On Wed, 2006-08-30 at 14:56 -0400, Jonathan S. Shapiro wrote:

> I am not aware of any general-purpose computer that is "designed to deny
> *owners* access to install or run modified versions of the software
> inside them". Perhaps some are being developed. This description
> certainly does not fit the TCPM-based technology that is being
> implemented in PC's.
Full disclosure: I *am* aware of at least one open source vendor that *will* design a device that will deny this access to owners: The EROS Group, LLC. The device is a surgical instrument. To ensure the safety of patients, the ability to revise the device firmware is restricted. While a hospital may own the device, the hospital is not competent to rebuild the firmware or to certify it. Setting this aside, there is an obvious safety problem with any firmware replacement that might be installed through error or mistake. For both reasons, it is appropriate to restrict the update process in a way that helps to ensure that the certification process has been run properly on the update. This is a case where the interests of the patient clearly override the interests of the owner. While it will run open source code, this device is not (and should not be) an open device.

We are also designing a broader range of devices where the TC-equivalent boot firmware will not be replaceable unless the OS is trusted. The owner of this device would be able to install any OS they want, but an OS that has not been signed by us will not be able to replace the secure boot firmware. This does not stop the foreign OS from running, but it *does* prevent the device from authenticating itself if a foreign OS is executing.

The devices in question perform critical sensing functions in the context of a sensor and actuator network, and may be subject to organized, professional, and well-funded attack. In the view of the customer/owner, it is an essential requirement that no unauthorized update be installable in such a way that the device can masquerade as authentic. In many cases, the owner will choose to actively prohibit any OS update where the OS is unsigned.

Believe it or not, this isn't a military application.

shap

_______________________________________________
L4-hurd mailing list
[email protected]
http://lists.gnu.org/mailman/listinfo/l4-hurd
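The boot policy shap describes for the sensor devices, modelled as an added Go example (this is not code from the mail or from The EROS Group): any OS the owner installs is allowed to boot, but the device identity key is only usable, and the boot firmware only replaceable, while a vendor-signed OS is running. The type and function names, the use of ed25519 signatures over a SHA-256 digest of the OS image, and the version strings are all assumptions made for the model.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// OSImage is an OS build; Signature is the vendor's ed25519 signature over sha256(Code), empty if unsigned.
type OSImage struct{ Name string; Code, Signature []byte }

// Device models the boot firmware of the sensor device in the mail (constructed model, not EROS Group code).
type Device struct {
	vendorPub   ed25519.PublicKey  // vendor signing key baked into the boot firmware
	IdentityPub ed25519.PublicKey  // device identity key; what the sensor network holds to check attestations
	identityKey ed25519.PrivateKey // private half, only ever used from a trusted boot state
	firmwareVer, bootedOS string
	trustedBoot           bool
}

func NewDevice(vendorPub ed25519.PublicKey) *Device {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return &Device{vendorPub: vendorPub, IdentityPub: pub, identityKey: priv, firmwareVer: "boot-v1"}
}

// Boot runs whatever OS the owner installed; it only records whether the image is vendor-signed.
func (d *Device) Boot(img OSImage) {
	digest := sha256.Sum256(img.Code)
	d.trustedBoot = len(img.Signature) > 0 && ed25519.Verify(d.vendorPub, digest[:], img.Signature)
	d.bootedOS = img.Name
}

// Attest signs "firmwareVer|bootedOS|nonce" with the identity key, but only while a vendor-signed OS is running.
func (d *Device) Attest(nonce []byte) ([]byte, error) {
	if !d.trustedBoot { return nil, errors.New("attestation refused: running OS is not vendor-signed") }
	return ed25519.Sign(d.identityKey, append([]byte(d.firmwareVer+"|"+d.bootedOS+"|"), nonce...)), nil
}

// UpdateBootFirmware needs both a trusted running OS and a vendor signature over the new version string.
func (d *Device) UpdateBootFirmware(newVer string, sig []byte) error {
	if !d.trustedBoot { return errors.New("firmware update refused: running OS is not vendor-signed") }
	if !ed25519.Verify(d.vendorPub, []byte(newVer), sig) { return errors.New("firmware update refused: bad vendor signature") }
	d.firmwareVer = newVer
	return nil
}
```

A verifier on the network rebuilds the same "firmwareVer|bootedOS|nonce" statement and checks the signature against IdentityPub; a foreign OS still runs, but it can never produce that signature.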
