i486
Posts: 172
Joined: Sun Aug 28, 2016 3:41 pm
Location: BG

SD card password

Sun Aug 28, 2016 4:19 pm

Hello. I am not sure whether such feature exists or can be added. Maybe RPi has something like BIOS of PC-s where can be configured system options.

The question/suggestion is: SD cards can be locked with password. RPi can ask for password at boot time like PC BIOS password but this password is used later to get access to SD card. By this was the system is locked when turned off. Is this possible now or can it be added?

User avatar
CarlRJ
Posts: 599
Joined: Thu Feb 20, 2014 4:00 am
Location: San Diego, California

Re: SD card password

Sun Aug 28, 2016 8:50 pm

I am not aware of a direct way to do what you ask (a simple password blocking access to the card), but another approach is to encrypt a disk (called FDE or "Full Disk Encryption") or filesystem. I don't know if any work has been done on FDE for the Raspberry Pi, but in principal (if either the necessary software has already been ported or if you do it yourself), one could have an SD (MicroSD) card with three partitions, the usual boot and root partitions, and then a third partition that was encrypted (along with suitable scripts and config files added to, say, the systemd config system, such that it demanded a password and used that to decrypt, and then mount, the third partition). Then you could keep all the useful stuff (the interesting/specialized applications and private files) on the encrypted partition. If someone boots from the card without the password, at best they get a running OS but no access to the interesting bits, which are safely locked away behind the encryption.

If anyone does have FDE, or similar, running on the Pi, I'd love to hear about it.

i486
Posts: 172
Joined: Sun Aug 28, 2016 3:41 pm
Location: BG

Re: SD card password

Sun Aug 28, 2016 9:01 pm

FDE is another thing. SD card password is simple for use standard function and is used in many mobile phones and other devices. When the card is password protected, it can be unlocked for current session (until power off).

User avatar
davidcoton
Posts: 4538
Joined: Mon Sep 01, 2014 2:37 pm
Location: Cambridge, UK

Re: SD card password

Sun Aug 28, 2016 9:18 pm

AIUI, the Pi runs a minimal ROM-based bootstrap on its GPU, then transfers control to the CPUs running code from the SDCard. There is no way to update the boot ROM (except a new SOC). Therefore there is no possibility of password locking an SDCard on current hardware. The scheme suggested above (encrypting a partition on the SDCard) is the nearest thing possible on a Pi.
Signature retired

MarkR
Posts: 154
Joined: Fri Jan 25, 2013 1:55 pm

Re: SD card password

Sun Aug 28, 2016 9:20 pm

You would need to use full disc encryption to be resistant to a competent adversary, otherwise they can just take the sd card and mount the (unencrypted) filesystem from another machine, make necessary modifications to bypass the password, then use it normally.

Having said that, the boot code (needed to reach the password-prompt and mount the rest of the filesystem) would still need to be store unencrypted. The "evil maid" attack, where someone can temporarily gain physical access, make modifications, then return the device undetected, could swap the unencrypted portion with one which appears identical but stores a copy of the password or keys elsewhere (or sends it over wifi or something).

So probably, your best bet is full disc encryption, plus a very strong glue (or potting compound) which makes it physically impossible to remove the sd card and replace it undetected. That would certainly discourage most attackers.

i486
Posts: 172
Joined: Sun Aug 28, 2016 3:41 pm
Location: BG

Re: SD card password

Sun Aug 28, 2016 9:42 pm

davidcoton wrote:AIUI, the Pi runs a minimal ROM-based bootstrap on its GPU, then transfers control to the CPUs running code from the SDCard. There is no way to update the boot ROM (except a new SOC). Therefore there is no possibility of password locking an SDCard on current hardware.
Then I have to wait for Pi-4 :) Is there section for suggestions which is read by RPi developers?

About FDE - I know it and use TrueCrypt on some workplaces. But the idea with SD password is not for maximum level of security. I am not sure whether the flash chips in SD card are encrypted or can be read if removed. But SD password is good level of protection, simple for implementation and with 0 overload of CPU. For example, you can create a locked SD card with Raspbian, GPG and secret keys - something like "GPG secure room".

User avatar
davidcoton
Posts: 4538
Joined: Mon Sep 01, 2014 2:37 pm
Location: Cambridge, UK

Re: SD card password

Sun Aug 28, 2016 10:01 pm

i486 wrote:Is there section for suggestions which is read by RPi developers?
I guess some of them will already have read this thread. Most of the "suggestions" threads here rapidly deteriorate into Pink Unicorn requests. There are several problems:

1) Pi 4 spec is probably written and being developed -- it is probably already too late to add features.
2) How many Pi users actually need or even want SDCard password protection? Does that justify the development cost?
3) The RPF is a not-for-profit organisation with educational aims. Does SDCard encryption further their aims?

I would not like to second guess whether SDCard encryption or Pink Unicorns are more likely on the Pi4.
Signature retired

i486
Posts: 172
Joined: Sun Aug 28, 2016 3:41 pm
Location: BG

Re: SD card password

Sun Aug 28, 2016 10:15 pm

davidcoton wrote:2) How many Pi users actually need or even want SDCard password protection? Does that justify the development cost?
Implementation is very simple - don't think that development cost is something significant (for that feature). As I mentioned above, old Nokia (non-smart phones) support SD password lock. On the other hand, many people could start using the feature if they know that it exists.

User avatar
DougieLawson
Posts: 37109
Joined: Sun Jun 16, 2013 11:19 pm
Location: Basingstoke, UK
Contact: Website Twitter

Re: SD card password

Sun Aug 28, 2016 10:24 pm

You're requesting a feature that isn't needed by 99.999% of users. If you want to protect your RPi lock it in a tamperproof cage. Personally, I like the ability to reboot from anywhere in the World and not have to be standing next to my RPi to enter some pointless security password.
Note: Having anything humorous in your signature is completely banned on this forum. Wear a tin-foil hat and you'll get a ban.

Any DMs sent on Twitter will be answered next month.

This is a doctor free zone.

User avatar
davidcoton
Posts: 4538
Joined: Mon Sep 01, 2014 2:37 pm
Location: Cambridge, UK

Re: SD card password

Sun Aug 28, 2016 11:34 pm

i486 wrote:Implementation is very simple
Unless I've missed something, implementation is NOT simple when the code has to be included in ROM on the SOC.
Signature retired

i486
Posts: 172
Joined: Sun Aug 28, 2016 3:41 pm
Location: BG

Re: SD card password

Mon Aug 29, 2016 7:41 am

davidcoton wrote:Unless I've missed something, implementation is NOT simple when the code has to be included in ROM on the SOC.
It is impossible to add this in Pi1-3 but in future Pi4 what is the problem with the ROM - insufficient space?

User avatar
johnb_summers
Posts: 285
Joined: Thu Aug 04, 2016 7:48 pm
Location: Bushey UK

Re: SD card password

Mon Aug 29, 2016 7:51 am

Ill ask the question, why do you want to lock the card? use a cheap 8gb card and it will lock itself after a few read/writes, the SD card is unreliable, locking it will just leave you one day thinking someone has changed your password when it does lock itself, maybe it would be best to put your data on a USB stick then when the Pi is off you can keep the USB stick in your pocket.
MyPi Developer
http://mypiworld.com/
http://mypi.tech/

https://www.youtube.com/watch?v=US2nyRgg-SY&nohtml5=False

User avatar
davidcoton
Posts: 4538
Joined: Mon Sep 01, 2014 2:37 pm
Location: Cambridge, UK

Re: SD card password

Mon Aug 29, 2016 9:25 am

i486 wrote:
davidcoton wrote:Unless I've missed something, implementation is NOT simple when the code has to be included in ROM on the SOC.
It is impossible to add this in Pi1-3 but in future Pi4 what is the problem with the ROM - insufficient space?
The problem is that the debug cycle is much longer and harder than just writing code to a disk. Great if you get it right first time, painful if something needs changing.
Signature retired

User avatar
DougieLawson
Posts: 37109
Joined: Sun Jun 16, 2013 11:19 pm
Location: Basingstoke, UK
Contact: Website Twitter

Re: SD card password

Mon Aug 29, 2016 9:56 am

davidcoton wrote: The problem is that the debug cycle is much longer and harder than just writing code to a disk. Great if you get it right first time, painful if something needs changing.
We can tell that from the amount of time between the early designs of the RPi3 and the release of their beta that allows booting from USB mass storage devices (MSDs). That bootcode is still not 100% right.

There's also nowhere to store a private key, there's no user writable NVRAM storage (unlike on a BIOS or UEFI system).
Note: Having anything humorous in your signature is completely banned on this forum. Wear a tin-foil hat and you'll get a ban.

Any DMs sent on Twitter will be answered next month.

This is a doctor free zone.

User avatar
CarlRJ
Posts: 599
Joined: Thu Feb 20, 2014 4:00 am
Location: San Diego, California

Re: SD card password

Mon Aug 29, 2016 6:49 pm

DougieLawson wrote:There's also nowhere to store a private key, there's no user writable NVRAM storage (unlike on a BIOS or UEFI system).
Yep, and if it was simply a "thou shall not pass" style BIOS-based boot password, without any filesystem encryption involved, there is nothing keeping the bad guy from simply taking the MicroSD card and putting it in any other computer to read the contents.

Searching google for "sd card password" shows a bunch of articles explaining how to get around a lost SD card password - this invariably involves finding a file on the card called "mmcstore" and reading the unprotected plaintext password out of it. Thus, this is merely nuisance level security - if the phone sees that file upon card insertion, it demands the user enter the matching password. This is worse than no security, as the best it can do is to mislead users into thinking the data "protected" by the password has some level of privacy attached when it actually has none. This is precisely the case when the OP mentions "old Nokia (non-smart phones) support SD password lock" - sure, they support the misleading appearance of security, which can be circumvented by anyone smart enough to stick the card into a computer and read a text file.

The only way you can make a normal SD card itself be actually protected by a password is to keep the data on the card encrypted, and how to do this on the current Pi hardware has already been explained above.

It is presumably within the realm of possibility, since SD cards are actually tiny computers these days, to have a card that kept its contents unencrypted, but refused to return any data, after power-on, until a prearranged password had been "written" to a specific "block" on the card (which would intercept the request and match the data against its internal password), but this would involve a very specially manufactured SD card with the password code added it the card's internals. Such a card could be used on a Pi with little modification to the Pi itself (to supply the initial password, close to the OP's original request), but it still would provide a false sense of security to anyone misled into storing secrets on it, as any serious bad guys - government or otherwise - who wanted access would simply crack the card open and read its flash chips directly.

i486
Posts: 172
Joined: Sun Aug 28, 2016 3:41 pm
Location: BG

Re: SD card password

Mon Aug 29, 2016 7:58 pm

CarlRJ wrote:Searching google for "sd card password" shows a bunch of articles explaining how to get around a lost SD card password - this invariably involves finding a file on the card called "mmcstore" and reading the unprotected plaintext password out of it.
I see you don't have any idea for the SD card lock/unlock feature and have made quick google search. The results that you have found are for Android or smartphone extras or something of this kind. The card has MCU and when locked with password, the MCU will not give access to any data on card - you cannot see any files like "mmcstore" because you don't have access to the file system on card. Find "SD Card Physical Layer Simplified Specification" and read section 4.3.7, then try again to comment. Old copy of this spec can be found here (Go to page 34):

http://users.ece.utexas.edu/~valvano/EE ... r_Spec.pdf

NVRAM or other location to store password is not necessary. When RPi try to boot from SD card, it reads card status and sees that the card is locked. Question is shown on screen like "SD card is locked, enter password:". The user enters password which is used as parameter for CMD42 (from the above spec). If the password is correct (compared to password stored in MCU inside the card), the MCU in card unlocks it temporarily until power off and the boot process continues. Without password, the entire user area on the card cannot be read. The password cannot be recovered - the only solution is to reset the password and clear all data on card.

PS: SD card means "Secure digital" and here the word "secure" is not used because it is modern. You can read at least this short explanation to know the basic features: https://en.wikipedia.org/wiki/Secure_Digital

User avatar
rpdom
Posts: 16112
Joined: Sun May 06, 2012 5:17 am
Location: Chelmsford, Essex, UK

Re: SD card password

Mon Aug 29, 2016 8:07 pm

i486 wrote:When RPi try to boot from SD card, it reads card status and sees that the card is locked. Question is shown on screen like "SD card is locked, enter password:".
Problem here is that until Pi has loaded code from the card it does not even understand the concept of "screen", or "keyboard" or anything. So no possibility of displaying a question or reading an answer.

User avatar
DavidS
Posts: 4334
Joined: Thu Dec 15, 2011 6:39 am
Location: USA
Contact: Website

Re: SD card password

Mon Aug 29, 2016 8:21 pm

If your data is that sensitive keep the sensitive stuff on a USB Thumb Flash drive. Then remove the Flash drive when ever you walk away from the RPi, keeping the sensitive information in your pocket, or in a cavity under the insole of your shoe, or some such.

Not that hard. Keeping someone from accessing it from a network connection, when it is in the RPi, becomes the more difficult part (and encrypting or locking the card from booting will not prevent this when the filesystem is mounted and accessable), though with RISC OS, or Raspbian it is easy enough to configure things to prevent any form of remote access.
Last edited by DavidS on Mon Aug 29, 2016 8:23 pm, edited 1 time in total.
RPi = The best ARM based RISC OS computer around
More than 95% of posts made from RISC OS on RPi 1B/1B+ computers. Most of the rest from RISC OS on RPi 2B/3B/3B+ computers

i486
Posts: 172
Joined: Sun Aug 28, 2016 3:41 pm
Location: BG

Re: SD card password

Mon Aug 29, 2016 8:22 pm

rpdom wrote:Problem here is that until Pi has loaded code from the card it does not even understand the concept of "screen", or "keyboard" or anything. So no possibility of displaying a question or reading an answer.
This is a real problem and probably the reason for the missing feature.

User avatar
rpdom
Posts: 16112
Joined: Sun May 06, 2012 5:17 am
Location: Chelmsford, Essex, UK

Re: SD card password

Mon Aug 29, 2016 8:25 pm

i486 wrote:
rpdom wrote:Problem here is that until Pi has loaded code from the card it does not even understand the concept of "screen", or "keyboard" or anything. So no possibility of displaying a question or reading an answer.
This is a real problem and probably the reason for the missing feature.
I don't see it as a "feature" that would be needed for 99.999999% of people.

MarkR
Posts: 154
Joined: Fri Jan 25, 2013 1:55 pm

Re: SD card password

Mon Aug 29, 2016 9:36 pm

I am sure that it is do-able:

* Have the Raspbian root filesystem encrypted with a key derived from a password the user enters.
* The Pi firmware, kernel and initramfs image will need to be stored unencrypted.
* In the initial ramfs, something will prompt the user for passwords and/or keys.
* Those keys are used to decrypt the rootfs at runtime.
* Keys are stored only in ram and lost on poweroff, so the password needs to be entered again
* If swap is desired, it should also be stored encrypted

This is not a major change to the boot process. Other Debian distributions already support encrypted root fs, I'm sure.

It won't protect against "evil maid". But few things do.

A slightly more advanced implementation, will use a (arm-based) bootloader to decrypt the Linux kernel and initramfs too. But that doesn't really improve much (the firmware and bootloader still need to be unencrypted)

User avatar
DougieLawson
Posts: 37109
Joined: Sun Jun 16, 2013 11:19 pm
Location: Basingstoke, UK
Contact: Website Twitter

Re: SD card password

Tue Aug 30, 2016 6:47 am

What protects your initial RAM fs? I can pull the card and take as long as I want to crack lots of copies of it.

You have to lock the RPi in a cage so I can't steal the physical file system. You have to keep it off the 'net or I can attack the decrypted filesystem when it runs.

Real security needs private keys stored in tamper resistant modules. Not stuff stored on an inherently insecure SDCard in an inherently insecure RPi.
Note: Having anything humorous in your signature is completely banned on this forum. Wear a tin-foil hat and you'll get a ban.

Any DMs sent on Twitter will be answered next month.

This is a doctor free zone.

i486
Posts: 172
Joined: Sun Aug 28, 2016 3:41 pm
Location: BG

Re: SD card password

Tue Aug 30, 2016 7:04 am

rpdom wrote:I don't see it as a "feature" that would be needed for 99.999999% of people.
This is your opinion. You cannot know what think and need 99.999999% of RPi users. For some reason 100% of SD cards support password lock.

However it seems impossible for implementation unless Pi4+ has integrated BIOS and don't need to read it from boot device.

User avatar
DougieLawson
Posts: 37109
Joined: Sun Jun 16, 2013 11:19 pm
Location: Basingstoke, UK
Contact: Website Twitter

Re: SD card password

Tue Aug 30, 2016 7:20 am

Those of us on here for a long time have a very good view of what's needed, what's desired and what forms a pink pony and a unicorn desire for a feature on the next RPi.

Your suggestion is clearly not needed by any RPi users other than you. Welcome to the one in ten million club, enjoy your membership while it lasts.
Note: Having anything humorous in your signature is completely banned on this forum. Wear a tin-foil hat and you'll get a ban.

Any DMs sent on Twitter will be answered next month.

This is a doctor free zone.

User avatar
johnb_summers
Posts: 285
Joined: Thu Aug 04, 2016 7:48 pm
Location: Bushey UK

Re: SD card password

Tue Aug 30, 2016 7:32 am

DougieLawson wrote:Those of us on here for a long time have a very good view of what's needed, what's desired and what forms a pink pony and a unicorn desire for a feature on the next RPi.

Your suggestion is clearly not needed by any RPi users other than you. Welcome to the one in ten million club, enjoy your membership while it lasts.
LOL, very good, not a great day is it, I told him that the card will lock itself if he uses a cheap card, I think he sees the card like a phone card and needing a password to protect it, I don't know I have never had one with a card, I cant stand them, I have watched phones turn all my kids into zombies, but I like the pink pony and a unicorn, my granddaughter would love that.
MyPi Developer
http://mypiworld.com/
http://mypi.tech/

https://www.youtube.com/watch?v=US2nyRgg-SY&nohtml5=False

Return to “General discussion”