A small C program to read/write OTP registers for use with LUKS #67

Closed
opened 2024-01-26 02:57:09 +00:00 by PeterSurda · 3 comments
Owner

In [Raspberry Pi documentation](https://github.com/raspberrypi/documentation/blob/develop/documentation/asciidoc/computers/raspberry-pi/otp-bits.adoc#otp-registers-on-non-bcm2712-devices) it says that OTP registers 56-63 can store a user-defined 256-bit private key. It's not really a TPM, but in combination with secure boot, access to it can be restricted. It can be used in combination with secure boot to have a non-interactive LUKS unlock, at least in theory because there doesn't appear to be tooling available to do this. The key can be extracted by using `vcgencmd otp_dump`. If you look at the source, you'll see how to use it (read and write the bytes) in C. It would be great if there was a small C tool to do these two things:

- generate a pseudorandom 256-bit value and store it in the OTP (maybe require an interactive confirmation for extra protection)
- read and dump it in a format usable for `cryptsetup luksOpen`
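To show what the "read and dump" half of the requested tool amounts to, here is an added shell function (not code from this issue or from Raspberry Pi's own tooling) that turns a `vcgencmd otp_dump` listing into the 64-hex-character key that `xxd -r -p` converts into a 32-byte file for `cryptsetup luksOpen --key-file`. It assumes the dump's `row:hexword` line format and that rows 56-63 hold the key as the documentation describes; the key-file path and device name in the trailing comment are illustrative.

```shell
#!/bin/sh
# Added example (not from the issue thread or from rpi-otp-private-key).
# Reads a `vcgencmd otp_dump` listing ("row:XXXXXXXX" per line) on stdin and
# prints the 256-bit customer key held in OTP rows 56-63 as 64 hex characters.
# Exit status: 0 ok, 1 row missing/malformed, 2 slot unprogrammed (all zero).
otp_key_from_dump() {
    dump=$(cat)   # capture the whole listing so it can be scanned once per row
    key=""
    row=56
    while [ "$row" -le 63 ]; do
        # A dump line looks like "56:0123abcd": row number, colon, 32-bit word.
        word=$(printf '%s\n' "$dump" | awk -F: -v r="$row" '$1 == r { print $2; exit }')
        if ! printf '%s' "$word" | grep -Eq '^[0-9a-fA-F]{8}$'; then
            echo "row $row missing or malformed in otp_dump output" >&2
            return 1
        fi
        key="$key$word"
        row=$((row + 1))
    done
    # Rows that were never programmed read back as zeros; never hand that to LUKS.
    case "$key" in
        *[1-9a-fA-F]*) ;;
        *) echo "OTP rows 56-63 are unprogrammed (all zero)" >&2; return 2 ;;
    esac
    printf '%s\n' "$key"
}

# Typical use on the Pi (assumed command lines, not from the thread):
#   vcgencmd otp_dump | otp_key_from_dump | xxd -r -p > /run/otp.key
#   cryptsetup luksOpen --key-file /run/otp.key /dev/sdX cryptroot
```

The all-zero check matters because a board whose slot was never written would otherwise "unlock" with a key everyone knows; the key file should live on a tmpfs and be removed once the volume is open.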
lee.miller was assigned by PeterSurda 2024-01-26 02:57:09 +00:00
Author
Owner

This isn't in C but maybe it's sufficient or can be adjusted: https://github.com/raspberrypi/usbboot/blob/master/tools/rpi-otp-private-key

Author
Owner

Actually maybe I don't need this for openWRT.

Author
Owner

Not needed anymore.

Reference: Sysdeploy/openwrt#67