[OLPC-devel] Secure BIOS on the OLPC

Drew Van Zandt drew.vanzandt at gmail.com
Fri Sep 1 08:34:04 EDT 2006


> 1. If the BIOS is from OLPC, we can have control in software that will
> decide whether the BIOS should be updated or not. And there should be no
> reason not to allow the user to auto-update a BIOS signed by OLPC.

A scenario Jim noted previously (in passing):
Motivation: Hacker (or group) says "gee, lots of OLPCs, would make a
great botnet.  I personally would make $$$$$$ from it."

Method: Hacker waits for a root compromise exploit *at OLPC
headquarters* - I've seen several of this level of security hole
appear over the years, it WILL happen again.  Hacker grabs the root certs,
makes himself a botnet BIOS, and automatically compromises (possibly
still useful, but now botnet members) say, 250,000 OLPCs.  Being smart,
he simultaneously changes the BIOS update keys.

Result: Nothing we can do about it short of manually opening every
laptop and reflashing it, and we'll get the rep as bot-infested PCs.


If the button is in place along with the key, the attack vector
becomes key theft + phishing.  That drops the potential gain in
machines by a LOT, and slows the attack (allows response)... phishing
isn't instantaneous, so we'd have time to deal with the key theft.

The downside of having the button-press requirement seems like a minor
irritation that will only come up when the OLPC is used in situations
it's not designed for.  (Even a 6-year-old can handle the buttons for
two OLPCs at once, and the kids are supposed to have the laptops all
the time.)  The dangers of a fully automated BIOS update aren't fully
understood, but a few examples demonstrate enough risk to scare me
off.

I'd ask those who want fully automated updates if they'd be willing to
have their own BIOSes on all PC's they use updated under the same
scheme as what they're proposing, but I realize that's not an entirely
fair question.  :-)  "But it's different when it's me/just one PC/not
children..."  It is different... but I still lobby for the button, not
that *I* have any say in it other than trying to convince you through
the list.

This seems to come up repeatedly on the list; should it be
documented/discussed on the Wiki?

--DTVZ
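The two update policies argued over in the message above, modelled in code. This is an added example, not code from the post or from the OLPC project: it simulates a small fleet of laptops, a signed BIOS package whose manifest may also rotate the device's trusted update key, and an attacker who holds a copy of the stolen OLPC signing key. HMAC-SHA256 stands in for the asymmetric signature a real firmware scheme would use, and the key values, package layout and `Laptop`/`run_scenario` names are assumptions made for the illustration.

```python
import hashlib
import hmac
import json


class UpdateRejected(Exception):
    """Raised when the firmware update policy refuses a package."""


def _canonical(manifest: dict) -> bytes:
    # Deterministic encoding so signer and verifier MAC the same bytes.
    return json.dumps(manifest, sort_keys=True).encode()


def sign_package(signing_key: bytes, image: bytes, new_key: bytes = None) -> dict:
    """Build a signed BIOS update package.

    The manifest carries the image hash and, optionally, a replacement
    verification key (the 'changes the BIOS update keys' step in the post).
    HMAC-SHA256 is a stand-in for a real asymmetric signature (assumption).
    """
    manifest = {
        "image_sha256": hashlib.sha256(image).hexdigest(),
        "new_key": new_key.hex() if new_key else None,
    }
    tag = hmac.new(signing_key, _canonical(manifest), hashlib.sha256).hexdigest()
    return {"manifest": manifest, "signature": tag, "image": image}


class Laptop:
    """One OLPC: a trusted update key plus the flash policy (hypothetical model)."""

    def __init__(self, trusted_key: bytes, require_button: bool):
        self.trusted_key = trusted_key
        self.require_button = require_button
        self.firmware = b"factory-bios"

    def apply_update(self, package: dict, button_pressed: bool = False) -> str:
        manifest = package["manifest"]
        expected = hmac.new(self.trusted_key, _canonical(manifest),
                            hashlib.sha256).hexdigest()
        # Signature check: only a holder of the trusted key can pass this.
        if not hmac.compare_digest(expected, package["signature"]):
            raise UpdateRejected("bad signature")
        if hashlib.sha256(package["image"]).hexdigest() != manifest["image_sha256"]:
            raise UpdateRejected("image does not match manifest")
        # Physical-presence gate: a valid signature alone is not enough
        # when the button policy is on.
        if self.require_button and not button_pressed:
            raise UpdateRejected("physical button not pressed")
        self.firmware = package["image"]
        if manifest["new_key"]:
            self.trusted_key = bytes.fromhex(manifest["new_key"])
        return "updated"


def run_scenario(require_button: bool) -> dict:
    """Play out the key-theft attack and OLPC's attempted recovery."""
    olpc_key = b"olpc-root-signing-key"        # constructed sample key
    fleet = [Laptop(olpc_key, require_button) for _ in range(3)]

    # Attacker has a copy of the stolen key, pushes an unattended update that
    # installs a botnet BIOS and rotates the trusted key to one only he holds.
    attacker_key = b"attacker-key"
    evil = sign_package(olpc_key, b"botnet-bios", new_key=attacker_key)
    compromised = 0
    for laptop in fleet:
        try:
            laptop.apply_update(evil, button_pressed=False)
            compromised += 1
        except UpdateRejected:
            pass

    # OLPC responds with a clean BIOS signed by its original key, and the
    # children press the button for it.
    clean = sign_package(olpc_key, b"clean-bios")
    recovered = 0
    for laptop in fleet:
        try:
            laptop.apply_update(clean, button_pressed=True)
            recovered += 1
        except UpdateRejected:
            pass
    return {"compromised": compromised, "recovered": recovered}


if __name__ == "__main__":
    print("auto-update:", run_scenario(require_button=False))
    print("button required:", run_scenario(require_button=True))
```

With fully automated updates the stolen key is enough: every laptop takes the botnet image and, because the package rotated the trusted key, the later clean update from OLPC fails its signature check, which is the "nothing we can do short of reflashing" outcome. With the button policy the unattended package is refused outright, so the attacker is pushed to the slower key theft plus phishing path of getting each child to press the button.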
