This is unfortunately directed mostly at AWS employees as none of the rest of use can do anything about it.
My issue is that the DeepLens device is so locked down that it's impossible to run anything other than a release of a distro from 6 years ago. I've dug into this at length and discovered the following:
- It's possible to enter the firmware, but there's no way to disable Secure Boot (at least on my v1.0).
- The EFI executable signed by AWS and booted by the firmware is actually a unified kernel image; it has the Linux kernel, initrd, and command line all built into it. This means no possibility of altering the arguments used to boot the kernel.
- You also can't use
kexec
to warm-boot another kernel as a chain-load workaround. Again, Secure Boot.
- It's not possible to use the various
/sys/firmware/efi
drivers to register new Secure Boot keys. I have nothing against Secure Boot, but generally it's implemented to allow end-users to set up their own keys or disable it entirely. The DeepLens obviously isn't a Windows-certified device, but it's interesting to note that for all the hate Secure Boot received the Windows certification process actually requires these features to be present.
- As far as I can tell the kernel doesn't ever actually get updated by
apt
because the contents of /boot
aren't actually booted. Doing so would require that AWS is distributing the signing key to devices to sign locally-built bundles. Linux 4.13.0 is from November 2018...
In short, it's kind of disingenuous to claim that
To protect the AWS DeepLens device from malicious attacks, it is configured to boot securely.
I guess technically it boots only the intended kernel, but that kernel is open to any exploits found since its release.
To that end, can we please get unlocked firmware? I don't care about warranty; I want to be able to use the device that I supposedly own in the way I see fit. It seems that AWS isn't interested in keeping the device current, so please allow us to take that on ourselves.
since it has been 2 years and deeplens is now being sunset, is it possible to revisit this?
agree with James. would like to upgrade the OS now that deeplens is retired by amazon