RoninDusette
Posts: 10
Joined: Tue Mar 10, 2020 1:04 am

Destroy pi sd card... On purpose if removed

Sat Mar 21, 2020 10:41 am

Hello. I'm working on a project and I need to send some PoC devices out. But I don't want cats digging into the SD card. It's a stand-alone solution that they will communicate with via a client; think of it as a Pi web server that only the client I built can access. Now, I know they can obviously take out the SD card, but is there a way of encrypting the data on there so it can only be read and booted from via that particular Pi? Essentially that card is only good in that Pi for this use case, and only accessible by the user (with great restraint), and myself (a 'god view' which would only be the main cloud platform it's connecting to). I've worked with encrypted drives and Linux a bit, but the one thing they all have in common is that they require a password to decrypt upon boot, which basically throws any of my IP protection out the window. Lol.

I'm not even at that point but in the next couple of months I have a few people I want to play around with it to get some feedback, and though I trust them, a couple are intrepid.... Almost to a fault. If it wasn't for the length I've known them and their prowess, they wouldn't even see it until I could secure it properly.

Any suggestions?

bjtheone
Posts: 525
Joined: Mon May 20, 2019 11:28 pm
Location: The Frozen North (AKA Canada)

Re: Destroy pi sd card... On purpose if removed

Sat Mar 21, 2020 6:33 pm

Don't give it to said "cats".

Unless you epoxy it in, the SD card is removable. It is not a fabulous platform to protect if folks have physical access. You could supply it in a protected enclosure.

DougieLawson
Posts: 38456
Joined: Sun Jun 16, 2013 11:19 pm
Location: A small cave in deepest darkest Basingstoke, UK

Re: Destroy pi sd card... On purpose if removed

Sat Mar 21, 2020 6:39 pm

What you're asking for is NOT POSSIBLE.
Note: Any requirement to use a crystal ball or mind reading will result in me ignoring your question.

I'll do your homework for you for a suitable fee.

Any DMs sent on Twitter will be answered next month.
All non-medical doctors are on my foes list.

fruitoftheloom
Posts: 22576
Joined: Tue Mar 25, 2014 12:40 pm
Location: Delightful Dorset

Re: Destroy pi sd card... On purpose if removed

Sat Mar 21, 2020 6:51 pm


Have you considered the Compute Module which has eMMC storage ??
Rather than negativity think outside the box !

Asus ChromeBox 3 Celeron is my other computer.

RoninDusette
Posts: 10
Joined: Tue Mar 10, 2020 1:04 am

Re: Destroy pi sd card... On purpose if removed

Sat Mar 21, 2020 7:05 pm

DougieLawson wrote:
Sat Mar 21, 2020 6:39 pm
What you're asking for is NOT POSSIBLE.
Wrong. Nothing is impossible. Pfff. naysayer.

RoninDusette
Posts: 10
Joined: Tue Mar 10, 2020 1:04 am

Re: Destroy pi sd card... On purpose if removed

Sat Mar 21, 2020 7:07 pm

fruitoftheloom wrote:
Sat Mar 21, 2020 6:51 pm

Have you considered the Compute Module which has eMMC storage ??
I actually haven't. I will take a look. Essentially I am looking for things that I may not have thought of. I work in security and engineering for a living, and I am looking for ways that even I wouldn't have thought of to protect my IP as best as possible. Really, if someone is driven and diligent, it will get cracked no matter what. I am just looking to make it a huge pain in the arse. Lol. One thing I know I am going to do is make the device non-serviceable. Essentially setting it up to straight up physically break if opened. Still want to take care of the tech side of it too, though.

trejan
Posts: 1563
Joined: Tue Jul 02, 2019 2:28 pm

Re: Destroy pi sd card... On purpose if removed

Sat Mar 21, 2020 7:21 pm

fruitoftheloom wrote:
Sat Mar 21, 2020 6:51 pm
Have you considered the Compute Module which has eMMC storage ??
That won't protect it. You can force the CM to use the USB device boot mode. Using rpiboot would then present the onboard eMMC as a small removable drive.

trejan
Posts: 1563
Joined: Tue Jul 02, 2019 2:28 pm

Re: Destroy pi sd card... On purpose if removed

Sat Mar 21, 2020 7:35 pm

As you already know, if somebody is very determined then they'll get into it. The Pi boards don't have any anti-tamper protection so you're limited in what you can do.

Pot the card + socket + surrounding area in epoxy. Make it very unlikely for the card to be removed without damaging the card and the Pi. You can put your decryption key into the customer OTP registers in the SoC. They would need to extract the card and also still have a working Pi to be able to dump the OTP registers to recover the key.

Greg Erskine
Posts: 136
Joined: Sat Sep 15, 2012 4:20 am

Re: Destroy pi sd card... On purpose if removed

Sat Mar 21, 2020 8:55 pm

First rule of security: Do not discuss your security strategy on a public forum. :lol:
* Raspberry Pi is a trademark of the Raspberry Pi Foundation

deepo
Posts: 541
Joined: Sun Dec 30, 2018 8:36 pm
Location: Denmark

Re: Destroy pi sd card... On purpose if removed

Sat Mar 21, 2020 9:01 pm

Greg Erskine wrote:
Sat Mar 21, 2020 8:55 pm
First rule of security: Do not discuss your security strategy on a public forum. :lol:
You are correct, but the knowledge required to secure something like this has to come from somewhere.

OP: If you ship an executable then maybe you could read a serial number or similar from somewhere and only allow your executable to run if it can read a known serial number.

/Mogens

DougieLawson
Posts: 38456
Joined: Sun Jun 16, 2013 11:19 pm
Location: A small cave in deepest darkest Basingstoke, UK

Re: Destroy pi sd card... On purpose if removed

Sat Mar 21, 2020 9:05 pm

RoninDusette wrote:
Sat Mar 21, 2020 7:05 pm
DougieLawson wrote:
Sat Mar 21, 2020 6:39 pm
What you're asking for is NOT POSSIBLE.
Wrong. Nothing is impossible. Pfff. naysayer.
This question has been asked a hundred times on here. Every single response is "No, not possible".

If you unscrew the case of your laptop or desktop I can steal your hard disk; what you're asking is the same thing. You may be able to stop me with disk encryption on your laptop. Laptops and desktops usually have better security as it's possible to store a disk encryption key in the BIOS (and protect the BIOS with a password). Raspberries don't have any user-accessible non-volatile storage.

dickon
Posts: 1168
Joined: Sun Dec 09, 2012 3:54 pm
Location: Home, just outside Reading

Re: Destroy pi sd card... On purpose if removed

Sat Mar 21, 2020 9:46 pm

Not exactly foolproof, particularly if users have access to the Pi's command line or the like, but you could encrypt the filesystem via one of the usual methods and use the serial number as (part of) the key. It won't be all that secure, but might suffice for your needs, depending on how technical your moggies are.

ejolson
Posts: 4861
Joined: Tue Mar 18, 2014 11:47 am

Re: Destroy pi sd card... On purpose if removed

Sat Mar 21, 2020 9:57 pm

Greg Erskine wrote:
Sat Mar 21, 2020 8:55 pm
First rule of security: Do not discuss your security strategy on a public forum. :lol:
If the security is so weak that explaining the idea behind it in a public forum could make a difference, that is all the more reason to discuss it so the bad idea can be thrown out.

From the other side of the security aisle, there are many cats who refuse to run a program for which they don't have both the source code and a verifiable binary.

From this point of view the only form of protection for what is euphemistically called intellectual property would be the court, existing copyright and patent laws and a good attorney. If you wish to proceed along these lines, I would suggest having the test cats sign a non-disclosure agreement before testing.

Ernst
Posts: 1325
Joined: Sat Feb 04, 2017 9:39 am
Location: Germany

Re: Destroy pi sd card... On purpose if removed

Sat Mar 21, 2020 10:08 pm

ejolson wrote:
Sat Mar 21, 2020 9:57 pm
From this point of view the only form of protection for what is euphemistically called intellectual property would be the court, existing copyright and patent laws and a good attorney.
In this particular case I would add a proper, legal, NDA (Nondisclosure Agreement).
The road to insanity is paved with static ip addresses

ejolson
Posts: 4861
Joined: Tue Mar 18, 2014 11:47 am

Re: Destroy pi sd card... On purpose if removed

Sat Mar 21, 2020 10:11 pm

Ernst wrote:
Sat Mar 21, 2020 10:08 pm
ejolson wrote:
Sat Mar 21, 2020 9:57 pm
From this point of view the only form of protection for what is euphemistically called intellectual property would be the court, existing copyright and patent laws and a good attorney.
In this particular case I would add a proper, legal, NDA (Nondisclosure Agreement).
Looks like we cross posted. I added the same idea to my post just as you did!

W. H. Heydt
Posts: 11982
Joined: Fri Mar 09, 2012 7:36 pm
Location: Vallejo, CA (US)

Re: Destroy pi sd card... On purpose if removed

Sun Mar 22, 2020 1:47 am

Ernst wrote:
Sat Mar 21, 2020 10:08 pm
ejolson wrote:
Sat Mar 21, 2020 9:57 pm
From this point of view the only form of protection for what is euphemistically called intellectual property would be the court, existing copyright and patent laws and a good attorney.
In this particular case I would add a proper, legal, NDA (Nondisclosure Agreement).
Enforceability of NDAs also depends on how good your attorney is in writing it, plus what laws there are locally.

bjtheone
Posts: 525
Joined: Mon May 20, 2019 11:28 pm
Location: The Frozen North (AKA Canada)

Re: Destroy pi sd card... On purpose if removed

Mon Mar 23, 2020 1:18 pm

W. H. Heydt wrote:
Sun Mar 22, 2020 1:47 am
Ernst wrote:
Sat Mar 21, 2020 10:08 pm
ejolson wrote:
Sat Mar 21, 2020 9:57 pm
From this point of view the only form of protection for what is euphemistically called intellectual property would be the court, existing copyright and patent laws and a good attorney.
In this particular case I would add a proper, legal, NDA (Nondisclosure Agreement).
Enforceability of NDAs also depends on how good your attorney is in writing it, plus what laws there are locally.
Enforceability of contracts is pretty much dependent on how much money you are willing to spend to enforce them. Large corporations use this to their advantage all the time. You don't have to win, you just have to be willing/able to outspend the other party.

cleverca22
Posts: 391
Joined: Sat Aug 18, 2012 2:33 pm

Re: Destroy pi sd card... On purpose if removed

Mon Mar 23, 2020 1:38 pm

Something that would need some support from the RPi Foundation (the open firmware likely can't meet your needs yet).

For the RPi 1-3 line, it's capable of checking a signature on `bootcode.bin`, but that is disabled by default (I don't know if the key is burnt into OTP yet).

In theory, you could burn a custom signing key into the OTP, and then only a bootcode.bin you approve of can boot on the Pi, blocking the user from ever seeing the serial#.

But to maintain control, that bootcode.bin must only run a properly signed start.elf, so you would have to ask the Foundation to add this feature.

And then to keep control, start.elf must check signatures on the Linux kernel and related stuff, so somebody can't just modify the boot partition to gain root.

Then at some point, the signed code would begin decrypting based on serial#, and you can stop checking signatures (the disk crypto will enforce the rest).

In the end:
  • this relies on a custom signing key (may require ordering an un-burned RPi from the Foundation)
  • the Foundation adding support for bootcode.bin to check start.elf signatures
  • the Foundation adding start.elf support for checking signatures on other files in /boot/
That would be enough to ensure only authorized code can boot, which protects the serial# and other OTP fields (there are several that are free for user use), which are then used to decrypt the sensitive stuff.

PiGraham
Posts: 3876
Joined: Fri Jun 07, 2013 12:37 pm
Location: Waterlooville

Re: Destroy pi sd card... On purpose if removed

Mon Mar 23, 2020 2:02 pm

Fixing the SD card in with epoxy seems a reasonable strategy.

You could pair the SD card with a unique secure module. It doesn't stop someone stealing the SD card but you could make it so your code doesn't run without the secure module. That stops basic copying. Anyone could get a TPM module but it wouldn't match yours.
Use the encryption keys on the TPM to encrypt/decrypt your executable and/or data.

You can get a Trusted Platform Module (TPM) as a Pi HAT.
https://www.reichelt.com/gb/en/gb/de/ra ... 53834.html

I'm not sure how you would use that but this article may help
https://resources.infosecinstitute.com/ ... -tpm/#gref

trejan
Posts: 1563
Joined: Tue Jul 02, 2019 2:28 pm

Re: Destroy pi sd card... On purpose if removed

Mon Mar 23, 2020 2:31 pm

cleverca22 wrote:
Mon Mar 23, 2020 1:38 pm
in the end:
  • this relies on a custom signing key (may require ordering an un-burned rpi from the foundation)
  • the foundation adding support for bootcode.bin to check start.elf signatures
  • the foundation adding start.elf support for checking signatures on other files in /boot/
I asked about this before and was told it isn't available + not on the roadmap as a future feature. I assume if you pay a very large sum to the Element14 customisation service and order a huge number then they might be convinced otherwise though.

cleverca22
Posts: 391
Joined: Sat Aug 18, 2012 2:33 pm

Re: Destroy pi sd card... On purpose if removed

Mon Mar 23, 2020 3:49 pm

trejan wrote:
Mon Mar 23, 2020 2:31 pm
cleverca22 wrote:
Mon Mar 23, 2020 1:38 pm
in the end:
  • this relies on a custom signing key (may require ordering an un-burned rpi from the foundation)
  • the foundation adding support for bootcode.bin to check start.elf signatures
  • the foundation adding start.elf support for checking signatures on other files in /boot/
I asked about this before and was told it isn't available + not on the roadmap as a future feature. I assume if you pay a very large sum to the Element14 customisation service and order a huge number then they might be convinced otherwise though.
The open source firmware can get the 2nd and 3rd points for "free" (the only cost is developer time), but you lose all graphics output then (that's not currently supported on the open firmware).

For the 1st point, you would need to convince whoever is fabbing the RPi board not to program the signing key into the OTP memory, so you have the ability to put your own key onto it (and double-check whether it's blank or not first, before bothering them).

LTolledo
Posts: 3049
Joined: Sat Mar 17, 2018 7:29 am
Location: Anime Heartland

Re: Destroy pi sd card... On purpose if removed

Mon Mar 23, 2020 8:58 pm

One idea (not yet tried though):

Remove the microSD slot (the metal cover).
Attach the microSD to the RPi via cyanoacrylate adhesive or other super strong adhesives.

On forced removal, this will mutilate and physically destroy the microSD card...

Need to test this first before deploying....
"Don't come to me with 'issues' for I don't know how to deal with those
Come to me with 'problems' and I'll help you find solutions"

Some people be like:
"Help me! Am drowning! But dont you dare touch me nor come near me!"

PiGraham
Posts: 3876
Joined: Fri Jun 07, 2013 12:37 pm
Location: Waterlooville

Re: Destroy pi sd card... On purpose if removed

Mon Mar 23, 2020 8:59 pm

cleverca22 wrote:
Mon Mar 23, 2020 3:49 pm

for the 1st point, you would need to convince whoever is fabbing the RPi board not to program the signing key into the OTP memory, so you have the ability to put your own key onto it (and double-check whether it's blank or not first, before bothering them)
If this was available what stops someone else getting such a RPi and putting the same key into it?

W. H. Heydt
Posts: 11982
Joined: Fri Mar 09, 2012 7:36 pm
Location: Vallejo, CA (US)

Re: Destroy pi sd card... On purpose if removed

Tue Mar 24, 2020 1:39 am

LTolledo wrote:
Mon Mar 23, 2020 8:58 pm
One idea (not yet tried though):

Remove the microSD slot (the metal cover).
Attach the microSD to the RPi via cyanoacrylate adhesive or other super strong adhesives.

On forced removal, this will mutilate and physically destroy the microSD card...

Need to test this first before deploying....
This comes down to the usual problem. How much time (or effort) is someone willing to put into defeating the security? Even if there aren't solvents for cyanoacrylate adhesive, the board could be ground away, freeing the card. Remember the claim that the FBI paid an Israeli company $1 million to break the security of an iPhone 5.

What is really the best approach is try to make getting at the protected material more expensive than the value of said material. Even then, the enthusiast amateur may not see the cost/benefit analysis the same way you do.

cleverca22
Posts: 391
Joined: Sat Aug 18, 2012 2:33 pm

Re: Destroy pi sd card... On purpose if removed

Tue Mar 24, 2020 2:37 am

PiGraham wrote:
Mon Mar 23, 2020 8:59 pm
cleverca22 wrote:
Mon Mar 23, 2020 3:49 pm

for the 1st point, you would need to convince whoever is fabbing the RPi board not to program the signing key into the OTP memory, so you have the ability to put your own key onto it (and double-check whether it's blank or not first, before bothering them)
If this was available what stops someone else getting such a RPi and putting the same key into it?
If you put a custom signing key into the OTP, then only firmware you approve of (which you signed) can boot on the Pi.

If you restrict things properly (like a real secure boot setup), then no unauthorized code will ever run on that board, and you can be sure the other OTP values can never be read.

And there are already some spare OTP fields for the user to use, which could hold the encryption keys for the main rootfs.
