[Arm-netbook] ARM's OOB para-virtualization & FreeZone in A10?

[Henrik Nordström]

tis 2012-07-10 klockan 11:17 -0700 skrev freebirds at fastmail.fm:

> Regardless of my needs for it, I am shocked none of you are supporting
> Richard Stallman's advocacy of truly open source hardware. 

Ofcourse we are. But we are not supportign the view that every advance
in technology is inherently evil because there may be some evil
application of said technology.

Hardware is not evil/good. Most of the threats you have described so far
is nonsense and completely misguided, based on a little grain of truth
and then blown completely out of proportion and context.

And you routinely reject the very technologies which are the key to
solving the basic threats you describe. By rejecting trusted computing
you leave yourself permanently vulnerable to others tampering with your
systems, installing BIOS trojans, messing with your installed operating
system, replacing vital system software with trojans etc. Only trusted
computing have the capability to protect you from others tampering with
your systems. All other software solutions is easily circumvented unless
you routinely make use of offline fingerprinting of your complete system
storing the fingerprints and equipment needed for verifying the
fingerprints somewhere you know is tamper proof.

> Raspberry pi, the first ARM device I researched
> uses Broadcom which is not open source hardware and has TrustZone.

ARM Cortex is not open hardware. It's a closely guarded trade secret.

In fact none of the off the shelf CPUs you can find on the market is
open hardware.

> I
> ordered a Lemote Yeeloong with a 8 SSD instead of the 160 GB HD as SSD
> does not have a HPA. Though I do need more storage than 8 GB and today
> am purchasing a 32 GB SD card.

What SSD do not have support for HPA?

And SD certainly do have HPA equivalent partitioning.

But HPA is only a threat if you have a BIOS/bootloader capable of using
it and you completely ignore it. Additionally any use of HPA in SATA/SAS
is easily detected if you care to look for it. It's somewhat harder to
detect in SD as the tools for controlling & configuring SD is less
common and many uses of SD is behind translators where this level of
control of the SD interface is not possible.

> UEFI and Microsoft 8 will preclude installing Linux. Apple precludes
> installing Linux. That alone should cause Linux users to search for or
> create open source hardware.

UEFI do not preclude installing Linux. Microsoft enforcing an UEFI + TPM
policy on hardware manufacturer that only Microsoft signed software may
be booted by their hardware and users not given any means to gain
control over their own hardware is precluding freedom, and it's very
doubtful they will get away with that requirement in the long run. But
there is solutions being developed to that problem as well.

>  ARM and MIPS hardware, with the exception
> of Lemote, are not truly open source. Linux is much more complicated to
> install then simply downloading an ISO and burning it to a  DVD.

Average X86 hardware is absolutely not open source hardware.

> I predict Microsoft and Apple will prevail.

They will be around for considerable time and there will be numerous
fights over user freedom to control their hardware. But I have absolute
fait in openness will preclude in the long run.

> There will fewer newbie Linux users.

I doubt. The rate of newbie Linux users have never been higher, and no
signs of decline.

> Being a semi-newbie Linux user, I find the tutorials on
> installing Linux on ARM and MIPS too complicated and too few SDcards
> preinstalled with Linux for sale.

Do you find ANY installation instructions how to install anything else
than Linux on those hardware platforms?

ARM and MIPS are messy platforms due to a long history of embedded
market with high emphasis on launch and forget in the consumer segment,
and very little interest in free software principles.

Things are improving considerably in the last couple years and you can
now find (almost) one-click Linux installers for several ARM hardware
platforms. For example
http://fedoraproject.org/wiki/Fedora_ARM_Installer

> If I were not desperate, I would not even try.

Installing on a new hardware plaform which is locked by the manufacturer
is an ugly business. Not something for the faint hearted.

> Gordon Bobic, I appreciate your giving more advice on AV and using AV in
> Firefox and Thunderbird. Yet, all of you are ignoring that AV does not
> scan BIOS, HPA of hard drives and graphic cards.

A good AV scans the running system for any known malware. But an AV can
per definition not protect you from targeted threats, only well known
malware / viruses.

BIOS and hard drive content is protected by making use of a trusted boot
process such as ARM TrustZone or x86 UEFI + TPM. There is other
implementations of similar technology as well, but the underlying
principle is the same, system boot process is protected (and optionally
even encrypted) by hardware using a hardware specific key to make sure
it can't be tampered with. At it's strictest setting any unauthorized
(not authorized by you) change in boot software (bios/bootloader +
kernel etc) or hardware gets noticed and renders the system unbootable.
The rest is easily protected within your selected operating system by
encrypting the harddrive and enforinc strict security policies on the
applications you run by using selinux or similar technology to sandbox
each application.

Regards
Henrik