On Wed, Jul 7, 2010 at 4:01 PM, C. Scott Ananian <csc...@laptop.org> wrote:
> * Updating exactly every hour is vulnerable to an attacker who
> arranges to remove the battery from the machine exactly 55 minutes
> after power on, every time. This is still quite awkward, but to avoid
> even this attack, the EC can pseudo-randomly decide exactly when to
> update the EC based on a random seed passed in from OFW from the
> Geode's HWRNG, with an *average* interval of an hour. We probably
> don't have to perform this extra trickery if we just shorten the
> interval to 6 minutes or so, but that means that the EC's EEPROM will
> wear out at the end of the 5 year service life of the machine. We can
> probably detect this condition (EEPROM no longer writes reliably) and
> just disable passive kill security at this point, though, which might
> be nice for freedom-loving reasons.
2010 thoughts: I like the idea of pseudo-random updates. Having a uniform 1/60 probability of update every minute makes powering off as a circumvention mechanism pointless, while reducing EEPROM writes. A very simple linear feedback shift register for generating pseudo-random bits would be sufficient, since the inputs and outputs of the system are hidden.
  --scott

-- 
 ( http://cscott.net/ )
_______________________________________________
Devel mailing list
Devel@lists.laptop.org
http://lists.laptop.org/listinfo/devel
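The scheduling scheme the thread describes (a per-minute coin flip with probability about 1/60, driven by a small LFSR seeded from the Geode HWRNG at boot), simulated on a host machine as an added example. This is not code from the OLPC EC firmware; the LFSR tap mask, the acceptance threshold, the xorshift stand-in for the HWRNG seed and the session simulation are all assumptions made here for illustration.

```c
/* Added example: randomized EC update scheduler, simulated on the host.
 * Not OLPC EC firmware code; LFSR taps, threshold, the stand-in HWRNG and the
 * simulation framing are assumptions made for this illustration. */
#include <stdint.h>
#include <stdio.h>

/* 16-bit Galois LFSR with a maximal-length feedback polynomial
 * (x^16 + x^14 + x^13 + x^11 + 1, tap mask 0xB400): it visits all 65535
 * non-zero states before repeating. Zero is a fixed point, so a zero seed
 * is replaced with an arbitrary non-zero one. */
typedef struct { uint16_t state; } lfsr16_t;

static void lfsr16_seed(lfsr16_t *g, uint16_t seed) {
    g->state = seed ? seed : 0xACE1u;
}

static uint16_t lfsr16_clock(lfsr16_t *g) {
    uint16_t lsb = g->state & 1u;
    g->state >>= 1;
    if (lsb) g->state ^= 0xB400u;
    return g->state;
}

/* One draw per minute: clock 16 times so every bit of the previous draw has
 * been shifted out and mixed through the feedback before the next decision.
 * Since gcd(16, 65535) == 1, consecutive draws still walk the whole cycle. */
static uint16_t lfsr16_draw(lfsr16_t *g) {
    for (int i = 0; i < 16; i++) lfsr16_clock(g);
    return g->state;
}

#define MINUTES_PER_UPDATE 60u
/* Accept draws 1..1092 out of the 65535 possible non-zero values: an update
 * probability of 1092/65535, i.e. an average interval of 60.01 minutes.
 * (A 6-minute average, as the thread also considers, would be 65535/6.) */
#define ACCEPT_BELOW 1093u

int should_update_this_minute(lfsr16_t *g) {
    return lfsr16_draw(g) < ACCEPT_BELOW;
}

/* Simulate `minutes` of continuous uptime from one seed; count the updates.
 * Over exactly one LFSR period (65535 minutes) every non-zero state is drawn
 * once, so the count is 1092 whatever the seed. */
uint32_t count_updates(uint16_t seed, uint32_t minutes) {
    lfsr16_t g;
    lfsr16_seed(&g, seed);
    uint32_t n = 0;
    for (uint32_t m = 0; m < minutes; m++)
        if (should_update_this_minute(&g)) n++;
    return n;
}

/* Stand-in for the HWRNG seed that OFW hands the EC at boot (assumption: a
 * 32-bit xorshift, so the host simulation is reproducible). */
static uint32_t fake_hwrng_state = 0x12345678u;
static uint16_t fake_hwrng(void) {
    uint32_t x = fake_hwrng_state;
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    fake_hwrng_state = x;
    return (uint16_t)(x >> 16);
}

/* Fraction of power-on sessions lasting `uptime` minutes that perform at
 * least one update. fixed=1 models "update at exactly the 60th minute";
 * fixed=0 models the per-minute coin flip, reseeded at every boot. */
double session_update_fraction(int fixed, uint32_t uptime, uint32_t sessions) {
    uint32_t hit = 0;
    for (uint32_t s = 0; s < sessions; s++) {
        lfsr16_t g;
        lfsr16_seed(&g, fake_hwrng());
        for (uint32_t m = 1; m <= uptime; m++) {
            int upd = fixed ? (m % MINUTES_PER_UPDATE == 0)
                            : should_update_this_minute(&g);
            if (upd) { hit++; break; }
        }
    }
    return (double)hit / sessions;
}

int main(void) {
    uint32_t n = count_updates(0x1234u, 65535u);
    printf("updates over one full LFSR period: %u of 65535 minutes "
           "(mean interval %.2f min)\n", n, 65535.0 / n);
    printf("55-minute sessions with an update, fixed hourly schedule: %.3f\n",
           session_update_fraction(1, 55u, 2000u));
    printf("55-minute sessions with an update, randomized schedule:   %.3f\n",
           session_update_fraction(0, 55u, 2000u));
    return 0;
}
```

The fixed schedule never writes during a 55-minute session, so the EEPROM wear budget stays unspent but the update is trivially skipped; with the coin flip, a 55-minute session still updates with probability about 1 - (59/60)^55, roughly 0.6, and no state has to survive the power cycle for that to hold, which is what makes the seed-at-boot design workable.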