12-16-2011 01:50 AM
> Then the app tries to install net_rim_cldc.
> Does this mean that during the boot sequence, the hash/signature of every module that is needed to complete the boot and get the core apps running is re-computed?
My understanding is that any module can access "private" OS methods only if it is signed by RIM. I suppose that the OS launcher verifies the signature of the first "boot" module before it calls it; after that, any other module which is not signed by RIM can only use the public APIs.
FYI there are hundreds of variants of net_rim_cldc.cod signed by RIM (for different OS builds and devices). Some people even prepare their own hybrid OSes by combining .cod files from different official OS builds. But all those .cod files can be used only because they are signed by RIM.
> Note that a customer who is very concerned about security may not want to trust any claims
> RIM may make about not having malicious insiders, not having undocumented API behavior
I'd say that this user should not use RIM products or make a deal with them and get a copy of the source code.
On the other hand, source code is not enough: he needs to also prepare his own build tools (he cannot trust RIM's build tools), needs to sign the cod files with his own private keys, needs to prepare special hardware which validates the cod files against his own key, and so on.
12-16-2011 01:52 AM
> there may be some things about the OS or environment
You can check the hashes of all the OS modules, they are always identical for the same binary.
Of course, if the user upgrades the OS, the core modules will get new hashes.
12-16-2011 05:31 AM