ring security level escalation exploits
I have a military laptop here; it has two PowerPC750 CPUs, the kernel (VxWorks) is loaded from Flash0 (8 Mbyte), the rootfs is mounted RO from Flash1 (64 Mbyte), /var and /tmp are mounted in RAM, and $home is mounted from a hardware-encrypted CF2 (LBA32).
The kernel flash driver has its ".write" method removed, so it is physically impossible to write to flash0 and/or flash1 without modifying the kernel, and reprogramming the kernel requires physical access to the motherboard.
Game over: if you want to update the kernel or the rootfs, you have to:
- 1) physically access the motherboard; not an easy task, as the shell is waterproof and you need a suction cup to detach the hull
- 2) turn on the write pin of the system flash0 and/or flash1
- 3) turn on the boot serial
- 4) attach a serial cable to the motherboard in order to download special software able to reprogram the flash
VxWorks is a commercial OS, so I prepared a Linux kernel for the laptop and a custom firmware (PPC assembly) to perpetually tftpboot from the optical network, so I can easily develop the kernel and the GNU/glibc-based rootfs without those "crazy" restrictions used to make VxWorks RO.
And ... I think it must have cost as much as a Cadillac: a splash- and waterproof laptop, which is no longer splash- and water-resistant as I damaged the seals to open it, in order to repurpose it as a dumb X11 terminal ...
... which is all LOL ... you know I love this kind of thing.
But hey, I am playing with a decommissioned military laptop that was trashed; among the many reasons to throw it away, it was made when there were no dual-core CPUs, and cryptographic stuff was done by perpetually allocating one CPU in AMP to serve cryptographic stuff to the other CPU!
I have never seen an SMP PPC laptop around; PowerBooks from 603 to G3 to G4 only have one CPU!
Unfortunately, I am too ignorant to work on AMP and SMP kernel stuff, so ... CPU1 stays disabled from the firmware up, while CPU0 runs Linux with no encryption for the CF2, which makes it even easier to deal with.
Anyway, apart from the uselessness of playing with military hardware that is unique in the world, you can get an idea of how deep the level of paranoia of a true "immutable" system can go.