Ticket #9537 (closed task: fixed)

Opened 5 years ago

Last modified 4 years ago

Test OFW security on XO-1.5

Reported by: wmb@…
Owned by: wmb@…
Priority: blocker
Milestone: 10.1.0
Component: ofw - open firmware
Version: Development firmware
Keywords:
Cc: martin@…, reuben, ed, dsd
Action Needed: no action
Verified: no
Deployments affected:
Blocked By: #9396, #9870, #9875
Blocking:

Description

The whole OFW security infrastructure needs to be tested on XO-1.5 - including allow and prevent cases for secure boot (and non-boot), FLASH rewrite, OS update (both manual and NANDblasting).

Change History

  Changed 4 years ago by wmb@…

One problem is that current OFW builds (Q3A14 and earlier) don't contain the OLPC keys in the SPI FLASH - the lines that include those keys in the olpc.bth build script are commented-out. This begs the question of whether we want to use the same keys for XO-1 and XO-1.5, or make new ones.

  Changed 4 years ago by wmb@…

  • status changed from new to assigned
  • next_action changed from test in build to test in release

Fixed by svn 1439. The fix will appear in q3a15.

  Changed 4 years ago by Quozl

No idea how to test, sorry. Suggestions?

  Changed 4 years ago by wmb@…

  • milestone changed from 1.5-F11 to 1.5-firmware-C1-SMT

  Changed 4 years ago by wmb@…

  • cc martin@… added
  • next_action changed from test in release to test in build

Action Needed changed to "test in build" for consistency with other bugs in the same state.

Martin, can you work with Quozl to help him learn how to test this?

  Changed 4 years ago by reuben

  • cc reuben, ed added

Q3A20 and OS56

On a B2 I created and injected an o1 key. I copied vmlinuz and initrd.img and signed them as runos.zip and runrd.zip and added them to /bootpart/boot/. OFW appears to accept the signature of both runos and runrd, indicated by two unlock icons, and then the screen craps out after loading runrd.

On a B3 Ed and I repeated the same process with a serial cable. With a serial cable attached OFW appears to accept the signature of both runos and runrd, indicated by two unlock icons, and then the startup chime loops continuously. Nothing more is sent out the serial cable other than: RD Found (the same message that appears on the screen)

  Changed 4 years ago by Quozl

  • blocking 9858 added

  Changed 4 years ago by dsd

Can't reproduce exactly. My system boots the kernel, even though the screen dies as you describe and the initramfs craps out, both due to #9867

Here's what I'm working with:

  Changed 4 years ago by dsd

  • cc dsd added

  Changed 4 years ago by reuben

6 types of security: All testing was done using keys generated and placed in the augment slot of 1 i.e. x1.

1. OS: Signed runos.zip and runrd.zip. Signature pass and functional up to the point of #9867

2. Activation: symlinked runos.zip and runrd.zip to actos.zip and actrd.zip. Signatures pass. DSD says:

"it doesn't unfreeze dcon and act-gui doesn't support 24bpp framebuffer"

Placing lease.sig in int:\security\ works correctly.

3. Developer: Secured XO. XO does not check u:\security\develop.sig, only int:\security\develop.sig. Removing SD card and placing develop.sig in int:\security\ works correctly.

disable-security - does not work, though this may be due to my manipulation of tags.

4. FS: For Secure reflash. See: #9873 and 9874

5. FW: Downgrade to q3a18.rom. Signed q3a22a.rom to bootfw.zip. Placed in int:\.. Rebooted. Firmware updated correctly.

6. OATS -- No idea how to test.

  Changed 4 years ago by Quozl

Remains a blocker, good progress today, cjb to handle next.

  Changed 4 years ago by Quozl

  • milestone changed from 1.5-firmware-C1-SMT to 1.5-software-final

  Changed 4 years ago by dsd

  • blockedby 9396, 9870, 9873, 9875 added

  Changed 4 years ago by dsd

  • blockedby 9873 removed

All blockers fixed except for #9873 which is only pending a firmware release. OATS tested with an oatslite server running on my desktop, successfully delivered updated lease. So this bug can be closed.

  Changed 4 years ago by dsd

  • status changed from assigned to closed
  • resolution set to fixed

  Changed 4 years ago by reuben

Replying to dsd:

All blockers fixed except for #9873 which is only pending a firmware release. OATS tested with an oatslite server running on my desktop, successfully delivered updated lease. So this bug can be closed.

Just curious, any docs for testing procedure on this or is this one of those you know it cause you wrote/developed it?

  Changed 4 years ago by dsd

* generate t1 key and install into mfg data on test laptop
* install a lease on test laptop
* setup oatslite (it has documentation and a sample config)
* generate a better lease (i.e. one that expires later), put it in oatslite's lease directory
* list your OATS server in /security/oats-server on the XO
* run olpc-update-query -v -v --force
* confirm that newer lease has been installed and system can still secure-boot

  Changed 4 years ago by Quozl

  • blocking 9858 removed

  Changed 4 years ago by Quozl

  • next_action changed from test in build to no action