Re: General Question: Device specific value store

All of lore.kernel.org
 help / color / mirror / Atom feed

From: "Morné Lamprecht" <morne@linux.com>
To: yocto@yoctoproject.org
Subject: Re: General Question: Device specific value store
Date: Wed, 26 Jun 2019 12:03:34 +0200	[thread overview]
Message-ID: <20190626100334.GA9460@archworkstation> (raw)
In-Reply-To: <CAOmL4Ujwqu1pVe5zEGntJjYTNgw7__LPi_mdgn7-xU93dwF62A@mail.gmail.com>

On Tue, Jun 25, 2019 at 09:25:13AM -0400, Larry Brown wrote:
>>> I wonder, if there are best practices, how to protect the data from getting 
>>> corrupted (intentionally by an attacker or by accident through ... flash 
>>> corruption or whatever).

Ideally your hardware should have some sort of hw-based secure key storage, and 
use that to support some sort of secure boot scheme. You can then implement a 
chain of trust, allowing you to securely verify a hash signature of the data 
during bootup, to ensure that it hadn't been tampered with or gotten corrupted.

Atmel / Microchip, for example, offers a range of Crypto Authentication ICs that 
could be added to your hardware to support this, if you hardware didn't have 
built in support for something like this. Their offering also included tools to 
securely inject the data into the secure ICs during manufacturing, or 
alternatively, you could write your own tool to interface with their API.

		- Morné

next prev parent reply	other threads:[~2019-06-26 10:03 UTC|newest]

Thread overview: 7+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-06-17 15:25 General Question: Device specific value store Matthias Schoepfer
2019-06-24  7:08 ` Morné Lamprecht
2019-06-25  8:52   ` Matthias Schoepfer
2019-06-25 10:08     ` Gabriele Zampieri
2019-06-25 13:25       ` Larry Brown
2019-06-26 10:03         ` Morné Lamprecht [this message]
2019-06-26 10:21           ` Andrea Adami

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20190626100334.GA9460@archworkstation \
    --to=morne@linux.com \
    --cc=yocto@yoctoproject.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.