[OLPC Security] Bitfrost notes

Tim Flavin tim.flavin at gmail.com
Sun Feb 11 14:42:41 EST 2007 

This looks like a great approach to an almost intractable problem.
It looks like most of my comments will be minor nits that I want to pick.

Judging from recent comments on the mailing list, it might help to start
out by saying that the objective of the Bitfrost is to try to secure the laptop
against malware and discourage theft and diversion of the laptops.  Protecting
children against bad actors and government snooping should be parts of
other projects.  (Actually I would not trust government supplied software
to protect my privacy.  I would use an independent mechanism.)

The fact that the Bitfrost wiki version refers to the git version as
the complete
specification, and the git version refers to the wiki version as the
authoritative version is confusing.  Is the git version complete but
not authoritative while the the wiki version is
authoritative?


(Line and section numbers refer to Draft-19 - release 1 version in git.)

Section 1, line 273:

I assume tampering means disassembling the machine
and using a probe to reprogram the SPI chip.  Are you going to protect against
someone with a developers key?  It should be possible, but not necessary.
Does "modify firmware " just mean the FORTH code or the code for the rest
of the for the event controller?

(You might want to have several levels of developers keys that let you
modify the SPI memory and do less dangerous things.)

Section 7.4:

Just out of curiosity what makes DOS attacks especially easy on IPv6
networks?

Section 8. Protections:

When reading this section with a Unix mindset, I got really confused.  You
talk about protections that are by default enabled while many readers think
in terms of permissions that have various defaults.  If you defined
PROTECTIONS, ENABLED and DISABLED, like MUST and SHOULD
in the RFCs this may be easier to understand.

In line 613 when you say "While the laptop's protections are active,
this interface cannot be manipulated by the programs on the system
through any means..."  When are the laptop's protections ever not active?
Can't the cant the installer manipulate protections when installing
OLPC signed programs?


I really like P_SF_RUN. It will allow a lot of experimentation without having
to re-install the OS when you mess up.  Can you re-engage P_SF_RUN from
the BIOS when you get the machine in a state that will not boot?

8.5. P_NET: network policy protection

Is this just to keep programs from running a-muck, or are you going to
use them to keep the kids from talking to each other all night?

Is the user limited in what privileges she can grant using GUI?
(Apart from ones requiring a developer key.)


Just out of curiosity are you planning to use SELinux to provide some
of these protections?

I guess that's all for now.

Tim Flavin

More information about the Security mailing list