[Cryptography] Help with Raspberry Pi IoT initialization...
Phillip Hallam-Baker
phill at hallambaker.com
Thu Mar 10 19:57:40 EST 2016
On Thu, Mar 10, 2016 at 9:06 AM, Thierry Moreau
<thierry.moreau at connotech.com> wrote:
> A day dreamer wrote:
>
> On 10/03/16 04:58 AM, Phillip Hallam-Baker wrote:
>>
>> So here is the deal, I have a draw full of Raspberry Pi devices. I would
>> like to be able to take create a variation of the Raspberry Pi boot
>> media that provides the Pi with the ability to securely boot into my
>> cryptographic environment (aka Mesh Profile) and provide SSH access, TLS
>> cert chained to my root, etc. etc.
>>
>> The idea is that I take a RPi out of one draw, I take an SD boot card
>> out of another drawer that has my personal boot media image. The machine
>> boots and ...
>>
>>
>> The way I propose to do this is as follows:
>>
>> The boot media has the following additional information:
>>
>> * A digital signature of the boot partition excluding itself
>>
>> When run, the run once tool does the following:
>>
>> ? Verifies the boot media signature
>
>
> If you take the personal SD boot card from a personal drawer, why do you
> want a signature verification in the first place?
So I have the option of putting the SD boot disk into a trusted device
(e.g. my personal laptop that never leaves my sight) and verifying
that nobody has tampered with it while in the drawer.
I am aware of the problems with the bootstrap trust problem. That is
not what I asked for help with.
More information about the cryptography
mailing list