[PATCH] Adding password protection to U-boot
Roland Häder
roland at mxchange.org
Tue Jun 10 19:11:25 CEST 2008
Hi,
I'm a non-C# hacker but you ask me for comments:
> - Password stored as SHA256 non-salted hash and written in the env
> var. partition (a salting method can be added afterwards)
You should really add a salting method to your patch. :) Brute-force attacks
can easily be done on the SHA256 hash if no salt is given. Salts do not make it
impossible to "crack the password" but slow it down depending on the
length of the salt. So a salt shall be:
- Pseudo-random characters at least (real-random is only possible in
Lotto. ;) )
- Variable length (I don't want to make suggestions here, maybe 10 chars are
fine? Or 20? How much space do we have left for this?)
> - If the password is set, user is prompted for a password after a
> serial connection is established
Nicely done. :) Keeps some bad guys busy for a long time if your smartphone
falls into the wrong hands.
> - If the device is locked down, a DFU flashing attempt will produce an
> on-screen error on the Neo
Well done, again. :)
> - uncomment _USE_PASSWORD in password.h to activate this patch
Okay, this does not go to me. Because I use the MokoMakefile to (try to) build
the images.
Roland
PS: BTW, what is the status of my ticket regarding the broken libxsettings
package?
--
(GNU) PGP ID: 0x4D385570
More information about the openmoko-devel
mailing list