lvc21f 305:ledge rp as a development environment for
TRANSCRIPT
LVC21F-305: LEDGE RP as a development environment for secure boot
Maxim Uvarov <[email protected]>,Senior Software Engineer, Linaro.
What is LEDGE RP?Linaro’s LEDGE RP is considered to be a reference platform for supporting industry standards for Linux operating system. Primary purpose is to build an operating system for IoT and EDGE devices adhering to specifications like UEFI, EBBR, PSA, ACPI and etc.
LEDGE RP
U-Boot version XXX Kernel version YYYOP-TEE version ZZZ Apps Apps Apps
Why do we do LEDGE RP?- Dev Playground for Open Source development environment.- Vertical distro for full source code control using OpenEmbedded (firmware,
kernel, application, trusted application, virtual machine and etc.).- CI tests for developed features.- Follow up specification for secure boot and embedded systems:
● Unified Extensible Firmware Interface (UEFI) Specification● ARM SystemReady IR● Arm Base System Architecture (BSA) specification● Embedded Base Boot Requirements (EBBR)● Arm Base Boot Requirements● Device Tree specification● Platform Security Architecture (PSA)
Things we are working on are..- U-Boot loader UEFI support- QEMU- ARM Trusted Firmware-A- OP-TEE- Linux kernel- Security (fTPM, Selinux, IMA, Parsec etc)- Rootfs encryption with TPM
Workflow
Ledge kernel Upstream
Update LEDGE RP
Try to always upstream and use mainline versions of applications.
ImagesLedge-iot - the image for IoT devices. Package list and features are aligned to Fedora IoT.
Ledge-gateway - image to support Edge gateways includes network tools, linuxptp, Openavnu, and open62541 examples.
Both images has containers and os-tree update support.
OP-TEE
UEFI secure boot U-Boot
Variables
Dbx Certificate
Db Certificate
KEK
PKbootaa64.efi
auth
Secure Storage
Firmware U-Boot
Rootfs encryption with Clevis
/dev/tpm0
SWTPM
fTPM (OP-TEE)
Discrete TPM
initramfs ROOTFS
as an example of on LEDGE feature...
Stack
dm-crypt
Initramfs
TPM_TIS (/dev/tpm0)
Rootfs mount scripts
crypt-setup tpm2_tools
Clevis
Kernel
User
Linux Unified Key Setup (LUKS) disk encryptionLUKS is specification [1] for disk encryption which has reference implementation in linux (dm-crypt and cryptsetup).
cryptsetup -y -v luksFormat /dev/vdb3
cryptsetup -v luksOpen /dev/vdb1 mydisk
mkfs.ext4 /dev/mapper/mydisk
[1] http://ftp.ntu.edu.tw/linux/utils/cryptsetup/LUKS_docs/ LUKS1 Spec[2] https://habd.as/post/external-backup-drive-encryption/assets/luks2_doc_wip.pdf LUKS2 Spec
DISK
DATA
LUKS header
Key slot
Key slot
Key slot
Trusted Platform Module (TPM)- Hardware block on the system, separate from the disk to store passphrase or key.
Protection from attack of disk removal from the system into which it was installed.Create and persist a sealing object and use it to seal a random byte sequence as the disk key:
tpm2_createprimary -Q --hierarchy=o --key-context=prim.ctx
dd if=/dev/urandom bs=1 count=32 status=none | tpm2_create --hash-algorithm=sha256 --public=seal.pub --private=seal.priv --sealing-input=- --parent-context=prim.ctx
tpm2_load -Q --parent-context=prim.ctx --public=seal.pub --private=seal.priv --name=seal.name --key-context=seal.ctx
tpm2_evictcontrol --hierarchy=o --object-context=seal.ctx 0x81010002
LUKS + TPMInstall new key:tpm2_unseal -Q --object-context=0x81010002 | sudo cryptsetup --key-file=disk.key luksChangeKey /dev/vdb3
Unseal and mount:tpm2_unseal -Q --object-context=0x81010002 | sudo cryptsetup --key-file=- luksOpen /dev/vdb3 rootfs
sudo mount /dev/mapper/rootfs /mnt
More details about LUKS, TPM passphrase, and authorized policies are under this link.
ClevisClevis is a pluggable framework for automated decryption. It can be used to provide automated decryption of data or even automated unlocking of LUKS volumes.Supports:
- Tang- TPM2- Shamir Secret Sharing (SSS)
Is a tool to simplify LUKS/TPM encryption.
https://github.com/latchset/clevis
ClevisJust 3 commands:
1. cryptsetup --type luks --cipher aes-xts-plain --hash sha256 --use-random --uuid=${ROOT_UUID} luksFormat /dev/vdb3
2. clevis luks bind -d ${ROOT_BLK} tpm2 '{"pcr_ids":"0,1,2,3,4,5,6,7"}' -s 13. clevis luks pass -d ${ROOT_BLK} -s 1| cryptsetup luksOpen --key-file -
/dev/vdb3 rootfs
Initramfs script as reference for encryption:https://github.com/Linaro/meta-ledge/blob/hardknott/meta-ledge-bsp/recipes-ledge/images/files/init.cryptfs
Write LUKS header to block deviceclevis luks bind -d /dev/vdb3 tpm2 '{"pcr_ids":"0,1,2,3,4,5,6,7"}'cryptsetup luksDump /dev/vdb3 Key Slot 0: ENABLED
Iterations: 199500Salt: c8 90 3c 53 da 49 9a 7b ab e5 04 d4 bd dc 59 1c e8 50 99 53 d7 d0 3c f6 19 ad 5d 24 c3 4d ca 82Key material offset: 8AF stripes: 4000Key Slot 1: DISABLEDKey Slot 3: ENABLEDIterations: 210726Salt: 2d 76 4e 27 e0 c2 ff f7 1e 48 a2 c2 6d c8 4d 34 08 ac 1a 97 20 84 19 1d 0f a1 df 4d 0f 8f d4 9aKey material offset: 1520AF stripes: 4000
LUKS header information for /dev/vdb3Version: 1Cipher name: aesCipher mode: xts-plainHash spec: sha256Payload offset: 4096MK bits: 512MK digest: 19 4e 5f 95 6f 44 27 54 d4 a3 ec 29 78 85 b1 89 b1 4c f8 c9MK salt: 64 e1 cb e6 e8 3a cb e0 14 d0 7d 0d 04 9e 89 23 45 ca f2 0e c1 ae b3 d4 cc 89 43 63 b8 68 e4 98MK iterations: 12603UUID: 6091b3a4-ce08-3020-93a6-f755a22ef03
1
2
Decryptionclevis luks pass -d /dev/vdb3 -s 3 | cryptsetup luksOpen --key-file - /dev/vdb3 rootfs
ledge-qemuarm64:/home/ledge# lsblkNAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINTmtdblock0 31:0 0 64M 0 diskzram0 251:0 0 1.9G 0 disk [SWAP]vda 253:0 0 4M 0 diskvdb 253:16 0 1.9G 0 disk|-vdb1 253:17 0 128M 0 part|-vdb2 253:18 0 839.1M 0 part /`-vdb3 253:19 0 1G 0 part / `-rootfs 252:0 0 1022M 0 crypt Decrypted rootfs
How to get involved?https://www.linaro.org/contact/ Ledge build:
https://github.com/Linaro/ledge-oe-manifest
Ledge docs:https://github.com/Linaro/ledge-doc
meta-ledge:https://github.com/Linaro/meta-ledge
CI:https://ci.linaro.org/job/ledge-oe-release/Dev CI:https://ci.linaro.org/job/ledge-oe/
Thank youAccelerating deployment in the Arm Ecosystem
LVC21F-305: LEDGE RP as a development environment for secure boot