Is there a way to protect whole Linux content to be read by 3rd eyes?

Fide · February 21, 2023, 8:03am

Hi,

We are using Verdin iMX8M-Plus with BSP6 for one of our products.

Whole image is written on internal eMMC and serial accesses or SSHs are disabled.
But whole eMMC chip on the module is still reachable externally.

Is there a way to protect the whole image content stored on the eMCC so that it cannot be read by 3rd persons?

Thank you.

kevin.tx · February 21, 2023, 4:04pm

Hi @Fide ,

Interessting topic.

For this I can recommend the following blog by @sergio.tx .

I think that is a good starting point. Maybe @sergio.tx can comment here as well

Best Regards
Kevin

Fide · February 21, 2023, 8:57pm

Well, to be honest I don’t need all those secure boot thing (HAB). I don’t need RSA encryption or signing my existing images.

I just want to make external eMMC content to be encrypted so that it can not be read by external parties. This is very a primitive, yet effective feature provided by almost every FPGA and MCUs.

The processor on the SoM has to support to burn a key which is not readable, let’s say 128bit symmetric AES key, that should be all. All data to eMMC should be encrypted and data from eMMC should decrypted automatically.

henrique.tx · February 22, 2023, 1:51pm

Hi @Fide !

We just got enabled some encryption kernel configs for TorizonCore, as you can see from this thread: USB storage encryption - #8 by jeremias.tx

Would it be something that helps your use case?

Best regards,

koan · February 27, 2023, 5:26pm

Hi Fide,
we at KOAN delivered ‘weak’ solutions as well as the strongest possible one (in this case using HAB).
Everything depends on how important is the protection level for you
– Marco

josep.tx · March 23, 2023, 1:44pm

Hello @Fide ,

Were you able to solve your issue? Do you need more help on our side?

Best regards,
Josep

Fide · March 29, 2023, 8:25am

Not really, I was expecting to have some clear instructions from Toradex
Do you have any plan to prepare one soon? Or shall we look for our own way?

Thank you.

josep.tx · March 30, 2023, 8:29am

Hello @Fide ,
I have asked internally about this topic. I will keep you updated here.

Best regards,
Josep

josep.tx · March 30, 2023, 12:13pm

Hello @Fide ,
At the moment we don’t have any ready-made documentation on this topic.
NXP has an application note where they explain how to use Linux’s encryption support with HW acceleration.
https://www.mouser.com/pdfDocs/AN12714.pdf

Hope that this helps

Best regards,
Josep