> I think if we will solve my original problem - how to securely install
> some secret code and/or key on our devices, then it will be trivial to
> determine which devices are genuine and which are fake.
I know of a company that got its stuff built at two different Chinese
manufacturers, in a way that both manufacturers would have had to
collude to get the keys out. I guess that's a start.
Reply by ●August 12, 20172017-08-12
> Chris
> do you really need to ship the firmware to China ?
> ... Them do the final programming at this side of the pond.
iPhones and most other consumer devices these days are made in China and shipped straight from China to final customers. Most companies do not have even distribution nor manufacturing facilities in US anymore.
> Hans-Bernhard Bröker
> how do you know you can actually trust your local employees so much further than your overseas contractors?
Well, US based employees and contractors can be sued, arrested, etc, Chinese contractors are completely unpunishable. It is just your brain and skills versus theirs.
> Good luck explaining to "your" customers why apparently genuine devices do not work _at_all_.
I think if we will solve my original problem - how to securely install some secret code and/or key on our devices, then it will be trivial to determine which devices are genuine and which are fake.
Reply by Hans-Bernhard Bröker●July 17, 20172017-07-17
Am 17.07.2017 um 20:52 schrieb Chris:
> One queston to ask is: do you really need to ship the firmware to
> China ?
That will only get you back to the issue I described 3 weeks ago:
installing the secret yourself is not a solution either, because then
you will effectively no longer be manufacturing in China.
If you have to ship all the stuff back to home base, unwrap it, open it
up far enough to get at the internal programming interface to install
firmware, then put it all back together again, and re-package for final
delivery. The overhead in terms of both delay and money will be
considerable. You'll effectively be manufacturing at home.
And anyway: how do you know you can actually trust your local employees
so much further than your overseas contractors?
And of course a criminal at the Chinese end could still side-track to
the black market devices with the testing-only software still on them.
Good luck explaining to "your" customers why apparently genuine devices
do not work _at_all_.
Reply by Chris●July 17, 20172017-07-17
On 07/08/17 00:09, jhnlmn@gmail.com wrote:
>> I only know about it from the Qubes Anti-Evil-Maid defense
>
> I read about anti evil maid at
> https://blog.invisiblethings.org/2011/09/07/anti-evil-maid.html
> and they make it clear that if BIOS is compromised, then all this signature/hash/TPM scheme will not work.
>
> This brings us back to square one: how to prevent bootloader from being compromised?
> To summarize: so far I heard about secure boot loaders only in 2 chip families: Microsemi FPGA and Maxim Cortex MCU with Secure Boot loader.
One queston to ask is: do you really need to ship the firmware to
China ?. The reason might be so that the finished item can be tested,
but why not ship e minimal firmware, just enough to show that
the hardware works ?. Them do the final programming at this side of
the pond.
If you don't send it, they can't copy it...
Chris
Reply by ●July 7, 20172017-07-07
> I only know about it from the Qubes Anti-Evil-Maid defense
I read about anti evil maid at
https://blog.invisiblethings.org/2011/09/07/anti-evil-maid.html
and they make it clear that if BIOS is compromised, then all this signature/hash/TPM scheme will not work.
This brings us back to square one: how to prevent bootloader from being compromised?
To summarize: so far I heard about secure boot loaders only in 2 chip families: Microsemi FPGA and Maxim Cortex MCU with Secure Boot loader.
Reply by Phil Hobbs●July 5, 20172017-07-05
On 07/05/2017 05:14 PM, jhnlmn@gmail.com wrote:
>> If we're talking about a connected device, then a trusted external agent could verify the signature
>
> I can only imagine the following algo:
> 1. If there is a trusted connection (without man in the middle, etc)
> 2. You have trusted person on one end of this connection and firmware on another
> 3. Then trusted person can send a random key to the firmware
> 4. Firmware encrypts its entire flash and makes a hash and returns hash to the trusted person
> 5. Trusted person compares the hash with a hash calculated with a known good copy of firmware
> If they are equal, then you do not know that firmware was not tampered with.
> But having firmware verify its own signature, as you proposed earlier, is totally useless.
>
> But if you have a trusted person and a trusted connection, then you can simply run regular JTAG and replace entire FW.
> Again, my question was what to do if you have to install firmware on untrusted factory without a trusted connection.
>
>> Skipping the check could be made non-trivial by obfuscation techniques, I guess
>
> May be in a very large software, like Windows itself with gigabytes of code, but most firmwares are too small to hide anything.
>
>> However, if the signature would be
>> calculated by some peripheral when writing flash and could only be
>> compared, and not read out, then copying would be impossible.
>> Phil Hobbs:
>> Such as a TPM chip.
>
> Can you explain?
> I read some texts about TPM chip and cannot understand how they can work with my FW.
> For example:
> http://whatis.techtarget.com/definition/trusted-platform-module-TP
> "... protects the device against unauthorized firmware and software modification by hashing critical sections of firmware and software before they are executed. When the system attempts to connect to the network, the hashes are sent to a server that verifies that they match expected values."
> Questions: is TPM a separate chip? How can it read firmware before execution? How can it work on devices without network access?
>
I only know about it from the Qubes Anti-Evil-Maid defense, which
presents the user with a known output from an unmodified /boot file
system--it makes it possible for a human to recognize immediately when
the unencrypted volume has changed. _Somebody_ has to know what the
signature is supposed to be.
Cheers
Phil Hobbs
--
Dr Philip C D Hobbs
Principal Consultant
ElectroOptical Innovations LLC
Optics, Electro-optics, Photonics, Analog Electronics
160 North State Road #203
Briarcliff Manor NY 10510
hobbs at electrooptical dot net
http://electrooptical.net
Reply by ●July 5, 20172017-07-05
> If we're talking about a connected device, then a trusted external agent could verify the signature
I can only imagine the following algo:
1. If there is a trusted connection (without man in the middle, etc)
2. You have trusted person on one end of this connection and firmware on another
3. Then trusted person can send a random key to the firmware
4. Firmware encrypts its entire flash and makes a hash and returns hash to the trusted person
5. Trusted person compares the hash with a hash calculated with a known good copy of firmware
If they are equal, then you do not know that firmware was not tampered with.
But having firmware verify its own signature, as you proposed earlier, is totally useless.
But if you have a trusted person and a trusted connection, then you can simply run regular JTAG and replace entire FW.
Again, my question was what to do if you have to install firmware on untrusted factory without a trusted connection.
> Skipping the check could be made non-trivial by obfuscation techniques, I guess
May be in a very large software, like Windows itself with gigabytes of code, but most firmwares are too small to hide anything.
> However, if the signature would be
> calculated by some peripheral when writing flash and could only be
> compared, and not read out, then copying would be impossible.
> Phil Hobbs:
> Such as a TPM chip.
Can you explain?
I read some texts about TPM chip and cannot understand how they can work with my FW.
For example:
http://whatis.techtarget.com/definition/trusted-platform-module-TP
"... protects the device against unauthorized firmware and software modification by hashing critical sections of firmware and software before they are executed. When the system attempts to connect to the network, the hashes are sent to a server that verifies that they match expected values."
Questions: is TPM a separate chip? How can it read firmware before execution? How can it work on devices without network access?
Reply by Phil Hobbs●July 4, 20172017-07-04
On 07/04/2017 07:32 AM, Boudewijn Dijkstra wrote:
> Op Mon, 03 Jul 2017 19:16:32 +0200 schreef <jhnlmn@gmail.com>:
>>> I meant that the program would check its own signature.
>>> It can still be reverse engineered and patched to skip the checks,
>>> but this can be made arbitrarily difficult.
>>
>> Please, explain.
>> As far as I can see, if a program can be both disassembled and patched
>> (which unencrypted JTAG allows),
>> then anything is possible (and trivial), including skipping the check
>> entirely or replacing the signature.
>
> If we're talking about a connected device, then a trusted external agent
> could verify the signature. Preventing or faking this is non-trivial. But
> let's assume a non-connected device.
>
> Skipping the check could be made non-trivial by obfuscation techniques, I
> guess.
>
> Replacing the flash signature by your own is of course prohibitively
> difficult when an adequate cryptographic algorithm is used. Replacing the
> signature calculation algorithm by a function that just copies the known
> flash signature is indeed trivial. However, if the signature would be
> calculated by some peripheral when writing flash and could only be
> compared, and not read out, then copying would be impossible.
Such as a TPM chip.
Cheers
Phil Hobbs
--
Dr Philip C D Hobbs
Principal Consultant
ElectroOptical Innovations LLC
Optics, Electro-optics, Photonics, Analog Electronics
160 North State Road #203
Briarcliff Manor NY 10510
hobbs at electrooptical dot net
http://electrooptical.net
Reply by Boudewijn Dijkstra●July 4, 20172017-07-04
Op Mon, 03 Jul 2017 19:16:32 +0200 schreef <jhnlmn@gmail.com>:
>> I meant that the program would check its own signature.
>> It can still be reverse engineered and patched to skip the checks, but
>> this can be made arbitrarily difficult.
>
> Please, explain.
> As far as I can see, if a program can be both disassembled and patched
> (which unencrypted JTAG allows),
> then anything is possible (and trivial), including skipping the check
> entirely or replacing the signature.
If we're talking about a connected device, then a trusted external agent
could verify the signature. Preventing or faking this is non-trivial. But
let's assume a non-connected device.
Skipping the check could be made non-trivial by obfuscation techniques, I
guess.
Replacing the flash signature by your own is of course prohibitively
difficult when an adequate cryptographic algorithm is used. Replacing the
signature calculation algorithm by a function that just copies the known
flash signature is indeed trivial. However, if the signature would be
calculated by some peripheral when writing flash and could only be
compared, and not read out, then copying would be impossible.
--
(Remove the obvious prefix to reply privately.)
Gemaakt met Opera's e-mailprogramma: http://www.opera.com/mail/
Reply by ●July 3, 20172017-07-03
> I meant that the program would check its own signature.
> It can still be reverse engineered and patched to skip the checks, but this can be made
arbitrarily difficult.
Please, explain.
As far as I can see, if a program can be both disassembled and patched (which unencrypted JTAG allows),
then anything is possible (and trivial), including skipping the check entirely or replacing the signature.