Secure u-boot?

I saw this article and was wondering if U-Boot is secure or if it can be hacked.

Thanks,

Jorge

Hi @ikkysleepy,

That’s not a simple yes-or-no question. What that article is specifically referring to is Secure Boot, which is a mechanism to cryptographically verify that the images installed on your device have not been tampered with. It requires hardware support and the RPi just does not have that support, regardless of U-Boot or not.

If you have specific attack vectors you are looking to protect against, we may be able to provide more help.

Drew

I am just wondering, if a hacker has physical access to our Raspberry Pi running Mender, would they be able to compromise the device and easily get the contents of the data partition or boot partition? If so, which other device has Secure Boot that Mender can run on?

Secure Boot won’t help with the privacy of your images. It ensures that the devices won’t run modified code, but it does nothing to protect against viewing of the files. It’s even easier with Raspberry Pi since it uses a removable SD card; all the attacker has to do is remove the card and put it in their laptop to see the files from your system.

To protect against that you likely need full disk encryption. But you have to first determine how to get the passphrase to unlock the encryption entered at boot. I assume asking your device users to type in a passphrase on boot is not a viable solution. Presumably some kind of onboard security chip could provide a passphrase, but that requires custom hardware development.

Drew

Looks like I went down the rabbit hole. The NVIDIA Jetson board looks like it has both Secure Boot and disk encryption, but I’m not sure how Mender will integrate with this board. Anyways, one day we will have encryption at rest and in transit. I’ll keep digging into one of those boards and seeing how to encrypt the data in the partition. Thanks.

Excellent. Please report back with any progress or issues.

Drew