Originally Posted by nbedford:
I have busybox-power all set up and working, but I have a question, which is possibly a little off topic, but I would like to better understand for myself.

I installed the openmode kernel available from http://maemo.cloud-7.de/HARM/N9/1.3/openmode-kernel
I assumed (maybe mistakenly) that this was what people referred to as standard openmode?

However, I have opensh installed correctly with AEGIS_FIXED_ORIGIN and this shell provides all capabilities, including tcb-sign so can resign refhashlist.

So basically my question, is my kernel normal openmode or aegis neutered?

Basically, this is the current situation:

1. A vanilla device is in Normal Mode.
2. Flashing any custom kernel (i.e. one not signed by Nokia) will put your device in Open Mode. You'll need to reflash the whole rootfs if you want your device to go back in Normal mode; just flashing Nokia's kernel won't do IIRC. Open Mode allows you to install packages with all capabilities via the AEGIS_FIXED_ORIGIN trick.
3. If your custom kernel contains this patch: http://maemo.cloud-7.de/HARM/N9/1.2/...openmode.patch, aegis is neutered (the patch should be pretty self-explanatory). Hence, a device in "Open Mode" does not necessarily run an aegis-neutered kernel.

In Open Mode, aegis still enforces the origin check on protected files in your filesystem. That's why we differentiate between Open Mode and Patched Open Mode: we still need to "crack" (or a better term: "unseal") aegis and disable the origin check (this is aegisctl's job) in non-patched Open Mode & Normal Mode. Otherwise aegis would deny access to /bin/busybox as soon as our version gets installed, something you don't want to experience.
When aegis is neutered, we can freely configure aegis as we like, so we don't need aegisctl to unseal aegis. That's why busybox-power-noaegis is able to drop this dependency.

Having all capabilities in non-patched Open Mode does not drop the dependency on aegisctl, as there will always be a brief period in which the hash of /bin/busybox won't match the one in the refhashlist. See the current installation workflow as to why this is true: disable the origin check, install new /bin/busybox (hashes mismatch at this point -> without disabled origin check, the system would now be "broken"), update the refhashlist, resign the refhashlist, reload the refhashlist, enable the origin check.

--
The kernel image you linked contains the neutering patch, although that isn't documented anywhere AFAICS. I guess most people run an aegis-neutered kernel (why still have aegis enforcing stuff when you can install packages with all capabilities?), though I'm not aware of any statistics regarding this subject.

So yes, you are running an aegis-neutered (patched) Open Mode kernel. You can install busybox-power-noaegis, which will replace busybox-power automagically, and uninstall aegisctl if you wish.

If you have any more questions regarding this subject, please don't hesitate to ask them.

Last edited by iDont; 2013-02-13 at 20:55. Reason: typo
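
An added example, not part of iDont's post and not Aegis or busybox-power code: a simplified Python model of the installation workflow described above, recording whether /bin/busybox would be accessible after each step, with and without disabling the origin check first. The `Device` class, the HMAC stand-in for refhashlist signing, and the rule that a list with a stale signature is not reloaded are all assumptions of the model.

```python
import hashlib
import hmac

KEY = b"constructed-signing-key"  # stand-in for the tcb-sign capability (assumption)

def digest(data):
    return hashlib.sha1(data).hexdigest()

def sign(entries):
    blob = repr(sorted(entries.items())).encode()
    return hmac.new(KEY, blob, hashlib.sha256).hexdigest()

class Device:
    """Toy model: files, an on-disk refhashlist, and the copy the enforcer has loaded."""
    def __init__(self, files):
        self.files = dict(files)
        self.disk_list = {p: digest(d) for p, d in files.items()}
        self.disk_sig = sign(self.disk_list)
        self.loaded = dict(self.disk_list)
        self.origin_check = True

    def access(self, path):
        # With the check enabled, content must match the hash in the loaded list.
        if not self.origin_check:
            return True
        return self.loaded.get(path) == digest(self.files[path])

    def reload(self):
        # Assumption: a list whose signature does not verify is not loaded.
        if not hmac.compare_digest(self.disk_sig, sign(self.disk_list)):
            return False
        self.loaded = dict(self.disk_list)
        return True

def install(dev, path, new, unseal):
    """Run the steps from the post; return access(path) as observed after each one."""
    seen = []
    def step(action):
        action()
        seen.append(dev.access(path))
    if unseal:  # step 1: disable the origin check (aegisctl's job in the post)
        step(lambda: setattr(dev, "origin_check", False))
    step(lambda: dev.files.__setitem__(path, new))               # install new binary
    step(lambda: dev.disk_list.__setitem__(path, digest(new)))   # update refhashlist
    step(lambda: setattr(dev, "disk_sig", sign(dev.disk_list)))  # resign refhashlist
    step(dev.reload)                                             # reload refhashlist
    step(lambda: setattr(dev, "origin_check", True))             # enable origin check
    return seen
```

In the model the remaining steps still run after a denial; on a real device they could not be assumed to, which is the "broken" state the post warns about.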
 
