Project Description
Implement a proof-of-concept USB security key with support for encrypted data storage, U2F and FIDO2 (WebAuthn). I plan on using a NanoPi NEO2 board for this project, which has a few useful attributes:
- it can boot a mainline Linux kernel
- it's relatively portable (40mm x 40mm)
- it has an aarch64 CPU with support for ARMv8 Crypto Extensions
  - dm-crypt performance should benefit significantly from this
The hardware doesn't provide a secure enclave or TPM, so it's likely unsuitable as a commercial security key device.
When powered, the device will boot a minimal buildroot Linux image and expose a pseudo-mass-storage USB device with a single-file static website. On first boot the website will provide a setup wizard for the device. Subsequent boots will immediately prompt for a decryption key. Output data generated by both the setup wizard and password prompt web pages will need to be propagated back to the USB device. This could be done via the pseudo-mass-storage filesystem, or possibly (if time permits and I can live with myself) via WebUSB.
Most of the work needed for this project will be configuration and plumbing, with the exception of the U2F and FIDO2 USB gadget implementations. https://github.com/ellerh/softfido looks attractive as a U2F/FIDO2 starting point, but it currently exposes the endpoints via USBIP, so it will need to be converted to a Linux functionfs USB gadget.
Goals for this Hackweek
- generate a buildroot 2022.11.1 image for the NanoPi NEO2
- write a static website which provides dm-crypt setup and unlock for the encrypted data storage area
- work out a partitioning scheme for the OS/config/dm-crypt
- for simplicity I'd like to avoid LUKS and instead have the website produce a PBKDF2 derived key for direct use by dm-crypt
- test https://github.com/ellerh/softfido
- convert softfido from USBIP to a Linux functionfs gadget interface
- stretch: write a webusb client and server (USB endpoint) for transferring configuration / key data between host and device
- stretch: support snapshots and transparent compression for encrypted data storage
- stretch: provide some way for a user to update the buildroot OS on the USB device
This project is part of: Hack Week 22
Comments
almost 2 years ago by dmdiss
I pushed the (still very much WIP) results of this project to: https://github.com/ddiss/lioness
It was a lot of fun and served as a good learning experience, particularly with regard to Buildroot embedded development. I didn't get far with softfido, but managed to code a chunk of the config handling / parsing logic in Rust. I'm particularly happy with the USB device<->host configuration message passing logic using an emulated mass-storage device. Rather than detecting eject events to ensure safe access to the exposed storage, the USB device monitors the FAT filesystem contents for lioness.txt configuration presence. The static website provides a SHA256 digest, allowing for config file integrity verification despite concurrent host/device access.
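The digest check described in the comment above, sketched as an added example (not code from the lioness repository): a device-side reader treats a digest mismatch as a write still in progress and polls again instead of acting on the data. The file layout (a `sha256:<hex>` header line followed by the payload), the function names and the sample payload are assumptions made for illustration.

```python
import hashlib
import hmac

# Assumed layout (not taken from the project): the first line is
# "sha256:<hex digest>", everything after the first newline is the payload.
PREFIX = b"sha256:"


def make_file(payload: bytes) -> bytes:
    """What the website side would emit under the assumed layout."""
    return PREFIX + hashlib.sha256(payload).hexdigest().encode() + b"\n" + payload


def check_config(raw: bytes):
    """Classify one read of lioness.txt as absent, incomplete or valid."""
    if not raw:
        return "absent", None
    header, sep, payload = raw.partition(b"\n")
    if not sep or not header.startswith(PREFIX):
        return "incomplete", None  # header line not fully written yet
    claimed = header[len(PREFIX):].strip().lower()
    actual = hashlib.sha256(payload).hexdigest().encode()
    if not hmac.compare_digest(claimed, actual):
        return "incomplete", None  # torn read: host is still writing
    return "valid", payload


def poll(reads):
    """Walk successive reads; return (attempt, payload) for the first valid one."""
    for attempt, raw in enumerate(reads, 1):
        state, payload = check_config(raw)
        if state == "valid":
            return attempt, payload
    return None, None


# Constructed sample: four successive reads taken while the host writes the file.
SAMPLE_PAYLOAD = b"action=unlock\nkdf=pbkdf2\n"
FULL = make_file(SAMPLE_PAYLOAD)
SAMPLE_READS = [b"", FULL[:20], FULL[:-5], FULL]

if __name__ == "__main__":
    for raw in SAMPLE_READS:
        print(len(raw), check_config(raw)[0])
    print(poll(SAMPLE_READS))
```

A bare SHA-256 digest detects incomplete or torn reads; it does not authenticate the writer, since anything able to write the file can recompute it.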