Crypto Chip
Is the ATECC508A currently being used at the moment, or do you intend it for protecting code in future releases?
The crypto chip is neither part of the open source concept nor is it free for use to our customers. There is no guarantee from KUNBUS that future devices may have production closed registers or important information stored into open registers. The chip is exclusively reserved for KUNBUS and customers who will contract to use this chip for their dedicated purpose in negotiation with KUNBUS. If you plan series production of big numbers and would like to use the crypto chip, then please get in contact with the sales department for a discussion on how we can work together.
Our RevPi motto: Don't just claim it - make it!
volker wrote: 30 Jun 2018, 21:01
The crypto chip is neither part of the open source concept nor is it free for use to our customers. There is no guarantee from KUNBUS that future devices may have production closed registers or important information stored into open registers. The chip is exclusively reserved for KUNBUS and customers who will contract to use this chip for their dedicated purpose in negotiation with KUNBUS. If you plan series production of big numbers and would like to use the crypto chip, then please get in contact with the sales department for a discussion on how we can work together.
I personally think your approach is very reasonable. You obviously have a fair amount of commercial software to protect. The reason I ask is that I want to use QEMU with the image to speed up software development. I fully understand that most things (bridge, etc.) won't work, but this is kind of irrelevant for the type of development. In short, is there currently anything in the kernel or bash shell that uses the crypto chip, or am I OK to proceed in trying QEMU?
The piSerial program uses the crypto chip to read its serial number.
You could write your own piSerial which outputs fake data instead.
piSerial is just a little helper for users to show a kind of compressed version of the crypto internal serial code. Some people having too much free time have even back-engineered the compression algorithm (we would have told them if they had asked - we just don't want to publish this). This serial number is used by 3rd party software manufacturers instead of a MAC address (which is easy to manipulate) to generate a device-specific certificate for licensing purposes.
We also use a simple algorithm to generate the unique initial password (WHICH YOU ALWAYS SHOULD EXCHANGE THE FIRST TIME YOU START YOUR DEVICE). So if you use your own image you will not need to deal with this serial number.
BUT: The "external" serial number and MAC (both printed on the case) need to be written somehow into your image. Depending on your distribution there are certain locations in your system where you need to write at least the MAC to (once in the life of the device) in order to change the Raspi-standard MAC into the MAC from KUNBUS printed on the case. KUNBUS also uses the external serial number (which has nothing to do with the internal serial number saved in the crypto) to generate a unique server/device name (the name you see in front of the prompt in terminal mode and which is used in a network connection).
So you need to think over if you would need something similar for your image if you plan to roll out this image on many devices (you would like to have unique MAC addresses and passwords).
I hope this information helps when planning your own image.