[OpenBIOS] Secure BIOS for voting?

[Nick Couchman]

>>> On 2013/07/19 at 06:01, <SAVIOCvs at aol.com> wrote: 
> I developed a voting system (see _www.SAVIOC.com_ (http://www.SAVIOC.com) ) 
> that uses ordinary old PCs,  yet is more transparent and trustworthy than 
> anything else in use  today.  All software, including the operating system 
> (FreeDOS) boots from a  floppy that can be verified by hash code.  The PC 
> never uses the hard  drive, and doesn't even need one.  Trustworthiness 
> comes 
> from people  with different interests being able to prevent each other from 
> doing anything  fraudulent.  I think the only significant potential 
> vulnerability is that  someone with physical access to the machines could 
> install a 
> malicious  BIOS.  Learning about the OpenBIOS project gave me hope of 
> overcoming that  vulnerability.
>  
> (1)  Is my hope justified?  Can a PC be booted from a floppy that  
> completely replaces the native BIOS in RAM, and then loads FreeDOS?  (Can  
> the 
> possibility of a malicious BIOS be made a non-issue?)
>  
> If all answers are YES, then the remaining very basic questions become  
> important.

Perhaps this is a digression, but why a floppy?  If you're using old hardware, that's fine, but at some point you probably want to use modern hardware, and I don't know of a modern hardware system that comes with a floppy drive, anymore.  Furthermore, my many years of experience with floppy disks tells me that they are unreliable - very prone to failures of a variety of types (dirty heads, physical damage to the medium, etc.).  Many of these types of failures mean mis-reads, which means bad checksums and failures in the security model you're trying to implement.  If you're looking for something compatible with very old hardware - hardware that does not support booting from USB flash drives - I'd recommend finding some older IDE flash chips (disk on chip) that you can use, instead.  These are probably pretty cheap, now, and should give you the capacity and reliability that you won't get with floppy disks.

>  
> (2)  Roughly how much space on the floppy would be required?

You can build the OpenBIOS tree and see how large the binary is.  I don't remember off the top of my head, so I can't tell you.  Many modern BIOS implementations are several MB - I believe 8MB is the average BIOS size (not openBIOS, just BIOS in general), with some as large as 12MB.  This presents another problem when using floppies...you'd need multiple ones.

> (3)  What downloads would I need?  OpenBIOS AND OpenFirmware AND  OpenBOOT? 
>  Anything else?

Probably just OpenBIOS.

> (4)  How are they downloaded?  
> http://www.openfirmware.info/index.php/Downloads displays  a page 
> beginning, "This page has been deleted."  All other links that imply  the 
> possibility 
> of downloading reach a page headlined, "The  page cannot be displayed".
>  

SVN check-out of the current source tree and build.  Decently modern versions are also included with Qemu, IIRC.

-Nick




--------
This e-mail may contain confidential and privileged material for the sole use of the intended recipient.  If this email is not intended for you, or you are not responsible for the delivery of this message to the intended recipient, please note that this message may contain SEAKR Engineering (SEAKR) Privileged/Proprietary Information.  In such a case, you are strictly prohibited from downloading, photocopying, distributing or otherwise using this message, its contents or attachments in any way.  If you have received this message in error, please notify us immediately by replying to this e-mail and delete the message from your mailbox.  Information contained in this message that does not relate to the business of SEAKR is neither endorsed by nor attributable to SEAKR.