Context Navigation

Changes between Version 3 and Version 4 of secure_boot

Timestamp:: 04/07/2021 11:51:11 PM (3 years ago)
Author:: Tim Harvey
Comment:: added dm-crypt documentation

Legend:

: Unmodified
: Added
: Removed
: Modified

secure_boot

-              v3
+              v4
+[[PageOutline]]
 = Secure Boot
 Secure Boot refers to hardware and software that does not allow an attacker to obtain sensitive data or boot altered firmware. This can be accomplished on modern embedded System on Chip devices by creating a Chain of Trust.
 …
+[=#uboot]
 == Secure U-Boot
 For a secure U-Boot you want to disable the ability to stop autoboot and get to a U-Boot console. Additionally you do not want to use env variables that can be used by an attacker to affect the boot sequence.
 …
 * https://labs.f-secure.com/assets/BlogFiles/2020-05-u-booting-securely-wp-final.pdf
+[=#kernel]
 == Securing the Kernel, FDT, ramdisk via FIT images
 The simplest way to secure the Kernel, the FDT, and the (optional) ramdisk image used to boot a Linux based OS is to use a U-Boot FIT image to contain signed versions of these.
 …
 }}}
   * Make sure the address you are loading the FIT image to does not cause an overlap in memory with where the kernel load/entry point is. The bootm command will copy or uncompress the kernel to the load/entry point and copy the initramfs and the fdt to a location following that. You may need to alter loadaddr to somewhere in memory other than the default.
+[=#dmcrypt]
+== Secure filesystem with dm_crypt
+Linux dm-crypt is a transparent disk encryption sybsystem. It is part of the device mapper infrastructure and uses the kernel crypto API. Being implemented at the device mapper layer means it can be stacked on top of other devices or even other device mappers thus it can be used to encrypted whole disks, partitions, software RAID volumes, and logical volumes. Linux Unified Key Step (LUKS) is the format used on the device in place of a file system which provides a whole host of key options.
+Kernel requirements for dm-crypt:
+ - CONFIG_MD (RAID and LVM)
+ - CONFIG_BLK_DEV_DM (device-mapper)
+ - CONFIG_DM_CRYPT (dm-crypt)
+ - CONFIG_CRYPTO_* options for various cipher/hash you want to use, for example:
+  - CONFIG_CRYPTO_XTS
+  - CONFIG_ARM64_CRYPTO
+  - CONFIG_CRYPTO_SHA1_ARM64_CE
+  - CONFIG_CRYPTO_SHA2_ARM64_CE
+  - CONFIG_CRYPTO_SHA512_ARM64_CE
+  - CONFIG_CRYPTO_AES_ARM64_CE_CCM
+  - CONFIG_CRYPTO_AES_ARM64_CE_BLK
+  - CONFIG_CRYPTO_USER_API_HASH
+  - CONFIG_CRYPTO_USER_API_SKCIPHER
+Userspace requirements for dm-crypt:
+ - cryptsetup (Buildroot BR2_PACKAGE_CRYPTSETUP)
+For more info:
+ - https://en.wikipedia.org/wiki/Dm-crypt
+Example:
+. Create a key to use for encryption:
+{{{#!bash
+dd if=/dev/urandom of=$KEY_DIR/fs.key bs=1 count=4096
+}}}
+. Boot a Linux provisioning kernel+ramdisk such as the prebuilt images at http://dev.gateworks.com/buildroot/ (see wiki:buildroot)
+. Create encrypted device using dm-crypt
+{{{#!bash
+# get key file, ie via network
+ifconfig eth0 192.168.1.20
+cd /tmp
+wget http://server/fs.key
+# format a LUKS device
+echo "YES" | cryptsetup luksFormat /dev/mmcblk0p1 fs.key -
+}}}
+  * use 'cryptsetup benchmark' to show all cipher and hash algos available in your running kernel as well as their performance
+  * use 'cryptsetup --help' to see options; options you may wish to change are --cipher (default aes-xts-plain64), --key-size (default is 256) --hash (default is sha256) and --use-urandom (default is --use-random)
+. Open (unlock) the LUKS device
+{{{#!bash
+# open (unlock) LUKS device and map it to /dev/mapper/rootfs
+cryptsetup luksOpen /dev/mmcblk0p1 rootfs --key-file=fs.key
+}}}
+. Create your filesystem:
+{{{#!bash
+wget http://server/rootfs.tar.xz
+mkfs.ext4 -q -F -L rootfs /dev/mapper/rootfs
+mount /dev/mapper/rootfs /mnt
+tar -C /mnt -xf rootfs.tar.xz --keep-directory-symlink
+umount /dev/mapper/rootfs
+}}}
+. Close (lock) LUKS device
+{{{#!bash
+cryptsetup luksClose rootfs
+}}}
+. Create a simple initramdisk responsible for unlocking dm-crypt via buildroot:
+{{{#!bash
+cat <<EOF >output/target/init
+#!/bin/sh
+# Mount things needed by this script
+mount -n -t devtmpfs devtmpfs /dev
+mount -n -t proc proc /proc
+mount -n -t sysfs sysfs /sys
+mount -n -t tmpfs tmpfs /run
+init="/sbin/init"
+root="mmcblk0p1"
+key=/fs.key
+# Wait for device to exist
+echo "Waiting for /dev/${root}..."
+while [ ! -b "/dev/${root}" ]; do
+        sleep 1
+        echo -n .
+done
+#Open encrypted partition
+mkdir -p /run/cryptsetup
+echo "Opening /dev/$root..."
+cryptsetup luksOpen "/dev/${root}" "${root}" --key-file=$key
+#Mount the root device
+echo "Mounting /dev/mapper/${root}..."
+mkdir /newroot
+mount "/dev/mapper/${root}" /newroot
+#Switch to the new root and execute init
+echo "Switching to new root..."
+cd /newroot
+exec switch_root . "${init}" "$@"
+#This will only be run if the above line failed
+echo "Failed to switch_root"
+EOF
+chmod +x output/target/init
+}}}
+. Create a FIT image (see above) containing your kernel fdt and initramfs and boot it with boom or built it as a kernel+ramdisk