Integrity checking of OS images

James Cameron quozl at laptop.org
Mon Feb 7 16:39:51 EST 2011


On Tue, Feb 08, 2011 at 01:01:36AM +1100, Sridhar Dhanapalan wrote:
> Are OS images checked for integrity by the XO before they are written
> to the flash storage? I suspect not.

As Chris said, yes.

The image is checked for transmission integrity *as* it is written to
the flash storage [1], not before.  A transmission error will result in a
partially written internal storage.  The laptop should not be used until
a successful install occurs.  It may appear to work but fail later.

For XO-1.5, the .zd format contains block hashes [2].  If the data in
these blocks do not match the hash, the fs-update ceases with an error:

Bad hash for eblock# 
Your USB key may be bad.  Please try a different one.
See http://wiki.laptop.org/go/Bad_hash

This should detect bit errors in downloads.

There are other possible errors too, such as "Short read of zdata file"
which will happen if the file is incompletely downloaded.

> The schools we deal with don't always have reliable Internet, so some
> failsafe mechanism to prevent them from using damaged images would be
> helpful. We can't expect them to learn md5sum to check the image first
> - that is too technical.

You should give them the option.  You never know when you have a school
teacher or aide who has a clue, and it would save them repeating the huge
download.

I suggest you capture the output after a successful fs-update for use in
your instructions, along with a comment that "anything else is bad,
please ask for help."  The output is different for signed installs using
deployment keys.

References:

1.  http://tracker.coreboot.org/trac/openfirmware/browser/cpu/x86/pc/olpc/via/fsupdate.fth#L159
    checks the hash,

2.  git://dev.laptop.org/bios-crypto file zhashfs.c creates the hash.

-- 
James Cameron
http://quozl.linux.org.au/
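
The behaviour described in this message (per-block hashes checked while the image is being written, so a failed run leaves storage partly written) as an added illustration; it is not part of the original post and is not the fs-update or zhashfs.c code. The block size, the use of SHA-256 and the (length, digest) manifest are assumptions of this sketch, not the .zd format.

```python
import hashlib
import io

BLOCK = 4096  # assumed block size for this sketch, not taken from the .zd format


class InstallError(Exception):
    """Raised with args (reason, blocks_written_before_the_error)."""


def build_manifest(image):
    """Build side: record (length, SHA-256 hex digest) for every block."""
    blocks = [image[i:i + BLOCK] for i in range(0, len(image), BLOCK)]
    return [(len(b), hashlib.sha256(b).hexdigest()) for b in blocks]


def install(stream, manifest, storage):
    """Install side: verify each block as it arrives, write it, stop on error."""
    for n, (length, digest) in enumerate(manifest):
        block = stream.read(length)
        if len(block) < length:
            raise InstallError("short read", n)
        if hashlib.sha256(block).hexdigest() != digest:
            raise InstallError("bad hash", n)
        storage[n * BLOCK:n * BLOCK + length] = block  # earlier blocks stay written
    return len(manifest)


def demo():
    """Install a clean, a bit-flipped and a truncated copy (constructed data)."""
    image = bytes((i * 7 + i // BLOCK) % 256 for i in range(4 * BLOCK))
    manifest = build_manifest(image)
    flipped = bytearray(image)
    flipped[2 * BLOCK + 10] ^= 0x01  # single bit error inside block 2
    copies = {"clean": image, "bitflip": flipped, "truncated": image[:BLOCK + 100]}
    results = {}
    for name, data in copies.items():
        storage = bytearray(b"\xee" * len(image))  # stands in for the old OS
        try:
            written, reason = install(io.BytesIO(data), manifest, storage), "ok"
        except InstallError as err:
            reason, written = err.args
        results[name] = (reason, written, bytes(storage) == image)
    return results


if __name__ == "__main__":
    print(demo())
```

In both failing runs the last field is False: storage holds some new blocks followed by old contents, which is why the laptop should not be used until an install completes.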
