LWN: Comments on "The OLPC and BIOS upgrades"

The OLPC and BIOS upgrades

jg — Tue, 12 Sep 2006 02:03:51 +0000

Screws/switches cost money, both the switches and the assembly time.

They increase the number of holes in the case (bad for keeping dust/water out), increasing failures.

The OLPC and BIOS upgrades

jg — Mon, 11 Sep 2006 22:25:44 +0000

Hmmm... We're going to ask kids to retype random passwords, when they
can't remember their own passwords?

Or turn an upgrade into a manual process that only teachers can do?

Do you think anything will get upgraded if it requires work on a per-machine basis?

The OLPC and BIOS upgrades

jg — Mon, 11 Sep 2006 22:22:57 +0000

Which is why we have to protect the BIOS rom so carefully: it is what
will allow someone to get a fresh copy of the system bits reinstalled onto
NAND flash.

The OLPC and BIOS upgrades

jg — Mon, 11 Sep 2006 22:21:45 +0000

We can't afford another ROM.

Remember, we have to make an inexpensive machine....

There is a reason it is called the $100 laptop (though it is innovative in
very many ways).

The OLPC and BIOS upgrades

jg — Mon, 11 Sep 2006 22:20:12 +0000

Oh, we plan to have the reflash utility check that the battery is installed
and charged, or not be willing to proceed. This minimizes the window
of vulnerability greatly.

The OLPC and BIOS upgrades

jg — Mon, 11 Sep 2006 22:19:02 +0000

You presume that people all over the world have USB keys.

Not so. Some people are *really* poor.

And logistically, updating a school of hundreds or thousands of
laptops with *any* procedure that requires touching the machines
is basically saying it won't happen (some of/all of) the time.

A removable BIOS?

jg — Mon, 11 Sep 2006 22:15:48 +0000

Sockets cost money.... We have such a socket on the development boards.

But it turns out that if the embedded controller code, stored in the
same flash that the BIOS is stored in, is trashed, the board doesn't
even power up enough to be able to use a PLCC Flash part. (The
embedded controller is responsible for battery and other
power control in the machine). We've done this
(once).

You *REALLY* don't want to have the BIOS rom completely trashed. Recovery
at that point may require complex stuff talking to the embedded controller,
and is so painful we decided when we managed to do this once it wasn't
worth even trying to fix the board.

The OLPC and BIOS upgrades

Klavs — Mon, 11 Sep 2006 02:33:53 +0000

Not as I see it. GPLv3 is written to protect against a situation where your hardware won't run something, not signed by an unknown key (ie. TiVO). In this situation, the installed software (of which the specific part, can be easily replaced by the user, without breaking the whole) simply won't do an automatic update, per default, without this correct signing. ie. no user lock-in. Just a precaution, that the user is free to remove/change as they see fit.

A removable BIOS?

jimwelch — Thu, 07 Sep 2006 14:55:21 +0000

I like this idea. Just like the memory card in my phone, cheap connector, cheap card, Small (looks like a credit card when shiped). I don't know if the final design has a place to put it, like a battery compartment on a real laptop. What is the storage capacity on a phone card? What is the standard?

The OLPC and BIOS upgrades

bronson — Tue, 05 Sep 2006 00:27:59 +0000

This is incompatible with GPL3 isn't it? GPL3 would force you to distribute the private keys, allowing crooks to sign binaries, so worms can run rampant. GPL3 makes it impossible to secure the BIOS using crypto.

...right?

The OLPC and BIOS upgrades

emj — Mon, 04 Sep 2006 14:05:16 +0000

The whole idea with using LinuxBIOS is that you don't need any bootloader drivers for USB devices.... The complexity goes up quite abit if you need a driver for USB flash devices as well..

A removable BIOS?

thomask — Thu, 31 Aug 2006 21:25:00 +0000

As an additional measure, how about using removable media (like an SD card or something) for the BIOS? That would at least mean that if the system got bricked you'd only have to replace a small and cheap piece of hardware, rather than a large and expensive one.

The OLPC and BIOS upgrades

iabervon — Thu, 31 Aug 2006 17:10:59 +0000

If nothing else, just about any device will get broken if power runs out halfway through replacing the BIOS; unless there's twice as much storage for the BIOS, there can't be either complete image on the system. So you at least need some way to recover from this.

Personally, I think the best idea is to have a ROM bootloader, capable of flashing the BIOS from a USB device or from a ROM original if the system is powered up with some arrangement that's hard to do accidentally. You can't replace the bootloader, but you shouldn't need to, because it doesn't do anything other that replace the BIOS or start running it. It should probably also be possible to replace the BIOS if the current BIOS permits it (generally, if the new image is signed by a key known to the existing BIOS). With this scheme, the user always has the ultimate control, able to do whatever with a USB device and physical access; the nation can preconfigure the machines with their own images, and can mass-update machines if it has set this up (and the machines are still using their BIOS). So there is the potential for a bricking or backdoor virus, but physical access is sufficient to recover from this situation. Users can hack on the BIOS, but the mechanism they use to change it is not easy to subvert, since it requires external storage and out-of-band actions (e.g., removing the battery). Of course, BIOS developers would add their own key to their own BIOS, and be able to update it easily, but these users will be harder to fool.

The OLPC and BIOS upgrades

leoc — Thu, 31 Aug 2006 16:25:10 +0000

I agree 100%. As we see with other operating systems, no amount of money thrown at the problem is going to stop end users from doing bad things, more so when you are talking about people who have very little computer experience. The system should probably have some read-only-hardware method to restore the machine to the way it was when it was first turned on.

The OLPC and BIOS upgrades

hamjudo — Thu, 31 Aug 2006 14:55:06 +0000

This is approaching the wrong problem. The root problem is that the system can be bricked at all. There should be a real ROM in there somewhere for emergency use and a hardware way to force it to boot off of the real ROM.

It can be complex to prevent accidental invocation, like holding a combination of keys while powering it on, and that gets you N seconds to do some other combination of keys, or it falls back to the normal boot.

The OLPC and BIOS upgrades

nlucas — Thu, 31 Aug 2006 12:48:32 +0000

So what make LinuxBIOS different from other BIOS on this aspect?

It seems to me it works the same, so any solution that works on a regular PC BIOS should work for the LinuxBIOS on the OLPC.

Unless they will be running in super-user mode all the time...

The OLPC and BIOS upgrades

gerv — Thu, 31 Aug 2006 12:38:01 +0000

How about forcing the user to type a phrase, which can be configured on a per-machine basis at install time? So, to reflash the BIOS, they would need to type "I know that typing in this sentence is dangerous, and will only do so if told to by someone I trust", or the equivalent in the local language. (OK, the phrase could use work; focus on the idea.)

Gerv

The OLPC and BIOS upgrades

NRArnot — Thu, 31 Aug 2006 10:04:42 +0000

Rather than keystrokes, what's wrong with an interlock? This could be made easier than the classic write-protect jumper on the motherboard, but hard enough that young children couldn't be too easily prompted into using it. For example, a screw on the bottom of the thing that releases a microswitch when removed?