Changes between Version 3 and Version 4 of secure_boot


Timestamp:
04/07/2021 11:51:11 PM (20 months ago)
Author:
Tim Harvey
Comment:

added dm-crypt documentation

[[PageOutline]]

= Secure Boot
Secure Boot refers to hardware and software that does not allow an attacker to obtain sensitive data or boot altered firmware. This can be accomplished on modern embedded System on Chip devices by creating a Chain of Trust.

[=#uboot]
== Secure U-Boot
For a secure U-Boot you want to disable the ability to stop autoboot and get to a U-Boot console. Additionally, you do not want to use env variables that an attacker can modify to affect the boot sequence.

 * https://labs.f-secure.com/assets/BlogFiles/2020-05-u-booting-securely-wp-final.pdf

[=#kernel]
== Securing the Kernel, FDT, ramdisk via FIT images
The simplest way to secure the Kernel, the FDT, and the (optional) ramdisk image used to boot a Linux based OS is to use a U-Boot FIT image to contain signed versions of these.

}}}
  * Make sure the address you are loading the FIT image to does not overlap in memory with the kernel load/entry point. The bootm command will copy or uncompress the kernel to the load/entry point and copy the initramfs and the fdt to a location following that. You may need to alter loadaddr to somewhere in memory other than the default.


[=#dmcrypt]
== Secure filesystem with dm-crypt
Linux dm-crypt is a transparent disk encryption subsystem. It is part of the device-mapper infrastructure and uses the kernel crypto API. Because it is implemented at the device-mapper layer it can be stacked on top of other block devices or even other device-mapper targets, so it can be used to encrypt whole disks, partitions, software RAID volumes, and logical volumes. Linux Unified Key Setup (LUKS) is the on-disk format written to the device (the file system then lives inside the unlocked mapping); it records the cipher parameters and provides a whole host of key-management options.

Kernel requirements for dm-crypt:
 - CONFIG_MD (RAID and LVM)
 - CONFIG_BLK_DEV_DM (device-mapper)
 - CONFIG_DM_CRYPT (dm-crypt)
 - CONFIG_CRYPTO_* options for the ciphers/hashes you want to use, for example:
  - CONFIG_CRYPTO_XTS
  - CONFIG_ARM64_CRYPTO
  - CONFIG_CRYPTO_SHA1_ARM64_CE
  - CONFIG_CRYPTO_SHA2_ARM64_CE
  - CONFIG_CRYPTO_SHA512_ARM64_CE
  - CONFIG_CRYPTO_AES_ARM64_CE_CCM
  - CONFIG_CRYPTO_AES_ARM64_CE_BLK
  - CONFIG_CRYPTO_USER_API_HASH
  - CONFIG_CRYPTO_USER_API_SKCIPHER

Userspace requirements for dm-crypt:
 - cryptsetup (Buildroot BR2_PACKAGE_CRYPTSETUP)

For more info:
 - https://en.wikipedia.org/wiki/Dm-crypt

Example:
 1. Create a key to use for encryption:
{{{#!bash
dd if=/dev/urandom of="$KEY_DIR/fs.key" bs=1 count=4096
}}}
 1. Boot a Linux provisioning kernel+ramdisk such as the prebuilt images at http://dev.gateworks.com/buildroot/ (see wiki:buildroot)
 1. Create the encrypted device using dm-crypt:
{{{#!bash
# fetch the key file, e.g. over the network
ifconfig eth0 192.168.1.20
cd /tmp
wget http://server/fs.key
# format the partition as a LUKS device keyed with fs.key (YES confirms overwriting the device)
echo "YES" | cryptsetup luksFormat /dev/mmcblk0p1 fs.key -
}}}
  * use 'cryptsetup benchmark' to show all cipher and hash algorithms available in your running kernel as well as their performance
  * use 'cryptsetup --help' to see options; options you may wish to change are --cipher (default aes-xts-plain64), --key-size (default is 256), --hash (default is sha256) and --use-urandom (default is --use-random)
 1. Open (unlock) the LUKS device:
{{{#!bash
# open (unlock) the LUKS device and map it to /dev/mapper/rootfs
cryptsetup luksOpen /dev/mmcblk0p1 rootfs --key-file=fs.key
}}}
 1. Create your filesystem:
{{{#!bash
wget http://server/rootfs.tar.xz
mkfs.ext4 -q -F -L rootfs /dev/mapper/rootfs
mount /dev/mapper/rootfs /mnt
tar -C /mnt -xf rootfs.tar.xz --keep-directory-symlink
umount /dev/mapper/rootfs
}}}
 1. Close (lock) the LUKS device:
{{{#!bash
cryptsetup luksClose rootfs
}}}
 1. Create a simple initramfs, built with Buildroot, whose init script unlocks the dm-crypt volume (the script expects the key file at /fs.key inside the ramdisk):
{{{#!bash
# Quote the heredoc delimiter ('EOF') so that ${root}, ${init}, $key and "$@"
# are written into the script literally instead of being expanded (to empty
# strings) by the shell that generates the file.
cat <<'EOF' >output/target/init
#!/bin/sh

# Mount things needed by this script
mount -n -t devtmpfs devtmpfs /dev
mount -n -t proc proc /proc
mount -n -t sysfs sysfs /sys
mount -n -t tmpfs tmpfs /run

init="/sbin/init"
root="mmcblk0p1"
key=/fs.key

# Wait for the block device to appear
echo "Waiting for /dev/${root}..."
while [ ! -b "/dev/${root}" ]; do
        sleep 1
        echo -n .
done

# Open the encrypted partition (cryptsetup needs /run/cryptsetup for its lock files)
mkdir -p /run/cryptsetup
echo "Opening /dev/${root}..."
cryptsetup luksOpen "/dev/${root}" "${root}" --key-file="${key}"

# Mount the decrypted root device
echo "Mounting /dev/mapper/${root}..."
mkdir /newroot
mount "/dev/mapper/${root}" /newroot

# Switch to the new root and execute init
echo "Switching to new root..."
cd /newroot
exec switch_root . "${init}" "$@"

# This line is only reached if switch_root failed
echo "Failed to switch_root"
EOF
chmod +x output/target/init
}}}
 1. Create a FIT image (see above) containing your kernel, fdt, and initramfs and boot it with bootm, or build it as a kernel+ramdisk. Note that the initramfs carries fs.key in the clear, so the encrypted rootfs is only as well protected as the signed FIT image and secure U-Boot configuration described above that guard that ramdisk.
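As an added check (not part of the wiki's own steps), the script below verifies that the device produced by the luksFormat step actually carries the cipher and key size the cryptsetup options above select, and that only the one provisioned key slot is enabled, by parsing the text printed by `cryptsetup luksDump`. The embedded sample is constructed to mirror a LUKS1 header dump and the policy values are assumptions matching the defaults quoted above; a LUKS2 header prints a different layout and would need adjusted patterns.

```shell
#!/bin/sh
# Added example: check a provisioned LUKS device against a cipher/key-size
# policy by parsing `cryptsetup luksDump` output. Policy values are
# assumptions matching the cryptsetup defaults quoted in the wiki steps.
POLICY_CIPHER="aes-xts-plain64"
POLICY_MIN_KEY_BITS=256
POLICY_MAX_SLOTS=1   # the provisioning steps add exactly one key (fs.key)

# Constructed sample of a LUKS1 luksDump, so the check runs without a device.
SAMPLE_DUMP='LUKS header information for /dev/mmcblk0p1

Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Hash spec:      sha256
Payload offset: 4096
MK bits:        256
Key Slot 0: ENABLED
Key Slot 1: DISABLED
Key Slot 2: DISABLED
Key Slot 3: DISABLED'

# check_luks_policy: reads luksDump text on stdin, prints one line per
# finding, returns 0 when every rule holds and 1 otherwise.
check_luks_policy() {
    dump=$(cat)
    name=$(printf '%s\n' "$dump" | awk -F': *' '/^Cipher name:/ {print $2}')
    mode=$(printf '%s\n' "$dump" | awk -F': *' '/^Cipher mode:/ {print $2}')
    bits=$(printf '%s\n' "$dump" | awk -F': *' '/^MK bits:/ {print $2}')
    slots=$(printf '%s\n' "$dump" | awk '/^Key Slot [0-9]+: ENABLED/ {n++} END {print n+0}')
    rc=0
    if [ "$name-$mode" != "$POLICY_CIPHER" ]; then
        echo "FAIL cipher: $name-$mode (want $POLICY_CIPHER)"; rc=1
    fi
    if [ -z "$bits" ] || [ "$bits" -lt "$POLICY_MIN_KEY_BITS" ]; then
        echo "FAIL key size: ${bits:-unknown} bits (want >= $POLICY_MIN_KEY_BITS)"; rc=1
    fi
    if [ "$slots" -gt "$POLICY_MAX_SLOTS" ]; then
        # every enabled slot is another secret that can unlock the rootfs
        echo "FAIL key slots: $slots enabled (want <= $POLICY_MAX_SLOTS)"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: $name-$mode, $bits-bit key, $slots key slot(s)"
    return "$rc"
}

# On the board: cryptsetup luksDump /dev/mmcblk0p1 | check_luks_policy
printf '%s\n' "$SAMPLE_DUMP" | check_luks_policy
```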