If you're not familiar with "Security Boot", "Boot Guard" or "BIOS Guard" stuffs, you might find this subject quite boring. In case that, I think the better way is to explain it as usual sarcasm style.
Previous features I mentioned are designed or claimed for better security integration on platform, it's like a series of locks that you might only pass with right identity. For example, assume as following scene:
Lock: blocks the boot flow unless the right key is accepted.
Right Keys: Can only manufactured by OS vendor and OEM/ ODM (OEM has the right to decide to use only OEM key or both of OEM and ODM keys)
Since right keys can only manufactured by OS vendor, OEM or ODM, here's the funny question: What if the right is leaked, who should be responsible for it?
Well, four kinds of situation:
(1) OS vendor's key leaked: No doubt that OS vendor should be responsible for it since none can access the key but their self, right?
(2) Only OEM Key used and it's leaked: Of course it's OEM's fault, however, if this method is used, OEM should maintain a safe server allowing ODM to upload the signature file to be signed by OEM's internal private key and download from the server. Guess what? Some OEM takes the effort quickly but some just take other methods...
(3) Only ODM key used and it's leaked: Of course it's ODM's fault, however, every one would blame it on OEM. If any bad things happen, ha ha, some poor engineer would be kicked out. Don't worry about the supervisor, they always find the way out.
(4) OEM and ODM keys used and one leaked: Why we need this method? Why not only OEM key used? Well, it's because some OEM's too lazy to build the safe server responsible for ODM's signature, but still wanna ensure which ODM leaks their key and make sure ODM wouldn't produce other non-official keys. Oh man, it's really complicated, right? More to that, what if OEM or ODM would like to change or testify their own keys in the same BIOS code-base? There we need the compile switch provided by IBV to determine if the OEM/ ODM keys changed or not in current compile time. It's complicated, however, once built, it's easy to use to OEM or ODM, and lazy OEM doesn't have to own the safe server. How lazy and brilliant. By the way, I'm the guy worldwide first figured out this working model to satisfy the lazy OEM supervisor...
Finally, based on the experience I shared previously. I realize there are two ways to work in OEM:
(1) To Follow and get SLAPPED by supervisor.
-> Advantage: Keep your job well and stable.
-> Disadvantage: Get slapped all the time.
(2) To Create and get FIRED by supervisor.
-> Advantage: Be creative to flexible working models to satisfy various needs.
-> Disadvantage: Be creative is bitching and jealous supervisor finds excuse to fire you someday.
Any way, it's been cool to share some experience with you, if you find any questions, suggestions or comments, please give me some feed-backs, thanks a lot!
No comments:
Post a Comment