[OLPC Security] Mac like target mode

Tim Flavin tim.flavin at gmail.com
Mon Jul 17 13:35:42 EDT 2006


On 7/11/06, Simson Garfinkel <simsong at acm.org> wrote:
(In several postings, it took me a while to understand that he was
talking about a boot ROM function and not a hardware function.  Also it
looks like I didn't explain how my proposed integrity checker verifies
the system as it starts up.)
...
> -> Have an option that allows one computer to verify another
> computer. The second computer runs in some sort of "slave" mode (like
> booting a Mac with the T key held down to put it in target mode.)
> The root kit etc. on the second computer won't have a chance to run
> in this configuration.
...

> However, what is your model for how the laptop entered a broken
> configuration to begin with?

> -> If it was a hostile act, then the hostile software would surely
> have patched, broken, or deleted the backup copies.
>

True, the integrity checker just notes that the system is not secure and
lets you fix it from an external copy that can be verified as secure.

> My preferred way of fixing a laptop is to attach it to a known-good
> laptop using the "target" mode described in my previous message. Boot
> the broken laptop in target mode, connect it with a USB A -> USB A
> cable to a known good laptop, and have the known good laptop either:
>         a. repair the disk
>         b. reinstall the operating system.
>         c. wipe the laptop and start over.
>

...
> Clearly you want to have an integrity checker. Where is it? What
> prevents it from being compromised? What does it do when the system
> is compromised, but the integrity checker isn't? How is the system
> fixed?

The integrity checker has at least two parts.  The boot ROM that loads
the OS and initrd, the initial ram disk, does a SHA1 hash of the OS and
initrd as it loads them into memory, and uses the hash in an RSA signature
validation process.  This is supposed to ensure that the OS and the programs
in initrd have not been compromised.  Initrd will contain an AIDE / tripwire
program and database that will verify the rest of the system.  It may also
be necessary to do a fsck and scan for other problems like unexpected setuid
programs in initrd.  Some of this could be moved out of initrd into the
normal file system after some basic checks have been made.

The system can be booted either from internal flash or a USB disk.  If
the integrity checker finds a problem with the internal disk, it can verify
and use an external disk to do the repair.  (Eventually it might be able to
use its wifi connection to boot from a nearby laptop or hotspot, but it
isn't clear the boot ROM has room for that much functionality.)

Actually, one of the reasons that I started this thread was to see if this
was a viable solution.


> I suggest that some very simple modifications to the BIOS could go a
> very long way.

Now I think I understand.  The BIOS in the target PC makes it look like a disk.

Unless you can use wifi, this requires a smart cable between the laptops.
(A chip set bug prevents us from using an on the go type connection.)

This would be the only reason to connect the laptops by cable, so for the
users it adds cost and another thing that can break.  Since users will have
USB flash drives around for other reasons (backup, extra storage, program
distribution), they will already be familiar with them and probably have
some extras on hand.  Note that even if there is a problem in the design of
the integrity checker, you can boot the laptop from a known good flash drive
and fix your system.
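The two-stage checker described in the message above, as an added example
that is not code from the OLPC project or from either poster.  Stage one
models the boot ROM: it hashes the kernel and initrd with SHA-1 and checks
an RSA signature over that hash.  Stage two models the AIDE / tripwire
database carried in the initrd: it records mode and hash for every regular
file under a root, then reports added, missing, modified and unexpected
setuid files.  Assumptions: the RSA key is a toy built from two Mersenne
primes with no padding (a real boot ROM would use a 2048-bit key and PKCS#1
or PSS padding, and SHA-256 rather than SHA-1), the sample images and the
sample file tree are constructed inline, and the names `sign_images`,
`verify_images`, `build_db`, `check_db` and `demo` are this example's own.

```python
import hashlib
import os
import stat
import tempfile

# ---- Stage 1: boot ROM verifies kernel + initrd with an RSA signature ----
# Toy key from two known primes (M127 and M89). Assumption: illustrative
# only; not safe for real use (small modulus, textbook RSA, no padding).
P = 2**127 - 1
Q = 2**89 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, vendor side only


def image_digest(kernel: bytes, initrd: bytes) -> int:
    """SHA-1 over length-prefixed images, so moving bytes between kernel
    and initrd cannot produce the same hash. Returns the digest as an int."""
    h = hashlib.sha1()
    for blob in (kernel, initrd):
        h.update(len(blob).to_bytes(8, "big"))
        h.update(blob)
    return int.from_bytes(h.digest(), "big")


def sign_images(kernel: bytes, initrd: bytes) -> int:
    """Vendor side: sign the digest with the private exponent."""
    return pow(image_digest(kernel, initrd), D, N)


def verify_images(kernel: bytes, initrd: bytes, sig: int) -> bool:
    """Boot ROM side: recompute the digest of what was loaded and check
    that the signature decrypts to it under the public key (N, E)."""
    if not 0 < sig < N:
        return False
    return pow(sig, E, N) == image_digest(kernel, initrd)


# ---- Stage 2: AIDE-style database check of the rest of the file system ----
SETID = stat.S_ISUID | stat.S_ISGID


def build_db(root: str) -> dict:
    """Map relative path -> (permission bits, SHA-1) for every regular file."""
    db = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: do not follow symlinks planted by an attacker
            if not stat.S_ISREG(st.st_mode):
                continue
            with open(path, "rb") as f:
                digest = hashlib.sha1(f.read()).hexdigest()
            db[os.path.relpath(path, root)] = (stat.S_IMODE(st.st_mode), digest)
    return db


def check_db(root: str, baseline: dict) -> list:
    """Compare the live tree against the baseline; return sorted findings."""
    current = build_db(root)
    findings = []
    for rel, (mode, digest) in current.items():
        if rel not in baseline:
            findings.append(("added", rel))
        elif baseline[rel] != (mode, digest):
            findings.append(("modified", rel))
        # setuid/setgid is only acceptable where the baseline already had it
        if mode & SETID and not (rel in baseline and baseline[rel][0] & SETID):
            findings.append(("unexpected-setuid", rel))
    for rel in baseline:
        if rel not in current:
            findings.append(("missing", rel))
    return sorted(findings)


def _write(root: str, rel: str, data: bytes, mode: int) -> None:
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)
    os.chmod(path, mode)


def demo() -> dict:
    """Constructed end-to-end run: sample images and a sample tree, not a
    real OLPC image. Returns the stage-1 verdicts and stage-2 findings."""
    kernel = b"vmlinuz: constructed sample kernel image"
    initrd = b"initrd: constructed sample initrd carrying the AIDE database"
    sig = sign_images(kernel, initrd)
    results = {
        "good_sig": verify_images(kernel, initrd, sig),
        "bad_sig": verify_images(kernel, initrd + b"rootkit hook", sig),
    }
    with tempfile.TemporaryDirectory() as root:
        _write(root, "bin/ls", b"ls binary", 0o755)
        _write(root, "etc/passwd", b"root:x:0:0::/root:/bin/sh\n", 0o644)
        baseline = build_db(root)          # what the initrd database would hold
        _write(root, "bin/ls", b"trojaned ls", 0o755)   # modified
        _write(root, "tmp/.x", b"dropper", 0o4755)      # added, and setuid
        os.remove(os.path.join(root, "etc/passwd"))     # missing
        results["findings"] = check_db(root, baseline)
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Note the split of trust: stage one only proves that the kernel and initrd
match what the vendor signed, so the database used in stage two must itself
live inside the signed initrd (or be verified by it); a baseline stored on
the disk being checked could be rewritten by the same compromise it is meant
to detect.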

