Ticket #11609 (closed defect: fixed)

Opened 2 years ago

Last modified 2 years ago

add visual response to escape key ignored in secure mode

Reported by: Quozl
Owned by: Quozl
Priority: low
Milestone: 12.1.0
Component: ofw - open firmware
Version: Development firmware
Keywords:
Cc: reuben, wmb@…
Action Needed: no action
Verified: no
Deployments affected:
Blocked By:
Blocking:

Description

The ok prompt is not to be accessible when the system is secured. This is working fine.

However, when diagnosing system behaviour, it is not easy to differentiate between a failed escape key, failed keyboard, or secured laptop.

Test case: with a system secured, and no developer key present, use the keyboard to attempt access to the ok prompt, verify that something is displayed to indicate failure.

Attachments

11609.patch (0.5 kB) - added by Quozl 2 years ago.
Patch to print "Secured, continuing" if the escape key was pressed at boot when the system is secured.
11609-b.patch (0.5 kB) - added by Quozl 2 years ago.
Second patch, using pending-char, no longer consumes the ESC key that is needed to gain the ok prompt on a locked laptop with a developer key present. Tested.

Change History

Changed 2 years ago by Quozl

Patch to print "Secured, continuing" if the escape key was pressed at boot when the system is secured.

Changed 2 years ago by Quozl

  • cc wmb@… added
  • next_action changed from communicate to review

Mitch, what do you think of this change? Caution is warranted because it is a change to the secure boot path.

I've tested it here with a secure laptop. Two downsides:

  • the visible causes the signed boot search to appear,
  • the escape is consumed, requiring two escapes when a developer key is present, but that could be fixed using pending-char instead of key.

Changed 2 years ago by reuben

My only comment is that I'd be cautious about changing dev key behavior much. As it stands I've seen in the field what appears to be a regression or significant delay added between pressing the ESC key and getting the ok prompt when using a dev key.

Changed 2 years ago by Quozl

This isn't developer key behaviour being changed, once I change to using pending-char.

I can explain the significant delay you see in the field. It is not a regression.

The code that captures the ESC key when the laptop is unlocked runs before any device or filesystem access occurs. So it has a very predictable response. Pressing ESC as soon as the XO icon appears or the startup sound begins will always work.

But the code that captures the key when the laptop is locked, with a developer key present, runs after a device and filesystem search for /security/develop.sig. Since the NAND FLASH on XO-1 has a jffs2 filesystem, the time it takes to open this filesystem can be large, and can vary.

I have updated http://wiki.laptop.org/go/Ok

Changed 2 years ago by Quozl

Second patch, using pending-char, no longer consumes the ESC key that is needed to gain the ok prompt on a locked laptop with a developer key present. Tested.
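
The difference between the two patches, modelled as an added example that is not OFW source and not either attached patch: an early check that reads the key destructively leaves nothing for the later developer-key check, while a peek does. The queue, `secured_boot` and `press_esc` are hypothetical names, and the keystrokes are constructed input.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define ESC 0x1b

/* Constructed model of a keyboard input queue; not OFW code. */
struct keyq { unsigned char buf[8]; size_t head, len; };

/* Destructive read: removes the key from the queue (-1 if empty). */
static int key_read(struct keyq *q) {
    if (q->len == 0) return -1;
    q->len--;
    return q->buf[q->head++];
}

/* Non-destructive peek: leaves the key for a later reader (-1 if empty). */
static int key_peek(const struct keyq *q) {
    return q->len ? q->buf[q->head] : -1;
}

struct boot_result { bool notice_shown, ok_prompt; };

/* Hypothetical secured boot: an early ESC check that only reports, then a
 * later check, after the developer key search, that grants the prompt. */
static struct boot_result secured_boot(struct keyq *q, bool dev_key_present,
                                       bool early_check_consumes) {
    struct boot_result r = { false, false };
    int c = early_check_consumes ? key_read(q) : key_peek(q);
    if (c == ESC) r.notice_shown = true;   /* "Secured, continuing" */
    /* ... device and filesystem search for the developer key runs here ... */
    if (dev_key_present && key_read(q) == ESC) r.ok_prompt = true;
    return r;
}

/* Queue `presses` ESC keystrokes (constructed input) and run the boot. */
static struct boot_result press_esc(int presses, bool dev_key, bool consumes) {
    struct keyq q = { {0}, 0, 0 };
    for (int i = 0; i < presses && i < 8; i++) q.buf[q.len++] = ESC;
    return secured_boot(&q, dev_key, consumes);
}

int main(void) {
    struct boot_result a = press_esc(1, true, true), b = press_esc(1, true, false);
    printf("consuming read: notice=%d prompt=%d\n", a.notice_shown, a.ok_prompt);
    printf("peek:           notice=%d prompt=%d\n", b.notice_shown, b.ok_prompt);
    return 0;
}
```

In both variants the prompt is granted only when a developer key is present; the early check changes what is displayed, not who gets access.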

Changed 2 years ago by Quozl

  • next_action changed from review to add to release

Has completed local testing, pushed as svn 3007.

Changed 2 years ago by Quozl

Is in Q2F12. Yet to be in Q3 or Q4.

Changed 2 years ago by Quozl

Is in Q3C07. Yet to be in Q4.

Changed 2 years ago by Quozl

  • next_action changed from add to release to add to build

Is in Q4D17.

Changed 2 years ago by dsd

  • next_action changed from add to build to test in build

Test in 12.1.0 build 15.

Changed 2 years ago by dsd

I checked this on Q2F12. Seems to be working OK but maybe I found a corner case.

When booting with a developer key on USB, I press escape and see: Secured, continuing.

A moment later, it seeks and finds the developer key and gives me the prompt.

Is this the intended design?

Changed 2 years ago by Quozl

Yes, intended. I saw that too and considered it. It still gives useful information, in that the laptop is secured.

Changed 2 years ago by greenfeld

  • status changed from new to closed
  • next_action changed from test in build to no action
  • resolution set to fixed

One sees "Secured Continuing" on XO-1, 1.5, & 1.75 with 12.1.0 os16 when pressing the ESC key.

If a developer key is present we get an OFW prompt; if it is not, we continue booting normally in secure mode.
