Securing Jaguar Boards - DynamicDevices/meta-dynamicdevices GitHub Wiki

Here we are attempting to build a set of documentation on how we try to follow best security practices to ensure the Jaguar range of boards is secured. Note that we do not claim that this is best practice; these details are provided as a living document to enable discussion, comment, and ongoing improvement of the security implementation.

Secure Boot

Bootloader

TBD - The U-Boot bootloader accesses the SE050 TPM secure element, but currently no keys or eFuses are being modified.

For further details see here

Encrypted Filesystem

At this time we do not have use-cases where we feel that encrypting the filesystem on boards is a requirement.

In the main this is because we do not use removable uSD cards, due to reliability issues, and instead support on-board eMMC parts. As these are non-removable we have not gone to the lengths of encrypting the eMMC filesystem.

This may change in future as and when we have a customer requirement.

Shell Access

Currently, by default, the lmp-dynamicdevices distribution (and dependent distributions) builds with SSH installed and running:

IMAGE_FEATURES += "ssh-server-openssh" (see here)

The SSH server can be removed from a build by removing this IMAGE_FEATURE.

By default an image has the login and password fio / fio with sudo enabled for the fio user.

Currently we use fiotest during the board OTAU (over the air update) process to set a custom password for the fio user based on the SoC UID. (This may change in future to make use of public key cryptography and the SE050 TPM.)

NOTE: As described below, the SSH server is not accessible by default on the local network interface; it is instead reachable over the Wireguard VPN if this has been enabled with fioctl.

Network Firewalling

Our general thinking is that:

  • The platform (host OS) layer should by default be completely locked down with no TCP or UDP ports open

  • The platform layer should respond to ICMP ping requests

  • There should optionally be remote access through a Wireguard VPN which can be enabled on a per-board basis

  • The platform layer should respond to ICMP ping requests over the VPN

  • At this time there is no firewalling on the VPN adaptor, but by default only the SSH server's TCP port (22) is listening, so that is the only port open over the VPN

  • Containers can use docker-compose.yml EXPOSE keyword to expose ports on the local network interface for future-proofing

The above is supported by a firewalling interface with a set of iptables rules, which can be found here.

A couple of points need to be made on the thinking behind these rules:

# Accept UDP packets with source port 5555, the Wireguard VPN peer's port
# (NB --sport matches the remote peer's source port, not the local listening port)
-A INPUT -p udp -m udp --sport 5555 -j ACCEPT
# Accept ICMP ping requests from anywhere
-A INPUT -p icmp -j ACCEPT
# Accept any packets on the Wireguard VPN interface
-A INPUT -i factory-vpn0 -j ACCEPT
# Accept any packets on any Docker bridge interface (created when containers are brought up)
-A INPUT -i br+ -j ACCEPT
# Accept any packets relating to established (e.g. outgoing) connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Reject anything else
-A INPUT -j REJECT --reject-with icmp-port-unreachable
# Allow output of UDP packets to port 5555, the Wireguard VPN. NB ALL output packets are by default allowed
-A OUTPUT -p udp -m udp --dport 5555 -j ACCEPT
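As an added example (not the project's own code, and not its rules file), the following POSIX shell script reads a rules file in iptables-restore format and checks it against the policy bullets above: the INPUT chain must end in REJECT or DROP, ICMP must be accepted, and no INPUT rule may open a TCP/UDP port without being bound to an interface. The `-A` lines are the ones quoted on this page; the `*filter` header, chain policies and `COMMIT` are assumed, since a restore file needs them. It only parses text, so it needs neither root nor a live iptables.

```shell
# Added example, not from the meta-dynamicdevices wiki or repository: read an
# iptables rules file and check it against the policy bullets above.

# Constructed sample in iptables-restore format. The -A lines are the ones
# quoted on this page; the *filter header, chain policies and COMMIT are
# assumed, as a restore file needs them.
RULES_FILE=$(mktemp)
cat > "$RULES_FILE" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p udp -m udp --sport 5555 -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i factory-vpn0 -j ACCEPT
-A INPUT -i br+ -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -p udp -m udp --dport 5555 -j ACCEPT
COMMIT
EOF

# Target (-j) of the last rule appended to INPUT; empty if there are none.
last_input_target() {
    grep -E '^-A INPUT ' "$1" \
      | awk '{ for (i = 1; i < NF; i++) if ($i == "-j") t = $(i + 1) } END { print t }'
}

# Bullet one: the host layer is closed by default. A REJECT or DROP as the last
# INPUT rule gives that even though the chain policy is ACCEPT; a commented-out
# REJECT (the development variant further down the page) makes this check fail.
input_is_default_deny() {
    t=$(last_input_target "$1")
    [ "$t" = "REJECT" ] || [ "$t" = "DROP" ]
}

# Bullet two: ICMP must be accepted somewhere before the final REJECT.
icmp_allowed() {
    grep -q -E '^-A INPUT -p icmp .*-j ACCEPT' "$1"
}

# Count INPUT ACCEPT rules that open a TCP/UDP destination port without an
# interface match (-i). Such a rule opens the port on the local network too,
# which bullet one says must not happen. 0 is the expected result here.
count_unscoped_port_accepts() {
    grep -E '^-A INPUT .*--dport .*-j ACCEPT' "$1" | grep -c -v -E '(^| )-i '
}

# Overall verdict: returns 0 when the policy is satisfied, 1 otherwise.
audit() {
    input_is_default_deny "$1" || { echo "INPUT does not end in REJECT/DROP" >&2; return 1; }
    icmp_allowed "$1"          || { echo "ICMP is not accepted" >&2; return 1; }
    [ "$(count_unscoped_port_accepts "$1")" = "0" ] \
      || { echo "INPUT opens a port on all interfaces" >&2; return 1; }
    echo "policy checks passed for $1"
}

audit "$RULES_FILE"
```

Point the script at /etc/iptables/iptables.rules on a board to check that a development edit has not been left in place; the audit fails as soon as the final REJECT is commented out or an unscoped `--dport` ACCEPT has been added.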

Disabling firewall for development

NOTE: Don't do this on anything resembling a production system

Temporary

To temporarily disable firewalling that has been set up as suggested above, the most straightforward option is to delete the INPUT REJECT rule.

To see how many rules you have:

sudo iptables -L INPUT

Then count the rules from top to bottom starting at 1. With the above example there are 6, and the REJECT rule is the sixth.

Then delete the last rule, the REJECT rule, with:

sudo iptables -D INPUT 6

And now connections, e.g. to SSH, will be accepted.

The default settings will be restored on a reboot.

Permanent (until configuration changed again)

To make a change that persists over a reboot you need to edit the /etc/iptables/iptables.rules configuration file.

Comment out the REJECT line as indicated above, e.g.:

-A INPUT -p udp -m udp --sport 5555 -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i factory-vpn0 -j ACCEPT
-A INPUT -i br+ -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -p udp -m udp --dport 5555 -j ACCEPT

Then reboot or restart iptables.
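The two procedures above, Temporary and Permanent, as an added example in POSIX shell (not the project's own tooling). The listing is a constructed sample of what `sudo iptables -L INPUT` prints for the rule set on this page (column widths on a real board may differ), and the rules file is a scratch copy of the lines quoted above. The temporary path works out the REJECT rule's position from the listing rather than counting by hand, and prints the delete command instead of running it, so the script needs no root; the permanent path comments the REJECT line out and can put it back.

```shell
# Added example, not from the meta-dynamicdevices wiki: helpers for the
# Temporary and Permanent procedures above.

# Constructed sample of `sudo iptables -L INPUT` output for the rule set on
# this page (without -v the interface matches are not shown).
SAMPLE_LISTING='Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere             udp spt:5555
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable'

# Temporary: 1-based position of the REJECT rule in the listing. The first two
# lines are the chain header and the column header, so rules start at line 3.
reject_rule_number() {
    printf '%s\n' "$1" \
      | awk 'NR > 2 && NF > 0 { n++; if ($1 == "REJECT") { print n; exit } }'
}

# Build the delete command for that position (printed, not executed).
temporary_disable_command() {
    n=$(reject_rule_number "$1")
    [ -n "$n" ] || { echo "no REJECT rule in INPUT chain" >&2; return 1; }
    printf 'sudo iptables -D INPUT %s\n' "$n"
}

# Permanent: comment the REJECT line out of a rules file, or put it back.
# Written via a temporary file so it works with both GNU and BSD sed.
comment_out_reject() {
    sed 's/^-A INPUT -j REJECT/#&/' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}
restore_reject() {
    sed 's/^#\(-A INPUT -j REJECT\)/\1/' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Returns 0 if the file still contains an active (uncommented) REJECT rule.
reject_active() { grep -q '^-A INPUT -j REJECT' "$1"; }

# Stand-alone demo on a scratch copy of the rules quoted above.
RULES_COPY=$(mktemp)
cat > "$RULES_COPY" <<'EOF'
-A INPUT -p udp -m udp --sport 5555 -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i factory-vpn0 -j ACCEPT
-A INPUT -i br+ -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -p udp -m udp --dport 5555 -j ACCEPT
EOF
echo "temporary: $(temporary_disable_command "$SAMPLE_LISTING")"
comment_out_reject "$RULES_COPY"
reject_active "$RULES_COPY" && echo "permanent: REJECT still active" || echo "permanent: REJECT commented out"
```

On a board, feed the real listing with `temporary_disable_command "$(sudo iptables -L INPUT)"` and run the printed command; `restore_reject` reverses the permanent edit before the device leaves development.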