Advanced users • Re: Rpi5: Secure/Measured/Encrypted boot

Adding u-boot into the chain in an attempt to verify the RPi bootloader would be of limited use because if the RPi bootloader was compromised, the malicious code could just lie about the hashes to the TPM.

Measured boot can be somewhat fragile, because it's not always obvious which memory regions need to be included in the hash, especially if there are different boot configurations, e.g. A/B booting.

It sounds like RPi secure-boot provides what you need i.e. a mechanism to ensure that only software signed by you will be booted.

If a TPM provides an external key-store then that can be accessed from initramfs to unlock other data. However, with any TPM you need to make sure that data is not sent in the clear over a non-secure channel (e.g. SPI); some old TPMs assume physical security. Typically, you would want to provision a key for the TPM in the 2712 customer OTP which is read by the initramfs to establish a channel to the TPM.

Regarding attacks where the attacker has physical access to the device:

* BCM2711/BCM2712 bootrom does have hardware power glitch protection
* SDRAM is not scrambled
* PCIe devices can read/write virtually all memory.

The above are possible but time-consuming and possibly expensive to do on a per-device basis, and are mitigated by not having shared secrets across a fleet of devices. If the device is network connected then try to make the keys for encrypted data ephemeral and specific to an action or session rather than having a single device private key for all operations.

Statistics: Posted by timg236 — Wed Jul 24, 2024 8:20 am
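The "channel to the TPM" described in the post, modelled as an added example (not timg236's code or anything shipped by Raspberry Pi). It assumes the OTP-provisioned secret is used as the authValue of a bound TPM 2.0 HMAC session and that sensitive parameters are protected with the spec's XOR parameter obfuscation; KDFa, the "ATH" session key and the "XOR" mask follow TPM 2.0 Library Part 1, and the OTP secret, nonces and sealed data are constructed sample values.

```python
import hashlib
import hmac
import os
import struct


def kdfa(key: bytes, label: bytes, context_u: bytes, context_v: bytes, bits: int) -> bytes:
    """SP800-108 counter-mode KDF as used by TPM 2.0 (KDFa), fixed to HMAC-SHA256.
    Each block is HMAC(key, [i]32 || label || 0x00 || contextU || contextV || [bits]32)."""
    if not label.endswith(b"\x00"):
        label += b"\x00"
    out, counter = b"", 1
    while len(out) < (bits + 7) // 8:
        msg = struct.pack(">I", counter) + label + context_u + context_v + struct.pack(">I", bits)
        out += hmac.new(key, msg, hashlib.sha256).digest()
        counter += 1
    return out[: (bits + 7) // 8]


def session_key(bind_auth: bytes, salt: bytes, nonce_tpm: bytes, nonce_caller: bytes) -> bytes:
    """Session key of a bound (and optionally salted) HMAC session: KDFa(auth||salt, "ATH", ...)."""
    return kdfa(bind_auth + salt, b"ATH", nonce_tpm, nonce_caller, 256)


def xor_obfuscate(skey: bytes, obj_auth: bytes, nonce_newer: bytes, nonce_older: bytes, data: bytes) -> bytes:
    """XOR parameter obfuscation: mask = KDFa(sessionKey||authValue, "XOR", nonceNewer, nonceOlder).
    XOR is symmetric, so the same call encrypts on one side and decrypts on the other."""
    mask = kdfa(skey + obj_auth, b"XOR", nonce_newer, nonce_older, len(data) * 8)
    return bytes(a ^ b for a, b in zip(data, mask))


def simulate_unseal(otp_secret: bytes, unsealed: bytes, obj_auth: bytes = b"") -> tuple[bytes, bytes]:
    """Model one unseal response: the TPM and the initramfs each derive the session key
    from the OTP-provisioned bind secret; only the masked bytes cross the SPI bus.
    Returns (bytes seen on the bus, plaintext recovered by the host)."""
    nonce_caller = os.urandom(20)  # sent by the host when the session starts (constructed)
    nonce_tpm = os.urandom(20)     # returned by the TPM (constructed)
    tpm_side = session_key(otp_secret, b"", nonce_tpm, nonce_caller)
    host_side = session_key(otp_secret, b"", nonce_tpm, nonce_caller)
    # For a response parameter nonceNewer is nonceTPM and nonceOlder is nonceCaller.
    on_bus = xor_obfuscate(tpm_side, obj_auth, nonce_tpm, nonce_caller, unsealed)
    recovered = xor_obfuscate(host_side, obj_auth, nonce_tpm, nonce_caller, on_bus)
    return on_bus, recovered


if __name__ == "__main__":
    bus, clear = simulate_unseal(bytes(range(32)), b"constructed-luks-key-material")
    print("bus sees plaintext:", bus == clear, "| host recovered it:", clear == b"constructed-luks-key-material")
```

Without the bind secret a bus sniffer captures only `on_bus`, and a fresh nonce pair gives a different mask per exchange, which is the per-session, non-reusable key property the post recommends.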
