unixabg / cryptmypi

Project to assist users in building an encrypted raspberry pi
GNU General Public License v3.0

rpi4 secure boot + rootFS decryption via OTP registers possible? #54

Open chb88 opened 2 years ago

chb88 commented 2 years ago

My plan is to ship Raspberry Pi 4s out to the wild, but I don't want people to easily reverse engineer the proprietary software on them.

According to https://github.com/raspberrypi/usbboot/blob/master/secure-boot-recovery/README.md Raspberry Pi 4 supports secure boot. Also there seem to be user-burnable fuses / OTP registers in the CPU: https://www.raspberrypi.com/documentation/computers/raspberry-pi.html#otp-registers

So the plan is to:

1) set up secure boot, save the public signing key in OTP registers 47-55

2) burn fuses to disallow bootloader downgrade, disable boot JTAG, disable boot loader HDMI output, set strict boot order

-> prevents anyone from booting a different system than our own or changing boot-args to gain root access, I guess? -> also prevents anyone from then reading OTP register values, as they can't boot anything to read the register and can't use JTAG?

3) burn a decryption key into the user-defined OTP registers 36-43 (or use the CPU serial number?) for the encrypted rootFS that resides on the SD card -> prevents access to proprietary software on the encrypted volume, even if the SD card is read somewhere else

4) decryption key is different on every shipped Pi -> prevents cloning the SD card and using it in another Pi

What am I missing here or why did nobody do this yet?
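A shell sketch of the key derivation in step 3, added here as an example and not code from the issue or from the cryptmypi project: it parses the `row:hexvalue` lines printed by `vcgencmd otp_dump`, refuses to continue if any of the customer rows 36-43 is missing or still all-zero, and hashes them together with the serial row 28 into a per-device LUKS key. The salt string and the sample dump are constructed, and the `cryptsetup` call in the trailing comment is the assumed way the key would be consumed.

```shell
#!/bin/sh
# Added example (not part of cryptmypi): derive a per-device LUKS key from
# the customer-programmable OTP rows 36-43 plus the SoC serial (row 28),
# using the "NN:XXXXXXXX" line format that `vcgencmd otp_dump` prints.
# Assumptions: sha256sum and cryptsetup exist; SALT is a constructed value.
SALT="cryptmypi-otp-v1"   # constructed domain-separation string (assumption)

# otp_rows DUMP LOW HIGH: print the hex values of rows LOW..HIGH concatenated,
# failing if any row is absent from the dump or has never been programmed.
otp_rows() {
    dump="$1"; low="$2"; high="$3"
    out=""
    i="$low"
    while [ "$i" -le "$high" ]; do
        val=$(printf '%s\n' "$dump" | sed -n "s/^$i:\([0-9a-fA-F]\{8\}\)$/\1/p")
        [ -n "$val" ] || { echo "otp row $i missing from dump" >&2; return 1; }
        [ "$val" != "00000000" ] || { echo "otp row $i not programmed" >&2; return 1; }
        out="$out$val"
        i=$((i + 1))
    done
    printf '%s' "$out"
}

# derive_key DUMP: sha256(SALT : rows36-43 : row28) as 64 lowercase hex chars.
# The same output must be used for luksFormat and for every later open.
derive_key() {
    rows=$(otp_rows "$1" 36 43) || return 1
    serial=$(otp_rows "$1" 28 28) || return 1
    printf '%s:%s:%s' "$SALT" "$rows" "$serial" | sha256sum | cut -c1-64
}

# Constructed sample dump so this runs offline; on a real Pi use:
#   dump=$(vcgencmd otp_dump)
SAMPLE_DUMP='17:3020000a
28:deadbeef
30:00c03111
36:11111111
37:22222222
38:33333333
39:44444444
40:55555555
41:66666666
42:77777777
43:88888888'

# Usage on the device (not executed here; device path is an assumption):
#   derive_key "$(vcgencmd otp_dump)" | cryptsetup open --key-file=- /dev/mmcblk0p2 cryptroot
```

Any process that can run `vcgencmd otp_dump` on the device reproduces this key, so its secrecy rests on the boot-chain restrictions from step 2 rather than on the OTP rows being hidden.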

unixabg commented 2 years ago

Greetings. If you would be willing to send a script or even detailed pseudocode, I could include it in another folder of the project for those who wish to attempt what you describe.