Sysdeploy/openwrt
2
0
Fork 2
Code Issues 5 Pull Requests 2 Packages Projects 1 Releases Wiki Activity

A small C program to read/write OTP registers for use with LUKS #67

New Issue
Closed
opened 2024-01-26 03:57:09 +01:00 by PeterSurda · 3 comments
PeterSurda commented 2024-01-26 03:57:09 +01:00
Owner
Copy Link

In raspberry pi documentation it says that OTP registers 56-63 can store a user-defined 256 bit private key. It's not really a TPM, but in combination with secure boot, access to it can be restricted. It can be used in combination with secure boot to have a non-interactive LUKS unlock, at least in theory because there doesn't appear to be tooling available to do this. The key can be extracted by using vcgencmd otp_dump. If you look at the source, you'll see how to use it (read and write the bytes) in C. It would be great if there was a small C tool to do these two things:

  • generate a pseudorandom 256 bit value and store it in the OTP (maybe require an interactive confirmation for extra protection)
  • read and dump it in a format usable for cryptsetup luksOpen
In [raspberry pi documentation](https://github.com/raspberrypi/documentation/blob/develop/documentation/asciidoc/computers/raspberry-pi/otp-bits.adoc#otp-registers-on-non-bcm2712-devices) it says that OTP registers 56-63 can store a user-defined 256 bit private key. It's not really a TPM, but in combination with secure boot, access to it can be restricted. It can be used in combination with secure boot to have a non-interactive LUKS unlock, at least in theory because there doesn't appear to be tooling available to do this. The key can be extracted by using `vcgencmd otp_dump`. If you look at the source, you'll see how to use it (read and write the bytes) in C. It would be great if there was a small C tool to do these two things: - generate a pseudorandom 256 bit value and store it in the OTP (maybe require an interactive confirmation for extra protection) - read and dump it in a format usable for `cryptsetup luksOpen`
lee.miller was assigned by PeterSurda 2024-01-26 03:57:09 +01:00
PeterSurda commented 2024-02-12 11:49:45 +01:00
Author
Owner
Copy Link

This isn't in C but maybe it's sufficient or can be adjusted: https://github.com/raspberrypi/usbboot/blob/master/tools/rpi-otp-private-key

This isn't in C but maybe it's sufficient or can be adjusted: https://github.com/raspberrypi/usbboot/blob/master/tools/rpi-otp-private-key
PeterSurda commented 2024-02-12 11:50:20 +01:00
Author
Owner
Copy Link

Actually maybe I don't need this for openWRT.

Actually maybe I don't need this for openWRT.
PeterSurda commented 2024-02-17 07:57:36 +01:00
Author
Owner
Copy Link

Not needed anymore.

Not needed anymore.
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels   
bug

Something is not working

  
duplicate

This issue or pull request already exists

  
enhancement

New feature

  
help wanted

Need some help

  
invalid

Something is wrong

  
question

More information is needed

  
wontfix

This won't be fixed

No Label
bug
duplicate
enhancement
help wanted
invalid
question
wontfix
Milestone
Clear milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
No Assignees
lee.miller
1 Participants
Notifications
Due Date
The due date is invalid or out of range. Please use the format 'yyyy-mm-dd'.

No due date set.

Dependencies

No dependencies set.

Reference: Sysdeploy/openwrt#67
No description provided.
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?