Friday, June 29, 2007

GPL3 the pain child is born..-> implications for cellphones??

As of last, Linus was against pulling in GPL3 for kernel... what sayeth he now??? Gotta read it sometime later this weekend..


GPL V3: - there is GPL and LGPL - Good!!

One feature I am worried upon is the "non tviozation" concept:
Imagine.. one day Linus says ok to GPL v3 for linux, all apps are GPL V3. Now, using today's technology, the h/w vendor who releases a GPL V3 based software for a cellphone..needs to ensure that you dont have a malicious "cracked" version running on the board. How does they do it? by providing signature for images.. Does "non tvio" software mean the signatures are published? Errr.. beats the purpose right? Does this imply that the vendor should impart the tools to make the modified s/w run on thier boards -Errrr.... why should the vendor want to give the key to the safe? Solution: hardware firewalls..
TI for example provides on 2430,3430 some really advanced firewall features, which can be used in this scenario:
properiotory signed code accesses/provides features to the critical components (e.g. SIM/MegaSIM cards), exposes if needed heavily controlled LGPL APIs -> communicated with GPLV3 baseport and s/w.. the firewall configuration will be such that only the prop code(on prop processor as an e.g.), can access the critical components.. the "Application OS" does not have rights..
Why this wont work:
  • To an extent this is already present in the concept of "mobile processor" vs "application processor" concept.. but lots of companies (including TI, Infenion, Freescale) are looking for single processor systems to reduce cost.. imagine the resultant overheads.. just to ensure security..
  • Easier said than done.. how do u prevent a "cracked" keypad driver not grabbing all keystokes and passing it to ethernet driver for transmission over GPRS?

Cell phone security is a very very complex thing compared to desktop OS: I kind of predict.. it is only a matter of time before some "fruitcake"-brained cokers decide to do something abt it... and make life a wee bit more difficult..

TVIO, I think is a moot point.. end of the day, they put a hashkey in ROM, before the app processor runs, compare hash key to image hash.. if it matches, continue.. else.. poof.. solid hardware security.. add a fuse and blow out the processor to a unusable state... lol.. no wonder the FSF folks are pissed....

But it does not hide the real threat... How do u make cell phones with GPLV3 code?

Read this to listen to the kernel hacker's mind:

No comments: