Implement a proof-of-concept USB security key with support for encrypted data storage, U2F and FIDO2 (webauthn). I plan on using a NanoPi NEO2 board for this project, what has a few useful attributes:
- it can boot a mainline Linux kernel
- it's relatively portable (40mm x 40mm)
- it has an aarch64 CPU with support for ARMv8 Crypto Extensions
- dm-crypt performance should benefit significantly from this
The hardware doesn't provide a secure enclave or TPM, so it's likely unsuitable as a commercial security key device.
When powered, the device will boot a minimal buildroot Linux image and expose a pseudo-mass-storage USB device with a single-file static website. On first-boot the website will provide a setup wizard for the device. Subsequent boots will immediately prompt for a decryption key. Output data generated by both setup wizard and password prompt web pages will need to be propagated back to the USB device. This could be done via the pseudo-mass-storage filesystem, or possibly (if time permits and I can live with myself) via webusb.
Most of the work needed for this project will be configuration and plumbing, with the exception of the U2F and FIDO2 USB gadget implementations. https://github.com/ellerh/softfido looks attractive as a U2F/FIDO2 starting point, but it currently exposes the endpoints via USBIP, so will need to be converted to a Linux functionfs USB gadget.
Goals for this Hackweek
- generate a buildroot 2022.11.1 image for the NanoPi NEO2
- write a static website which provides dm-crypt setup and unlock for the encrypted data storage area
- work out a partitioning scheme for the OS/config/dm-crypt
- for simplicity I'd like to avoid LUKS and instead have the website produce a PBKDF2 derived key for direct use by dm-crypt
- test https://github.com/ellerh/softfido
- convert softfido from USBIP to a Linux functionfs gadget interface
- stretch: write a webusb client and server (USB endpoint) for transferring configuration / key data between host and device
- stretch: support snapshots and transparent compression for encrypted data storage
- stretch: provide some way for a user to update the buildroot OS on the USB device
This project is part of:
Hack Week 22
This project is one of its kind!