kristiandg
Posts: 3
Joined: Mon Apr 10, 2017 1:55 pm

Question about a Pi project...

Mon Apr 10, 2017 2:02 pm

Good morning all - just getting my feet wet on Pi. I've got a project I'm working on that uses the Raspberry-Asterisk builds, but there's a part I want to do that I'm not sure how...

After I refine my image, I certainly want to make it reproducible, which is easily done. But, I don't want anyone to just be able to duplicate it. My goal is to encrypt the drive with some sort of key that's in the bios on the Pi. My hope is, when the proper key is loaded in bios, it'll auto boot, but if someone images the drive and tries to run it on their Pi, it won't be able to boot. On an equal note, I want it to be somewhat interchangeable, so if we have to ship a replacement SD card to someone, it can just be swapped (so it's NOT keyed to the specific hardware).

Is there any way to achieve this?

mahjongg
Forum Moderator
Posts: 12585
Joined: Sun Mar 11, 2012 12:19 am
Location: South Holland, The Netherlands

Re: Question about a Pi project...

Mon Apr 10, 2017 2:07 pm

kristiandg wrote:
> Is there any way to achieve this?

No, there isn't.

You did not do your homework.
The Pi has no BIOS!

kristiandg
Posts: 3
Joined: Mon Apr 10, 2017 1:55 pm

Re: Question about a Pi project...

Mon Apr 10, 2017 3:18 pm

Well, I was using BIOS as a generalized term - but something to that effect is what I was trying to convey.

DougieLawson
Posts: 37074
Joined: Sun Jun 16, 2013 11:19 pm
Location: Basingstoke, UK

Re: Question about a Pi project...

Mon Apr 10, 2017 3:25 pm

Where do you propose to store the key? If I can access your RPi I can get your SDCard and run that on my RPi.

The question comes up so frequently I wonder why folks are failing to find it when they search Google. There's no way to secure a Raspberry without enclosing it in a strong cage and disconnecting it from any network.
Note: Having anything humorous in your signature is completely banned on this forum. Wear a tin-foil hat and you'll get a ban.

Any DMs sent on Twitter will be answered next month.

This is a doctor free zone.

kristiandg
Posts: 3
Joined: Mon Apr 10, 2017 1:55 pm

Re: Question about a Pi project...

Mon Apr 10, 2017 3:38 pm

DougieLawson wrote:
> Where do you propose to store the key? If I can access your RPi I can get your SDCard and run that on my RPi.

I was hoping there was some way to store a simple cypher or passcode in the hardware itself somewhere, that could be used to unlock the SD on bootup.

I'm not worried about network-attached, and if someone's able to log in from there, then so be it - I was just trying to minimize the possibility of easily duplicating by simply imaging the SD.

DougieLawson
Posts: 37074
Joined: Sun Jun 16, 2013 11:19 pm
Location: Basingstoke, UK

Re: Question about a Pi project...

Mon Apr 10, 2017 4:34 pm

You're out of luck, there's no NVRAM on a Raspberry. There are some one-time programmable (OTP) bits but they're not burnable from userspace or kernel programs.

unixcommando
Posts: 16
Joined: Sun Dec 04, 2016 6:08 pm

Re: Question about a Pi project...

Mon Apr 10, 2017 6:09 pm

Your best bet would be to write your own boot loader that can read a key from another USB device you provide, then ship both the SD card and the USB key together. Of course you'd have to make the key unreadable from another device so that could be a problem.

Then comes the other issue which is GNU Copyleft protection which requires your code to be open if it uses GPL software or libraries. The RPi like many other GPL devices is meant to be free and open, your encryption may run afoul of GPL.

Cheers
-Bob

YCN-
Posts: 246
Joined: Fri Jun 10, 2016 3:18 pm

Re: Question about a Pi project...

Tue Apr 11, 2017 7:50 am

Hi,

You can't (simply) encrypt the whole SD, but you definitely can encrypt part of the rootfs. And I think that can be sufficient for you, isn't it?
You can boot, and afterward have a script that will decrypt the part where your application will be stored.

It could do the following:
-> Ask for password
-> Decrypt
-> De-targz
-> compile, rm sources, keep executable (if needed)

And when shutting down (if needed):
-> Targz (if needed)
-> Encrypt (if needed)

It's a more user-like approach but it can do what you want I think. If it's about drivers and stuff it can also be done with the proper scripting (makefile, modprobe or insmod, mknod etc...).
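
The boot-time and shutdown steps listed in the post above, written out as an added example (not code from the thread or from any poster). The function names, the `APP_PASSPHRASE` variable and the paths are assumptions; it needs `tar` and the OpenSSL 1.1.1+ command line.

```shell
#!/bin/sh
# Added example: passphrase-protected application bundle.
# Function names, paths and the APP_PASSPHRASE variable are assumptions.
# Needs tar and OpenSSL 1.1.1+ (for -pbkdf2 / -iter).

KDF_OPTS="-aes-256-cbc -pbkdf2 -iter 200000"

# Ask for the passphrase without echoing it, unless already in the environment.
read_passphrase() {
    [ -n "${APP_PASSPHRASE:-}" ] && { export APP_PASSPHRASE; return 0; }
    printf 'Passphrase: ' >&2
    stty -echo; IFS= read -r APP_PASSPHRASE; stty echo
    printf '\n' >&2
    export APP_PASSPHRASE
}

# seal_app SRC_DIR ARCHIVE: tar+gzip SRC_DIR and encrypt it
# (the shutdown step, or the build step when preparing a card).
seal_app() {
    tar -C "$1" -czf - . |
        openssl enc $KDF_OPTS -pass env:APP_PASSPHRASE -out "$2"
}

# unseal_app ARCHIVE DEST: decrypt and unpack (the boot step).
# DEST should be on tmpfs so the plaintext never reaches the SD card.
# openssl enc has no integrity tag; a wrong passphrase is caught by the
# padding check or, failing that, by gzip rejecting the garbage.
unseal_app() {
    mkdir -p "$2" || return 1
    tmp=$(mktemp "$2/.unseal.XXXXXX") || return 1
    if openssl enc -d $KDF_OPTS -pass env:APP_PASSPHRASE \
            -in "$1" -out "$tmp" 2>/dev/null &&
       tar -C "$2" -xzf "$tmp" 2>/dev/null; then
        rm -f "$tmp"
        return 0
    fi
    rm -f "$tmp"
    return 1
}
```

Because the passphrase is typed at boot, this does not give unattended start-up; storing it on the card would put the key next to the data it protects.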

mahjongg
Forum Moderator
Posts: 12585
Joined: Sun Mar 11, 2012 12:19 am
Location: South Holland, The Netherlands

Re: Question about a Pi project...

Wed Apr 12, 2017 10:04 pm

Not a beginner's subject, moved to advanced users.

MarkDH102
Posts: 377
Joined: Fri Feb 13, 2015 3:18 pm

Re: Question about a Pi project...

Thu Apr 13, 2017 7:09 am

I guess that you could add a little 8 pin EEPROM / FRAM controlled over the SPI interface. Fill it full of random data and somewhere in the randomness, hide your encryption key?
Maybe it would be possible to store some application code in the EEPROM that you could load in at boot and run to decrypt.
