The OLPC and BIOS upgrades
Many aspects of the OLPC systems are interesting; one of those is that they will use LinuxBIOS as their onboard, boot-time firmware. LinuxBIOS will bring a high degree of flexibility to the system, and some complexity as well. There is a real possibility that, as the result of some late bug or security problem, an in-field upgrade to LinuxBIOS will be called for. In addition, some users may want to hack on the firmware and install their own version - after all, the source is available. For both reasons, the OLPC systems will be able to rewrite their BIOS on demand.
There is a potential problem there, however. If it is too easy to rewrite the BIOS, no end of unpleasant things could happen. In the worst case, some sort of OLPC-based worm could, over a brief period, turn all online systems into expensive bricks. Or, perhaps even worse, the mass implantation of a low-level back door could be performed. For this reason, the OLPC design requires the user to give explicit permission before the BIOS can be rewritten. In particular, a specific sequence of keys on the keyboard must be held down before rewriting the BIOS will be possible.
Ivan Krstić has recently been thinking about the BIOS issue; in particular, he is worried that the keyboard-based interlock still leaves the system open to phishing attacks. The target user base for the OLPC, remember, will be very young. If something pops up on their screen telling them to push a certain set of keys, some of them may well do it. Adults may be immune to this sort of attack, but children need to be treated with more care.
So Ivan floated a proposal for a different way of doing things. It does away with the keyboard interlock; instead, the operating system is always forbidden to rewrite the BIOS. The BIOS, however, can rewrite itself, and would do so upon finding a new BIOS image in a specific place in the filesystem. That image would have to be cryptographically signed, however, so attackers would, presumably, be unable to get a new BIOS image written. Ivan says:
Some who responded were not entirely happy with this approach, however. The potential for performing BIOS upgrades (even if properly signed) without the user's knowledge or consent is troubling. If a bug is found in the signature verification code, the fully automated mass bricking scenario becomes real again. Users who want to put in their own version of the BIOS will be frustrated - they cannot be given the signing key without compromising the entire mechanism (though this problem can be mitigated through the addition of a unique key for each system). Some countries may be unwilling to buy and distribute the OLPC systems without the ability to create and install their own BIOS images. And so on; see the list archive for the full discussion thread.
There was no obvious consensus reached on the list - and no immediate decision to change the OLPC hardware design. It is an issue requiring some additional thought, however. The OLPC systems are designed, in general, to be easy to fix when a user breaks things - they are meant to be experimented with. A BIOS-level bricking, however, is decidedly not easy to fix; it is not a scenario which can be allowed to come about. So it will be interesting to see what solution the OLPC designers arrive at in the end.
(Update: the OLPC project has decided to implement the new mechanism as originally described in the article).
Posted Aug 31, 2006 10:04 UTC (Thu)
by NRArnot (subscriber, #3033)
[Link] (1 responses)
Posted Sep 12, 2006 2:03 UTC (Tue)
by jg (guest, #17537)
[Link]
They increase the number of holes in the case (bad for keeping dust/water out), increasing failures.
Posted Aug 31, 2006 12:38 UTC (Thu)
by gerv (guest, #3376)
[Link] (1 responses)
Gerv
Posted Sep 11, 2006 22:25 UTC (Mon)
by jg (guest, #17537)
[Link]
Or turn an upgrade into a manual process that only teachers can do?
Do you think anything will get upgraded if it requires work on a per-machine basis?
Posted Aug 31, 2006 12:48 UTC (Thu)
by nlucas (guest, #33793)
[Link]
It seems to me it works the same, so any solution that works on a regular PC BIOS should work for the LinuxBIOS on the OLPC.
Unless they will be running in super-user mode all the time...
Posted Aug 31, 2006 14:55 UTC (Thu)
by hamjudo (guest, #363)
[Link] (10 responses)
It can be complex to prevent accidental invocation, like holding a combination of keys while powering it on, and that gets you N seconds to do some other combination of keys, or it falls back to the normal boot.
Posted Aug 31, 2006 16:25 UTC (Thu)
by leoc (guest, #39773)
[Link] (1 responses)
Posted Sep 11, 2006 22:22 UTC (Mon)
by jg (guest, #17537)
[Link]
Posted Aug 31, 2006 17:10 UTC (Thu)
by iabervon (subscriber, #722)
[Link] (3 responses)
Personally, I think the best idea is to have a ROM bootloader, capable of flashing the BIOS from a USB device or from a ROM original if the system is powered up with some arrangement that's hard to do accidentally. You can't replace the bootloader, but you shouldn't need to, because it doesn't do anything other that replace the BIOS or start running it. It should probably also be possible to replace the BIOS if the current BIOS permits it (generally, if the new image is signed by a key known to the existing BIOS). With this scheme, the user always has the ultimate control, able to do whatever with a USB device and physical access; the nation can preconfigure the machines with their own images, and can mass-update machines if it has set this up (and the machines are still using their BIOS). So there is the potential for a bricking or backdoor virus, but physical access is sufficient to recover from this situation. Users can hack on the BIOS, but the mechanism they use to change it is not easy to subvert, since it requires external storage and out-of-band actions (e.g., removing the battery). Of course, BIOS developers would add their own key to their own BIOS, and be able to update it easily, but these users will be harder to fool.
Posted Sep 4, 2006 14:05 UTC (Mon)
by emj (guest, #14307)
[Link]
Posted Sep 11, 2006 22:19 UTC (Mon)
by jg (guest, #17537)
[Link]
Not so. Some people are *really* poor.
And logistically, updating a school of hundreds or thousands of
Posted Sep 11, 2006 22:20 UTC (Mon)
by jg (guest, #17537)
[Link]
Posted Aug 31, 2006 21:25 UTC (Thu)
by thomask (guest, #17985)
[Link] (2 responses)
Posted Sep 7, 2006 14:55 UTC (Thu)
by jimwelch (guest, #178)
[Link]
Posted Sep 11, 2006 22:15 UTC (Mon)
by jg (guest, #17537)
[Link]
But it turns out that if the embedded controller code, stored in the
You *REALLY* don't want to have the BIOS rom completely trashed. Recovery
Posted Sep 11, 2006 22:21 UTC (Mon)
by jg (guest, #17537)
[Link]
Remember, we have to make an inexpensive machine....
There is a reason it is called the $100 laptop (though it is innovative in
Posted Sep 5, 2006 0:27 UTC (Tue)
by bronson (subscriber, #4806)
[Link] (1 responses)
...right?
Posted Sep 11, 2006 2:33 UTC (Mon)
by Klavs (guest, #10563)
[Link]
Rather than keystrokes, what's wrong with an interlock? This could be made easier than the classic write-protect jumper on the motherboard, but hard enough that young children couldn't be too easily prompted into using it. For example, a screw on the bottom of the thing that releases a microswitch when removed? The OLPC and BIOS upgrades
Screws/switches cost money, both the switches and the assembly time.The OLPC and BIOS upgrades
How about forcing the user to type a phrase, which can be configured on a per-machine basis at install time? So, to reflash the BIOS, they would need to type "I know that typing in this sentence is dangerous, and will only do so if told to by someone I trust", or the equivalent in the local language. (OK, the phrase could use work; focus on the idea.)The OLPC and BIOS upgrades
Hmmm... We're going to ask kids to retype random passwords, when theyThe OLPC and BIOS upgrades
can't remember their own passwords?
So what make LinuxBIOS different from other BIOS on this aspect?The OLPC and BIOS upgrades
This is approaching the wrong problem. The root problem is that the system can be bricked at all. There should be a real ROM in there somewhere for emergency use and a hardware way to force it to boot off of the real ROM.The OLPC and BIOS upgrades
I agree 100%. As we see with other operating systems, no amount of money thrown at the problem is going to stop end users from doing bad things, more so when you are talking about people who have very little computer experience. The system should probably have some read-only-hardware method to restore the machine to the way it was when it was first turned on.The OLPC and BIOS upgrades
Which is why we have to protect the BIOS rom so carefully: it is whatThe OLPC and BIOS upgrades
will allow someone to get a fresh copy of the system bits reinstalled onto
NAND flash.
If nothing else, just about any device will get broken if power runs out halfway through replacing the BIOS; unless there's twice as much storage for the BIOS, there can't be either complete image on the system. So you at least need some way to recover from this.The OLPC and BIOS upgrades
The whole idea with using LinuxBIOS is that you don't need any bootloader drivers for USB devices.... The complexity goes up quite abit if you need a driver for USB flash devices as well..The OLPC and BIOS upgrades
You presume that people all over the world have USB keys.The OLPC and BIOS upgrades
laptops with *any* procedure that requires touching the machines
is basically saying it won't happen (some of/all of) the time.
Oh, we plan to have the reflash utility check that the battery is installedThe OLPC and BIOS upgrades
and charged, or not be willing to proceed. This minimizes the window
of vulnerability greatly.
As an additional measure, how about using removable media (like an SD card or something) for the BIOS? That would at least mean that if the system got bricked you'd only have to replace a small and cheap piece of hardware, rather than a large and expensive one.A removable BIOS?
I like this idea. Just like the memory card in my phone, cheap connector, cheap card, Small (looks like a credit card when shiped). I don't know if the final design has a place to put it, like a battery compartment on a real laptop. What is the storage capacity on a phone card? What is the standard?A removable BIOS?
Sockets cost money.... We have such a socket on the development boards.A removable BIOS?
same flash that the BIOS is stored in, is trashed, the board doesn't
even power up enough to be able to use a PLCC Flash part. (The
embedded controller is responsible for battery and other
power control in the machine). We've done this
(once).
at that point may require complex stuff talking to the embedded controller,
and is so painful we decided when we managed to do this once it wasn't
worth even trying to fix the board.
We can't afford another ROM.The OLPC and BIOS upgrades
very many ways).
This is incompatible with GPL3 isn't it? GPL3 would force you to distribute the private keys, allowing crooks to sign binaries, so worms can run rampant. GPL3 makes it impossible to secure the BIOS using crypto.The OLPC and BIOS upgrades
Not as I see it. GPLv3 is written to protect against a situation where your hardware won't run something, not signed by an unknown key (ie. TiVO). In this situation, the installed software (of which the specific part, can be easily replaced by the user, without breaking the whole) simply won't do an automatic update, per default, without this correct signing. ie. no user lock-in. Just a precaution, that the user is free to remove/change as they see fit.The OLPC and BIOS upgrades