[OLPC Security] G1G1: Security, to enable or disable...

Michael Stone michael at laptop.org
Tue Jun 3 23:58:11 EDT 2008


Shipping G1G1 machines with NAND reflash locks enabled makes little
sense to me. What good is protection against malicious reflash when any
attacker who can perform a reflash has physical access to the device and
has password-free root access in default configurations?

Instead, the justification that I recall most strongly from when I last
inquired about the purpose of enabling the NAND reflash lock on G1G1
machines is that it is primarily intended to reduce support costs by
making it harder to test non-Released builds via reflash. I countered
that the value of the extra testing we might receive would far outweigh
the extra support costs that we might incur but, evidently, my argument
was not decisive.

Scott - were there other justifications given for the NAND reflash lock?
I vaguely recall that you argued that, by default, OFW ought to be
prohibited from writing unsigned data to the NAND on the grounds that
bugs in the prohibited code paths might otherwise violate security goals
of clients shipping passive-kill or active-kill technologies. Did I
recall your justification correctly?

Michael


More information about the Security mailing list