[OLPC Security] G1G1: Security, to enable or disable...

C. Scott Ananian cscott at laptop.org
Wed Jun 4 12:50:22 EDT 2008


On Tue, Jun 3, 2008 at 11:58 PM, Michael Stone <michael at laptop.org> wrote:
> Scott - were there other justifications given for the NAND reflash lock?
> I vaguely recall that you argued that, by default, OFW ought to be
> prohibited from writing unsigned data to the NAND on the grounds that
> bugs in the prohibited code paths might otherwise violate security goals
> of clients shipping passive-kill or active-kill technologies. Did I
> recall your justification correctly?

I'm confused, Michael.  I outlined the reasons above for shipping the
machines with security enabled.  But you seem to be talking about
reflash capability, which is strange.  No one seems to be arguing that
G1G1 machines want to be using copy-nand except you -- and maybe Kim?

Briefly restating my opinion:

 1) I find the additional testing of the secure code path and the
developer key request mechanism achieved by shipping G1G1 with
activation but not developer keys extremely useful.  But then, I'm the
primary developer/maintainer of these systems, so I feel more strongly
the necessity of making them work.

 2) I feel that developers program machines (as opposed to G1G1
machines) should probably be shipping out with security disabled, or
with instructions on how to get a developer key, so that developers
don't have to jump an unnecessary "how do I upgrade to a development
build" hurdle.  But this can probably be accomplished by sending
developers program folks an email when we approve their request.

 3) Once security is enabled on the machine, our current security
architecture requires that we restrict writes to NAND in order to
protect the root account.  I'm not going to revisit this debate now,
because it's off-topic and dependent on our security work with Uruguay
next week, etc, etc.  This thread is about #1, which we did for G1G1v1
and I would support for G1G1v2, and #2, which we did in the past but
apparently have not been doing recently.  Let's start a different
thread (preferably post-Uruguay's visit) if we want to reopen #3.
  --scott

-- 
 ( http://cscott.net/ )