[Cryptography] Help with Raspberry Pi IoT initialization...

Tom Mitchell mitch at niftyegg.com
Fri Mar 11 19:26:24 EST 2016


On Fri, Mar 11, 2016 at 2:41 AM, Matt Johnston <matt at ucc.asn.au> wrote:

> > On Thu 10/3/2016, at 12:58 pm, Phillip Hallam-Baker <
> phill at hallambaker.com> wrote:
> ...
> > The boot media has the following additional information:
>
.....

> ...
> > What is the best way to guarantee that I am authenticating the device
> boot media?
> > What is the best way to guarantee that the temporary key is erased from
> the boot media?
>
>
> To verify the boot media externally, partition the disk leaving 20k at the
> end, and put the signature there. The signature should be over the entirety
> of /dev/mmcblock0 apart from that last 20k. Ralf: a read-only "mount -o ro"
> shouldn't touch the bytes on the card, though a block-level signature would
> be better.
>
> If your SD card contents is smaller than ram size you could erase the boot
> media by copying the entire SD card image into RAM, write zeroes over the
> entire device, then copy the SD card image back over minus the key - should
> be safe? For good measure spread the key into parts across the card.


Below is a look at a running R-Pi for those without one.
A single micro SD card is partitioned and filesystems made.
/boot is vfat
/ is ext4  but this is not cast in stone.

The boot process is a little bit odd.  Last I looked the Pi boot used
functions of the GPU to copy code into memory and then jump to the entry point.
This is commonly an OS image that loads in RAM and because
it runs in RAM it can do filesystem checks and repair things.
http://amitshah.bizhat.com/arm/arm_linux_boot-1.html

razn1:~/$ file /boot/kern*
/boot/kernel7.img: Linux kernel ARM boot executable zImage (little-endian)
/boot/kernel.img:  Linux kernel ARM boot executable zImage (little-endian)
Or a vmunix file like this on an ARM based pandaboard.
panda:~$ ls /boot/vmlinuz*
*/boot/vmlinuz*  /boot/vmlinuz-3.2.0-1464-omap4
/boot/vmlinuz-3.2.0-1466-omap4
https://www.kernel.org/doc/Documentation/filesystems/ramfs-rootfs-initramfs.txt

It is valuable to look inside this image as it is the first good place to add
checks.
Memory limits things but with caution a lot can happen.

Once the file system checks are done it all opens up.
This is the easy place to prototype your checks and when ready
move them if needed.

Going back uboot has some network abilities and as a bootstrap
loader goes is bigger than a breadbox. Google uboot and friends.
http://elinux.org/RPi_U-Boot

With the OS up and running encrypted directories or partitions can be
mounted with or without user login.

Any Raspberry-Pi boot media and OS can be opened up on a Linux or
Windows machine. A Linux VM makes a number of things easy when
Windows does not understand the filesystem.   The easy context is to
use a working R-Pi, take a mSD/SD card reader and plug that into a USB port.
Login via SSH and copy files, dd images, alter boot commands, compile binary
objects, duplicate mSD cards etc.
This and more can be automated including checksums of all key objects.
ldconfig can confuse some checksum strategies.


Output of df, mount, and ls -l /boot are below.

-=-=-=-=-=-=-=-=-=-=-
razn1:~$ df
Filesystem     1K-blocks    Used Available Use% Mounted on
/dev/root        7534284 5154692   2023276  72% /
devtmpfs          494068       0    494068   0% /dev
tmpfs             498388       0    498388   0% /dev/shm
tmpfs             498388   50352    448036  11% /run
tmpfs               5120       4      5116   1% /run/lock
tmpfs             498388       0    498388   0% /sys/fs/cgroup
/dev/mmcblk0p1     57288   20312     36976  36% /boot
tmpfs              99680       0     99680   0% /run/user/1001

razn1:~$ mount
/dev/mmcblk0p2 on / type ext4 (rw,noatime,data=ordered)
devtmpfs on /dev type devtmpfs
(rw,relatime,size=494068k,nr_inodes=123517,mode=755)
sysfs on /sys type sysfs (rw,nosuid,nodev,noexec,relatime)
proc on /proc type proc (rw,relatime)
tmpfs on /dev/shm type tmpfs (rw,nosuid,nodev)
devpts on /dev/pts type devpts
(rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000)
tmpfs on /run type tmpfs (rw,nosuid,nodev,mode=755)
tmpfs on /run/lock type tmpfs (rw,nosuid,nodev,noexec,relatime,size=5120k)
tmpfs on /sys/fs/cgroup type tmpfs (ro,nosuid,nodev,noexec,mode=755)
cgroup on /sys/fs/cgroup/systemd type cgroup
(rw,nosuid,nodev,noexec,relatime,xattr,release_agent=/lib/systemd/systemd-cgroups-agent,name=systemd)
cgroup on /sys/fs/cgroup/cpuset type cgroup
(rw,nosuid,nodev,noexec,relatime,cpuset)
cgroup on /sys/fs/cgroup/cpu,cpuacct type cgroup
(rw,nosuid,nodev,noexec,relatime,cpu,cpuacct)
cgroup on /sys/fs/cgroup/blkio type cgroup
(rw,nosuid,nodev,noexec,relatime,blkio)
cgroup on /sys/fs/cgroup/devices type cgroup
(rw,nosuid,nodev,noexec,relatime,devices)
cgroup on /sys/fs/cgroup/freezer type cgroup
(rw,nosuid,nodev,noexec,relatime,freezer)
cgroup on /sys/fs/cgroup/net_cls type cgroup
(rw,nosuid,nodev,noexec,relatime,net_cls)
systemd-1 on /proc/sys/fs/binfmt_misc type autofs
(rw,relatime,fd=22,pgrp=1,timeout=300,minproto=5,maxproto=5,direct)
mqueue on /dev/mqueue type mqueue (rw,relatime)
debugfs on /sys/kernel/debug type debugfs (rw,relatime)
configfs on /sys/kernel/config type configfs (rw,relatime)
fusectl on /sys/fs/fuse/connections type fusectl (rw,relatime)
/dev/mmcblk0p1 on /boot type vfat
(rw,relatime,fmask=0022,dmask=0022,codepage=437,iocharset=ascii,shortname=mixed,errors=remount-ro)
binfmt_misc on /proc/sys/fs/binfmt_misc type binfmt_misc (rw,relatime)
tmpfs on /run/user/1001 type tmpfs
(rw,nosuid,nodev,relatime,size=99680k,mode=700,uid=1001,gid=1004)

razn1:~$ ls -l /boot
total 19872
-rwxr-xr-x 1 root root   10841 Mar  5 09:41 bcm2708-rpi-b.dtb
-rwxr-xr-x 1 root root   11120 Mar  5 09:41 bcm2708-rpi-b-plus.dtb
-rwxr-xr-x 1 root root   10871 Mar  5 09:41 bcm2708-rpi-cm.dtb
-rwxr-xr-x 1 root root   12108 Mar  5 09:41 bcm2709-rpi-2-b.dtb
-rwxr-xr-x 1 root root   12575 Mar  5 09:41 bcm2710-rpi-3-b.dtb
-rwxr-xr-x 1 root root   17920 Mar  5 09:41 bootcode.bin
-rwxr-xr-x 1 root root     120 Sep  8  2014 cmdline.txt
-rwxr-xr-x 1 root root    1323 May 15  2015 config.txt
-rwxr-xr-x 1 root root   18693 Mar  5 09:41 COPYING.linux
-rwxr-xr-x 1 root root    2505 Mar  5 09:41 fixup_cd.dat
-rwxr-xr-x 1 root root    6481 Mar  5 09:41 fixup.dat
-rwxr-xr-x 1 root root    9722 Mar  5 09:42 fixup_db.dat
-rwxr-xr-x 1 root root    9724 Mar  5 09:42 fixup_x.dat
-rwxr-xr-x 1 root root     137 Sep  9  2014 issue.txt
-rwxr-xr-x 1 root root 4046732 Mar  5 09:42 kernel7.img
-rwxr-xr-x 1 root root 3963140 Mar  5 09:42 kernel.img
-rwxr-xr-x 1 root root    1494 Mar  5 09:41 LICENCE.broadcom
-rwxr-xr-x 1 root root   18974 Sep 25  2013 LICENSE.oracle
drwxr-xr-x 2 root root    8192 Mar  5 09:43 overlays
-rwxr-xr-x 1 root root  612472 Mar  5 09:42 start_cd.elf
-rwxr-xr-x 1 root root 4888200 Mar  5 09:42 start_db.elf
-rwxr-xr-x 1 root root 2739672 Mar  5 09:42 start.elf
-rwxr-xr-x 1 root root 3840328 Mar  5 09:42 start_x.elf
-- 
  T o m    M i t c h e l l
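A block-level check of the kind Matt describes above, as an added example that is not code from the thread: the card image is hashed from offset 0 up to the reserved 20k trailer, and the tag is written into that trailer, so the trailer itself is never part of what is covered. An HMAC-SHA256 stands in for the public-key signature so the block runs with the standard library alone; the key, image contents and sizes are constructed for the demo.

```python
# Added example, not from the thread. Block-level integrity tag over an SD
# card image with a reserved trailer at the end, as suggested in the reply.
# HMAC-SHA256 is a stand-in for a detached public-key signature (which a
# verifier that should not hold a secret would need); the key is constructed.
import hashlib
import hmac
import io

TRAILER_SIZE = 20 * 1024  # the "20k at the end" left free when partitioning
CHUNK = 1 << 20           # hash a real /dev/mmcblk0 in 1 MiB pieces, not in RAM


def _digest(dev, key, payload_len):
    """HMAC over bytes [0, payload_len) of a seekable device/file object."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    dev.seek(0)
    remaining = payload_len
    while remaining:
        block = dev.read(min(CHUNK, remaining))
        if not block:
            raise IOError("device shorter than the expected size")
        mac.update(block)
        remaining -= len(block)
    return mac.digest()


def sign_image(dev, key, total_size):
    """Tag everything before the trailer and store the tag in the trailer."""
    payload_len = total_size - TRAILER_SIZE
    tag = _digest(dev, key, payload_len)
    dev.seek(payload_len)
    dev.write(tag.ljust(TRAILER_SIZE, b"\0"))  # rest of trailer stays zeroed
    return tag


def verify_image(dev, key, total_size):
    """True only if the stored trailer tag matches the payload before it."""
    payload_len = total_size - TRAILER_SIZE
    expected = _digest(dev, key, payload_len)
    dev.seek(payload_len)
    stored = dev.read(len(expected))
    return hmac.compare_digest(stored, expected)


def demo():
    # Constructed 1 MiB "card": a fake /boot region followed by filler bytes.
    size = 1 << 20
    image = io.BytesIO(b"BOOT" * 1024 + b"\x55" * (size - 4096))
    key = b"constructed-demo-key"
    sign_image(image, key, size)
    ok = verify_image(image, key, size)
    image.seek(100); image.write(b"X")   # flip one byte in the /boot region
    return ok, verify_image(image, key, size)  # (True, False)
```

On a real card the same functions take an opened `/dev/mmcblk0` and its size; the trailer must sit past the last partition so a filesystem write never overlaps it.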