[OLPC Security] Bitfrost and dual-boot

C. Scott Ananian cscott at laptop.org
Thu May 29 18:39:46 EDT 2008


On Thu, May 29, 2008 at 6:03 PM, Michael Stone <michael at laptop.org> wrote:
> On Thu, May 29, 2008 at 05:53:49PM -0400, Michael Stone wrote:
>> On Thu, May 29, 2008 at 02:58:07PM -0600, Jameson Chema Quinn wrote:
>> In recent builds, any process running as user OLPC can execute code as
>> uid 0 via the setuid-0 user-olpc-executable /usr/bin/sudo.
>
> A small correction: in recent builds, /bin/su is 04550 root/wheel, user
> olpc is a member of wheel, and /usr/bin/sudo is a thin wrapper around
> /bin/su.

And to elaborate: the idea is that untrusted code should not be
running as the 'olpc' user: 'olpc' is a trusted account.  Activities
run/should be running as their own unique UUIDs, which are isolated
from the olpc account.

As to some other issues brought up:

* Windows runs from an SD card, but there is not much space left on
that SD card to store user files.  User files are stored in NAND at
the moment.  In the dual-boot scenario which OFW2 will enable, we will
either partition the NAND (likely also expand amount on onboard NAND),
or limit Windows to the storage on the SD card (probably necessitating
an increase in the size of the SD card).  None of this has been
decided yet.

* It is worth separating out the various bitfrost protections.
Initial activation security is implemented by OFW; it doesn't matter
whether windows or linux is running after the firmware cedes control.
Other bitfrost protections are OS-dependent, and you are likely to
give up at least some security when you install Windows on the XO.
  --scott

-- 
 ( http://cscott.net/ )
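The permission mode Michael mentions (04550 root/wheel) decides exactly which accounts can reach uid 0 through su. As an added illustration, not code from this thread or from OLPC, the following audit helper decodes a setuid binary's mode against a given user's uid and group memberships the way the kernel's access check does (owner bits if the uid matches, otherwise group bits if the gid is in the user's groups, otherwise the "other" bits). The uids and the wheel gid in the demo are constructed values, not taken from an XO build.

```python
import os
import stat
import pwd
import grp


def can_invoke_setuid(mode, file_uid, file_gid, user_uid, user_gids):
    """Return (is_setuid, can_exec) for a file with the given permission
    bits and ownership, evaluated for a user with uid `user_uid` and
    supplementary group ids `user_gids`.

    The execute decision follows the POSIX rule: exactly one class of
    bits applies (owner, then group, then other), so a 04550 root/wheel
    binary is executable only by root and by members of wheel.
    """
    is_setuid = bool(mode & stat.S_ISUID)
    if user_uid == file_uid:
        can_exec = bool(mode & stat.S_IXUSR)
    elif file_gid in user_gids:
        can_exec = bool(mode & stat.S_IXGRP)
    else:
        can_exec = bool(mode & stat.S_IXOTH)
    return is_setuid, can_exec


def audit_path(path, username):
    """Filesystem-backed wrapper: read the real mode, owner and group of
    `path` and the real group memberships of `username`, then apply the
    same check. Requires the file and the account to exist locally."""
    st = os.stat(path)
    pw = pwd.getpwnam(username)
    gids = {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if username in g.gr_mem}
    return can_invoke_setuid(stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid,
                             pw.pw_uid, gids)


if __name__ == "__main__":
    # Constructed values: root uid 0, wheel gid 10, 'olpc' uid 500 (in wheel),
    # and an activity uid 501 that is not in wheel.
    ROOT, WHEEL = 0, 10
    for label, uid, gids in (("olpc (in wheel)", 500, {500, WHEEL}),
                             ("activity uid (not in wheel)", 501, {501})):
        setuid, execable = can_invoke_setuid(0o4550, ROOT, WHEEL, uid, gids)
        print(f"{label}: setuid={setuid} can_exec={execable}")
```

Run against a real system with `audit_path("/bin/su", "olpc")` to see which of the two cases an actual account falls into; the pure function is what the demo and the checks exercise, since it needs no particular files or accounts to exist.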