标签: Security

By Toradex 胡珊逢 简介 Arm 处理器的 Secure Boot 安全启动功能能够有效防止在设备上运行非授权的或者恶意窜改的固件。Secure Boot 系统在启动时会使用烧录的处理器上的密钥验证 Bootloader，Bootloader 会验证 kernel FIT 镜像，而 kernel 继续验证 rootfs 的有效性。这一逐个验证的流程成为 Chain of Trust。用户如果使用传统方法使用启动功能需用需要依次实现上述的每个环节。借助 meta-toradex-security layer，只要几行简单的配置即可实现。 生成密钥 安全启动依赖于匹配的密钥对来验证软件。要启用安全启动，您需要将公钥烧录到设备的 OTP 存储器中。该密钥必须与用于签名已验证固件的私钥相匹配。 TI 设备使用三组密钥对实现安全启动： MEK（Manufacture Encryption Key）：由 TI 提供并永久烧录至 SoC 中，用于验证 TI 签名软件且不可更改。 SMPK（Secondary Manufacture Public Key）：由用户创建并烧录到设备中，用于验证用户生成的引导加载程序的签名。 BMPK（Backup Manufacture Public Key）：可选的用户生成备份密钥。若 SMPK 丢失或遭泄露，系统可重新配置为使用 BMPK 来验证引导加载程序的签名。 SMPK 和 BMPK 用于签名引导加载程序，因此该密钥的生成和管理必须谨慎处理，并做和完善的备份。 在写该文章时生成密钥需要使用 OpenSSL 1.1.1 版本，除非 TI 在后续新版本软件中注明，否则请使用 openssl version 命令查看当前系统的 OpenSSL 版本。如果本版不匹配，可以使用下面命令在 Linux 系统安装。 $ wget https: / /ftp.debian.org/debian /pool/main /o/openssl / openssl_1.1.1w-0+deb11u1_amd64.deb $ wget http: / /ftp.debian.org/debian /pool/main /o/openssl / libssl 1.1_1.1 . 1w - 0 +deb11u1_amd64.deb $ sudo apt install ./libssl1.1_1.1.1w-0+deb11u1_amd64.deb ./openssl_1.1.1w-0+deb11u1_amd64.deb 设置环境变量。由于后续的 TI MCU SDK 和 OPT Keywriter 的编译也需要使用到这些密钥，请勿更新这些变量的参数。 $ export KEYS_DIR=~/keys/ti$ export SMPK_NAME=custMpk$ export BMPK_NAME=backMpk 创建密钥生成的路径。 $ mkdir -p " ${KEYS_DIR} " cd " ${KEYS_DIR} " 生成 RSA-4096 的 SMPK 密钥对 SSL 证书。 $ openssl genrsa - F4 -out ${ SMPK_NAME }.key 4096 $ cp ${SMPK_NAME} .key ${SMPK_NAME} .pem $ openssl req -batch -new -x509 -key ${ SMPK_NAME }.key -out ${ SMPK_NAME }.crt 生成 RSA-4096 的 BMPK 密钥对 SSL 证书。 $ openssl genrsa - F4 -out ${ BMPK_NAME }.key 4096 $ cp ${BMPK_NAME} .key ${BMPK_NAME} .pem $ openssl req -batch -new -x509 -key ${ BMPK_NAME }.key -out ${ BMPK_NAME }.crt 生成 ti-degenerate-key。 $ openssl genrsa -F4 - out ti-degenerate-key.pem 4096 生成 AES-256 加密密钥。 $ openssl rand - out aes256.key 32 $ openssl rand - out bmek.key 32 $ openssl rand - out smek.key 32 删除密钥和证书的可写权限。 $ chmod a-w * Yocot Project 配置 和之前的文章一样，首先需要搭建 Yocto Project 编译环境 。这里我们将以基于 TI AM62 SoC 的 Verdin AM62 模块为例进行介绍。在 local.conf 的结尾添加下面两行配置即可。 INHERIT += "tdx-signed" TDX_K3_SECBOOT_TARGET_HSSE_DEVICE = "1" 在编译镜像时，用于签名启动引导程序的密钥默认从 Ycoto 编译目录的 ${TOPDIR}/keys/ti 位置寻找。可以在 Yocto 的 build 目录下创建 keys/ti 目录，将上面在 ~/keys/ti 中生成的所有文件都复制过来。在 build 目录下会有以下文件夹。 tree -L 1. | -- buildhistory|-- cache|-- conf|-- deploy|-- keys|-- tmp`-- tmp-k3r5 INHERIT 可以使用 tdx- signed 和 tdxref- signed 两个参数。 tdxref-signed：生成的镜像将启用 Bootloader 签名验证、U-Boot 安全加固、FIT 镜像签名验证、Rootfs 签名验证所有功能。 tdx-signed：除"Rootfs 签名校验"外，其余功能全部启用。若无需通过 dm-verity 保护根文件系统，此类模式可能比 tdxref-signed 更适用。 用于 FIT 镜像签名的密钥位于 ${TOPDIR}/keys/ti/fit 目录下。同样建议妥善管理这些密钥。 tree keys -L 1 keys| -- fit`-- ti TDX_K3_SECBOOT_TARGET_HSSE_DEVICE 设置为 0 时，编译的镜像能够在没有 fuse 的 AM62 模块上运行。这通常用于前期开发测试阶段。当设置为 1 时，生成的镜像只能运行在 fused AM62 模块上。生产环节批量烧录系统时，则使用该镜像。为了后续演示整个流程，这里编译镜像时设置为 1。 然后使用 bitbake 命令编译镜像即可。整个过程就这么简单， bitbake tdx-reference-minimal- image 编译 OTP Keywriter AM62 SoC 借助 OTP Keywriter 固件将用于安全启动期间使用的密钥烧录到处理器的寄存器。这些寄存器是一次性烧录，且不可撤销，请谨慎操作。 编译 OTP keywriter 需要安装下面软件，其中 OTP Keywriter 需要向 TI 申请，通常数个工作日可以通过。具体下载地址参考 该网页 。主要注意的是，在写该文章时编译 OTP keywriter 需要使用 MCU Plus SDK v9 版本，v10 版本编译的 OTP keywriter 还无法在 AM62 上运行。安装时请使用默认安装路径，否则可能导致编译失败。 MCU Plus SDK Code Composer Studio SysConfig OTP Keywriter 进入 OTP keywriter 编译目录 $ cd ~/ti/mcu_plus_sdk_am62x_09_01_00_43/source/security/ sbl_keywriter/am62x-sk/r5fss0-0_nortos 下载并打上下面补丁。 $ wget https: / /docs.toradex.cn/private /116128-verdin-am62v1.2-vpp.patch$ git apply 116128-verdin-am62v1.2-vpp.patch 进入 ti-arm-clang 目录即可编译。成功后可以看到 tiboot3.bin 文件。 $ cd ~/ti/mcu_plus_sdk_am62x_09_01_00_43/source/security/ sbl_keywriter/am62x-sk/r5fss0-0_nortos/ti-arm-clang $ make -sj clean PROFILE=debug $ make -sj PROFILE=debug 运行 OTP Keywriter Verdin AM62 模块上可以通过恢复模式或者从 eMMC 上加载 bootloader 并运行 OTP Keywriter 烧录密钥寄存器。恢复模式需要将 Verdin AM62 通过 USB OTG 接口连接到电脑，并在电脑上运行相关指令。Bootloader 也可以通过 Toradex Easy Installer 写入到 eMMC 上启动分区，模块上电启动后从 eMMC 加载 bootloader。前者适合开发期间使用，后者由于无需 PC，更适合于批量烧写流程。 从恢复模式加载 bootloader 在 PC 上安装 dfu-util。 $ sudo apt install dfu-util 然后运行： $ sudo dfu-util -c 1 -i 0 -a bootloader -D tiboot3. bin 运行成功后 Verdin AM62 将从 HS-FS 变为 HS-SE 模式，即启用安全启动功能。在下一次启动时将会加载前面生成的签名镜像。 从 eMMC 加载 bootloader Verdin AM62 的 eMMC 具有两个启动分区，mmcblk0boot0 和 mmcblk0boot1。包含 OTP Keywriter 的 tiboot3.bin bootloader 首先会被烧录在 mmcblk0boot0。常规启动的 bootloader tiboot3-am62x-hs-verdin.bin 会被烧录到 mmcblk0boot1 分区，其包含在 Yocto Project 生成的镜像中。首次启动时加载 mmcblk0boot0 上的 bootloader 运行 OTP Keywriter 完成密钥寄存器烧录。同时配置 eMMC EXTCSD register ，将 设置 mmcblk0boot1 为默认启动分区。这样在下一次启动时，即可加载 mmcblk0boot1 上常规 bootloader，随后加载 U-boot。 MCU SDK 中已经有 MMC 的驱动，因此，只需要在 OTP Keywritter 代码中调用 MMCSD_enableBootPartition () 即可。在之前的 OTP Keywritter 中打上下面补丁并重新编译。 $ wget https: / /docs.toradex.cn/ 117166 -verdin-am62-fuse-switch-bootpart2.patch $ git apply 117166 -verdin-am62-fuse- switch -bootpart 2. patch 修改 Yocto Project 生成的签名镜像中的 image.json 文件，将原来的 "name" : "mmcblk0boot0" 改为 "name" : "mmcblk0boot1" , 。 { "name" : "mmcblk0boot1" , "erase" : true , "content" : { "filesystem_type" : "raw" , "rawfiles" : } } , 烧录完成后，Verdin AM62 第一次启动时将从 HS-FS 变为 HS-SE 模式，即启用安全启动功能。在下一次启动时将会从 mmcblk0boot1 加载前面生成的签名镜像。在 Linux 系统启动后，可以删除 mmcblk0boot0 上的 bootloader 文件。 总结 借助 meta-toradex-security，用户能够轻松地使用模块的安全启动功能。更多来自 meta-toradex-security 实用功能，我们将在后续文章介绍，敬请关注。

We are definitely living in interesting times. Over the years I've read a lot of science fiction stories that depicted various flavors of the future, many of which involved the concept of cyber security and nefarious strangers trying to access one's data.     Generally speaking, this sort of thing really didn’t affect most of us until relatively recently in the scheme of things. How things have changed. Now it seems that we hear about data breaches on an almost daily basis, many of which can put their victims at risk of identity theft.   In 2013, for example, we discovered that hackers had managed to steal the credit and debit card information (including names, addresses, and phone numbers) associated with more than 70 million customers. My wife (Gina the Gorgeous) was hit by this one. She received a call from a company in North Carolina asking if we had really ordered a super-large screen TV on her credit card. Of course we hadn’t. The main thing that had alerted them was the fact that the delivery address was to another state. Based on this, Gina ended up swapping out all of her credit and debit cards, which is a frustrating and time-consuming exercise.   Meanwhile, in 2014, I was informed that hackers had managed to access tens of millions of records from my health insurance company. I'm still waiting for the axe to fall from that one (we can only hope that I'm insured against axe-related incidents).   The reason for my rambling on about this here is that, whilst driving to work this morning, I heard a report on the National Public Radio (NPR) that hackers have just posted the data they stole from a company called Ashley Madison.   The report said that the ~10 gigabyte data dump was posted to the Dark Web using an Onion Address which is accessible only via a Tor Browser . Fortunately, I recently read Surviving The Zombie Apocalypse: Safer Computing Tips for Small Business Managers and Everyday People by Max Nomad (no relation), so I can now parse statements containing terms like "Dark Web," "Onion Address," and "Tor Browser" without thinking (which is, of course, my usual modus operandi ).   Thus, I was feeling pretty pleased with myself for my technical acumen, but I soon started to feel like I'd been living under a rock, because my knee-jerk first impression was that Ashley Madison was some sort of home furnishing store. You can only imagine my surprise when I bounced over to the AshleyMadison.com website to discover that their reason for being is to promote infidelity by facilitating husbands and wives having affairs. (According to their website, they've been featured on Hannity, Howard Stern, TIME, BusinessWeek, Sports Illustrated, Maxim, and USA Today, which just goes to show how little I know about what's going on in the world.)   Apparently, the data released by the hackers includes the names, addresses, and phone numbers associated with the users of the site. Also, I hear that ~15,000 of these records have .mil or .gov email addresses (just how stupid do you have to be to use this site?). I think it's fair to assume that a lot of people are not enjoying a "stress-free day" at this moment in time.   The real problem is that we still don’t seem to take security seriously. In the case of my health insurance company, for example, we came to discover that they had taken such minimalist precautions as to make one shake one's head in disbelief.   And things are only going to get worse, which means that the designers of today's electronic, computer, and embedded systems have to consider security at every point in the system -- from the leaf nodes at the edge of the Internet of Things (IoT) to the mega servers in the cloud -- because each system is only as secure as its weakest link.     "But where can we learn about this stuff?" you cry. Well, there are the Black Hat Conventions that put you face to face with people on the cutting edge of network security, and there are the Embedded Systems Conference (ESC) events that boast sessions covering the latest in embedded system security.

In 2012, three young software engineers in Switzerland developed their own secure mobile messaging app called Threema, with the clear goal to give users a tool to prevent their personal data to be stored, mined and possibly abused by big corporations and government agencies.   With the mounting interest in privacy rights and tales of data misuse in the news, the app attracted 3 million users to date, most of them over the last few months. Available for less than two euros, Threema became the most popular secure instant messenger in Germany and topped the download charts in German speaking countries for months according to Roman Flepp, Threema's Head of Marketing.   There are already many encryption services around, some more expensive, others open source and free to distribute, such as Tox - https://tox.im/ , OpenPeer - http://openpeer.org or Pretty Easy Privacy - http://pep-project.org now running a crowdfunding campaign on Indiegogo just to name a few.   So what could explain the popularity of this particular application today, ease of use for one?   “Ease of use is probably just one factor. Another important one is the possibility to use Threema anonymously” wrote us Flepp in an email exchange.   “Unlike other secure messengers, we do not use a mobile phone number (which can be easily traced to a real person) as a "primary key" to identify users but a randomly assigned 8 digit ID. This makes the «centralized hackable platform» much less of a problem than with traditional concepts”, he continued.   “Even if the server platform was hacked there's not much there to see since we do not store any meta data. Our architecture shifts most of the tasks normally done on a server, such as maintaining lists of group members, to the clients (i.e. the app itself). The role of the server is basically reduced to that of a buffer to temporarily hold the encrypted messages until the chat partners is back online.”   “The fact that we are an independent company without external funding and that our servers are located in Switzerland, where data protection laws are still pretty strict, might have added further to our popularity”, concluded Flepp. What sort of impact do you think the mass adoption of secure communication could have on society? We asked.    “More and more people now think twice before giving away private data. This growing awareness is a good thing. Using secure communication channels such as Threema is the best we can do at the moment. In the end it's going to be an arms race between surveillance authorities and citizens”. “People have a right to privacy. We give the society a tool to protect itself. At the end of the day each of us decides for its own. – It’s hard to say which impact the mass adoption of secure communication could have on society. We think it is definitely the better way to use secure communication than to contribute to data mining and to be exposed to the risk of arbitrary or possibly even abusive surveillance. A society built on mass surveillance and general distrust is probably not a place anyone would like to live in, anyway.” See Threema’s promotional video clip   So does Flepp see a shift among Internet companies making business on end-user data mining? “We don’t know how other companies make money in order to pay their bills. But you will probably agree, that there is a reason why many services in the internet and app industry are free. There's no such thing as free lunch. The question everyone should ask is: How do these companies make money?   In the long run, we think that there will be a comeback of the conservative approach such as Threema's: You pay a few bucks for a service so we can pay our bills with your money and not your private data.   The Threema app is available worldwide, an English language version has just been launched.   - Julien Happich

The industry is quite obsessed with security these days, particularly as it transitions from traditional, standalone devices to the design of connected, networked systems that are “always on.”   But sometimes it's the people on the inside, not the outside, who unwittingly present the biggest security threat.   I am a Certified Ethical Hacker, which basically means I get paid by companies to hack into their networks. My company, Digital Locksmiths, was hired by a manufacturing firm in 2011 to attempt to expose any security weaknesses that might be lurking in the ether.   A company’s external infrastructure -- including web servers, domain name servers, email servers, VPN access points, perimeter firewalls, and any other applications publicly accessible from the Internet -- is typically considered the primary target of security attacks. So that’s where we start.   Our methods include cracking passwords and eavesdropping as well as using keystroke loggers, sniffers, denial-of-service, and remote controls. In this case, I tried attacking the firewall systems with every trick in our digital lock picker’s toolkit, but to no avail: The network was locked tight, so to speak.   So I told myself, “Screw it. I’m going in.”   You see, companies with an impenetrable wall against external attacks are often surprisingly open to insider threats. Hackers are able to expose these vulnerabilities by exploiting one simple fact: Most people will respond in a highly predictable way to a particular situation.   First, I did a little recon on Google Earth and Street View to familiarize myself with the physical perimeter of the company’s building and grounds. Since the character I was playing that day was “me,” the walking stereotype of a friendly, guy-next-door, I put on my usual garb: a pair of good jeans and a button-down shirt.   I hopped into my truck and drove over to the facility. Doing my best to look sheepish, I walked into the front lobby and approached the receptionist: “This is really embarrassing, and I don’t usually ask for this type of favor, but I wonder if I could use your washroom? I knew I’d regret ordering that super-sized drink!”   She smiled -- always a good sign -- and buzzed me in. Once I was inside the men’s room and confirmed it was unoccupied, I quickly yanked two USB keys out of my pocket and dropped one on top of the metal toilet paper holder in each stall. I gave myself a thumbs-up in the mirror, strolled back to the lobby, and flashed the receptionist a big smile as I walked out the door.   I drove back to my office and sat down in front of my computer to wait. I knew that as soon as someone plugged one of my USBs into a computer, a program on the flash drive would auto-run and execute a remote connection to my computer.   This would give me instant access and the ability to "pass the hash." Note that I’m not talking about the good ol’ college days here; what I'm doing is taking the encrypted credentials for the computer’s owner and passing them to the company’s own server, mimicking a real and normal login.   In a short time, my computer sprang to life: With the ability now to log into the company’s network, I was poised to unleash all kinds of mayhem -- from extracting user names and passwords to opening and interacting with files on the compromised system, to taking screenshots of current activity on a user’s desktop.   Needless to say, company management was horrified to learn how easily I had hacked into their system, simply by exploiting the fact that people tend to react the same way in certain situations.   My "Big Gulp" ruse was a success because, by and large, people are inclined to be helpful. And it’s true -- curiosity does kill the cat. Nine times out of ten a person who finds a random USB stick will wonder what’s on the thing and plug it in to find out.   In fact, my backup plan should my men’s-room story have failed was to toss it in the parking lot in a prominent locale.   This episode underscores the fact that security involves more than just protection of a company's network firewall. Internal threats are real -- and they aren’t all necessarily the work of a disgruntled employee.   Employees need to understand that security threats can be triggered in numerous ways and trained on how to protect against possible security threats that may be masquerading as something perfectly innocuous -- like the guy next door. A simple policy like mandating only one type of USB device for internal use might have prevented me from gaining accessing to the network in this case.   Companies also need to recognize when they have a problem -- and the sooner they know, the better their chances of minimizing the harm done. The good news is that most enterprises have an enormous amount of data scattered throughout firewall, application, router, and log sources that is useful for determining what sorts of things are going on within their networks. The bad news is that all too few know how to aggregate and put that data to use.   Security professionals need to put in place the technologies and processes that afford them access to security logs along with some type of log management to extract the information required to keep the infrastructure secure.   Better yet, they can employ a Security Information Event Manager (SIEM) for grabbing and correlating data, as well as a process to integrate security data with identity and access information. That way, in our hacking incident, a number of alerts would have been fired off to security managers long before any proprietary data was accessed.   While it’s true that security threats have become more menacing, remember that security defenses also have become more powerful.   Terry Cutler is a Certified Ethical Hacker and co-founder of Digital Locksmiths Inc., an IT security and data defense firm based in Montreal. He serves as the company's Chief Technology Officer. He specializes in the anticipation, recognition, and prevention of security breaches.   This article originally appeared on IFSEC Global .

Read on to know the various threat levels used by different countries. A friend in England just sent me this funny email... This purports to have been created by John Cleese of Monty Python fame. It certainly sounds like something he might have written, but with the way things zip around the Internet it's hard to be sure sometimes. But be that as it may, this certainly made me smile, which has to be a good way to start a Monday morning: ALERTS TO TERROR THREATS IN 2011 EUROPE By John Cleese The English are feeling the pinch in relation to recent terrorist threats and have therefore raised their security level from "Miffed" to "Peeved." Soon, though, security levels may be raised yet again to "Irritated" or even "A Bit Cross." The English have not been "A Bit Cross" since the blitz in 1940 when tea supplies nearly ran out. Terrorists have been re-categorized from "Tiresome" to "A Bloody Nuisance." The last time the British issued a "Bloody Nuisance" warning level was in 1588, when threatened by the Spanish Armada. The Scots have raised their threat level from "Pissed Off" to "Let's Get the Bastards." They don't have any other levels. This is the reason they have been used on the front line of the British army for the last 300 years. The French government announced yesterday that it has raised its terror alert level from "Run" to "Hide." The only two higher levels in France are "Collaborate" and "Surrender." The rise was precipitated by a recent fire that destroyed France's white flag factory, effectively paralyzing the country's military capability. Italy has increased the alert level from "Shout Loudly and Excitedly" to "Elaborate Military Posturing." Two more levels remain: "Ineffective Combat Operations" and "Change Sides." The Germans have increased their alert state from "Disdainful Arrogance" to "Dress in Uniform and Sing Marching Songs." They also have two higher levels: "Invade a Neighbor" and "Lose." Belgians, on the other hand, are all on holiday as usual; the only threat they are worried about is NATO pulling out of Brussels. The Spanish are all excited to see their new submarines ready to deploy. These beautifully designed subs have glass bottoms so the new Spanish navy can get a really good look at the old Spanish navy. Australia, meanwhile, has raised its security level from "No worries" to "She'll be alright, Mate." Two more escalation levels remain: "Crikey! I think we'll need to cancel the barbie this weekend!" and "The barbie is canceled." So far, no situation has ever warranted use of the final escalation level. John Cleese – British writer, actor and tall person