| 438 | |
| 439 | = Some Security Thoughts |
| 440 | |
| 441 | The below is simply some thoughts for implementing security / encryption on the Gateworks SBCs: |
| 442 | |
| 443 | Linux full disk encryption can be provided by the dm-crypt kernel |
| 444 | driver/module and file or file-system based encryption can be provided |
| 445 | by the fscrypt or eCryptFS projects. All of these solutions require a |
| 446 | key used to crypt/decrypt. Additionally, the kernel itself can't mount |
| 447 | a root filesystem that uses encryption so initrd's (initial ramdisk) |
| 448 | are used for this such that a ramdisk filesystem is built into the |
| 449 | kernel with enough support to do the encrypted device/file/fielsystem |
| 450 | mounting. |
| 451 | |
| 452 | As far as keys are concerned you can either use symmetric keys which |
| 453 | crypt/decrypt is the same key, or asymmetric keys where crypt/decrypt |
| 454 | keys are different (priv/pub RSA keys for example). On |
| 455 | desktop/smarphone the key used to encrypt the filesystem could be |
| 456 | derived from a user password/passphrase entered interactively (which |
| 457 | is how Android phone encryption works for example). On an embedded |
| 458 | system without user interaction the key 'should' be stored encrypted |
| 459 | in the filesystem or in secure storage (such as a TPM). This isn't a |
| 460 | requirement but then what is the point of encrypting something if a |
| 461 | hacker can exploit some security hole and end up finding the key? |
| 462 | |
| 463 | Note that i.MX SoC's have a Hardware Unique Key (HUK) per chip that |
| 464 | can be accessed only by the IMX Cryptographic and Assurance Module |
| 465 | (CAAM). This HUK can be used to encrypt a key and store it in the |
| 466 | filesystem during manufacturing. During boot CAAM would be used to |
| 467 | decrypt the key and restore the plain key that would be used to |
| 468 | decrypt the filesystem. Since the key inside CAAM is not accessible |
| 469 | the encrypted key is always protected. |
| 470 | |
| 471 | You could also use external hardware like a Secure Element or a TPM |
| 472 | device which usually provide secure storage that could be used to |
| 473 | store a master key that could be used to encrypt/decrypt a filesystem |
| 474 | encryption key. |
| 475 | |
| 476 | Another alternative is a Trusted Execution Environment (TEE) where the |
| 477 | code executed and the data accessed is isolated and protected in terms |
| 478 | of confidentiality (nobody has access to the data) and integrity |
| 479 | (nobody can change the code and its behavior). This is discussed here: |
| 480 | [wiki:venice/tee] |
| 481 | |
| 482 | Note also that if you are going to use encryption you had better be |
| 483 | using secure boot as well otherwise as mentioned a hacker could easily |
| 484 | insert their own code to invalidate any encryption that is done. |
| 485 | Encrypted boot on top of secure boot is also an option but if you are |
| 486 | using a TPM device (or IMX CAAM) the keys are protected and therefore |
| 487 | encrypted boot firmware may not really be necessary. |
| 488 | |
| 489 | These topics are extremely complex and unique to each customer. The customer can implement these or there are |
| 490 | companies that specialize in such services. |
| 491 | |
| 492 | Our top customers |
| 493 | understand security needs and are following this path with their own |
| 494 | software resources: |
| 495 | - One customer is using secure boot but did not see the need for 'encrypted boot' where their boot firmware is also encrypted. They are encrypting 'something' that they didn't disclose but we believe its at the filesystem level and they are using the CAAM for key storage via some U-Boot and Linux provided. Consider this possibly could have been done more easily by using a TEE. |
| 496 | - Another customer is contracting Canonical for Ubuntu Core support and Canonical uses disk encryption and a TEE |
| 497 | - Another customer is planning on using Secure Boot with Newport |