code signing/secure boot sequence (Re: [OLPC-devel] Re: wireless/libertas: miscellaneous fixes)
Christopher Blizzard
blizzard at redhat.com
Tue Jul 11 00:05:24 EDT 2006
Adam Back wrote:
> Chris Blizzard wrote:
>> You don't have to drive it from a program that's contained in the
>> BIOS - you just need to have enough set up to be able to load a
>> program from somewhere else that can handle the real re-install.
>
> I think you'll want to sign the images in this install process. Can
> you use the RPM code signing to do it?
>
> Seems like you'll be doing something a bit like the secure boot
> sequences used by the TPM -- load a BIOS, it fetches the installer
> over the network, verifies a signature on it, then goes to the next
> stage; each stage verifying signatures on the next...
>
> Adam
I'd rather avoid signing for a couple of reasons -
1. It requires knowing a huge amount about trust relationships. Much
like in the SSL world, signed code/certificates require that you trust a
third party. And what's the failure case when you load unsigned code?
The best trust relationships are those of the person sitting next to
you. You know that they have a certain image that you want. And you
have to work together using the client (the install target) and the
server (the install server) to do an install.
My one and only concern with this is the virus problem. It's a real
concern, too. We need some sharp thinking on it. But I don't want to
resort to a TPM-like system to try and eradicate it. I suspect that if
a person's base system libraries stick to the unix model (that is,
your system is read only) that a lot of virus problems are avoided. And
assuming that you're using that as the base image for your re-install
you're going to be in good shape.
2. It all feels pretty orwellian to me. We're building a free system
here, I want that freedom to extend to the install experience as well.
If someone comes along and builds a better mousetrap OLPC experience,
they should be allowed to install it.
This doesn't mean that we shouldn't use checksums for data integrity and
some kind of PIN system to figure out who we're talking to for the
install experience. But I don't want the what-ifs to end up creating a
system that's unusable and impractical to implement and support either.
We're trying to create a great experience for our users here; not
something that is mathmatically proven to be impossible to crack.
--Chris
More information about the Devel
mailing list