[OLPC-devel] Secure BIOS on the OLPC

Krishna Sankar (ksankar) ksankar at cisco.com
Tue Aug 29 14:05:38 EDT 2006


Actually, I kind of like this thought process, with some caveats. 

A)	We should not expect 6-year-olds to reflash BIOS nor expect them
to know the difference between phishing and normal stuff.
 
B)	BIOS reflashing should be an adult/supervised activity -
possibly by parents or teachers or local computer person of some sort

C)	We do not want to open the machine to reflash the BIOS and
jumpers can get lost.

D)	While we do want these to be purposeful machines, with the
demeanor of a toaster, I do think we would need to update the BIOS, for
security reasons, fixing bugs or even enhancements. So we do need a way
out, that is scalable and coherent.

E)	In short, supporting Ivan (for a change ;o)) we do need a
mechanism to securely reflash the BIOS. 

F)	Policies etc will rule the mechanics - how the security
materials are inserted into the system, carried thru during the
lifecycle and replaced as and when necessary

G)	So long as we can have a place for a public key which we trust for a
set of sequences (like updating the BIOS) and a method to safely update
the BIOS we are in good shape, methinks. But we definitely need to
document the sequences, the various bit buckets we trust and the level
of trust we place on them.

H)	Naturally as John and others point out, we will never have a
fool-proof system, we do the best we can - collectively and improve on
it.

Cheers
<k/>

> -----Original Message-----
> From: devel-bounces at laptop.org 
> [mailto:devel-bounces at laptop.org] On Behalf Of William Bradley
> Sent: Tuesday, August 29, 2006 10:08 AM
> To: devel at laptop.org
> Subject: Re: [OLPC-devel] Secure BIOS on the OLPC
> 
> 
> This machine is for children.  Are we trying to give kids 
> basic access to information, or create yet another platform 
> for OS experimentation?  There is a desperate need for the 
> former and I'm excited about helping to fill it.  The latter 
> I could care less about.
> 
> This machine needs to Just Work.  That argues for treating 
> the BIOS as Something You Really Don't Want to Touch after 
> the machine is shipped.
> 
> I vote for making it *really* hard to reflash the BIOS.  Like 
> you have to open something, or insert a jumper, or something.
> 