Tuesday, April 2, 2019

yocto trust boot

https://elinux.org/images/e/e0/Josserand-schulz-secure-boot.pdf

https://www.linux.com/news/event/open-source-summit-na/2017/4/pros-and-cons-system-update-and-integrity-protection-schemes

EMMC: Replay Protected Memory Block (RPMB)
https://www.jedec.org/sites/default/files/Victo_Tsai(1).pdf

https://manpages.debian.org/unstable/mmc-utils/mmc.1.en.html
        mmc rpmb write-key <rpmb device> <key file>
                Program authentication key which is 32 bytes length and stored
                in the specified file. Also you can specify '-' instead of
                key file path to read the key from stdin.
                NOTE!  This is a one-time programmable (unreversible) change.
                Example:
                  $ echo -n AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHH | \
                    mmc rpmb write-key /dev/mmcblk0rpmb -
        mmc rpmb read-counter <rpmb device>
                Counter value for the <rpmb device> will be read to stdout.
        mmc rpmb read-block <rpmb device> <address> <blocks count> <output file> [key file]
                Blocks of 256 bytes will be read from <rpmb device> to output
                file or stdout if '-' is specified. If key is specified - read
                data will be verified. Instead of regular path you can specify
                '-' to read key from stdin.
                Example:
                  $ echo -n AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHH | \
                    mmc rpmb read-block /dev/mmcblk0rpmb 0x02 2 /tmp/block -
                or read two blocks without verification
                  $ mmc rpmb read-block /dev/mmcblk0rpmb 0x02 2 /tmp/block
        mmc rpmb write-block <rpmb device> <address> <256 byte data file> <key file>
                Block of 256 bytes will be written from data file to
                <rpmb device>. Also you can specify '-' instead of key
                file path or data file to read the data from stdin.
                Example:
                  $ (awk 'BEGIN {while (c++<256) printf "a"}' | \
                    echo -n AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHH) | \
                    mmc rpmb write-block /dev/mmcblk0rpmb 0x02 - -

IMA/EVM
https://elinux.org/images/2/2e/2017_ELC_Integrity_System_Update.pdf
EVM tied to per-machine key
Does not protect integrity of directory content and therefore susceptible to offline attacks
- Disable services by removing filles
- Replace trusted content with symlinks to untrusted content

DM-Verity
... add this

No comments:

Post a Comment