Talk:Maemo security

A wiki is probably the best tool we have but it's not perfect. To make it work better please sign your comments and try to maintain some structure.

Putting three ~ and a : at the start of a new comment sounds sane if you have an account; otherwise some identifier would be polite.

Suggested questions:

Contents

What is "Open Mode" and can it be revoked remotely?

lbt Essentially can Nokia reach out the the 2nd stage bootloader and tell it to stop running unsigned kernels. Maybe this should be 2 questions.

--elena_r 08:37, 28 October 2009 (UTC):

Short answer: "Open mode" allows for a user/developer to have their own security policy on a device. This means that a user/developer can change the kernel and the important system components in the way he wants/needs. This mode can't be revoked remotely.
More detailed answer: Let me explain the modes a bit more that there are no confusions. Sorry, if I would be too academic or a bit too high-level, but it is the best way to explain things at the moment, as soon as we can't fully share the details now (work is still in progress).
About the first mode (it got the name "close mode", but it sounds too strong, so let's call it "normal mode"at the moment, before we have the final names): The device is called to be in the "normal mode", if it has booted the Nokia signed SW Image. This includes the kernel, rootfs, and important system components, which are part of our Trusted Computing Base. The examples of such components are drivers, applications like Application manager (input gate for the SW on the platform) and many others.
If any of such components is modified (not via system update), the device is in the "open mode". The checks for the components signature are done during the boot process (see presentation), so the current assumption that in order to change the mode, the reboot is needed. Moreover, in order to get back to the "normal mode" from the "open mode", one has to get all components back that the Nokia signature check is successful. The details of the procedure should be available later.

Can open applications use the DRM encryption mechanisms in the Open and Closed modes?

lbt I can see that this could be useful. Maybe.


Is there any GPLv3 software impacted?

lbt this is @ community: Please have a license discussion somewhere and let us know when you have consensus.

lbt What is Nokias position? Peter made a statement at the talk - can someone transcribe it and/or get Nokia to clarify.

What exactly is available to the end user?

  • storage encryption ?
  • PIM data encryption ?
  • encrypted/signed communications (phone, sms/mms, mails, IM) ?

How does closed mode affect on-device debugging?

lma For example, will ptrace(2) still work (eg gdb, strace & ltrace)? Will we be able to produce code dumps?

Will DRM-free data and DRM-free applications be accessible from both modes once they're installed/created in either of the two modes?

E.g.: I start in DRM-mode, install DRM-free applications from Extras, take 3 pictures, add some contacts. Then I switch to DRM-free mode: Will I be able to run the applications installed in DRM-free mode, view and edit my contacts and view and edit my own pictures? (And the other way round, of course, starting from DRM-free mode and switching to DRM afterwards.)

What is open mode good for at all?

Provided you don't consume digitally restricted media and don't purchase applications that in any way rely on DRM: You don't need DRM-mode then, but on the other hand why would you want DRM-free mode? What is it you cannot do in DRM-mode in such a scenario? Use case?

What is ARM's TrustZone?

The official ARM TrustZone page: http://www.arm.com/products/security/trustzone/index.html

Can the Trusted Execution Environment (TrEE) be used as a kill switch for the device even if it runs in open mode?

Will a SIM-locked device with a contract become unlocked at the end of the contract?

lbt It seems very reasonable to allow the phone to be locked for the duration if that is part of the carrier's contract. After that it should be able to access 'open' mode. Will this be possible? How?

Corsac: In France for example, it's free (and mandatory) for carriers to accept sim-unlock after 6 months. It may be done before with some fee.

Would Nokia be prepared to have Bruce Schneier and co review the security architecture?

lbt a review by a respected external expert like Bruce would be very beneficial to both parties.

Will a TPM chip be added?

r-r: Could it serve other security purpose then in Open mode? Corsac: afaik, TPM is x86 only. But that's the purpose of ARM TrustZone. And we already asked the question, see above.

How are important upgrades handled?

r-r: Do they require to sign a whole new system image?


Maintaining the discussion

On the talk.maemo.org thread, I suggest that end-users are kept at arms' length from this page and we use it as a proper communication mechanism between the community and Elena et al. --Jaffa 10:43, 13 October 2009 (UTC)

More discussion in the #maemo chat which was going on concurrently with the talk and a few flickr photos. --Jaffa 11:20, 13 October 2009 (UTC)


Proposed Structure

User FAQ

Community answers to common FAQs based on the technical answers below

  • Can I switch modes


Security Functionality (What can be done)

  • Privilege
  • DRM

Security Framework and Flow (How is it done)

  • boot
    • bootROM
    • Loader
      • simlock issues?
    • kernel
  • Runtime
    • Privilege Management
      • Ovi/Maemo
    • Encryption

Interoperability

  • Key backup/transfer

Customisation (Eg Enterprise, Partner)

  •  ??