purpose of this design is to:
* prevent bricking of a non-secure laptop when an incorrect file is
provided,
* prevent flashing to a secure laptop of firmware that does not pass the
signature check, whether this be due to tampering, mismatch between
installed deployment firmware keys and the build being used, etc.
I don't think we should be concentrating on helping image creators know
whether they signed their image correctly or not. There are other tools
for that.
I have not heard of any requirement to force a laptop not to boot on the
grounds that a specific version of EC firmware is required. The EC
firmware team might like to comment.
I don't know why booting is blocked with a bootfw.zip present that does
not pass the cryptographic signature check.
I see no reason for the EC and OpenFirmware reflash check processes to be
identical.
--
Ticket URL: <http://dev.laptop.org/ticket/11682#comment:3>
One Laptop Per Child <http://laptop.org/>
OLPC bug tracking system
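The two-stage EC update gate described in the comment above, as an added illustration that is not OLPC's firmware code: the length/tag check, the crypto check, and the three outcomes (skip, reject, flash). The image layout, the "XO-EC" tag, the 64-byte length and the HMAC stand-in for the real signature scheme are constructed assumptions, not the actual ecfw.zip format.

```python
import hmac
import hashlib
from dataclasses import dataclass

# Constructed stand-ins (hypothetical, not OLPC's real format or keys):
# a fixed-length image starting with a plain-text tag, plus an HMAC tag
# that plays the role of the cryptographic signature in this illustration.
EXPECTED_LEN = 64
EC_TAG = b"XO-EC"                          # non-cryptographic "signature"
DEPLOYMENT_KEY = b"deployment-key-placeholder"


@dataclass
class Verdict:
    action: str   # "skip", "reject" or "flash"
    reason: str


def ec_up_to_date_check(image: bytes) -> bool:
    """Cheap sanity check in the spirit of ''ec-up-to-date?'': length and tag."""
    return len(image) == EXPECTED_LEN and image.startswith(EC_TAG)


def crypto_check(image: bytes, sig: bytes, key: bytes) -> bool:
    """Stand-in for the signature check; HMAC-SHA256 is a constructed substitute."""
    expected = hmac.new(key, image, hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)


def ec_update_decision(image: bytes, sig: bytes, key: bytes = DEPLOYMENT_KEY) -> Verdict:
    """Models the ?ec-update flow: corrupt file -> skip, bad signature -> reject."""
    if not ec_up_to_date_check(image):
        # Corrupted or wrong file: no crypto check, no reflash, boot continues.
        return Verdict("skip", "not a well-formed EC image; boot continues")
    if not crypto_check(image, sig, key):
        # Well-formed but tampered, unsigned or signed with another deployment's
        # key: refuse to reflash, but still continue booting.
        return Verdict("reject", "signature check failed; boot continues, no reflash")
    return Verdict("flash", "hand image to do-ec-update for final checks")


def make_signed_image(key: bytes = DEPLOYMENT_KEY):
    """Build a constructed, correctly signed sample image for demonstration."""
    image = EC_TAG + b"\x00" * (EXPECTED_LEN - len(EC_TAG))
    return image, hmac.new(key, image, hashlib.sha256).digest()


if __name__ == "__main__":
    img, sig = make_signed_image()
    for candidate, s in ((img, sig), (img[:-1], sig), (img, b"\x00" * 32)):
        print(ec_update_decision(candidate, s))
```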