protect boot code

[ketank]

Hi,
I need to protect the code that I am writing.
After looking at the documentation I could find, I added the same in the config.txt

Now every time I boot, it asks for a new passphrase to encrypt.

How do I make it automatic so that while backing up I enter a password and it is automatically used when the device comes up without entering the password.

Please guide and share if there is any documentation available for the same

[ketank]

any help with this ?

[bmarkus]

Without providing details what is you goal, what protection means, do you want to bind to a single machine or protect against reverse engineering, etc. how your code is written and in which language, is it compiled or interpreted, do not expect much response.

[ketank]

Hi bmarkus,

Sorry, I was trying to understand the boot code "protect"  but what you asked is very much to the point

What I am trying to understand is that once my system is deployed in the field, anyone can take the SD card, make a copy and use it or read the code and release their own version. The question is - how do I protect the code the IP?

1. the code is written in python 3 so it is readable easily
2. I want to protect the code against copy by someone else if they remove the SD card and try to copy the contents from the same.
3. It will be very great to bind to a single machine, It will ensure that people just to not just duplicate the sd card and put it into another pi and start using it at other location
4. I know it is very easy to hack into a linux box with physical access. Can it be secured - any special way in tiny core? The standard protections will be in place.

[curaga]

You can't. Protection at that level requires secure boot, which the rpi does not have.

Without secure boot, all you do is delay the attacker. If the code is encrypted but the password is there -> they can get the password and decrypt it. Binding to a MAC address, they can read it and decrypt. Etc etc.

The protect bootcode is meant for usb sticks etc, so that other people booting it cannot read your personal files. Hence it asks for the password every boot.

[ketank]

You can't. Protection at that level requires secure boot, which the rpi does not have.

Without secure boot, all you do is delay the attacker. If the code is encrypted but the password is there -> they can get the password and decrypt it. Binding to a MAC address, they can read it and decrypt. Etc etc.

The protect bootcode is meant for usb sticks etc, so that other people booting it cannot read your personal files. Hence it asks for the password every boot.

Thank you Curage,
If that is the case, can you share some ways people are using to protect the codes on RPi?
I am sure this is a common problem?

[Rich]

Hi ketank
Let's start with the basics:

First rule of copy protection, there's no such thing as copy protection, only countermeasures. The best you can hope
for is to make it as difficult, painful, and time consuming as possible.

1. the code is written in python 3 so it is readable easily

If you control which Python interpreter is installed, you could include only  bytecode  files (.pyc). These are the files the
interpreter actually executes so they should be free of comments and names that identify variables and procedures.
Although not as low level as machine language (assembly), it is not suitable for human consumption if the intention
is to alter and/or understand the the program.

Or maybe something like  Cython  will work for you.

3. It will be very great to bind to a single machine, It will ensure that people just to not just duplicate the sd card and put it into another pi and start using it at other location

Maybe tie it to the CPU serial number or the boards MAC address?

[ketank]

Hi Rich,

First rule of copy protection, there's no such thing as copy protection, only countermeasures. The best you can hope
for is to make it as difficult, painful, and time consuming as possible.

I agree and that is what I am trying to do .

If you control which Python interpreter is installed, you could include only  bytecode  files (.pyc). These are the files the
interpreter actually executes so they should be free of comments and names that identify variables and procedures.
Although not as low level as machine language (assembly), it is not suitable for human consumption if the intention
is to alter and/or understand the the program.

I will check how this needs to be done. I have never done it.

Maybe tie it to the CPU serial number or the boards MAC address?

This is what I was thinking but the question again was .. when I validate, it will be in python and its readable to defats the purpose. May be the bytecode will help in this case.

[Rich]

Hi ketank

... I will check how this needs to be done. I have never done it. ...

It's my understanding that the first time you run your program, it and anything else that gets loaded is converted
to bytecode. That way, the next time you run the program it loads faster because the bytecode already exists.

[Rich]

Hi ketank

... This is what I was thinking but the question again was .. when I validate, it will be in python and its readable to defats the purpose. May be the bytecode will help in this case.

Are you talking about being able to see the serial number string in the executable program? You don't store the
serial number in clear text. There are many different ways you can encode the serial number so it's not visible:
1. Run it through md5sum.
2. Run it through a CRC algorithm.
3. Perform a bit rotation on each byte or across multiple bytes.
4. Exclusive-or the string with another string.

It doesn't need to be complex. It just needs to obscure the saved serial number (or MAC address).

[bmarkus]

If you want to hide your Python source code, there are multiple options. You can pack your application into a single executable binary using external tools like py2exe, cx_Freeze and many others or natively with pyinstaller.  Such single executable in fact is an archive with all necessary component to run the application without installing Python on the target machine.

For x86 there is a compiler, NUITKA which creates C source code, so you get a real executable but it is not available on ARM and I haven't seen such.

There are compilers to create JS code. If you find a solution how to protect  Java Script code, it can be a solution.

To bind to a specific serial number, you can use an SHA1 hash of the serial number or to encrypt it with a symmetric Diffie-Hellman to encrypt the serial number. You can do it with openssl.

It makes harder to get access to your code or to reverse engineering how it works, to run on other hardware. Still it is possible, all depends on how valuable your application, is it worth enough to crack it. Next level is a hardware key or online license verification. Spend some time to read literature.

[ketank]

Hi ketank

... I will check how this needs to be done. I have never done it. ...

It's my understanding that the first time you run your program, it and anything else that gets loaded is converted
to bytecode. That way, the next time you run the program it loads faster because the bytecode already exists.

So I need to generate the bytecode on the same machine and leave it there as an executable.

[ketank]

Hi ketank

... This is what I was thinking but the question again was .. when I validate, it will be in python and its readable to defats the purpose. May be the bytecode will help in this case.

Are you talking about being able to see the serial number string in the executable program? You don't store the
serial number in clear text. There are many different ways you can encode the serial number so it's not visible:
1. Run it through md5sum.
2. Run it through a CRC algorithm.
3. Perform a bit rotation on each byte or across multiple bytes.
4. Exclusive-or the string with another string.

It doesn't need to be complex. It just needs to obscure the saved serial number (or MAC address).

Agreed. I will use one of the ways above for the purpose.

[ketank]

Hi bmarkus

Thank you for the valuable info.

Unfortunately the devices will not have internet access so online validation is not possible.
 I am looking up the USB keys at this time but have not found anything yet for arm7. Will update once I find something suitable.

[curaga]

There are other platforms that do support secure boot, even ARM ones I believe. Perhaps using one of those instead of a rpi would be a solution.