[OLPC-devel] Secure BIOS on the OLPC

Ivan Krstić krstic at solarsail.hcs.harvard.edu
Mon Aug 28 23:46:26 EDT 2006


Carl-Daniel Hailfinger wrote:
> And it fully automates bricking of thousands of machines if the key
> is ever compromised. 

If 3 separately kept private keys, two of which will live in a bank
vault, are compromised.

> Flashing a new BIOS against the will of the user
> is *evil* (and generates quite a lot of bad publicity if you look at
> the Playstation Portable forced firmware upgrades).

I'm not familiar with these (I'll read up on them), but I imagine they
change actual user-visible system functionality in some way? That's not
what any of our BIOS upgrades will do.

In principle, though, I agree with you. Power users never considered
upgrades that do things behind their backs a feature. But I think you'll
find the exact opposite holds for most computer users, and this becomes
particularly compelling when many of your users are too young to be able
to make a reasonable decision about whether to agree or disagree with a
security prompt.

Finally, remember that BIOS flashing is really a fully opaque operation.
While software upgrades tell you things like "I want to upgrade version
x of this software to version y, here's what will be different", how do
you see this happening for BIOS upgrades? In other words, in what cases
does the user know enough about the system to be able to authoritatively
refuse a BIOS upgrade?

> Once you make these provisions, how are you going to be sure a worm
> author doesn't use them? "Hey, I'm a kid wanting to hack the BIOS, can
> I have a signing key?"

Developer signing keys are issued for each machine individually, based
on the serial number.

> There should remain at least one way to flash a
> non-signed BIOS without resorting to a soldering iron. Possibly
> require a USB keyfob to be plugged in or something
> (like the original solution with keypress).

I've been toying with the same idea. Let me think about that some more.

-- 
Ivan Krstić <krstic at solarsail.hcs.harvard.edu> | GPG: 0x147C722D
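The two policies this message describes, modelled as an added example in Go (my code, not OLPC's firmware): a release image is accepted only with signatures from all three release keys, and a developer key is certified for one serial number only. Ed25519, SHA-256 and the serial-plus-key certificate layout are assumptions; the OLPC image format is not on this page.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)
// Assumed policy (not OLPC's real image format): the firmware accepts a release
// image only if every release-key holder signed its SHA-256 digest, so one
// leaked key cannot push an update to the fleet on its own.
func AcceptRelease(releasePubs []ed25519.PublicKey, image []byte, sigs [][]byte) bool {
	if len(releasePubs) == 0 || len(sigs) != len(releasePubs) {
		return false // no keys, or a missing signature, is a refusal, not a warning
	}
	d := sha256.Sum256(image)
	for i, pub := range releasePubs {
		if !ed25519.Verify(pub, d[:], sigs[i]) {
			return false
		}
	}
	return true
}
// Per-machine developer key: a release key certifies serial||devPub, and the
// firmware compares the certified serial with its own before trusting devPub.
func AcceptDevImage(issuer ed25519.PublicKey, mySerial, certSerial string,
	devPub ed25519.PublicKey, certSig, image, sig []byte) bool {
	cert := append([]byte(certSerial+"\x00"), devPub...)
	d := sha256.Sum256(image)
	return certSerial == mySerial && ed25519.Verify(issuer, cert, certSig) &&
		ed25519.Verify(devPub, d[:], sig)
}
// Demo: all three holders sign; one signs; a dev key on its own machine; on another.
func Demo() (allThree, oneKey, ownMachine, otherMachine bool) {
	image := []byte("constructed firmware image, not a real BIOS")
	d := sha256.Sum256(image)
	pubs, privs, sigs := make([]ed25519.PublicKey, 3), make([]ed25519.PrivateKey, 3), make([][]byte, 3)
	for i := range pubs {
		pubs[i], privs[i], _ = ed25519.GenerateKey(rand.Reader)
		sigs[i] = ed25519.Sign(privs[i], d[:])
	}
	devPub, devPriv, _ := ed25519.GenerateKey(rand.Reader) // issued for SN-0001 only
	certSig := ed25519.Sign(privs[0], append([]byte("SN-0001\x00"), devPub...))
	devSig := ed25519.Sign(devPriv, d[:])
	return AcceptRelease(pubs, image, sigs), AcceptRelease(pubs, image, sigs[:1]),
		AcceptDevImage(pubs[0], "SN-0001", "SN-0001", devPub, certSig, image, devSig),
		AcceptDevImage(pubs[0], "SN-0002", "SN-0001", devPub, certSig, image, devSig)
}
func main() { fmt.Println(Demo()) } // prints: true false true false
```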
