[onerng talk] install & access

ianG iang at iang.org
Wed Nov 5 20:09:34 GMT 2014


On 5/11/2014 19:14 pm, Jim Cheetham wrote:
> On Nov 6, 2014 7:10 AM, "Paul Campbell" <paul at taniwha.com> wrote:
>> On Wed, 05 Nov 2014 13:00:50 ianG wrote:
>>> I'm assuming here that any flashing
>>> will require the new package to be signed by a key bedded into to the
>>> non-flashable code?
> 
> At this stage there is no embedded key, no "non-flashable" storage,


This was where I was on the wrong path!


> therefore integrity checking needs you to check the signature of the full
> content of the flash storage itself, offline (i.e in the host OS startup
> scripts)


Right, so now I see what is happening -- the host startup script has to
read off the flash and check it for sig against a local key.

> Adding such extra storage would increase the system complexity, not
> something we're doing at this stage. If we do it later, we need to consider
> how the owner of the device will be able to inspect the storage to make
> sure it is correct and that there's no other data in there ... which
> probably wouldn't be easy especially if they couldn't trust the firmware to
> check for them.


Yeah, I can see where this is going.

> Mind you, I can see a 64-bit key *physically* encoded as a row of DIP
> switches, or jumpers ... that might be cool, very unwieldy though.


Well.  At that stage I'd say just burn the code deep in ROM, and take
out the firmware.  If you need to upgrade, buy a new one.  If an
attacker can attack yours ... then you have bigger problems.

But for now, try not to let the perfect be the enemy of the good.


iang



More information about the Discuss mailing list