[OLPC Security] G1G1: Security, to enable or disable...

C. Scott Ananian cscott at laptop.org
Tue Jun 3 12:29:54 EDT 2008


On Tue, Jun 3, 2008 at 12:07 PM, ffm <ffm246 at gmail.com> wrote:
> Why were G1G1 machines shipped with firmware, kernel, and reflash locks
> enabled? (see http://wiki.laptop.org/go/Developer_keys )
>
> Theft is not a good reason, as they do not require activation leases.
>
> It only seems to be a bother for people who want to help out with the OLPC
> project.

The original reason is that it allowed our G1G1 users to more fully
exercise/test our secure boot paths, which are used in our deployment
countries.  This helps G1G1 users be more representative testers, and
did successfully flush out security logistics issues like the ones you
seem to be complaining about before they became a big issue for
deployment countries.

A secondary consideration was that secure boot is tied to "pretty
boot", since we assume that if you are a developer you won't be scared
of boot messages.  A non-tech-team charge was to ensure that G1G1
machines looked pretty while booting.  This seems trivial to us, but
was in fact a big concern for non-developers involved in the program.

These issues can probably be revisited before a second G1G1 program,
but my personal feeling is that we eventually do have to make the
antitheft security stuff "just work" and not get in ordinary people's
way (if you're a developer, you should be able to acquire a developer
key easily and you should do so).  Having G1G1 use a subset of these
features allows more extensive testing and thus helps us produce
better software for deployment countries.  So, contrary to your
statement that "it only seems to be a bother for people who want to
help out with the OLPC project", having security enabled is one of the
direct ways that people who want to help out *are in fact already
doing so*.  [And complaining about security when it gets in your way,
within reason, is also directly helping out. =) ]

G1G1 has always had slightly mixed goals, because N% of the people
buying G1G1 machines are developers, and ~(100-N)% are parents or
grandparents of small children.  I believe N is well below 50%, based
on devel@ traffic.  Machines sent out via our developer program are
always shipped out unsecured.  We assume that G1G1 developers have the
ability to request a developer key and disable security, and we
recommend they do so; the security features are not meant for them.
 --scott

-- 
 ( http://cscott.net/ )