What security holes am I missing here?

I was wonder how secure this configuration would be and what security vulnerabilities I need to be aware of.

I was going to change:
Uboot Env - disable the UART port during boot,
Uboot Env - Set the boot timer to -2 to go instantly and prevent interrupt,
Fuse the bits to prevent boot mode pin and to force emmc boot.

Even if they had physical access to this device, the only way they could get to the data is if they had a user login right? There shouldn’t be a way to break into the u-boot and put the device into a mountable state, right?

Greetings @mmoles,

It sounds like your primary concern is confidentiality of the sensitive data on the device correct?

If that is the case then, while this is all fine and good precautions you should also consider encryption of some kind. That way even if in some event an attacker was able to extract data from the system it would be unreadable/inaccessible. While I do think it’s important to prevent an attacker from getting the data in the first place. You should also plan for the event where an attacker is able to get the data.

Other than that is your system connected to the outside world in anyway? For example ethernet/wifi/bluetooth etc.

Physically what hardware interfaces are accessible?

Best Regards,
Jeremias

Correct, data is the only thing I am worried about. Data has keys to databases and systems, so keeping that protected is important. We thought about encryption, but I figure it will be an issue with the Torizon OTA (going to look into this now). I wanted to avoid creating a build process to minimize our long term support component for this project and instead utilize the Torizon base images they provide.

As for connections, SSH with Key trough ethernet or wifi will be the only way.

As for Hardware, this is on a Ixora carrier board, so USBs, HDMI, GPIO pins, UARTs, and whatever ribbon cables are on there.

Oh okay the reluctance towards encryption makes more sense now. Encryption does have to be more carefully implemented if compatibility with our OTA is to be maintained. If you were to do encryption than on what level or to what extent would you want the file system to be encrypted?

As for the other details I just suggest to disable any interface that isn’t going to be used by your system, or restrict it as much as you can if it is going to be used. The less your attack surface, the less you have to consider in your overall security design.

Best Regards,
Jeremias