[OLPC-devel] Secure BIOS on the OLPC

Carl-Daniel Hailfinger c-d.hailfinger.devel.2006 at gmx.net
Fri Sep 1 10:06:19 EDT 2006


Hi,

since it has been decided that the "signed BIOS" method will be used,
let me comment on one thing that smells fishy in the implementation
proposal:

Ivan Krstić wrote:
> Instead, the EC boots with the SPI #WE enabled, but can receive a
> special instruction that permanently disables the line until the EC is
> rebooted (without the ability to re-enable it until then).
> [...]
> 4. Fully regardless of the previous step, LB always signals the EC to
> disable the SPI #WE before kexecing the regular kernel.

The special instruction to permanently disable #WE can't be that
special because the EC code also has to be able to re-enable #WE on
reboot. So #WE is indeed not disabled permanently. It all depends
on the EC *thinking* that the machine has been rebooted.

If you hope this can be made secure, please read up on the Intel
CPUID disaster. The problem was similar: If CPUID reading has been
disabled once, disallow reading it until a reboot. Hackers tricked
the system into thinking it had rebooted and could read the CPUID
just fine. Now the prize question is: Can we be absolutely sure
the EC code can't be tricked the same way?


Regards,
Carl-Daniel
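The concern above can be stated as a property of the EC's write-enable latch: the only event allowed to bring #WE back should be a real hardware reset, never a message the host can send. The following C model is an added example, not code from this thread or from the OLPC EC firmware; the command set (CMD_DISABLE_WE, CMD_NOTIFY_REBOOT, CMD_READ_WE_STATE), the two handler variants and the state struct are all constructed for illustration. It contrasts a weak latch, whose "rebooted" notion is a software flag reachable from the host side, with a one-way latch that only the reset routine clears, and exhaustively checks every short host command sequence after the lock to see whether #WE comes back.

```c
#include <stdbool.h>
#include <stdio.h>

/* Host-visible commands the EC accepts over its mailbox (constructed set). */
typedef enum {
    CMD_DISABLE_WE,     /* LB's "disable #WE until reboot" request */
    CMD_NOTIFY_REBOOT,  /* a host-sent "I have rebooted" message (hypothetical) */
    CMD_READ_WE_STATE,  /* harmless query, included so the search covers it */
    CMD__COUNT
} host_cmd_t;

typedef struct {
    bool we_enabled;     /* level the EC drives on the SPI #WE line */
    bool locked;         /* LB has asked for the lock */
    bool rebooted_flag;  /* the EC's *belief* that a reboot happened */
} ec_t;

/* Hardware reset: the EC comes up with #WE enabled so it can reprogram flash.
 * In the model this function is the only path that is NOT reachable through
 * a host command, which is exactly what the security argument relies on. */
static void ec_hw_reset(ec_t *ec) {
    ec->we_enabled = true;
    ec->locked = false;
    ec->rebooted_flag = true;
}

/* Weak design: the lock is released whenever the EC believes a reboot
 * happened, and that belief is a flag a host message can set. */
static void ec_weak_cmd(ec_t *ec, host_cmd_t cmd) {
    switch (cmd) {
    case CMD_DISABLE_WE:
        ec->we_enabled = false;
        ec->locked = true;
        ec->rebooted_flag = false;
        break;
    case CMD_NOTIFY_REBOOT:
        ec->rebooted_flag = true;
        break;
    default:
        break;
    }
    /* housekeeping: "if we rebooted, #WE may be driven high again" */
    if (ec->locked && ec->rebooted_flag) {
        ec->locked = false;
        ec->we_enabled = true;
    }
}

/* One-way design: no command touches the lock once set; only ec_hw_reset does. */
static void ec_oneway_cmd(ec_t *ec, host_cmd_t cmd) {
    switch (cmd) {
    case CMD_DISABLE_WE:
        ec->we_enabled = false;
        ec->locked = true;
        break;
    case CMD_NOTIFY_REBOOT:
        /* ignored: a reboot is a hardware event, not something the host reports */
        break;
    default:
        break;
    }
}

typedef void (*ec_cmd_fn)(ec_t *, host_cmd_t);

/* Defender's check: after the lock command, does any sequence of two further
 * host commands bring #WE back without a hardware reset? */
bool we_lock_is_sound(ec_cmd_fn handler) {
    for (int a = 0; a < CMD__COUNT; a++) {
        for (int b = 0; b < CMD__COUNT; b++) {
            ec_t ec;
            ec_hw_reset(&ec);
            handler(&ec, CMD_DISABLE_WE);
            handler(&ec, (host_cmd_t)a);
            handler(&ec, (host_cmd_t)b);
            if (ec.we_enabled)
                return false;
        }
    }
    return true;
}

/* Liveness: a real hardware reset must still restore #WE for the next boot. */
bool hw_reset_restores_we(ec_cmd_fn handler) {
    ec_t ec;
    ec_hw_reset(&ec);
    handler(&ec, CMD_DISABLE_WE);
    ec_hw_reset(&ec);
    return ec.we_enabled;
}

int main(void) {
    printf("weak latch    sound: %s\n", we_lock_is_sound(ec_weak_cmd) ? "yes" : "no");
    printf("one-way latch sound: %s\n", we_lock_is_sound(ec_oneway_cmd) ? "yes" : "no");
    printf("reset restores #WE: %s\n", hw_reset_restores_we(ec_oneway_cmd) ? "yes" : "no");
    return 0;
}
```

The search over command pairs is tiny here, but the shape of the check is the useful part: enumerate every host-reachable transition of the real EC state machine after the lock and confirm none of them ends with #WE asserted. If the firmware's notion of "rebooted" is anything other than the reset vector itself (a RAM flag, a mailbox bit, a timer), the search will find the path, which is the CPUID-style failure the post warns about.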