[OpenBIOS] r588 - cpu/x86 cpu/x86/pc/olpc ofw/fs
svn at openbios.org
svn at openbios.org
Fri Aug 31 03:03:19 CEST 2007
Author: wmb
Date: 2007-08-31 03:03:19 +0200 (Fri, 31 Aug 2007)
New Revision: 588
Added:
cpu/x86/pc/olpc/lzip.fth
cpu/x86/pc/olpc/security.fth
Modified:
cpu/x86/call.fth
cpu/x86/pc/olpc/crypto.fth
cpu/x86/pc/olpc/fw.bth
cpu/x86/pc/olpc/linux.fth
cpu/x86/pc/olpc/loaddropins.fth
cpu/x86/pc/olpc/olpc.bth
ofw/fs/zipfs.fth
Log:
OLPC - First cut at secure booting.
Modified: cpu/x86/call.fth
===================================================================
--- cpu/x86/call.fth 2007-08-31 01:02:04 UTC (rev 587)
+++ cpu/x86/call.fth 2007-08-31 01:03:19 UTC (rev 588)
@@ -1,7 +1,7 @@
\ See license at end of file
purpose: From Forth, call the C subroutine whose address is on the stack
-code sp-call ( [ arg5 .. arg0 ] adr sp -- [ arg5 .. arg0 ] result )
+code sp-call ( [ arg7 .. arg0 ] adr sp -- [ arg5 .. arg0 ] result )
bx pop \ Get the new stack pointer
ax pop \ Get the subroutine address
@@ -9,7 +9,9 @@
rp 'user saved-rp mov \ Save for callbacks
sp bx xchg \ Switch to new SP, with EBX set to old SP
- 5 /n* [ebx] push \ Copy the arguments to the new stack
+ 7 /n* [ebx] push \ Copy the arguments to the new stack
+ 6 /n* [ebx] push
+ 5 /n* [ebx] push
4 /n* [ebx] push
3 /n* [ebx] push
2 /n* [ebx] push
Modified: cpu/x86/pc/olpc/crypto.fth
===================================================================
--- cpu/x86/pc/olpc/crypto.fth 2007-08-31 01:02:04 UTC (rev 587)
+++ cpu/x86/pc/olpc/crypto.fth 2007-08-31 01:03:19 UTC (rev 588)
@@ -2,9 +2,11 @@
\ See license at end of file
h# c0000 constant crypto-base \ The address the code is linked to run at
-h# c0000 constant hasher-base \ The address the code is linked to run at
+h# d0000 constant crypto-bss \ The address the code is linked to run at
+h# 10000 constant /crypto-bss
0 [if]
+h# c0000 constant hasher-base \ The address the code is linked to run at
variable hashlen
d# 128 buffer: hashbuf
@@ -20,21 +22,36 @@
;
[then]
-0 value hashname
+0 value crypto-loaded?
+: load-crypto ( -- error? )
+ crypto-loaded? if false exit then
+ " crypto" find-drop-in 0= if true exit then ( prog$ )
+ 2dup crypto-base swap move free-mem ( )
+ true to crypto-loaded?
+ false
+;
+
+h# 200 buffer: pubkey
+0 value /pubkey
+: load-key ( name$ -- error? )
+ find-drop-in 0= if true exit then ( key$ )
+ dup h# 200 > if free-mem true exit then ( key$ )
+ dup to /pubkey ( key$ )
+ 2dup pubkey swap move ( key$ )
+ free-mem
+ false
+;
+
: signature-bad? ( data$ sig$ hashname$ -- mismatch? )
- $cstr to hashname ( data$ sig$ )
- " crypto" find-drop-in 0= if 4drop true exit then ( data$ sig$ prog$ )
- 2dup crypto-base swap move free-mem ( data$ sig$ )
+ $cstr >r ( data$ sig$ r: 'hashname )
- " pubkey" find-drop-in 0= if 4drop true exit then ( data$ sig$ key$ )
- 2>r ( data$ sig$ r: key$ )
- swap 2swap swap ( siglen sigadr datalen dataadr r: key$ )
- 2r@ swap 2swap ( siglen sigadr keylen keyadr datalen dataadr r: key$ )
+ swap 2swap swap ( siglen sigadr datalen dataadr )
+ /pubkey pubkey 2swap ( siglen sigadr keylen keyadr datalen dataadr )
+ r> ( siglen sigadr keylen keyadr datalen dataadr 'hashname )
- hashname ( siglen sigadr keylen keyadr datalen dataadr hash r: key$ )
- crypto-base dup h# 10 - sp-call >r 3drop 4drop r> ( result r: key$ )
- 2r> free-mem
+ crypto-bss /crypto-bss erase
+ crypto-base dup h# 10 - sp-call >r 3drop 4drop r> ( result )
\ XXX free-mem in suspend.fth and fw.bth after find-drop-in
\ XXX clean out dead code in usb.fth
Modified: cpu/x86/pc/olpc/fw.bth
===================================================================
--- cpu/x86/pc/olpc/fw.bth 2007-08-31 01:02:04 UTC (rev 587)
+++ cpu/x86/pc/olpc/fw.bth 2007-08-31 01:03:19 UTC (rev 588)
@@ -335,6 +335,8 @@
fload ${BP}/cpu/x86/pc/olpc/nandstat.fth
\ fload ${BP}/cpu/x86/pc/olpc/carousel.fth \ Carouseled NAND writing
fload ${BP}/cpu/x86/pc/olpc/crypto.fth \ Cryptographic image validation
+fload ${BP}/cpu/x86/pc/olpc/lzip.fth \ Access zip images from memory
+fload ${BP}/cpu/x86/pc/olpc/security.fth
fload ${BP}/ofw/gui/ofpong.fth
[then]
@@ -542,7 +544,7 @@
;
: newrom
- " flash http:\\10.20.0.104\new.rom" eval
+ " flash http:\\10.20.0.14\new.rom" eval
\ " wifi media lab 802.11" eval
\ " flash http:\\18.85.46.172\new.rom" eval
;
Modified: cpu/x86/pc/olpc/linux.fth
===================================================================
--- cpu/x86/pc/olpc/linux.fth 2007-08-31 01:02:04 UTC (rev 587)
+++ cpu/x86/pc/olpc/linux.fth 2007-08-31 01:03:19 UTC (rev 588)
@@ -181,8 +181,8 @@
d# 256 buffer: ramdisk-buf
' ramdisk-buf " ramdisk" chosen-string
-: load-ramdisk ( -- )
- " ramdisk" eval dup 0= if 2drop exit then ( name$ )
+defer load-ramdisk
+: $load-ramdisk ( name$ -- )
0 to /ramdisk ( name$ )
['] load-path behavior >r ( name$ r: xt )
@@ -195,6 +195,11 @@
throw
loaded to /ramdisk to ramdisk-adr
;
+: cv-load-ramdisk ( -- )
+ " ramdisk" eval dup 0= if 2drop exit then ( name$ )
+ $load-ramdisk
+;
+' cv-load-ramdisk to load-ramdisk
: claim-params ( -- )
[ifdef] virtual-mode
Modified: cpu/x86/pc/olpc/loaddropins.fth
===================================================================
--- cpu/x86/pc/olpc/loaddropins.fth 2007-08-31 01:02:04 UTC (rev 587)
+++ cpu/x86/pc/olpc/loaddropins.fth 2007-08-31 01:03:19 UTC (rev 588)
@@ -38,7 +38,6 @@
" ${BP}/ofw/termemu/gallant.obf" " font" $add-deflated-dropin
-\ " /space/bios-crypto/bios_crypto.img" " crypto" $add-deflated-dropin
-\ " /space/bios-crypto/bios_hash.img" " hasher" $add-deflated-dropin
-\ " /space/bios-crypto/wmbtest256.public" " pubkey" $add-dropin \ Incompressible
-\ " /space/bios-crypto/usb8388.bin.sig256" " usb8388.sig" $add-dropin \ Incompressible
+ " crypto.img" " crypto" $add-deflated-dropin
+ " os.public" " oskey" $add-dropin \ Incompressible
+ " fw.public" " fwkey" $add-dropin \ Incompressible
Added: cpu/x86/pc/olpc/lzip.fth
===================================================================
--- cpu/x86/pc/olpc/lzip.fth (rev 0)
+++ cpu/x86/pc/olpc/lzip.fth 2007-08-31 01:03:19 UTC (rev 588)
@@ -0,0 +1,70 @@
+\ See license at end of file
+purpose: Package for treating the data at load-base as a device
+
+dev /
+new-device
+" lzip" device-name
+
+headerless
+0 instance value seek-ptr
+0 instance value image-size
+0 instance value base-adr
+
+headers
+external
+: seek ( d.offset -- status )
+ 0<> over image-size u> or if drop true exit then \ Seek offset too big
+ to seek-ptr
+ false
+;
+
+: open ( -- flag )
+ 0 to seek-ptr ( )
+ load-base to base-adr ( )
+ file-size @ to image-size ( )
+ my-args dup if ( adr len )
+ " zip-file-system" find-package 0= if ( adr len ph )
+ 2drop false exit
+ then ( adr len ph )
+ interpose
+ else ( adr len )
+ 2drop ( )
+ then ( )
+ true ( true )
+;
+: close ( -- ) ;
+: size ( -- d.size ) image-size 0 ;
+: read ( adr len -- actual )
+ seek-ptr + image-size min seek-ptr - ( adr len' )
+ tuck ( len adr len )
+ base-adr seek-ptr + -rot move ( len )
+ dup seek-ptr + to seek-ptr ( len )
+;
+\ Having a load method is pointless since the image is already at load-base
+
+finish-device
+device-end
+
+\ LICENSE_BEGIN
+\ Copyright (c) 2007 FirmWorks
+\
+\ Permission is hereby granted, free of charge, to any person obtaining
+\ a copy of this software and associated documentation files (the
+\ "Software"), to deal in the Software without restriction, including
+\ without limitation the rights to use, copy, modify, merge, publish,
+\ distribute, sublicense, and/or sell copies of the Software, and to
+\ permit persons to whom the Software is furnished to do so, subject to
+\ the following conditions:
+\
+\ The above copyright notice and this permission notice shall be
+\ included in all copies or substantial portions of the Software.
+\
+\ THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+\ EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+\ MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+\ NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+\ LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+\ OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+\ WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+\
+\ LICENSE_END
Modified: cpu/x86/pc/olpc/olpc.bth
===================================================================
--- cpu/x86/pc/olpc/olpc.bth 2007-08-31 01:02:04 UTC (rev 587)
+++ cpu/x86/pc/olpc/olpc.bth 2007-08-31 01:03:19 UTC (rev 588)
@@ -24,6 +24,7 @@
in: ${BP}/dev/olpc/cafecamera/build/cafecamera.fc
in: ${BP}/clients/memtest86/memtest
in: ec.img
+in: crypto.img
in: usb8388.bin
in: ${BP}/dev/pci/build/pcibridg.fc
Added: cpu/x86/pc/olpc/security.fth
===================================================================
--- cpu/x86/pc/olpc/security.fth (rev 0)
+++ cpu/x86/pc/olpc/security.fth 2007-08-31 01:03:19 UTC (rev 588)
@@ -0,0 +1,443 @@
+purpose: OLPC secure boot
+\ See license at end of file
+
+\ Specs at http://wiki.laptop.org/go/Firmware_Security
+
+: boot-device-list " disk sd nand" ;
+
+true value debug-security?
+: ?lease-debug ( msg$ -- )
+ debug-security? if type else 2drop then
+;
+: ?lease-debug-cr ( msg$2 -- )
+ debug-security? if type cr else 2drop then
+;
+
+: fail-load ( -- )
+ screen-ih stdout !
+ ." OS Load Failed" cr
+ quit
+ begin again
+;
+
+h# 20 buffer: cn-buf \ filename prefix - either "act" or "run"
+h# 20 buffer: fn-buf \ filename tail - either "os" or "rd"
+h# 100 buffer: pn-buf \ pathname - either "\boot" or "\boot-alt"
+h# 100 buffer: dn-buf \ device name
+
+\ These macro definitions make it easy to compose device specifier strings
+\ from the above name components.
+also macros definitions
+: FN fn-buf count ;
+: CN cn-buf count ;
+: DN dn-buf count ;
+: PN pn-buf count ;
+previous definitions
+
+d# 256 constant /sig
+/sig buffer: sig-buf
+
+: hex-decode ( hex$ -- true | sig$ false )
+ dup /sig 2* <> if
+ ( ." Bad signature length" cr )
+ 2drop true exit
+ then ( hex$ )
+ sig-buf -rot ( adr hex$ )
+ bounds ?do ( adr )
+ i 2 push-hex $number pop-base if ( adr )
+ 2drop true unloop exit
+ then ( adr n )
+ over c! 1+ ( adr' )
+ 2 +loop ( adr )
+ sig-buf tuck - false ( sig$ false )
+;
+
+: parse-sig ( sig01$ -- true | hashname$ sig$ false )
+ dup d# 89 < if 2drop true exit then
+ bl left-parse-string " sig01:" $= 0= if 2drop true exit then ( rem$ )
+ bl left-parse-string dup d# 6 <> if 4drop true exit then 2swap ( hash$ rem$ )
+ bl left-parse-string nip d# 64 <> if 4drop true exit then ( hash$ rem$ )
+ newline left-parse-string 2swap nip 0<> if 4drop true exit then ( hash$ data$ )
+ hex-decode if 2drop true else false then
+;
+
+: zip-extent ( name$ -- adr len )
+ expand$ open-dev ?dup 0= if " " exit then
+ >r
+ " offset" r@ $call-method load-base +
+ " size" r@ $call-method drop
+ r> close-dev
+;
+: sig$ ( -- adr len ) " /lzip:\data.sig" zip-extent ;
+: img$ ( -- adr len ) " /lzip:\data.img" zip-extent ;
+: bundle-name$ ( -- $ ) " ${DN}:${PN}\${CN}${FN}.zip" expand$ ;
+
+: bundle-present? ( -- flag )
+ bundle-name$
+ " Trying " ?lease-debug 2dup ?lease-debug-cr
+ ['] (boot-read) catch if 2drop false exit then
+ true
+;
+
+d# 32 buffer: hashname
+\ fn-buf and pn-buf must contain the base file name and path
+: valid? ( data$ sig$ -- okay? )
+ parse-sig if
+ ." Bad signature format in " bundle-name$ type cr
+ false exit
+ then ( data$ hashname$ sig$ )
+
+ \ Check for duplicate hashname attacks
+ 2swap 2dup hashname count $= if ( data$ sig$ hashname$ )
+ ." Duplicate hash name in " bundle-name$ type cr
+ 4drop false exit
+ then
+
+ d# 31 min hashname place ( data$ sig$ )
+
+ hashname count signature-bad? 0=
+;
+
+d# 2007 d# 12 * 8 1- + d# 31 * d# 27 + constant earliest
+0. 2value current-seconds
+
+\ This isn't an accurate calculation of seconds, but it
+\ is sufficient for comparison purposes so long as we
+\ use the same calculation in all cases. It is not good
+\ if we need to do arithmetic on dates.
+: get-date ( -- error? )
+ time&date ( s m h d m y )
+ d# 12 * swap 1- + ( s m h d m' ) \ Months start at 1
+ d# 31 * swap 1- + ( s m h d' ) \ Days start at 1
+ dup earliest < if ( s m h d' )
+ screen-ih stdout !
+ ." The clock is not set properly" cr
+ 4drop true exit
+ then ( s m h d' )
+ d# 24 * + ( s m h' )
+ d# 60 * + ( s m' ) \ Can't overflow so far
+ d# 60 um* ( s d.s' )
+ swap 0 d+ to current-seconds
+ false
+;
+
+: break$ ( $ n -- tail$ head$ )
+ dup >r /string ( tail$ )
+ over r@ - r> ( tail$ head$ )
+;
+
+0. 2value exp-seconds \ Accumulator for parsing data/time strings
+
+\ This is a factor used for parsing 2-digit fields from date/time strings.
+\ Radix is the number to scale the result by, i.e. one more than the maximum
+\ value of the field. Adjust is 0 for fields whose first valid value is 0
+\ (hours, minutes, seconds) or 1 for fields that start at 1 (month,day).
+: numfield ( exp$ adjust radix -- exp$' )
+ >r >r ( exp$ r: radix adjust )
+ 2 break$ $number throw ( exp$' num r: radix adjust )
+ r> - ( exp$ num' r: radix )
+ dup r@ u>= throw ( exp$ num r: radix )
+
+ \ No need to multiply the top half because it can only become nonzero
+ \ on the last call to scale-time
+ exp-seconds drop r> um* ( exp$ num d.seconds )
+ rot 0 d+ to exp-seconds ( exp$ )
+;
+
+: (expiration-to-seconds) ( expiration$ -- true | d.seconds false )
+ 4 break$ $number throw ( exp$' year )
+ dup d# 2999 u> throw ( exp$' year )
+ 0 to exp-seconds ( exp$' )
+
+ 1 d# 12 numfield ( exp$' ) \ Month
+ 1 d# 31 numfield ( exp$' ) \ Day
+
+ 1 break$ " T" $= 0= throw ( exp$' )
+
+ 0 d# 24 numfield ( exp$' ) \ Hour
+ 0 d# 60 numfield ( exp$' ) \ Minute
+ 0 d# 60 numfield ( exp$' ) \ Second
+
+ " Z" $= 0= throw ( )
+ exp-seconds
+;
+
+: expiration-to-seconds ( expiration$ -- true | d.seconds false )
+ push-decimal
+ ['] (expiration-to-seconds) catch ( x x true | d.seconds false )
+ pop-base
+ dup if nip nip then
+;
+
+: expired? ( expiration$ -- bad? )
+ expiration-to-seconds if true exit then
+ current-seconds d<
+;
+
+d# 1024 constant /sec-line-max
+/sec-line-max buffer: sec-line-buf
+
+\ Remove bogus null characters from the end of tags on old machines
+: ?-null ( adr len -- adr' len' )
+ dup if
+ 2dup + 1- c@ 0= if 1- then ( adr len' )
+ then
+;
+
+d# 65 buffer: machine-id-buf
+
+: get-my-sn ( -- error? )
+
+ " SN" find-tag 0= if true exit then ( adr len )
+ ?-null dup d# 11 <> if 2drop true exit then ( adr len )
+ machine-id-buf swap move
+
+ [char] : machine-id-buf d# 11 + c!
+
+ " U#" find-tag 0= if true exit then ( adr len )
+ ?-null dup d# 36 <> if 2drop true exit then ( adr len )
+ machine-id-buf d# 12 + swap move
+
+ [char] : machine-id-buf d# 48 + c!
+
+ false
+;
+: my-sn$ ( -- adr len ) machine-id-buf d# 11 ;
+
+: check-machine-signature ( sig$ expiration$ -- -1|1 )
+ 0 hashname c!
+ machine-id-buf d# 49 + swap move ( sig$ )
+ machine-id-buf d# 65 2swap valid? if 1 else -1 then
+;
+
+\ -1 means lease is for this machine and is invalid
+\ 1 means lease is for this machine and is valid
+\ 0 means lease is not for this machine
+: check-lease ( lease$ -- -1|0|1 )
+ bl left-parse-string " act01:" $= 0= if
+ " Not act01:" ?lease-debug-cr
+ 2drop -1 exit
+ then
+ bl left-parse-string ( rem$ serial$ )
+ my-sn$ $= 0= if ( rem$ )
+ " is for a different system" ?lease-debug-cr
+ 2drop 0 exit
+ then ( rem$ )
+ bl left-parse-string ( sig$ expiration$ )
+ dup d# 16 <> if ( sig$ expiration$ )
+ " has bad expiration format" ?lease-debug-cr
+ 4drop -1 exit
+ then ( sig$ expiration$ )
+ 2dup expired? if
+ " expired" ?lease-debug-cr
+ 4drop -1 exit
+ then ( sig$ expiration$ )
+ check-machine-signature ( -1|1 )
+
+ dup 0< if
+ " has bad signature" ?lease-debug-cr
+ else
+ " valid" ?lease-debug-cr
+ then
+;
+
+: lease-valid? ( -- flag )
+ " ${DN}:\security\lease.sig" expand$ ( name$ )
+ " Trying " ?lease-debug 2dup ?lease-debug-cr
+ r/o open-file if drop false exit then ( ih )
+ >r ( r: ih )
+ " Lease " ?lease-debug ( r: ih )
+ begin
+ sec-line-buf /sec-line-max r@ read-line if ( actual -eof? )
+ 2drop r> close-file drop false exit
+ then ( actual -eof? )
+ while ( actual )
+ sec-line-buf swap check-lease case ( -1|0|1 )
+ 1 of r> close-file drop true exit endof
+ -1 of r> close-file drop false exit endof
+ endcase
+ repeat
+ r> close-file drop false
+;
+
+: ?leased ( -- )
+ lease-valid? if " run" else " act" then cn-buf place
+;
+
+: olpc-load-image ( list$ pathname$ -- okay? )
+ pn-buf place ( list$ )
+ begin dup while ( list$ )
+ bl left-parse-string ( list$ devname$ )
+ dn-buf place ( list$' )
+ ?leased ( list$ )
+ bundle-present? if ( list$ )
+ " OS found - " ?lease-debug
+ 0 hashname c!
+ img$ sig$ valid? if
+ " Signature valid" ?lease-debug-cr
+ img$ tuck load-base swap move !load-size
+ 2drop true exit
+ else
+ " Signature invalid" ?lease-debug-cr
+ then
+ then ( list$ )
+ repeat ( list$ )
+ 2drop false
+;
+
+: secure-load ( -- okay? )
+ load-crypto if ( )
+ ." Can't get crypt code" cr ( )
+ false exit
+ then ( )
+
+ get-my-sn if false exit then
+ get-date if false exit then
+
+ " oskey" load-key if ( )
+ ." Can't find OS public key" cr ( )
+ false exit
+ then ( )
+
+ " os" fn-buf place
+
+ boot-device-list " \boot" olpc-load-image if true exit then
+ " nand" " \boot-alt" olpc-load-image if true exit then
+ false
+;
+
+\ Call this after the kernel has already been moved away from load-base
+\ We assume that pn-buf already has the path prefix string
+: secure-load-ramdisk ( -- )
+\ Bad idea, because the cmdline would need to be signed too
+\ " /lzip:\cmdline" zip-extent to cmdline
+
+ " rd" fn-buf place
+ bundle-present? if
+ " RD found - " ?lease-debug
+ 0 hashname c!
+ img$ sig$ valid? if
+ " Signature valid" ?lease-debug-cr
+ " /lzip:\data.img" $load-ramdisk exit
+ else
+ " Signature invalid" ?lease-debug-cr
+ fail-load
+ then
+ then
+;
+
+: check-devel-key ( adr len -- -1|0|1 )
+ bl left-parse-string " dev01:" $= 0= if 2drop -1 exit then ( rem$ )
+ bl left-parse-string ( rem$ serial$ )
+ my-sn$ $= 0= if 2drop 0 exit then ( rem$ )
+
+ " 00000000T000000Z" check-machine-signature
+;
+
+: has-developer-key? ( -- flag )
+ " ${DN}:\security\develop.sig" expand$ ( name$ )
+ r/o open-file if drop false exit then ( ih )
+ >r
+ begin
+ sec-line-buf /sec-line-max r@ read-line if ( actual -eof? )
+ 2drop r> close-file drop false exit
+ then ( actual -eof? )
+ while ( actual )
+ sec-line-buf swap check-devel-key case ( -1|0|1 )
+ 1 of r> close-file drop true exit endof
+ -1 of r> close-file drop false exit endof
+ endcase
+ repeat
+ r> close-file drop false
+;
+
+: developer-device-list " disk sd nand" ;
+
+: developer? ( -- flag )
+ get-my-sn if false exit then
+
+ load-crypto if ( )
+ ." Can't get crypt code" cr ( )
+ false exit
+ then ( )
+
+ " fwkey" load-key if ( )
+ ." Can't find firmware public key" cr ( )
+ false exit
+ then ( )
+
+ developer-device-list
+ begin dup while ( list$ )
+ bl left-parse-string dn-buf place ( list$' )
+ has-developer-key? if ( list$' )
+ 2drop true exit
+ then ( list$ )
+ repeat ( list$ )
+ 2drop false
+;
+
+: do-secure-boot ( -- )
+ debug-security? if screen-ih stdout ! then
+ ['] secure-load-ramdisk to load-ramdisk
+ secure-load 0= if fail-load then
+ loaded sync-cache " init-program" $find if execute else 2drop then
+ go
+;
+
+: wp? ( -- flag ) " wp" find-tag dup if nip nip then ;
+
+: secure-boot ( -- ) wp? if do-secure-boot else boot then ;
+" secure-boot" ' boot-command set-config-string-default
+
+\ For dn in boot-device-list
+\ if
+
+fexit
+
+Firmware security use cases:
+
+a) load image signing:
+
+Package: {run,act}{os,rd}.zip
+Expiration: none
+Signed object: OS or RD image file in .zip file
+Signature: sha256_rsa256.sig in .zip file
+Verification Algorithm: sha256 -> rsa256
+Verification Key: OLPC-run-public-key
+
+Rule: Don't run the image if the signature fails
+
+b) Firmware update key
+
+Package: /boot/bootfw.zip
+Expiration: none (but should be versioned to avoid repeated updates)
+Signed object: image in .zip file
+Signature1: sha255.rsa in .zip file
+Signature2: whirl.rsa in .zip file
+Verification Algorithm: sha256 -> rsa256, whirlpool -> rsa256
+Verification Key: OLPC-fw-public-key
+
+Rule: If the developer key is valid, enter unlocked firmware state
+
+c) Developer key
+
+Package: /security/develop.key
+Expiration: none
+Signed object: <serial#>:<uuid>:00000000T000000Z (representing the machine)
+Signature: rsa256 data in sig01 line
+Verification Algorithm: rsa256
+Verification Key: OLPC-devel-public-key
+
+Rule: If the developer key is valid, enter unlocked firmware state
+
+d) Activation lease
+
+Package: /security/lease
+Expiration: Yes - time on signature line
+Signed object: <serial#>:<uuid>:<expiration time> (representing the machine)
+Signature: rsa256 data in sig01 line
+Verification Algorithm: rsa256
+Verification Key: OLPC-act-public-key
+
+Rule: If the lease is invalid, invoke act{os,rd}.zip instead of run{os,rd}.zip
+
Modified: ofw/fs/zipfs.fth
===================================================================
--- ofw/fs/zipfs.fth 2007-08-31 01:02:04 UTC (rev 587)
+++ ofw/fs/zipfs.fth 2007-08-31 01:03:19 UTC (rev 588)
@@ -5,7 +5,10 @@
0 instance value base-adr
0 instance value image-size
0 instance value seek-ptr
+external
+\ Expose for the OLPC security scheme
0 instance value offset
+headerless
: clip-size ( adr len -- adr len' )
seek-ptr + image-size umin seek-ptr -
More information about the OpenBIOS
mailing list