[Openec] fail-safe startup code?

Frieder Ferlemann frieder.ferlemann at web.de
Mon Aug 6 17:35:59 EDT 2007


Hi,

Mitch Bradley schrieb:
> OFW will have a way to restore a working NAND FLASH image from the
> school server.
> 
>> To achieve a more failsafe "failsafe.c" would have to be
>> able to download an image (received via UART or
>> maybe preferably by the one-wire from the battery)
>> to the flash.
>>   
> I'm pretty sure we don't want a feature like that on production machines
> because it would compromise the security.  If you can replace the EC
> code from outside, you can defeat the SPI FLASH write protect, which is
> the key to overall security.

yes, that's why I had put Ivan onto CC.

It eventually is possible that the kb3700 would also
(cryptographically hard) check the image it downloads.
Clearing memory first, then flashing the image as it
comes except for the last few bytes, then, ouch,
verify signature, then on success write the last few
bytes. On startup the EC could check whether the
last few bytes equal 0xFFFFffff in which case it would
not power up the XO and instead would wait for a
proper image. It may turn out that verifying the
signature could be a little too much for the resources
the kb3700 provides...
If OFW does it (and operates from flash addresses never
being written to) there's little point in trying to
implement a small subset of OFW's functionality in the
kb3700.

Greetings,
Frieder
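The update-and-commit sequence Frieder sketches above (clear the flash, write everything except the last few bytes, verify the signature, only then write the tail, and refuse to power up while the tail still reads 0xFFFFFFFF), as an added illustration in C that is not part of this thread or of the Openec code base. The EC flash is modelled as a RAM array that erases to 0xFF and can only clear bits when programmed; the signature check is stood in for by a keyed FNV-1a tag, which is an assumption for the demo and not a real signature scheme. All names, sizes and the sample image are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FLASH_SIZE 64u   /* constructed: tiny stand-in for the EC's code flash */
#define TAIL_LEN   4u    /* the "last few bytes" held back until the image verifies */

/* RAM model of the EC flash; an erased NOR-style flash reads all 0xFF. */
static uint8_t flash[FLASH_SIZE];

static void flash_erase(void) { memset(flash, 0xFF, sizeof flash); }

/* Programming can only clear bits, so model it as AND rather than copy. */
static int flash_write(size_t off, const uint8_t *src, size_t len)
{
    if (off > FLASH_SIZE || len > FLASH_SIZE - off) return -1;
    for (size_t i = 0; i < len; i++) flash[off + i] &= src[i];
    return 0;
}

/* Placeholder for the signature: a keyed FNV-1a tag over the code bytes.
 * Assumed for the demo only; it is not a real signature scheme. */
static const uint8_t SECRET[] = "demo-shared-secret";  /* constructed */

static uint32_t tag_compute(const uint8_t *code, size_t len)
{
    uint32_t h = 2166136261u;
    for (size_t i = 0; i + 1 < sizeof SECRET; i++) { h ^= SECRET[i]; h *= 16777619u; }
    for (size_t i = 0; i < len; i++)            { h ^= code[i];   h *= 16777619u; }
    return h;
}

/* Append the tag as the image's last TAIL_LEN bytes (little-endian).
 * A tag equal to the erased pattern would be indistinguishable from
 * "not committed", so such an image is rejected at signing time. */
static int image_sign(uint8_t *img, size_t len)
{
    if (len <= TAIL_LEN) return -1;
    uint32_t t = tag_compute(img, len - TAIL_LEN);
    if (t == 0xFFFFFFFFu) return -1;
    for (size_t i = 0; i < TAIL_LEN; i++) img[len - TAIL_LEN + i] = (uint8_t)(t >> (8 * i));
    return 0;
}

/* Constant-time compare of the received tail against the recomputed tag. */
static int tag_verify(const uint8_t *img, size_t len)
{
    if (len <= TAIL_LEN) return 0;
    uint32_t t = tag_compute(img, len - TAIL_LEN);
    uint8_t diff = 0;
    for (size_t i = 0; i < TAIL_LEN; i++)
        diff |= img[len - TAIL_LEN + i] ^ (uint8_t)(t >> (8 * i));
    return diff == 0;
}

/* The update sequence from the thread. Returns 0 on success, -1 on a bad size,
 * -2 if the signature failed (tail never written), -3 on a simulated power loss
 * before the tail was committed. In the last two cases the tail stays 0xFF. */
static int ec_update(const uint8_t *img, size_t len, int lose_power_before_commit)
{
    if (len != FLASH_SIZE) return -1;          /* demo expects a full flash image */
    flash_erase();                             /* clear memory first */
    flash_write(0, img, len - TAIL_LEN);       /* everything except the last few bytes */
    if (!tag_verify(img, len)) return -2;      /* bad image: leave it uncommitted */
    if (lose_power_before_commit) return -3;   /* interrupted: same uncommitted state */
    flash_write(len - TAIL_LEN, img + len - TAIL_LEN, TAIL_LEN);  /* commit */
    return 0;
}

/* Startup check: an all-0xFF tail means the image was never committed, so the
 * EC must not power up the XO and should wait for a proper image instead. */
static int ec_boot_allowed(void)
{
    const uint8_t *tail = flash + FLASH_SIZE - TAIL_LEN;
    for (size_t i = 0; i < TAIL_LEN; i++)
        if (tail[i] != 0xFF) return 1;
    return 0;
}

/* Constructed sample image: a byte pattern standing in for EC code, then signed. */
static int build_sample_image(uint8_t *img)
{
    for (size_t i = 0; i < FLASH_SIZE; i++) img[i] = (uint8_t)(0x10 + i);
    return image_sign(img, FLASH_SIZE);
}

/* Run one scenario: optionally flip a code byte, optionally cut power before commit. */
static int demo_update(int corrupt, int lose_power)
{
    uint8_t img[FLASH_SIZE];
    if (build_sample_image(img) != 0) return -99;
    if (corrupt) img[10] ^= 0x01;
    return ec_update(img, FLASH_SIZE, lose_power);
}

int main(void)
{
    int u;
    u = demo_update(0, 0); printf("good image: update=%d boot=%d\n", u, ec_boot_allowed());
    u = demo_update(1, 0); printf("bad image:  update=%d boot=%d\n", u, ec_boot_allowed());
    u = demo_update(0, 1); printf("power loss: update=%d boot=%d\n", u, ec_boot_allowed());
    return 0;
}
```

The point the three scenarios make is that a rejected signature and a power cut before commit leave the flash in the same state, an all-0xFF tail, so the single startup check covers both; the cost of the scheme is that the real EC has to afford the signature verification, which is exactly the resource question raised in the message.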


