[sugar] security status and important milestone reached

[Ivan Krstić]

Things have been very quiet about the progress of the Bitfrost  
security implementation. Due to a very complex chain of  
implementation dependencies, we've had to wait until recently to be  
able to kick the security work into high gear. I'm happy to report  
that this has now happened and things are moving along quickly.

11 days ago, we merged our FRS containerization solution into a  
branch of our kernel tree:
     http://dev.laptop.org/git.do?p=olpc-2.6;a=shortlog;h=vserver

This branch will get other development updates and is slated, barring  
unforeseen problems, to become the build branch for Trial-2, meaning  
the Trial-2 build will run a container-enabled kernel by default. A  
few days ago, Mitch Bradley reported having successfully integrated  
our BIOS cryptography code into Open Firmware, and he and I will be  
spending part of the next week hammering out the details of this  
integration.

On behalf of the security team, I am particularly pleased to announce  
we've just reached a very important milestone: we have integrated  
automatic containerization with Sugar on build 472 (based on Fedora  
Core 7) through the Rainbow userspace security service, and with only  
a trivial patch to Sugar (http://dev.laptop.org/~krstic/sugar- 
rainbow.patch). Concretely, we have an XO in the office where  
clicking an activity icon shows the activity as usual, but the  
loading machinery in the background automatically launched the  
activity in a container. No restrictions are yet imposed on the  
containers -- that's where our work will turn now, as well as towards  
working with the Sugar team to bring this functionality soon to a  
Sugar near you. I hope to also announce working secure activation  
(delivery chain protection) code soon.

Cheers,

--
Ivan Krsti? <krstic at solarsail.hcs.harvard.edu> | GPG: 0x147C722D