<div dir="ltr"><div class="gmail_extra"><div class="gmail_quote">On Fri, Mar 11, 2016 at 2:41 AM, Matt Johnston <span dir="ltr"><<a href="mailto:matt@ucc.asn.au" target="_blank">matt@ucc.asn.au</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex">> On Thu 10/3/2016, at 12:58 pm, Phillip Hallam-Baker <<a href="mailto:phill@hallambaker.com">phill@hallambaker.com</a>> wrote:<br>
...<br>
<span class="">> The boot media has the following additional information:</span><span class=""><br></span></blockquote><div>..... </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex"><span class="">
</span>...<br>
<span class="">> What is the best way to guarantee that I am authenticating the device boot media?<br>
> What is the best way to guarantee that the temporary key is erased from the boot media?<br>
<br>
<br>
</span>To verify the boot media externally, partition the disk leaving 20k at the end, and put the signature there. The signature should be over the entirety of /dev/mmcblock0 apart from that last 20k. Ralf: a read-only "mount -o ro" shouldn't touch the bytes on the card, though a block-level signature would be better.<br>
<br>
If your SD card contents is smaller than ram size you could erase the boot media by copying the entire SD card image into RAM, write zeroes over the entire device, then copy the SD card image back over minus the key - should be safe? For good measure spread the key into parts across the card.</blockquote><div><br></div><div>Below is a look at a running R-Pi for those without one.<br>A single micro SD card is partitioned and filesystems made.<br>/boot is vfat</div><div>/ is ext4 but this is not cast in stone.<br><br>The boot process is a little bit odd. Last I looked the Pi boot used functions</div><div>of the GPU to copy code into memory and then jump to the entry point.<br>This is commonly an OS image that loads in RAM and because</div><div>it runs in RAM it can do filesystem checks and repair things.<br><a href="http://amitshah.bizhat.com/arm/arm_linux_boot-1.html">http://amitshah.bizhat.com/arm/arm_linux_boot-1.html</a> </div><div><br></div><div><div>razn1:~/$ file /boot/kern*</div><div>/boot/kernel7.img: Linux kernel ARM boot executable zImage (little-endian)</div><div>/boot/kernel.img: Linux kernel ARM boot executable zImage (little-endian)</div><div>Or a vmunix file like this on an ARM based pandaboard.<br>panda:~$ ls /boot/vmlinuz*<br><span class=""><b>/boot/vmlinuz</b></span><span class=""> /boot/vmlinuz-3.2.0-1464-omap4 /boot/vmlinuz-3.2.0-1466-omap4</span></div><div><span class=""><a href="https://www.kernel.org/doc/Documentation/filesystems/ramfs-rootfs-initramfs.txt">https://www.kernel.org/doc/Documentation/filesystems/ramfs-rootfs-initramfs.txt</a><br><br>It is valuable look inside this image as it is the first good place to add checks.<br>Memory limits things but with caution a lot can happen. </span></div>
<p class="">Once the file system checks are done it all opens up.<br>This is the easy place to prototype you checks and when ready<br>move them if needed.</p><p class="">Going back uboot has some network abilities and as a bootstrap<br>loader goes is bigger than a breadbox. Google uboot and friends. <br><a href="http://elinux.org/RPi_U-Boot">http://elinux.org/RPi_U-Boot</a><br><br>With the OS up and running encrypted directories or partitions can be mounted<br>with or without user login. <br><br>Any Raspberry-pi boot media and OS can be opened up on a linux or <br>Windows machine. A linux VM makes a number of things easy when <br>Windows does not understand the filesystem. The easy context is to <br>use a working R-Pi take a mSD/SD card reader and plug that into a USB port.<br>Login via SSH and copy files dd images alter boot commands compile binary<br>objects, duplicate mSD cards etc. <br>This and more can be automated including checksums of all key objects.<br>ldconfig can confuse some checksum strategies. </p><p class=""><br>Output of df, mount ls -l /boot are below.</p><p class="">-=-=-=-=-=-=-=-=-=-=-</p></div>razn1:~$ df<br>Filesystem 1K-blocks Used Available Use% Mounted on<br>/dev/root 7534284 5154692 2023276 72% /<br>devtmpfs 494068 0 494068 0% /dev<br>tmpfs 498388 0 498388 0% /dev/shm<br>tmpfs 498388 50352 448036 11% /run<br>tmpfs 5120 4 5116 1% /run/lock<br>tmpfs 498388 0 498388 0% /sys/fs/cgroup<br>/dev/mmcblk0p1 57288 20312 36976 36% /boot<br>tmpfs 99680 0 99680 0% /run/user/1001<p class=""><span class="">razn1:~$ mount<br>/dev/mmcblk0p2 on / type ext4 (rw,noatime,data=ordered)<br>devtmpfs on /dev type devtmpfs (rw,relatime,size=494068k,nr_inodes=123517,mode=755)<br>sysfs on /sys type sysfs (rw,nosuid,nodev,noexec,relatime)<br>proc on /proc type proc (rw,relatime)<br>tmpfs on /dev/shm type tmpfs (rw,nosuid,nodev)<br>devpts on /dev/pts type devpts (rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000)<br>tmpfs on /run type tmpfs (rw,nosuid,nodev,mode=755)<br>tmpfs on /run/lock type tmpfs (rw,nosuid,nodev,noexec,relatime,size=5120k)<br>tmpfs on /sys/fs/cgroup type tmpfs (ro,nosuid,nodev,noexec,mode=755)<br>cgroup on /sys/fs/cgroup/systemd type cgroup (rw,nosuid,nodev,noexec,relatime,xattr,release_agent=/lib/systemd/systemd-cgroups-agent,name=systemd)<br>cgroup on /sys/fs/cgroup/cpuset type cgroup (rw,nosuid,nodev,noexec,relatime,cpuset)<br>cgroup on /sys/fs/cgroup/cpu,cpuacct type cgroup (rw,nosuid,nodev,noexec,relatime,cpu,cpuacct)<br>cgroup on /sys/fs/cgroup/blkio type cgroup (rw,nosuid,nodev,noexec,relatime,blkio)<br>cgroup on /sys/fs/cgroup/devices type cgroup (rw,nosuid,nodev,noexec,relatime,devices)<br>cgroup on /sys/fs/cgroup/freezer type cgroup (rw,nosuid,nodev,noexec,relatime,freezer)<br>cgroup on /sys/fs/cgroup/net_cls type cgroup (rw,nosuid,nodev,noexec,relatime,net_cls)<br>systemd-1 on /proc/sys/fs/binfmt_misc type autofs (rw,relatime,fd=22,pgrp=1,timeout=300,minproto=5,maxproto=5,direct)<br>mqueue on /dev/mqueue type mqueue (rw,relatime)<br>debugfs on /sys/kernel/debug type debugfs (rw,relatime)<br>configfs on /sys/kernel/config type configfs (rw,relatime) <br></span>fusectl on /sys/fs/fuse/connections type fusectl (rw,relatime)<br>/dev/mmcblk0p1 on /boot type vfat (rw,relatime,fmask=0022,dmask=0022,codepage=437,iocharset=ascii,shortname=mixed,errors=remount-ro)<br>binfmt_misc on /proc/sys/fs/binfmt_misc type binfmt_misc (rw,relatime)<br>tmpfs on /run/user/1001 type tmpfs (rw,nosuid,nodev,relatime,size=99680k,mode=700,uid=1001,gid=1004)</p><p class="">razn1:~$ ls -l /boot<br>total 19872<br>-rwxr-xr-x 1 root root 10841 Mar 5 09:41 bcm2708-rpi-b.dtb<br>-rwxr-xr-x 1 root root 11120 Mar 5 09:41 bcm2708-rpi-b-plus.dtb<br>-rwxr-xr-x 1 root root 10871 Mar 5 09:41 bcm2708-rpi-cm.dtb<br>-rwxr-xr-x 1 root root 12108 Mar 5 09:41 bcm2709-rpi-2-b.dtb<br>-rwxr-xr-x 1 root root 12575 Mar 5 09:41 bcm2710-rpi-3-b.dtb<br>-rwxr-xr-x 1 root root 17920 Mar 5 09:41 bootcode.bin<br>-rwxr-xr-x 1 root root 120 Sep 8 2014 cmdline.txt<br>-rwxr-xr-x 1 root root 1323 May 15 2015 config.txt<br>-rwxr-xr-x 1 root root 18693 Mar 5 09:41 COPYING.linux<br>-rwxr-xr-x 1 root root 2505 Mar 5 09:41 fixup_cd.dat<br>-rwxr-xr-x 1 root root 6481 Mar 5 09:41 fixup.dat<br>-rwxr-xr-x 1 root root 9722 Mar 5 09:42 fixup_db.dat<br>-rwxr-xr-x 1 root root 9724 Mar 5 09:42 fixup_x.dat<br>-rwxr-xr-x 1 root root 137 Sep 9 2014 issue.txt<br>-rwxr-xr-x 1 root root 4046732 Mar 5 09:42 kernel7.img<br>-rwxr-xr-x 1 root root 3963140 Mar 5 09:42 kernel.img<br>-rwxr-xr-x 1 root root 1494 Mar 5 09:41 LICENCE.broadcom<br>-rwxr-xr-x 1 root root 18974 Sep 25 2013 LICENSE.oracle<br>drwxr-xr-x 2 root root 8192 Mar 5 09:43 overlays<br>-rwxr-xr-x 1 root root 612472 Mar 5 09:42 start_cd.elf<br>-rwxr-xr-x 1 root root 4888200 Mar 5 09:42 start_db.elf<br>-rwxr-xr-x 1 root root 2739672 Mar 5 09:42 start.elf<br>-rwxr-xr-x 1 root root 3840328 Mar 5 09:42 start_x.elf</p></div>-- <br><div class="gmail_signature"><div dir="ltr"> T o m M i t c h e l l</div></div>
</div></div>