Talk:Maemo security

(Will community extensions to the kernel (modules) be permitted in Open/Closed modes?)
(Can network operators restrict you switching to Open mode?)
Line 37: Line 37:
-
Elena Reshetova: If device is SIM-locked (slide 5 of the presentation), you aren't allowed to use your own kernel. The only kernel, which will be allowed, is the kernel, which is shipped with the device, when you buy it from the operator. The reasons for this are simple, and I hope understandable: if we allowed to change the kernel, we can't be sure about security of the SIM-lock. Moreover, it is your choice to buy the device from the operator or from Nokia stores.
+
Elena Reshetova: If the device is SIM-locked, operator can restrict you to the usage of one particular kernel (slide 5), for example the one, which was shipped with a device. However, it is up to you to decide to buy the device from the operator or form the Nokia store.
===How granular is the encryption?===
===How granular is the encryption?===
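Review bot: the added line has a typo, "form the Nokia store" should read "from the Nokia store", and "operator can restrict you" is missing its article ("the operator"). The revision also drops the removed line's stated reason for the restriction (that allowing a changed kernel would leave the security of the SIM-lock unverifiable); if that rationale still applies, keep one sentence for it so readers can see why the kernel is pinned on SIM-locked devices.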

Revision as of 08:43, 15 October 2009

Suggested questions:

Is there a diagram showing the security framework and components?

There were some diagrams in the presentation - can we see them?


Elena Reshetova: The presentation was uploaded, and currently it is the only information, which I can share.

What is "Open Mode" and can it be revoked remotely?

Is that the right terminology? Essentially can Nokia reach out to the 2nd stage bootloader and tell it to stop running unsigned kernels. Maybe this should be 2 questions.

What does closed mode restrict you from doing?

  • Terminal?
  • Root?
    • If the Aegis AC is used for the protected storage then root is probably disabled.
    • I don't think this Aegis has anything to do with Maemo

Elena Reshetova: We don't have any connection to the Aegis Project, mentioned above. This is a collision of names, I am sorry about it. In general "closed" mode has its own security policy, which the user won't be able to change.

  • Cellular is marked as a protected resource in the slide. Can one still use it (phone, data, sms etc.) while running in open mode? While running a rebuilt kernel?

Elena Reshetova: If you use your own kernel, you are the one to set the security policy for the device, meaning that your SW in this case can make calls, send sms and so on (for example). Please note that the list of protected resources on the slide is given just as example (to show the possible granularity level), so it doesn't mean that we would have exactly these resources.

How easy is it to switch between Open and Closed modes?

Is it so trivial that you would want to and be able to do it several times a day and on the go (without restart)?

Elena Reshetova: I should be able to tell the exact procedure in the future, but for now I can say that it won't be so trivial (like press the GUI button :-)), and the restart is needed. The checks for the SW image are done by the Loader, and during the boot time, so you do need to restart.

Can network operators restrict you switching to Open mode?

Like if a device is sim-locked to a particular network, does the device get locked down in closed DRM mode only too? Can you always switch to open mode?


Elena Reshetova: If the device is SIM-locked, the operator can restrict you to the usage of one particular kernel (slide 5), for example the one which was shipped with the device. However, it is up to you to decide to buy the device from the operator or from the Nokia store.

How granular is the encryption?

If my app creates content in the closed mode can I see it in open mode?


Elena Reshetova: If your application uses the Protected Storage for encryption (slide 8) in the initial mode, then after you switch to another mode, the application won't be able to get the decrypted data. If your application just stores the data in the filesystem, after switching to your own kernel, you will be able to access the data (because they are just plain files in the filesystem).

Can open applications use the privilege mechanisms in the Open and Closed modes?

Elena Reshetova: I guess the question is "Can the applications access protected resources in both modes?" I hope I got the question correctly. The answer is that the Device Security Policy (slide 7) defines the resources that can potentially be granted to the SW coming from a particular SW source. When one uses the Nokia signed kernel, the device security policy is defined, and the user can't change it. If one uses one's own kernel (or a community kernel, for example), he (or the community) is the one to define/change the device policy. This means that one can, for example, change the policy in such a way that the SW coming from maemo.org gets access to all protected resources (of course some content becomes unavailable when one switches to one's own kernel, for example DRM). However, again, it is possible only while using your own kernel.

Can open applications use the DRM encryption mechanisms in the Open and Closed modes?

I can see that this could be useful. Maybe.

Will community extensions to the kernel (modules) be permitted in Open/Closed modes?

I can't see how - which leads to the question: How do community 'enhancements' to the kernel get adopted?

Elena Reshetova: In the "Open" mode any changes of the kernel are allowed. Regarding the "closed" mode, unfortunately I am not the right person to answer this question.

Is there any GPLv3 software impacted?

Please have a license discussion somewhere and let us know when you have consensus. What is Nokia's position? Peter made a statement at the talk - can someone transcribe it and/or get Nokia to clarify.

What exactly is available to the end user?

  • storage encryption ?
  • PIM data encryption ?
  • encrypted/signed communications (phone, sms/mms, mails, IM) ?

How does closed mode affect on-device debugging?

For example, will ptrace(2) still work (eg gdb, strace & ltrace)? Will we be able to produce code dumps?

Will DRM-free data and DRM-free applications be accessible from both modes once they're installed/created in either of the two modes?

E.g.: I start in DRM-mode, install DRM-free applications from Extras, take 3 pictures, add some contacts. Then I switch to DRM-free mode: Will I be able to run the applications installed in DRM-free mode, view and edit my contacts and view and edit my own pictures? (And the other way round, of course, starting from DRM-free mode and switching to DRM afterwards.)

What is open mode good for at all?

Provided you don't consume digitally restricted media and don't purchase applications that in any way rely on DRM: You don't need DRM-mode then, but on the other hand why would you want DRM-free mode? What is it you cannot do in DRM-mode in such a scenario? Use case?

What is ARM's TrustZone?

The official ARM TrustZone page: http://www.arm.com/products/security/trustzone/index.html

Can the Trusted Execution Environment (TrEE) be used as a kill switch for the device even if it runs in open mode?

Maintaining the discussion

On the talk.maemo.org thread, I suggest that end-users are kept at arm's length from this page and we use it as a proper communication mechanism between the community and Elena et al. --Jaffa 10:43, 13 October 2009 (UTC)

More discussion in the #maemo chat which was going on concurrently with the talk and a few flickr photos. --Jaffa 11:20, 13 October 2009 (UTC)