FOSDEM'10: Maemo 6 platform security [LWN.net]

February 10, 2010

This article was contributed by Koen Vervloesem

One of the keynote speakers at FOSDEM 2010 in Brussels was Elena Reshetova, a senior security engineer at the Nokia Maemo Security team. Last October at the Maemo Summit 2009, she gave a short introduction to Maemo 6 Platform Security, a set of mechanisms and techniques to protect the Maemo 6 platform; at FOSDEM she gave a more technical overview.

Security of a platform depends on a whole "stack" of solutions: at the bottom there are hardware enablers, such as a TPM (Trusted Platform Module) chip in PCs. On top of that, software implements integrity protection, layered above that is access control, and then privacy protection. On each of these levels, the platform needs key management for encryption and signing keys, and all this is coordinated by a particular security policy. For Maemo 6, Nokia is working on this whole security stack.

DRM

It's no secret that Nokia wants to attract a larger commercial offering to its application store for Maemo. Therefore, the security framework of Maemo 6 will enforce DRM (digital rights management or digital restrictions management, depending on the viewpoint) policies. According to Elena, this is needed to be able to attract a larger developer offering: "DRM will enable a lot more use cases for Maemo devices, such as games and commercial applications."

When talking about DRM, most of the time that means locking down the platform. Elena assured the assembled open source audience that Maemo remains an open source platform, even when DRM comes into play. Maemo 6 will have two device modes: one mode has DRM protection, which means that users can't tinker with their platform. But there will also be an open source mode, which will have the same functionality as Maemo 5 on the N900. In this mode, users are free to hack their device, compile and flash their own kernel, define their own security policy, and do low-level platform development. However, they won't be able to run protected software or play protected media files.

The Maemo 6 device's boot process is assisted by a hardware enabler: the ARM TrustZone security extension to the ARM Cortex-A8 processor creates a trusted execution environment (TrEE) with two main keys: a root public key and a root device specific key. The boot ROM of the device checks the integrity of the boot loader and refuses to load it if it has been tampered with. Incidentally, this means that users cannot swap out Nokia's boot loader for another one. However, if Nokia's loader passes the integrity check, then it checks the integrity of the software (including Nokia's kernel). If that doesn't pass (e.g. the user compiled a custom kernel that isn't signed by Nokia) and the device is SIM locked by the carrier, the device refuses to boot. If the integrity check fails and the device is not SIM locked, then it boots an unsigned software image with restricted security functionality: DRM keys are disabled so that content from the closed mode can't be decrypted.

So, in open mode, the user cannot run DRM-protected software purchased from the Ovi Store or play music bought from the Nokia Comes With Music store. It is only if the software verifies as that shipped by Nokia that the boot loader starts the Nokia signed software image (including the kernel root file system and important system components like drivers and Application Manager), which has the DRM keys enabled and thus can decrypt DRM-protected content.

This system gives users a choice. If they want to have full access to their devices, they will continue to be able to do so in Maemo 6 just like now, but without access to DRM-protected services. Users can also switch between the open and closed modes (e.g. between a 'community' kernel and Nokia's kernel), so that after working in the open mode, users can return to the DRM-protected mode to play some music. If the application doesn't use the protected storage but just stores its data as plain files in the file system, like most non-commercial applications will do, those files are accessible in both modes. Switching modes requires rebooting the device, though, because the checks for the integrity of the software are done by the boot loader.

A new kind of access control

Because Maemo is close to a standard Linux distribution, it won't surprise that Nokia has taken a close look at the classical Linux and UNIX access control mechanisms and their extensions. The classical UNIX access control mechanisms are discretionary access controls (DAC) and were created primarily for servers and desktops with multiple users. Nokia's criteria for their Maemo platform, which is essentially a single-user system, are completely different. For starters, Elena mentioned that the platform needs mandatory access control on the process level: processes should be protected from other processes. Moreover, it needs a good level of flexibility and granularity, and all of that should require only minimal changes to the current Linux DAC model Maemo uses.

Nokia's engineers looked at existing security extensions, such as FreeBSD access controls, MLS, Biba, SELinux, RBAC, AppArmor and TOMOYO Linux, but none of them were a good match to Nokia's requirements. For example, SELinux has fine-grained access control, but needs large, complex policies that require filesystem extended attributes to store the metadata. Moreover, most of these mechanisms don't provide protection from off-line attacks, which is crucial for a mobile device.

So the main goal of Nokia's engineers was to create a lightweight system on top of existing Linux security mechanisms, while having to make the smallest possible change to existing applications. The Maemo 6 security system starts from the principle of least privilege: every application should be able to access only a limited set of needed resources. Therefore, there will be a list of protected resources, and any application that wants to use them will have to declare that in an "Aegis Manifest" file. This is an optional XML file (new as part of the Maemo 6 security model) inside a Debian package, generated automatically by the Maemo SDK (Software Development Kit) based on the source code. That means that developers don't have to worry about it and don't have to change their code. According to Elena, the full list of protected resources is not yet finalized, but components like cellular functionality or location information will be on that list. The former should be protected because misuse could harm the device, while the latter should be protected because misuse could cause harm to the user.

Secure software distribution

The Maemo 6 security framework also has a solution for secure software distribution. Each package has a "software source", which can be a software repository or a home page of the software author. Each known software source has an asymmetric key pair: the private key that has been used to sign the package, and the public key used to verify this package. On top of that, each software source is assigned a trust level. Updating a specific package is only possible from the same software source or from a software source with a higher trust level.

All of this is configured in the Aegis security policy, which contains the mapping between software sources and what the software is allowed to do. So while each application can declare the access control rights it needs in its Aegis Manifest file, ultimately the Aegis security policy decides if these access control rights are granted, based on the risk level associated to the software source.

For example, software from the Ovi Store is assigned a different trust level than software from maemo.org or the home page of an arbitrary software package. The Aegis security policy is accessible only to the application installer and can only be changed by an authorized update, meaning that the trust levels cannot be changed by the user but only by Nokia. Users always have the option to run the device in the open mode, which gives them the capability to define their own security policy.

Integrity and privacy protection

Integrity protection is handled by the Aegis Validator. This component ensures the integrity of all executable components, such as binaries and libraries. It not only protects against runtime manipulations, but also against off-line attacks. A kernel module calculates a cryptographic hash, currently SHA-1, of each file. The reference hashes, which come inside the package or can be computed during installation time, are then stored in the Aegis Protected Storage

The Aegis Protected Storage ensures the integrity of data and configuration files after installation. It can not only be used to sign and verify data, but also to protect the user's privacy by encrypting their data with an encryption key that is stored in hardware. However, applications have to explicitly use the Aegis Protected Storage APIs to place files in the protected storage. The Protected Storage APIs can be used in both of the device's modes, but with an obvious caveat: if an application uses the API to encrypt data in the closed mode, it won't be able to decrypt it in the open mode, and vice versa.

Open source

Nokia is doing its best to behave like a good citizen in the open source world. Elena said they are offering their security additions to the upstream D-Bus project. In addition, recently Nokia created a Maemo 6 Platform Security project at gitorious.org, and the first available code is from the libcreds library, which allows getting and setting the credentials of another process in a secure way. The credentials that libcreds can handle include the user id, group id, supplementary groups, and capabilities defined by the kernel. At the end of her talk, Elena said that, over time, it is Nokia's goal to open source most of the Maemo 6 security framework.

However, DRM threatens the open nature of the Maemo 6 platform. In her talk, Elena stressed how simple it is to use Platform Security because the user doesn't have to worry about key management. All encryption and signing keys of the platform are ultimately based on hardware keys of the ARM TrustZone. So if users backup their data by a simple one-to-one copy and lose their Maemo 6 device, they can't read their backup anymore. Moreover, given that the device's private key is carved in hardware in the chip factory, users can't be sure that they are the only one with access to the private key. Users don't have any control over the key, but Nokia is promoting its Maemo platform as an open platform without restrictions.

Those conflicting signals generated a lot of questions from the audience, many of whom had bad memories of the Trusted Platform Module and "Trusted Computing". So all in all, it looks like the Maemo 6 Platform Security will become a challenge for Nokia's relationship with the Maemo community. Luckily, Nokia is clearly listening to these concerns: the Finnish company has opened a wiki page with questions and official answers about the topic, and it welcomes users to add their questions to the discussion page.

Index entries for this article
Security	Distribution security
Security	Mobile phones
GuestArticles	Vervloesem, Koen

to post comments

FOSDEM'10: Maemo 6 platform security

Posted Feb 11, 2010 7:01 UTC (Thu) by corsac (subscriber, #49696) [Link]

TPM is not only about locking down the user. Trusted computing means reducing the trusted part to
really be able to observe and analyse it, and thus be really trustful.

It can be really useful when on the hand of the user (or a company), you can rely on it for your own
secure operations.

In Maemo6 case, though, the private key is not on the user hand, which means he can't really use it
for himself, as it seems.

FOSDEM'10: Maemo 6 platform security

Posted Feb 11, 2010 9:54 UTC (Thu) by liljencrantz (guest, #28458) [Link]

I can run any kernel I wish on the device, but in order to run DRM:ed files, either applications or media, I will need to run a kernel signed by Nokia. That seems pretty fair and reasonable to me.

What I'm curious about, though, is what level of tinkering will I be able to do in future Maemo versions in the trusted mode? Will I still be able to get full root access, install Debian in a chroot, rip out proprietary apps I don't like and replace them with something open, etc.?

If that is indeed the plan, then Nokia should be congratulated for truly getting it.

Another thing I'm kind of curious about, when running in untrusted mode, is it still possible t make use of the TPM to get features like secure storage of file hashes?

this is not my beautiful house

Posted Feb 11, 2010 11:05 UTC (Thu) by wingo (guest, #26929) [Link] (7 responses)

Seems like excellent engineering, but something about this just rubs me wrong.

Articles on this page usually focus on preserving the user's autonomy: the user of a web browser, or the user who runs a server, or such. But this article is about preserving Nokia's ability to control these devices, which belong to the user.

I am disappointed that the article was not more critical of the intent of this "security" module.

this is not my beautiful house

Posted Feb 11, 2010 14:27 UTC (Thu) by liljencrantz (guest, #28458) [Link] (6 responses)

So long as I can opt out of slavery, I don't mind if companies try to lure me into the cage by filling it with ever so fluffy pillows.

this is not my beautiful house

Posted Feb 11, 2010 15:00 UTC (Thu) by wingo (guest, #26929) [Link] (5 responses)

The existence of DRM affects freedom negatively, even if you have no device with DRM.

this is not my beautiful house

Posted Feb 11, 2010 16:17 UTC (Thu) by Tuna-Fish (guest, #61751) [Link]

The interesting part is that most mobile phones have been DRM'ed since their first appearance -- having DRM there is not new, being able to opt out of it is.

this is not my beautiful house

Posted Feb 11, 2010 19:09 UTC (Thu) by drag (guest, #31333) [Link] (3 responses)

Even if you as a user choose to remain free from coercive relationships like that imposed by DRM, if a significant fraction of people are lured into such a situation, it gives the coercive party more power -- to the point that perhaps there will be no device on the market that preserves your freedom.

That is why it's up to the open source folks to prove to people that having DRM is detrimental. If there are actually compelling and good reasons why DRM should not be used then we need to help people understand it and also prove it.

Right?

This is a good opportunity to do this. Even though the platform is restrictive enough to make DRM seem feasible it's completely opt-out. Prove to people that DRM is not necessary then they can opt-out. Once Nokia and everybody else in the world sees that people are opting out and are not sacrificing freedom for comfort then it will be that much more easy in the future to convince people to make devices more open.

Like the other person said these sort of hand held devices started out with very negative approach to end user freedoms.. but have now started to progress in our direction.

The reality of the situation is that people are, and should be, free to make decisions on what sort of trade-offs they are willing to make in their lives. The world is full of necessary evils and compromises between people with different viewpoints and ethical frameworks. The more we are able to prove that freedom is self-evident then the more freedom we, and other people, are going to get.

this is not my beautiful house

Posted Feb 11, 2010 20:55 UTC (Thu) by vadim (subscriber, #35271) [Link] (2 responses)

That is why it's up to the open source folks to prove to people that having DRM is detrimental. If there are actually compelling and good reasons why DRM should not be used then we need to help people understand it and also prove it.

There's nothing to prove. The DRM people amply proved it is detrimental already, with things like activation servers going down and making people unable to play the games/music they paid for. As a consumer there's no logical reason to subscribe to such a scheme. The only reason people do is because large companies put it in front of huge amounts of content, making avoiding it very difficult.

this is not my beautiful house

Posted Feb 12, 2010 15:37 UTC (Fri) by wookey (guest, #5501) [Link] (1 responses)

erm, but surely that is a logical reason for a consumer (access to that huge amount of content)? That's exactly the trade that many people are willing to make (but relatively few readers here).

this is not my beautiful house

Posted Feb 12, 2010 16:33 UTC (Fri) by vadim (subscriber, #35271) [Link]

It's not a fair trade, though. If you're unhappy with a restaurant's
policies, you can go to another, and get the same food for the most part.
If you don't like an establishment's dress code, for instance, you can
also get your steak at a place that's not so restrictive.

But if you're unhappy with the entretainment media's industry, there's
simply nowhere to go. There's no place that will for instance sell the
same content as on BluRay without the DRM attached. There's no shop that
sells Windows without activation. And some of those things form chains of
lock in: To perform your job you need to access a website, to acess it you
must use IE, and to use IE you must use Windows. You're not entirely free
to make a choice in such a case because the odds are stacked against you.

In a case where you can obtain the same thing with either DRM or without
it, people overwhelmingly go for the option without, as can be seen from
the success of DRM-less web music shops.

FOSDEM'10: Maemo 6 platform security

Posted Feb 11, 2010 13:08 UTC (Thu) by vadim (subscriber, #35271) [Link]

DRMed music? Eew. Not paying a cent for that, especially now that most shops dropped it.

Otherwise seems reasonable enough, but I wonder if it will be possible to set an application for sale in the Ovi store for the non-restricted version.

FOSDEM'10: Maemo 6 platform security

Posted Feb 11, 2010 18:51 UTC (Thu) by brinkmd (guest, #45122) [Link] (4 responses)

I was very disappointed in the talk, which promised to make "DRM business and freedom lovers happy with the same device". Nothing like that happened.

First, Nokia is right that on an embedded device, a security model is required that separates processes, and the Aegis framework seems to do the job. That part of the architecture was interesting and seemed reasonably well designed given the practical constraints.

However, the DRM architecture is just a projection of the TPM security model on Maemo. What made the presentation particular troubling is that no consideration at all was given to the criticism of TPM, which naturally applies to Maemo without modification. In fact, Nokia made two disingenious claims:

1. Nokia claims that users are "free to choose" between free devices + software, DRM encumbered devices + software and sim-locked devices. But these options are not equal: certain services will require the DRM software stack, and operators will sell sim-locked devices at a price point with which the free devices can not compete in the mass market. Elena said that (paraphrased) "it's up to the operator to decide if the device is sim-locked or not, and up to the user to buy it or not, there is nothing Nokia can do about it." which is blatantly wrong, as it is Nokia who provides operators with the opportunity to sim-lock the device and content providers to require a DRM software stack in the first place.

2. Nokia claims that they are interested in the opinion of the community, but not a single word was said about Nokia's response to the TPM criticism of the last decade, which culminated in the compromises that are documented in the GPLv3. We had conferences all over the world. Nokia was present at these conferences. Now they try to repeat the process as if nothing happened. The Maemo security framework that was presented is incompatible with the GPLv3. Nokia is not listening.

The danger from this is that there will be two separate free software stacks down the road, a stack that is compatible with DRM, and a stack that is incompatible with the DRM. This may very well be the biggest fork in the history of free software, and Nokia wants to make sure people stay on their side of the fence. Instead of harmony, there might be a deep division. The loser here is Elena: She either is ignorant of this or deceived her audience.

FOSDEM'10: Maemo 6 platform security

Posted Feb 11, 2010 20:29 UTC (Thu) by mlankhorst (subscriber, #52260) [Link] (1 responses)

And I was thinking of buying a device based on maemo. I'll pass now. Like the parent poster said, most devices will be sold with simlock and a plan. 2 year plan with maemo phone is still cheaper than buying the phone separately. Maemo was nice from what I read, but I really don't want a smartphone if it doesn't allow me to run my own kernel if I decide to do so.

Is there any phone I can buy with a plan that's still open and actually works and of which the next or current version isn't going to restrict what I can do when I buy it with a plan?

FOSDEM'10: Maemo 6 platform security

Posted Feb 12, 2010 11:08 UTC (Fri) by brinkmd (guest, #45122) [Link]

Boycotting Maemo may not be your best option. A boycot only makes sense if there is strong internal force to push in the direction of the boycotters: The boycott strenghtens this internal force by weakening the alternatives. I don't know what Nokia employees and close associates think about this, so one would have to figure that out first. The Maemo is still the free-est phone device on the mass market.

The Neo Freerunner with OpenMoko is still available, and if your needs are extremely modest, it may be a viable alternative for you. In that case, congratulations, you will have the free-est phone on the market. There may be other niche devices that I don't know about.

You could develop the next killer application for the phone and release it under GPLv3. Then when people go to Nokia and ask why it is not available on the device by default they will be embarrassed.

FOSDEM'10: Maemo 6 platform security

Posted Feb 12, 2010 12:31 UTC (Fri) by buchanmilne (guest, #42315) [Link] (1 responses)

"it's up to the operator to decide if the device is sim- locked or not, and up to the user to buy it or not, there is nothing Nokia can do about it." which is blatantly wrong, as it is Nokia who provides operators with the opportunity to sim-lock the device and content providers to require a DRM software stack in the first place.

If you believe it is blatantly wrong to allow SIM card locking, then you need to get your country's communications regulations changed to prohibit it.

For example, in South Africa, SIM locking is not allowed. I haven't found it explicitly in the regulations, but the handset subsidy regulations specifies conditions that can not be met (by competing operators) if hand sets are locked.

The regulator has the power (in the mobile operator licenses) to force the operators to do what is in the best interest of their "shareholders" (you), whereas Nokia only has the power to offer a product to the operators . If Nokia did not offer the feature, then in countries where SIM locking is the norm Nokia would sell fewer phones via operator channels, and more users would be locked into proprietary platforms and into networks.

FOSDEM'10: Maemo 6 platform security

Posted Feb 12, 2010 14:17 UTC (Fri) by brinkmd (guest, #45122) [Link]

If the users have a choice to refuse to buy SIM-locked devices, then Nokia has a choice to build such devices or not. In particular, Nokia then has further a choice to spend their dollars on better free software applications, or on DRM infrastructure that allows the proprietary market to enter the platform (they are trying to do both now).

Saying that adding DRM to the platform is necessary to get better games for example is actually quite an insult. Are the available games for GNU/Linux not good enough to attract a large number of people? If games are so important, why does Nokia not spend the millions it costs to develop DRM technology on developing awesome free software games?

Apple found a viable business model with the iphone, and Google (with Android) and Nokia (with Maemo) are now trying to imitate it. That's understandable. I am not sure if that's the only viable strategy for a phone company these days, but let's assume it is necessary. Then Nokia could still communicate these actions in a way that respects what the community decide with regards to DRM in the last decade, and answer the concerns about a deep fork in the code base with regards to the GPLv3.

FOSDEM'10: Maemo 6 platform security

Posted Feb 11, 2010 23:38 UTC (Thu) by shane (subscriber, #3335) [Link]

I love, love, LOVE my new Nokia N900 phone. It is the phone I always wanted. (I was hoping for a Grumpy Editor review, but it seems like Google preempted this by giving him a free Android phone.) It's not prefect, but I figured a lot of issues would be fixed by improved software over time (it really is mostly open source), and the rest would be improved by better hardware in the next version of the phone.

Now it sounds like this was one shining moment of freedom, quickly to fade away. :(

Of course vendors want to own the device. Carriers too. Sadly users have disappeared from the equation. *sign*