[OLPC-devel] Secure BIOS on the OLPC

Ivan Krstić krstic at solarsail.hcs.harvard.edu
Sun Aug 27 19:18:54 EDT 2006


John R. Hogerhuis wrote:
> There can be no technical solutions to phishing, it's a problem of
> educating the users to follow the school system's AUP.

For this *particular* instance of phishing, I provided a working
technical solution. Remember that we have some very young users.

> I think a hammer (or egads, a soldering iron) would do much more to
> prevent desired operation of the machine than that an OLPC can be loaded
> by the local admin with alternative firmware. Why should either be
> considered an issue?

Because malicious software or worms, which are the threat that my
solution addresses, can't take either a hammer or a soldering iron to
the machines. They can, however, brick the BIOS if allowed.

> That's a feature, not a bug. "Unsupported" does not mean "physically not
> permitted." Is there a requirement somewhere that the OLPC should be
> immune to its owners loading alternative software?

I am cognizant of this dilemma, but contend that it's simply not
important enough when it comes to the BIOS. What are the valid,
non-contrived use cases for people wanting to hack their BIOS? When was
the last time you hacked your BIOS, or had any reason to?

Unlike everything else (the OS, etc) which we're explicitly making
hackable, the BIOS just starts the machine. The reasons for hacking this
process are extremely few and far between. We can already accommodate
countries that want control over the BIOS, and individual kids who want
to hack it, if they get in touch with us about it.

> If loading new software is not allowed simply setting the school policy
> to "not allowed" and not running as root should be sufficient.

Not allowing new BIOS loading is not *in the slightest* isomorphic to
not allowing new software.

> Upgrading of firmware should always require the users explicit assent.

When the user is a six-year old kid?

> The BIOS just has to be "that good" before release that automatic
> upgrades are generally not required. It's too dangerous to allow
> automatic upgrades of the firmware, cryptographically signed or not. 

That's a judgment call, and I've made it already; please focus on
addressing technical problems you see with the solution I proposed.

> But I'll admit that OLPC is a different animal. 

That's correct.

> I have a soldering iron that says you're wrong, but hey
> maybe soldering irons are not all that common.

Malware wielding soldering irons is mostly nonexistent, actually.

> In general I'd recommend not succumbing to the temptation to lock down
> the machine from its local admin. 

See above. There's no locking down happening for ANY reasonable value of
locking down.

> Don't view the user as the enemy. They are not,

You're FUDing. Please re-read my message and try to understand the exact
problem that I'm attempting to address. We're building every sensible
aspect of the software to give more power to the users than any machine
that's ever been on the market.

-- 
Ivan Krstić <krstic at solarsail.hcs.harvard.edu> | GPG: 0x147C722D
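The threat the message above describes is malware rewriting the BIOS. The usual technical answer, which the quoted reply refers to as "cryptographically signed" firmware upgrades, is an updater that refuses to flash anything it cannot verify against a public key that the malware cannot change. The following is an added illustration of such a check; it is not OLPC's firmware format or code. The image layout (magic, version, length, payload, trailing Ed25519 signature), the function names and the anti-rollback rule are all assumptions made for this example, and the payload bytes are constructed.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Hypothetical image layout (an assumption for this example, not OLPC's):
//   magic   4 bytes  "OFW1"
//   version 4 bytes  big-endian, increases with every release
//   length  4 bytes  big-endian payload length
//   payload length bytes
//   sig     64 bytes Ed25519 signature over magic||version||length||payload
const (
	magic     = "OFW1"
	headerLen = 12
	sigLen    = ed25519.SignatureSize
)

var (
	ErrFormat    = errors.New("malformed firmware image")
	ErrSignature = errors.New("firmware signature check failed")
	ErrRollback  = errors.New("firmware version older than installed one")
)

type Header struct {
	Version uint32
	Length  uint32
}

// BuildImage is the offline signing step: only the holder of the private
// key (the project, or a country that was handed its own key) can run it.
func BuildImage(priv ed25519.PrivateKey, version uint32, payload []byte) []byte {
	var buf bytes.Buffer
	var u32 [4]byte
	buf.WriteString(magic)
	binary.BigEndian.PutUint32(u32[:], version)
	buf.Write(u32[:])
	binary.BigEndian.PutUint32(u32[:], uint32(len(payload)))
	buf.Write(u32[:])
	buf.Write(payload)
	buf.Write(ed25519.Sign(priv, buf.Bytes()))
	return buf.Bytes()
}

// VerifyImage is the check the updater runs before touching the flash.
// pub must live somewhere the running OS cannot rewrite (in a real system,
// inside the firmware itself); `installed` is the version already in flash.
// Every failure path rejects the image, so a worm that reaches root still
// cannot feed the flasher an arbitrary blob.
func VerifyImage(pub ed25519.PublicKey, img []byte, installed uint32) (Header, error) {
	var h Header
	if len(img) < headerLen+sigLen || string(img[:4]) != magic {
		return h, ErrFormat
	}
	h.Version = binary.BigEndian.Uint32(img[4:8])
	h.Length = binary.BigEndian.Uint32(img[8:12])
	body := len(img) - sigLen // everything except the trailing signature
	if uint64(h.Length) != uint64(body-headerLen) {
		return h, ErrFormat // length field must match the bytes actually present
	}
	signed, sig := img[:body], img[body:]
	if !ed25519.Verify(pub, signed, sig) {
		return h, ErrSignature // tampered payload, tampered header, or wrong key
	}
	if h.Version < installed {
		return h, ErrRollback // a validly signed but older image is still refused
	}
	return h, nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	img := BuildImage(priv, 2, []byte("constructed firmware payload"))

	if h, err := VerifyImage(pub, img, 1); err == nil {
		fmt.Printf("accepted: version %d, %d payload bytes\n", h.Version, h.Length)
	}
	tampered := append([]byte(nil), img...)
	tampered[headerLen] ^= 0xff // flip one payload byte
	_, err = VerifyImage(pub, tampered, 1)
	fmt.Println("tampered image:", err)
	_, err = VerifyImage(pub, img, 3)
	fmt.Println("downgrade attempt:", err)
}
```

The rollback check matters as much as the signature: without it, an attacker holding an old, validly signed image with a known flaw could reinstall it. The signature is verified before the version is compared so that the version field itself is covered by the check.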


