XO-2
Carl-Daniel Hailfinger
c-d.hailfinger.devel.2006 at gmx.net
Thu May 22 11:36:21 EDT 2008
On 22.05.2008 17:01, C. Scott Ananian wrote:
> On 5/22/08, Carl-Daniel Hailfinger <c-d.hailfinger.devel.2006 at gmx.net> wrote:
>
>> > h) hardware-protected RTC (bitfrost desiderata)
>> I'd be very interested in the reasons for that. P_THEFT is still mostly
>> unimplemented for cost reasons. A hardware-protected RTC will not
>> improve the current state at all as long as the hardware side of P_THEFT
>> is not implemented. It will certainly raise cost, though.
>>
>
> Not the case: epoxy-coating the motherboard was not cost-effective,
> meaning that the cost of bypassing P_THEFT by circuit-board changes
> was already expensive enough to be infeasible -- and of course epoxy
> adds to manufacture, repair, and rework costs. The economics weren't
> with it.
>
As I stated before on this list, bypassing P_THEFT is very easy. You
don't even have to desolder the complete flash chip, one pin is
sufficient. All of this is doable for less than $1 per laptop if you
have access to cheap labor. $1 per laptop is _not_ expensive enough to
be infeasible. I am very willing to publish a video tutorial of the
procedure if you think I can't do that. The only downside would be that
everybody then knows how to bypass P_THEFT.
> We actually know exactly how much it costs to bypass P_THEFT in bulk,
> since some of original manufacture run ended up with a firmware bug
> which bricked them in exactly the way P_THEFT would.
>
If you came up with a cost of more than $2, the recovery/bypass was
missing the obvious shortcuts or you had a requirement not to solder.
> Hardware-protected RTC helps with the security of ongoing
> theft-deterrence, which is orthogonal to initial activitation security
> (which it seems you are discussing).
Agreed on the orthogonality.
> Contrary to your claim, initial
> activation security is being heavily deployed and does seem to be
> successful.
>
A statement of security is a nice theft deterrent. This may change once
the bad guys realize circumvention is very doable.
>> > i) better protection for firmware FLASH, to avoid the possibility of
>> > bricking a machine if the power is removed at the wrong time.
>>
>> Protection for firmware flashing against bricking is easy if the flash
>> chip is big enough. OTOH, performing an update of EC microcode is a much
>> more difficult thing to protect against failure.
>>
>
> Yes, there were some design details with Gen 1 hardware that turned
> out to make it difficult to safely reflash, even though the flash chip
> is big enough to accomodate a backup OFW. The EC is perfectly capable
> of recovering OFW, but the EC memory map coincides with the erase
> block size of the SPI flash, unfortunately, so there's a critical
> window during which all of the EC code must be erased. We hope to fix
> that with Gen 2.
>
There are SPI flash chips on the market which have an erase granularity
of half the size of the EC code or even less. Selecting such a chip
should work even for Gen 1 unless I'm missing a key detail.
>> > k) more open software: we may not need an EC, and if we do we may be
>> > able to ensure its code is open. We may change the wireless device,
>> > and/or be able to switch to open firmware for it.
>>
>> I believe item k) was already in the contracts with Quanta and Marvell,
>> unless the official announcements back then were wrong. It has been
>> stated repeatedly by OLPC officials that the only thing preventing a
>> full open source wireless firmware is the lack of time for porting the
>> code to another embedded OS. There were also statements like "We are
>> working with Quanta to release EC source code", so I think that's also
>> mostly a problem with lack of time.
>>
>
> Yes, it was intended, but the production schedule and component
> availability forced us to build on some pre-existing closed-source
> components, and now that we've reached this point in the manufacturing
> cycle for XO-1, we have very little leverage left with Quanta. We did
> make our best effort, but there were also some unforeseen interactions
> with the manufacturing contract we signed with Quanta. Quanta
> designed the motherboard and took responsibility for making
> modifications for manufacturability and to address defects, and now
> they've ended up with significant IP rights in our schematic. This
> has made it hard to properly support the open EC effort, since by the
> terms of the contract we can't even show them the pinout of the EC.
> We recently hired Paul Fox as firmware engineer, so we're still hard
> at work on this. We hope that we can work out agreements with Quanta
> to publish at least pinout information for the EC. It's complicated
> by the fact that most of Quanta's team working on the XO-1 design has
> moved on to other projects now.
>
That's really a nice writeup of the current situation. Could you please
put it (perhaps even verbatim) into the wiki and link it from the EC and
OpenEC pages? Thanks!
> The http://www.open80211s.org/ effort is being funded by OLPC to try
> to address the wireless firmware issue (among other goals). I don't
> really know what mesh solutions are being considered for XO-2, but
> there are more vendors with 802.11s solutions now than there were when
> we designed the XO-1, so we have more choices and leverage.
>
That's good to hear. Again, adding this info to the wiki would help
public perception a lot.
Regards,
Carl-Daniel
More information about the Devel
mailing list