Tiny Core Linux

Tiny Core Base => Raspberry Pi => Topic started by: ketank on November 14, 2021, 09:40:16 AM

Title: protect boot code
Post by: ketank on November 14, 2021, 09:40:16 AM
Hi,
I need to protect the code that I am writing.
After looking at the documentation I could find, I added the same in the config.txt

Now every time I boot, it asks for a new passphrase to encrypt.

How do I make it automatic so that while backing up I enter a password and it is automatically used when the device comes up without entering the password.

Please guide and share if there is any documentation available for the same

Title: Re: protect boot code
Post by: ketank on November 16, 2021, 05:31:11 AM
any help with this ?
Title: Re: protect boot code
Post by: bmarkus on November 16, 2021, 06:23:51 AM
Without providing details what is you goal, what protection means, do you want to bind to a single machine or protect against reverse engineering, etc. how your code is written and in which language, is it compiled or interpreted, do not expect much response.
Title: Re: protect boot code
Post by: ketank on November 16, 2021, 06:37:00 AM
Hi bmarkus,

Sorry, I was trying to understand the boot code "protect"  but what you asked is very much to the point

What I am trying to understand is that once my system is deployed in the field, anyone can take the SD card, make a copy and use it or read the code and release their own version. The question is - how do I protect the code the IP?

1. the code is written in python 3 so it is readable easily
2. I want to protect the code against copy by someone else if they remove the SD card and try to copy the contents from the same.
3. It will be very great to bind to a single machine, It will ensure that people just to not just duplicate the sd card and put it into another pi and start using it at other location
4. I know it is very easy to hack into a linux box with physical access. Can it be secured - any special way in tiny core? The standard protections will be in place.

Title: Re: protect boot code
Post by: curaga on November 16, 2021, 07:49:24 AM
You can't. Protection at that level requires secure boot, which the rpi does not have.

Without secure boot, all you do is delay the attacker. If the code is encrypted but the password is there -> they can get the password and decrypt it. Binding to a MAC address, they can read it and decrypt. Etc etc.

The protect bootcode is meant for usb sticks etc, so that other people booting it cannot read your personal files. Hence it asks for the password every boot.
Title: Re: protect boot code
Post by: ketank on November 16, 2021, 07:54:13 AM
You can't. Protection at that level requires secure boot, which the rpi does not have.

Without secure boot, all you do is delay the attacker. If the code is encrypted but the password is there -> they can get the password and decrypt it. Binding to a MAC address, they can read it and decrypt. Etc etc.

The protect bootcode is meant for usb sticks etc, so that other people booting it cannot read your personal files. Hence it asks for the password every boot.

Thank you Curage,
If that is the case, can you share some ways people are using to protect the codes on RPi?
I am sure this is a common problem?
Title: Re: protect boot code
Post by: Rich on November 16, 2021, 09:09:46 AM
Hi ketank
Let's start with the basics:
First rule of copy protection, there's no such thing as copy protection, only countermeasures. The best you can hope
for is to make it as difficult, painful, and time consuming as possible.

1. the code is written in python 3 so it is readable easily

If you control which Python interpreter is installed, you could include only  bytecode  files (.pyc). These are the files the
interpreter actually executes so they should be free of comments and names that identify variables and procedures.
Although not as low level as machine language (assembly), it is not suitable for human consumption if the intention
is to alter and/or understand the the program.

Or maybe something like  Cython  will work for you.

Quote
3. It will be very great to bind to a single machine, It will ensure that people just to not just duplicate the sd card and put it into another pi and start using it at other location
Maybe tie it to the CPU serial number or the boards MAC address?
Title: Re: protect boot code
Post by: ketank on November 16, 2021, 10:04:30 AM
Hi Rich,

Quote
First rule of copy protection, there's no such thing as copy protection, only countermeasures. The best you can hope
for is to make it as difficult, painful, and time consuming as possible.

I agree and that is what I am trying to do .

Quote
If you control which Python interpreter is installed, you could include only  bytecode  files (.pyc). These are the files the
interpreter actually executes so they should be free of comments and names that identify variables and procedures.
Although not as low level as machine language (assembly), it is not suitable for human consumption if the intention
is to alter and/or understand the the program.

I will check how this needs to be done. I have never done it.

Quote
Maybe tie it to the CPU serial number or the boards MAC address?

This is what I was thinking but the question again was .. when I validate, it will be in python and its readable to defats the purpose. May be the bytecode will help in this case.
Title: Re: protect boot code
Post by: Rich on November 16, 2021, 10:33:24 AM
Hi ketank
... I will check how this needs to be done. I have never done it. ...
It's my understanding that the first time you run your program, it and anything else that gets loaded is converted
to bytecode. That way, the next time you run the program it loads faster because the bytecode already exists.
Title: Re: protect boot code
Post by: Rich on November 16, 2021, 08:19:30 PM
Hi ketank
... This is what I was thinking but the question again was .. when I validate, it will be in python and its readable to defats the purpose. May be the bytecode will help in this case.
Are you talking about being able to see the serial number string in the executable program? You don't store the
serial number in clear text. There are many different ways you can encode the serial number so it's not visible:
1. Run it through md5sum.
2. Run it through a CRC algorithm.
3. Perform a bit rotation on each byte or across multiple bytes.
4. Exclusive-or the string with another string.

It doesn't need to be complex. It just needs to obscure the saved serial number (or MAC address).
Title: Re: protect boot code
Post by: bmarkus on November 16, 2021, 09:20:52 PM
If you want to hide your Python source code, there are multiple options. You can pack your application into a single executable binary using external tools like py2exe, cx_Freeze and many others or natively with pyinstaller.  Such single executable in fact is an archive with all necessary component to run the application without installing Python on the target machine.

For x86 there is a compiler, NUITKA which creates C source code, so you get a real executable but it is not available on ARM and I haven't seen such.

There are compilers to create JS code. If you find a solution how to protect  Java Script code, it can be a solution.

To bind to a specific serial number, you can use an SHA1 hash of the serial number or to encrypt it with a symmetric Diffie-Hellman to encrypt the serial number. You can do it with openssl.

It makes harder to get access to your code or to reverse engineering how it works, to run on other hardware. Still it is possible, all depends on how valuable your application, is it worth enough to crack it. Next level is a hardware key or online license verification. Spend some time to read literature.


Title: Re: protect boot code
Post by: ketank on November 16, 2021, 11:36:01 PM
Hi ketank
... I will check how this needs to be done. I have never done it. ...
It's my understanding that the first time you run your program, it and anything else that gets loaded is converted
to bytecode. That way, the next time you run the program it loads faster because the bytecode already exists.

So I need to generate the bytecode on the same machine and leave it there as an executable.
Title: Re: protect boot code
Post by: ketank on November 16, 2021, 11:36:57 PM
Hi ketank
... This is what I was thinking but the question again was .. when I validate, it will be in python and its readable to defats the purpose. May be the bytecode will help in this case.
Are you talking about being able to see the serial number string in the executable program? You don't store the
serial number in clear text. There are many different ways you can encode the serial number so it's not visible:
1. Run it through md5sum.
2. Run it through a CRC algorithm.
3. Perform a bit rotation on each byte or across multiple bytes.
4. Exclusive-or the string with another string.

It doesn't need to be complex. It just needs to obscure the saved serial number (or MAC address).

Agreed. I will use one of the ways above for the purpose.
Title: Re: protect boot code
Post by: ketank on November 16, 2021, 11:40:29 PM
Hi bmarkus

Thank you for the valuable info.

Unfortunately the devices will not have internet access so online validation is not possible.
 I am looking up the USB keys at this time but have not found anything yet for arm7. Will update once I find something suitable.
Title: Re: protect boot code
Post by: curaga on November 16, 2021, 11:43:02 PM
There are other platforms that do support secure boot, even ARM ones I believe. Perhaps using one of those instead of a rpi would be a solution.
Title: Re: protect boot code
Post by: PDP-8 on November 17, 2021, 03:35:05 AM
If the biggest fear is removal of the sdcard and copying by unauthorized parties, then the simplest answer at the pi's price point is to cause physical damage to it by doing so.

You can super-glue the sdcard into the holder with a few drops but not on the contact pins of course.  Attempts to remove it will usually damage the sdcard.

Drastic?  Yes.
Title: Re: protect boot code
Post by: nick65go on November 17, 2021, 03:46:44 AM
yes, I like this solution! This is the spirit on tiny, think out-of-the-box, do not follow the conventions /crowd. ;) or you will have the results (usually modest) of the commons.
Title: Re: protect boot code
Post by: gadget42 on November 17, 2021, 05:58:44 AM
nothing beats(pun intended) xkcd

https://xkcd.com/538/

and the vast majority will only require being SHOWN the wrench(truncheon)...
Title: Re: protect boot code
Post by: patrikg on November 17, 2021, 07:03:06 AM
Can you easy extract the serial number of the pi and use that to encrypt/decrypt the Linux partition with luks.
Title: Re: protect boot code
Post by: Rich on November 17, 2021, 07:06:24 AM
Hi ketank
So I need to generate the bytecode on the same machine and leave it there as an executable.
The bytecode is portable as long as the target has the same version of Python. In fact, according to the Interweb, it's
even portable between platforms (ARM, x86, x86_64, etc.).
Title: Re: protect boot code
Post by: Rich on November 17, 2021, 07:51:33 AM
Hi PDP-8
If the biggest fear is removal of the sdcard and copying by unauthorized parties, ...

 ... You can super-glue the sdcard into the holder ...
Sure, that might stop me if I want to remove the card and copy it. But what if I want to copy it while it is still installed?
What are my options then?

Could I plug in a USB drive and copy everything over to that?

Could I boot off of a USB drive so the SD card is not mounted, and then use  dd  and  nc (netcat)  to copy the drive:
Victim:
Code: [Select]
dd if=/dev/sda PIPE nc 192.168.1.30 9000Forum error: Replace the word  PIPE  with a pipe symbol.

Beneficiary (192.168.1.30):
Code: [Select]
nc -l -p 9000 | dd of=/dev/sdc
Even if still mounted, this should still work well enough to get what you want.
Title: Re: protect boot code
Post by: ketank on November 19, 2021, 12:35:19 AM
Hi ketank
So I need to generate the bytecode on the same machine and leave it there as an executable.
The bytecode is portable as long as the target has the same version of Python. In fact, according to the Interweb, it's
even portable between platforms (ARM, x86, x86_64, etc.).

This is really good.
Title: Re: protect boot code
Post by: bmarkus on November 19, 2021, 12:57:55 AM
Bytecode doesn't protect against copying and also can be decompiled. It doesn't give a protection just make distribution possibly easier.

Title: Re: protect boot code
Post by: PDP-8 on November 19, 2021, 02:35:53 PM
Heh, my superglue technique only came from a friend's RPI running in a large scale model aircraft.  The pi only had a pressure-fit slot and kept losing contact in the aircraft.

At the end of the day, words like protecting your IP may indicate that *any* form of gnu/linux may not be the best vehicle for this project, whereas something BSD'ish would.

So Ketank, with us lacking details, instead of copying your card and all it's IP, what if I simply ask you to provide me with your source code and you refuse?  Depending on what you are actually doing, that could land you in hot water to some degree.  Hence the recommendation to use BSD for this task since it appears not to be aimed at data privacy, but more of a commercial outlook to stymie possible competitors.

In other words, all our attempts to solve this problem may be for naught if at the end of the day it violates the gnu license.  But I get it - if you provide more details on what you are doing, competitors might figure it out!  Heh, the catch 22. :)