jwainwright87
Posts: 56
Joined: Wed Jul 01, 2020 10:46 am
Location: Liverpool, UK

Securing Files on CM4 Module

Wed Aug 04, 2021 10:53 am

So I'm working on a carrier board that uses the CM4 module with on-board eMMC storage for a product that will be commercially available in the future. I am worried about protecting the files and source code I have written on the module.

From reading around on the internet it is possible to reset the password on the Pi and access the onboard files.

Is there any way I can protect files stored on the CM4 from being compromised?

Thanks in advance!

aBUGSworstnightmare
Posts: 3461
Joined: Tue Jun 30, 2015 1:35 pm

Re: Securing Files on CM4 Module

Wed Aug 04, 2021 11:32 am

... AFAIK, by not selling it to the public!

Sorry, but there are multiple threads on the forum asking such questions! So no, not possible (it's still a Linux OS).

jamesh
Raspberry Pi Engineer & Forum Moderator
Posts: 29330
Joined: Sat Jul 30, 2011 7:41 pm

Re: Securing Files on CM4 Module

Wed Aug 04, 2021 11:34 am

jwainwright87 wrote:
Wed Aug 04, 2021 10:53 am
So I'm working on a carrier board that uses the CM4 module with on-board eMMC storage for a product that will be commercially available in the future. I am worried about protecting the files and source code I have written on the module.

From reading around on the internet it is possible to reset the password on the Pi and access the onboard files.

Is there any way I can protect files stored on the CM4 from being compromised?

Thanks in advance!
If you are an industrial customer (e.g. manufacturing for others or using in an industrial setting), then if you contact info@raspberrypi.com we may be able to help with this.
Principal Software Engineer at Raspberry Pi (Trading) Ltd.
Working in the Applications Team.

cleverca22
Posts: 4360
Joined: Sat Aug 18, 2012 2:33 pm

Re: Securing Files on CM4 Module

Wed Aug 04, 2021 11:38 am

there are a few things i can think of that would secure things

1: encrypt the eMMC with LUKS, so if the user somehow gets msd4.elf running or just rips the chip off, they can't read it
2: there is a section of OTP reserved for end-user use, you can stuff the LUKS key in there, so only something executing on the SoC can know the key
3: there is some secureboot stuff RPF has been adding to the CM4 and hasn't explained publicly, that can ensure the un-encrypted /boot isn't modified, so you can be sure only authorized code can run enough to see the keys in #2
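
The LUKS-key-in-OTP idea from points 1 and 2 above, as an added example that is not part of the original post: a shell function that assembles a 256-bit key from the customer OTP rows and refuses an unprogrammed (all-zero) value. It assumes `vcgencmd otp_dump` prints `row:hexword` lines with rows 36 to 43 as the customer rows; the function name, the sample dump and the partition name in the comment are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Assumptions: `vcgencmd otp_dump`
# prints "row:hexword" lines and rows 36-43 are the customer OTP rows.
# The dump below is constructed sample data, not read from a real board.
SAMPLE_OTP_DUMP='35:00000000
36:1a2b3c4d
37:5e6f7081
38:92a3b4c5
39:d6e7f809
40:0a1b2c3d
41:4e5f6071
42:8293a4b5
43:c6d7e8f9
44:00000000'

# Read an otp_dump listing on stdin and print the 64-hex-digit key.
# Returns 1 if a customer row is missing or malformed,
# and 2 if all eight rows are zero (OTP never provisioned).
otp_to_luks_key() {
    key=$(awk -F: '
        $1 ~ /^[0-9]+$/ && $1 >= 36 && $1 <= 43 &&
        length($2) == 8 && $2 !~ /[^0-9a-fA-F]/ { row[$1 + 0] = tolower($2) }
        END {
            for (r = 36; r <= 43; r++) {
                if (!(r in row)) exit 1
                printf "%s", row[r]
            }
        }') || return 1
    [ "${#key}" -eq 64 ] || return 1
    case "$key" in
        *[!0]*) printf '%s\n' "$key" ;;
        *) return 2 ;;   # an all-zero key would protect nothing
    esac
}

# On a device the key would be fed to cryptsetup without touching disk,
# e.g. (partition and mapping names are assumptions):
#   vcgencmd otp_dump | otp_to_luks_key | xxd -r -p |
#       cryptsetup open --key-file=- /dev/mmcblk0p3 data

# Stand-alone check against the constructed sample.
printf '%s\n' "$SAMPLE_OTP_DUMP" | otp_to_luks_key >/dev/null &&
    echo "sample dump yields a 256-bit key"
```

Anything able to run `vcgencmd` on the SoC can read the same rows, which is why point 3 (making sure the unencrypted /boot is not modified) matters for this scheme.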

jwainwright87
Posts: 56
Joined: Wed Jul 01, 2020 10:46 am
Location: Liverpool, UK

Re: Securing Files on CM4 Module

Wed Aug 04, 2021 3:09 pm

jamesh wrote:
Wed Aug 04, 2021 11:34 am
jwainwright87 wrote:
Wed Aug 04, 2021 10:53 am
So I'm working on a carrier board that uses the CM4 module with on-board eMMC storage for a product that will be commercially available in the future. I am worried about protecting the files and source code I have written on the module.

From reading around on the internet it is possible to reset the password on the Pi and access the onboard files.

Is there any way I can protect files stored on the CM4 from being compromised?

Thanks in advance!
If you are an industrial customer (e.g. manufacturing for others or using in an industrial setting), then if you contact info@raspberrypi.com we may be able to help with this.
Thanks James, I shall drop an email to that address.

piwi
Posts: 50
Joined: Fri Nov 27, 2020 11:44 am

Re: Securing Files on CM4 Module

Wed Sep 01, 2021 6:00 am

jwainwright87 wrote:
Wed Aug 04, 2021 3:09 pm
jamesh wrote:
Wed Aug 04, 2021 11:34 am
jwainwright87 wrote:
Wed Aug 04, 2021 10:53 am
So I'm working on a carrier board that uses the CM4 module with on-board eMMC storage for a product that will be commercially available in the future. I am worried about protecting the files and source code I have written on the module.

From reading around on the internet it is possible to reset the password on the Pi and access the onboard files.

Is there any way I can protect files stored on the CM4 from being compromised?

Thanks in advance!
If you are an industrial customer (e.g. manufacturing for others or using in an industrial setting), then if you contact info@raspberrypi.com we may be able to help with this.
Thanks James, I shall drop an email to that address.
Hi folks,
I have been working for a few months on creating an industrial CM4 carrier board with an external secure MCU to address the features you mentioned, plus enhanced features such as:
• secure boot + update of secure MCU
• secure key storage to protect your IP
• complete device automatic enrollment and self-provisioning with UID and protected Root of Trust,
• Realtime clock with Battery backup,
• Power Management of Raspi Compute Module 4,
• GPIO (2 digital outputs, 4 digital inputs),
• Tamper Pins
• on-the-fly encryption/decryption of payload stored on SDCard/eMMC,
• key wrapping….

Actually this complete project (HW/SW/FW/Manufacturing) is for a commercial product (Secure IIoT Gateway); however, as all this is my IP, I also plan to make a basic portion open source. Gateway prototypes are running and the next batch of 15 fully assembled boards arrives e/o 2021.
Full ramp-up starts summer 2022.

On my roadmap I also have these two topics to implement: CM4 native secure boot and support for LUKS with the secure MCU, but I have had no time yet.
I am also planning to add some kind of high-level CM4 Linux service so that other services and applications can make use of these security features. However, I proceed step by step as the entire development runs in my spare time.
@jwainwright87, @jamesh: would be worth getting in touch to see how we can make use of what I created - drop me a private message with email details if you want and let's get in touch :-)

aBUGSworstnightmare
Posts: 3461
Joined: Tue Jun 30, 2015 1:35 pm

Re: Securing Files on CM4 Module

Wed Sep 01, 2021 6:31 am

@Piwi: There is no PM feature on this forum!

piwi
Posts: 50
Joined: Fri Nov 27, 2020 11:44 am

Re: Securing Files on CM4 Module

Wed Sep 01, 2021 6:47 am

Good hint, thanks. How to exchange private email addresses? Via the forum?

jamesh
Raspberry Pi Engineer & Forum Moderator
Posts: 29330
Joined: Sat Jul 30, 2011 7:41 pm

Re: Securing Files on CM4 Module

Wed Sep 01, 2021 8:58 am

The standard CM4 signed boot security already provides some of those features, effectively key based secure boot up to kernel start, so, if I read it correctly, the first three on your list.
Principal Software Engineer at Raspberry Pi (Trading) Ltd.
Working in the Applications Team.

piwi
Posts: 50
Joined: Fri Nov 27, 2020 11:44 am

Re: Securing Files on CM4 Module

Wed Sep 01, 2021 9:22 am

jamesh wrote:
Wed Sep 01, 2021 8:58 am
The standard CM4 signed boot security already provides some of those features, effectively key based secure boot up to kernel start, so, if I read it correctly, the first three on your list.
Basically yes, but it depends which crypto algorithms are used to verify the first/second stage bootloader and kernel of the CM4.
Hash, symmetric/asymmetric? I am storing keys in a secure way on the MCU.
At the moment this feature for CM4 Secure Boot is not available but could be implemented in my secure MCU.


Typically I provision the Secure MCU bootloader with different keys which can then be used to verify various boot stages / payloads.
On physical tamper attack I can log events for audit, or invoke a remediation process like access save mode, deleting boot key, turn off CM4....

Lots of use-cases which can be implemented,
-Piwi

piwi
Posts: 50
Joined: Fri Nov 27, 2020 11:44 am

Re: Securing Files on CM4 Module

Wed Sep 01, 2021 9:27 am

Basically I also use the internal secure RTC and other features of the secure MCU to decrease system cost when used in commercial designs.
So then you can save the external RTC and physical tamper logic, and self-provisioning allows you to save the cost of external device provisioning in external programming centers...

cleverca22
Posts: 4360
Joined: Sat Aug 18, 2012 2:33 pm

Re: Securing Files on CM4 Module

Wed Sep 01, 2021 9:41 am

piwi wrote:
Wed Sep 01, 2021 9:22 am
jamesh wrote:
Wed Sep 01, 2021 8:58 am
The standard CM4 signed boot security already provides some of those features, effectively key based secure boot up to kernel start, so, if I read it correctly, the first three on your list.
Basically yes, but it depends which crypto algorithms are used to verify the first/second stage bootloader and kernel of the CM4.
Hash, symmetric/asymmetric? I am storing keys in a secure way on the MCU.
At the moment this feature for CM4 Secure Boot is not available but could be implemented in my secure MCU.
for the BCM2711B0, the 1st-stage was secured with a symmetric algo, hmac-sha1

the BCM2711B1 added proper RSA support, and the CM4 uses BCM2711C0 which should still have RSA

i've not heard of the RSA being enabled, but RPF hasn't been very public about how the CM4 security works
they seem to prefer broadcom's style of security by obscurity, leaving hmac-sha1 as the only option for years, until somebody notices

piwi
Posts: 50
Joined: Fri Nov 27, 2020 11:44 am

Re: Securing Files on CM4 Module

Wed Sep 01, 2021 10:16 am

for the BCM2711B0, the 1st-stage was secured with a symmetric algo, hmac-sha1
I just need to have a description of how the CM4 boot process works, how to put the CM4 in some kind of secure mode, which boot files have to be verified, and based on which data the HMAC-SHA1 digest is generated. Then I can provision a secret key into the secure area of my microcontroller.
Furthermore I need to know where in the Linux boot process I can implement software hooks so that the HMAC-SHA1 digest is checked during boot time against the one provisioned into my secure microcontroller. For that I need UART communication between the CM4 and my secure microcontroller.
Maybe someone can point me in the right direction.
If that is finished we can add hardware-based crypto for LUKS to encrypt the file system with protected keys in the secure area of my microcontroller :-)

the BCM2711B1 added proper RSA support, and the CM4 uses BCM2711C0 which should still have RSA
can be implemented afterwards as soon as any description is public.

jamesh
Raspberry Pi Engineer & Forum Moderator
Posts: 29330
Joined: Sat Jul 30, 2011 7:41 pm

Re: Securing Files on CM4 Module

Wed Sep 01, 2021 1:50 pm

You will need to sign an NDA to get details of the CM4/Pi4 secure boot process, which allows user signing of all bootloader and kernel images and ensures only those that are signed correctly will allow the boot to progress.
Principal Software Engineer at Raspberry Pi (Trading) Ltd.
Working in the Applications Team.

piwi
Posts: 50
Joined: Fri Nov 27, 2020 11:44 am

Re: Securing Files on CM4 Module

Wed Sep 01, 2021 2:02 pm

Jamesh, no problem. You should have my email (janusz.piwek@.....). I sent something to info@raspberrypi.org.
Please forward the NDA and I will sign.

cleverca22
Posts: 4360
Joined: Sat Aug 18, 2012 2:33 pm

Re: Securing Files on CM4 Module

Wed Sep 01, 2021 2:20 pm

jamesh wrote:
Wed Sep 01, 2021 1:50 pm
You will need to sign an NDA to get details of the CM4/Pi4 secure boot process
ah, first time i saw that part being clarified, guess i'll just stop asking, since it's clearly not going to be public

jamesh
Raspberry Pi Engineer & Forum Moderator
Posts: 29330
Joined: Sat Jul 30, 2011 7:41 pm

Re: Securing Files on CM4 Module

Wed Sep 01, 2021 2:27 pm

piwi wrote:
Wed Sep 01, 2021 2:02 pm
Jamesh, no problem. You should have my email (janusz.piwek@.....). I sent something to info@raspberrypi.org.
Please forward the NDA and I will sign.
Easier to go to our product information portal, and apply for an NDA there. https://pip.raspberrypi.org/
Principal Software Engineer at Raspberry Pi (Trading) Ltd.
Working in the Applications Team.

piwi
Posts: 50
Joined: Fri Nov 27, 2020 11:44 am

Re: Securing Files on CM4 Module

Wed Sep 01, 2021 3:51 pm

jamesh wrote:
Wed Sep 01, 2021 2:27 pm
Easier to go to our product information portal, and apply for an NDA there. https://pip.raspberrypi.org/
DONE thanks!

jamesh
Raspberry Pi Engineer & Forum Moderator
Posts: 29330
Joined: Sat Jul 30, 2011 7:41 pm

Re: Securing Files on CM4 Module

Wed Sep 01, 2021 10:46 pm

OK, I'll check the database and if you are there will forward the docs.
Principal Software Engineer at Raspberry Pi (Trading) Ltd.
Working in the Applications Team.

jamesh
Raspberry Pi Engineer & Forum Moderator
Posts: 29330
Joined: Sat Jul 30, 2011 7:41 pm

Re: Securing Files on CM4 Module

Fri Sep 03, 2021 9:00 am

I can see your request in the database but it has not yet been approved, once that is done will send the docs.
Principal Software Engineer at Raspberry Pi (Trading) Ltd.
Working in the Applications Team.
