IRC log of #cubox of Mon 24 Oct 2016. All times are in CEST

10:03 wifi Hi. There seems to be a script which expands Hummingboard image on SD card on first run. If I'm correct where can I find it?
10:03 wifi Hummingboard image which I'm using is with Debian distro.
13:35 topi`_ jnettlet: do you know anything about ARM TrustZone and is it available in i.MX6?
13:35 jnettlet topi`_, yes it is available on i.MX6
13:35 topi`_ we're discussing exotic customer requirements, one of them is securing the image so that outsiders cannot read it
13:35 topi`_ or boot it
13:35 topi`_ i.e. whole-disk encryption, with the AES key stored in a secure store
13:35 jnettlet you will need to implement secureboot
13:35 topi`_ that would be TrustZone, right?
13:37 jnettlet well partly.
13:42 jnettlet mostly what you are looking for is secure boot and verified boot, which are different stages of the same thing. NXP calls the initial bootloader verification "secure boot" and then u-boot calls the kernel and userspace verification verified boot
13:48 topi`_ yes
13:48 topi`_ isn't there some small NVRAM inside i.mx6 that can be used to store an AES128 key?
13:49 topi`_ it probably is described somewhere in i.MX6 tech user manual, but not very easy to search that document :)
13:52 jnettlet topi`_, you need to build a special hash that holds the crypto used to verify and decrypt the bootloader
13:52 jnettlet it gets programmed into the OTP fuses
14:27 topi`_ so, you can program it once and only once?
14:27 topi`_ and if you want to change it, then you'd need to order a new i.MX microsom right?
14:34 jnettlet correct
14:36 topi`_ do you know of any good tutorials or introductions to TrustZone? and which parts apply to the i.MX6
14:36 topi`_ we could potentially also use the CloudFog for some customers who do not require HDMI or other features
14:37 topi`_ maybe Marvell's SoCs have the same basic features
14:37 jnettlet yes all of our socs support secure booting
15:03 topi`_ has anybody looked at Ubuntu Snappy? it seems it's a good fit for our customers' requirements, atomic updates, etc etc
15:04 topi`_ so if an update screws everything up, you can rollback
15:04 topi`_ I didn't find the Hummingboard on the officially supported ports, but maybe that wouldn't be a big job?
15:06 jnettlet it probably wouldn't but I don't contribute code to Ubuntu since they take over copyright of any code you submit to them.
15:13 vpeter topi`_: Yes, snappy is a nice approach. I did play a little with it. But not much.
15:15 jnettlet there are no distribution methods that I know of outside of Canonical's proprietary Snaps store
15:23 jnettlet Personally I think Intel's new Ostro Project has a very good start