please don't switch to kexec (was Re: R70/R71 on debug v3 board ?)

Andy Green andy at openmoko.com
Mon Feb 11 12:36:27 CET 2008


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Somebody in the thread at some point said:
> On Mon, Feb 11, 2008 at 10:01:49AM +0000, Andy Green wrote:
>>> Anything that can be done in software is not a sufficient level of
>>> protection.  We want to reliably claim that this nor flash is read-only,
>>> and that users can always recover, no matter what they do on the
>>> software side.
>> How about if it doesn't ship with flash_unlock?
> 
> no. it's still very easily possible for malicious code to circumvent that.

Well, if it can get in the phone and run as root, yes.

>>> In fact, the NOR flash is only for users who don't have a debug board.
>>> Users that have a debug board can always recover via jtag.  So making
>>> this dependent on the debug board is a perfect solution.
>> I can see the logic, but I can also see it puts us in a unique position
>> with it for the next couple of weeks until RTM, we're not going to be
>> able to generally update whatever it is we put in there subsequently.
> 
> Well, that is the whole point :)  the nor u-boot must be finished for
> emergency boots before shipping the product.

It seems Werner has that much working, so that end of the existing plan
is okay.

>> That's annoying because it seems soon we will discard U-Boot and move to
>> using a kexec-ed kernel directly (thus getting out of this crazy system
>> of implementing things twice once for kernel and once for U-Boot).  And
>> we have 2MByte NOR there that can do this.
> 
> I know werner has been wanting to do that for a long time.  But this
> really sucks.  Do you realize that you are just scrapping the ability to 
> boot any different OS on the device?

No I don't think so -- Linux can just be a large U-Boot for these
purposes, like Two Kernel Monte:

http://sourceforge.net/projects/monte/

> It's supposed to be an open device.  Open not only in a way that you can
> write your own apps, but open also in the way that you can hack the OS.
> That you can in fact replace the OS, and run e.g. the (for GTA01
> existing) NetBSD port.  There might be more 
...
> Do you really believe this is the right step for an _open_ device?

I believe that U-Boot is just a broken down Linux, so logically if we
use the full-strength original actual Linux we can do a *superset* of
what was possible with U-Boot, including acting as a bootloader for BSD
or whatever.  There's nothing especially smelly about Linux for this
purpose (except footprint, but we have the space) that can't be said
about U-Boot the same.  It's just U-Boot modestly says it is a
"bootloader" and Linux says it is an "operating system".

>> We can recover a bricked device with the debug board, it seems to me we
>> take so much care avoiding the one scenario we create a problem along
>> with definitively fixing the possibility of corruption and that has to
>> be balanced.
> 
> _we_ can.  We are the 'elite' who has those boards. In the future, 99.9%
> of all users will not have a debug board.  What is the RMA strategy for
> people who accidentially bricked their devices?  Where are the OpenMoko
> support centers in every major country that can do such a thing after
> sending in the device (without having to care about customs and
> excessive intercontinental shipping fees, ...)?  Who is going yo pay for
> it?

If the problem we're trying to solve is evil haxxors, then I guess we
should keep the hardware gating for NOR write: it truly limits what can
be done... otherwise we should allow NOR upgrades because it's hard
enough to brick already.

- -Andy
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iD8DBQFHsDM7OjLpvpq7dMoRAn6NAJ9yi+id44YUwRoqLNbMHEUX6gDRtACfaooR
pohsuegyo5Lst1Jub/HotEM=
=4YWY
-----END PGP SIGNATURE-----




More information about the openmoko-kernel mailing list