[OLPC-devel] Secure BIOS on the OLPC

Carl-Daniel Hailfinger c-d.hailfinger.devel.2006 at gmx.net
Mon Aug 28 18:12:22 EDT 2006


Ivan Krstić wrote:
> [This is important, and your comments are requested -- please read.]
> 
> While working on the OLPC security policy and threat model, I spent some
> time thinking about how we're going to perform BIOS updates.
> 
> At some unpleasant hour of the morning last night, I had a flash of
> inspiration, and I think I've solved this in a much better way. Here's how:
> [...]
> If the file is present, the LB payload verifies that the binary is
> cryptographically signed by OLPC. This is all done within the known-good
> LB payload.
> [...]
> Voila. This is now a completely secure BIOS solution which requires no
> TPM, allows fully automatic upgrades without the user's cooperation
> (such as pressing keys), and fully protects both against phishing and
> automated attacks -- in fact, it's vector-independent.

And it fully automates bricking of thousands of machines if the key
is ever compromised. In that aspect, the new suggestion is much worse
than the older one. Flashing a new BIOS against the will of the user
is *evil* (and generates quite a lot of bad publicity if you look at
the Playstation Portable forced firmware upgrades).

> The design also
> allows provisions to be made for kids that are brave enough to want to
> hack their BIOSes, as well as for countries which want to offer
> additional non-OLPC BIOSes.

Once you make these provisions, how are you going to be sure a worm
author doesn't use them? "Hey, I'm a kid wanting to hack the BIOS, can
I have a signing key?"

Besides that, this new signing mechanism would make the laptops as
closed as the Xbox. There should remain at least one way to flash a
non-signed BIOS without resorting to a soldering iron. Possibly
require a USB keyfob to be plugged in or something
(like the original solution with keypress).


Regards,
Carl-Daniel
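The two positions in this exchange (Ivan's automatic acceptance of OLPC-signed images inside a known-good loader, and Carl-Daniel's demands that a compromised key not be able to reflash machines silently and that an unsigned BIOS remain flashable with a physical token) can be written down as one update policy. The Go program below is an added illustration, not code from the OLPC project or from either poster; it assumes Ed25519 signatures, a revocation list held by the loader, and a boolean "physical presence" input standing in for the USB keyfob or keypress, none of which the thread specifies.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// FirmwareImage is a constructed stand-in for a BIOS image with a detached
// signature. KeyID is empty for an unsigned image.
type FirmwareImage struct {
	Payload   []byte
	KeyID     string
	Signature []byte
}

// UpdatePolicy holds the vendor keys the known-good loader trusts and a
// revocation list, so a compromised key can be switched off instead of
// being able to push images to every machine automatically.
type UpdatePolicy struct {
	TrustedKeys map[string]ed25519.PublicKey
	RevokedKeys map[string]bool
}

// Reasons an image does not qualify for the automatic (no user interaction) path.
var (
	ErrUnsigned     = errors.New("image is unsigned")
	ErrUnknownKey   = errors.New("image signed by a key the loader does not trust")
	ErrRevokedKey   = errors.New("image signed by a revoked key")
	ErrBadSignature = errors.New("signature does not verify over the payload")
)

// KeyID derives a short identifier (first 8 bytes of SHA-256) from a public key.
func KeyID(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:8])
}

// NewPolicy builds a policy trusting the given keys, with an empty revocation list.
func NewPolicy(trusted ...ed25519.PublicKey) *UpdatePolicy {
	p := &UpdatePolicy{TrustedKeys: map[string]ed25519.PublicKey{}, RevokedKeys: map[string]bool{}}
	for _, pub := range trusted {
		p.TrustedKeys[KeyID(pub)] = pub
	}
	return p
}

// GenerateVendorKey creates a fresh Ed25519 key pair (assumed algorithm).
func GenerateVendorKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// SignImage produces a signed FirmwareImage from a payload.
func SignImage(priv ed25519.PrivateKey, payload []byte) FirmwareImage {
	pub := priv.Public().(ed25519.PublicKey)
	return FirmwareImage{Payload: payload, KeyID: KeyID(pub), Signature: ed25519.Sign(priv, payload)}
}

// verifyAutomatic: only a valid signature from a trusted, non-revoked key
// may be flashed without the user's involvement.
func (p *UpdatePolicy) verifyAutomatic(img FirmwareImage) error {
	if img.KeyID == "" {
		return ErrUnsigned
	}
	if p.RevokedKeys[img.KeyID] {
		return ErrRevokedKey
	}
	pub, ok := p.TrustedKeys[img.KeyID]
	if !ok {
		return ErrUnknownKey
	}
	if !ed25519.Verify(pub, img.Payload, img.Signature) {
		return ErrBadSignature
	}
	return nil
}

// Decide returns nil when the image may be flashed. physicalPresence models
// the keyfob/keypress gate: it is the only route for unsigned, untrusted or
// revoked-key images, so a stolen key cannot reflash machines silently once
// revoked, and the owner keeps a path to their own BIOS without a soldering iron.
func (p *UpdatePolicy) Decide(img FirmwareImage, physicalPresence bool) error {
	err := p.verifyAutomatic(img)
	if err == nil || physicalPresence {
		return nil
	}
	return err
}

func main() {
	pub, priv, err := GenerateVendorKey()
	if err != nil {
		panic(err)
	}
	policy := NewPolicy(pub)
	signed := SignImage(priv, []byte("constructed BIOS image v1.1")) // constructed sample
	fmt.Println("vendor-signed, no user present:", policy.Decide(signed, false))
	tampered := signed
	tampered.Payload = []byte("constructed BIOS image v1.1 (modified)")
	fmt.Println("tampered payload, no user present:", policy.Decide(tampered, false))
	policy.RevokedKeys[signed.KeyID] = true
	fmt.Println("key revoked, no user present:", policy.Decide(signed, false))
	fmt.Println("key revoked, keyfob present:", policy.Decide(signed, true))
	homebrew := FirmwareImage{Payload: []byte("constructed hobbyist BIOS")}
	fmt.Println("unsigned, no user present:", policy.Decide(homebrew, false))
	fmt.Println("unsigned, keyfob present:", policy.Decide(homebrew, true))
}
```

The design choice worth noting is that revocation and physical presence are separate inputs: revoking a key only closes the automatic path, while the presence gate is what lets a child or a country flash a non-OLPC BIOS without the signing key ever leaving OLPC's hands.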


