[PATCH] Adding password protection to U-boot

Roland Häder roland at mxchange.org
Tue Jun 10 19:11:25 CEST 2008


Hi,

I'm a non-C# hacker but you ask me for comments:

> - Password stored as SHA256 non-salted hash and written in the env
> var. partition (a salting method can be added afterwards)
You should really add a salting method to your patch. :) Brute-force attacks 
can easily be done on the SHA256 hash if no salt is given. Salts do not make 
it impossible to "crack the password" but slow it down depending on the 
length of the salt. So a salt shall be:

- Pseudo-random characters at least (real random is only possible in 
Lotto. ;) )
- Variable length (I don't want to make suggestions here, maybe 10 chars are 
fine? Or 20? How much space do we have left for this?)

> - If the password is set, user is prompted for a password after a
> serial connection is established
Nicely done. :) Keeps some bad guys busy for a long time if your smartphone 
falls into the wrong hands.

> - If the device is locked down, a DFU flashing attempt will produce an
> on-screen error on the Neo
Well done, again. :)

> - uncomment _USE_PASSWORD in password.h to activate this patch
Okay, this does not go to me, because I use the MokoMakefile to (try to) build 
the images.

Roland

PS: BTW, what is the status of my ticket regarding the broken libxsettings 
package?

-- 
(GNU) PGP ID: 0x4D385570
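
Added example, not part of the original message or of the patch under discussion: a sketch of the salted variant of the stored SHA256 value, showing that two devices with the same password then hold different records, and how much room the record takes in an environment variable. The "salt$hash" layout, the 16-byte salt length and all function names are assumptions made for this illustration, and Python is used only so the sketch runs on a host.

```python
import hashlib
import hmac
import os
from typing import Optional

SALT_LEN = 16  # assumed salt size in bytes (32 hex characters when stored)


def unsalted(password: str) -> str:
    """The scheme described in the quoted patch notes: plain SHA256."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def make_record(password: str, salt: Optional[bytes] = None) -> str:
    """Build a hypothetical 'salt_hex$hash_hex' value for one env variable."""
    if salt is None:
        salt = os.urandom(SALT_LEN)  # fresh random salt per device
    digest = hashlib.sha256(salt + password.encode("utf-8")).hexdigest()
    return salt.hex() + "$" + digest


def check_password(record: str, attempt: str) -> bool:
    """Recompute the hash with the stored salt; compare in constant time."""
    try:
        salt_hex, stored = record.split("$", 1)
        salt = bytes.fromhex(salt_hex)
    except ValueError:
        return False  # malformed record: fail closed
    candidate = hashlib.sha256(salt + attempt.encode("utf-8")).hexdigest()
    return hmac.compare_digest(candidate.encode(), stored.encode("utf-8"))


if __name__ == "__main__":
    pw = "constructed-sample-password"  # constructed sample input
    # Without a salt, every device with this password stores the same value,
    # so one precomputed table or one cracked hash serves all of them.
    print("unsalted A:", unsalted(pw))
    print("unsalted B:", unsalted(pw))
    # With a salt, the stored values differ although the password is equal.
    rec_a, rec_b = make_record(pw), make_record(pw)
    print("salted A:  ", rec_a)
    print("salted B:  ", rec_b)
    print("record length:", len(rec_a), "characters")
    print("correct password accepted:", check_password(rec_a, pw))
    print("wrong password accepted:  ", check_password(rec_a, "guess"))
```

With these assumed sizes the stored value is 97 characters: 32 for the salt, one separator and 64 for the hash.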