#11682 NORM 1.75-fi: Corrupted bootfw files are fatal to secure boot; ecfw updates are not

Zarro Boogs per Child bugtracker at laptop.org
Tue Mar 13 09:22:22 EDT 2012


#11682: Corrupted bootfw files are fatal to secure boot; ecfw updates are not
-------------------------------------------+--------------------------------
           Reporter:  greenfeld            |       Owner:  wmb at firmworks.com                
               Type:  defect               |      Status:  new                              
           Priority:  normal               |   Milestone:  1.75-firmware                    
          Component:  ofw - open firmware  |     Version:  Development build as of this date
         Resolution:                       |    Keywords:                                   
        Next_action:  review               |    Verified:  0                                
Deployment_affected:                       |   Blockedby:                                   
           Blocking:                       |  
-------------------------------------------+--------------------------------

Comment(by rsmith):

 Replying to [comment:9 wmb at firmworks.com]:

 > I don't have a strong opinion about how it should work - but I will
 offer the following argument in favor of refusing to boot:
 >
 > Suppose that a security vulnerability is found in OFW, that we wish to
 fix as part of an OS upgrade.  Corrupting the bootfw file could be an
 attack to prevent upgrading that OFW.

 In the past some of our most problematic firmware problems were related to
 firmware decisions (or bugs) that kept the laptop from booting, so I feel
 like we have lots of history that boot failures cause _way_ more problems vs
 increasing security.

 I don't believe the above scenario is a very valid attack vector because
 it's for a known security flaw.  You have to know there is a security flaw
 that exists before you know to corrupt a firmware on external media.  If
 the attacker already knows enough to be exploiting said flaw then they
 have plenty of other tools at their disposal.  Otherwise the automatic
 firmware upgrades will proceed as normal.

 Are the check paths for the external bootfw.zip and internal bootfw.zip
 the same?  If so then corrupted firmware on the internal eMMC would also
 cause failure to boot and require a full re-flash.

 Unless someone with a lot of deployment security experience like dsd or
 someone in Uruguay can present a specific case against boot-continue then
 I have a strong opinion against boot-fail.  It should ignore the files
 (with some fail notice) and go on allowing the rest of the security stack
 to make decisions.

-- 
Ticket URL: <http://dev.laptop.org/ticket/11682#comment:10>
One Laptop Per Child <http://laptop.org/>
OLPC bug tracking system
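The two policies argued over in this comment (refuse to boot when the bootfw file fails its check, or log a notice, ignore the file and let the rest of the boot continue), modelled as an added example in C. This is not OFW code: the CRC-32 stands in for OFW's real signature verification of bootfw.zip, and the policy and verdict names, the constructed sample blob and the notice strings are all assumptions made here for illustration.

```c
/* Added example, not OLPC/OFW code.  Models a firmware-update gate that
 * verifies a bootfw blob and then applies one of the two policies debated
 * in ticket #11682.  The integrity check is a plain CRC-32 standing in for
 * a signature check; everything named below is an assumption. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

enum fw_policy  { POLICY_BOOT_FAIL, POLICY_BOOT_CONTINUE };
enum fw_verdict { FW_APPLY, FW_IGNORE, FW_HALT };

struct fw_image {
    const uint8_t *data;
    size_t         len;
    uint32_t       expected_crc;   /* stand-in for the signature OFW would check */
};

/* Standard reflected CRC-32 (poly 0xEDB88320, init/final 0xFFFFFFFF). */
uint32_t fw_crc32(const uint8_t *p, size_t n)
{
    uint32_t c = 0xFFFFFFFFu;
    for (size_t i = 0; i < n; i++) {
        c ^= p[i];
        for (int k = 0; k < 8; k++)
            c = (c >> 1) ^ (0xEDB88320u & (0u - (c & 1u)));
    }
    return ~c;
}

int fw_image_intact(const struct fw_image *img)
{
    return fw_crc32(img->data, img->len) == img->expected_crc;
}

/* The decision point the ticket is about: an intact image is applied; a
 * corrupt one either halts the boot (boot-fail) or is ignored with a notice
 * so the remaining security stack still gets to run (boot-continue). */
enum fw_verdict fw_decide(const struct fw_image *img, enum fw_policy policy,
                          char *notice, size_t nlen)
{
    if (fw_image_intact(img)) {
        snprintf(notice, nlen, "bootfw verified, applying update");
        return FW_APPLY;
    }
    if (policy == POLICY_BOOT_FAIL) {
        snprintf(notice, nlen, "bootfw corrupt, refusing to boot");
        return FW_HALT;
    }
    snprintf(notice, nlen, "bootfw corrupt, ignoring update and continuing boot");
    return FW_IGNORE;
}

/* Builds a constructed sample blob, optionally flips one byte to simulate
 * the corruption the ticket worries about, and returns the verdict. */
enum fw_verdict fw_sample_verdict(int corrupt, enum fw_policy policy, char *notice, size_t nlen)
{
    uint8_t blob[32];
    for (size_t i = 0; i < sizeof blob; i++)
        blob[i] = (uint8_t)(0x5A ^ i);            /* constructed payload */
    uint32_t good_crc = fw_crc32(blob, sizeof blob);   /* "signed" value */
    if (corrupt)
        blob[7] ^= 0x01;                          /* single-bit corruption */
    struct fw_image img = { blob, sizeof blob, good_crc };
    return fw_decide(&img, policy, notice, nlen);
}

int main(void)
{
    char notice[96];
    enum fw_policy policies[] = { POLICY_BOOT_FAIL, POLICY_BOOT_CONTINUE };
    for (int c = 0; c < 2; c++)
        for (int p = 0; p < 2; p++) {
            enum fw_verdict v = fw_sample_verdict(c, policies[p], notice, sizeof notice);
            printf("corrupt=%d policy=%s -> verdict=%d (%s)\n", c,
                   p ? "continue" : "fail", (int)v, notice);
        }
    return 0;
}
```

Whichever policy is chosen, the check itself is identical for an external and an internal copy of the file, which is the point behind the question above: under the boot-fail policy a corrupt internal copy would halt the boot exactly as an external one would.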
