When trying to secure the files on a Raspberry Pi that’s being sent out into the field with sensitive data on it, it’s obviously nice to make sure no attacker can steal the box, and access those files. That’s where encrypting the root partition comes in. Encryption of a root partition on a system that’s supposed to be able to decrypt it on boot, while not letting an attacker access the decryption key is where the Zymkey comes in.
Unfortunately, even though the root partition is encrypted, the /boot partition is not. Using the boot partition, you can easily tell the kernel to open an interactive shell at boot by modifying the cmdline.txt file. This entirely bypasses the security provided by an encrypted root partition, and by Zymkey.
This has been asked before here: PI - Reset admin password, bypass Zymkey?
At the time, Scott looked into it, and was not able to prove this exploit was usable with whatever version of Raspbian he was using at the time. This exploit definitely works, even with the latest version of Raspbian. Here’s proof:
Is there any way to secure the boot partition to prevent this exploit?
Will the physical tamper detection prevent this somehow? (I haven’t looked into it)
Even if physical tamper detection CAN prevent this, is that the main thing we’re relying on? Or is there another (better?) way to secure the boot partition?
I was thinking of perhaps compiling a custom kernel that won’t use the cmdline.txt file, but the problem is that the kernel itself is on the boot partition. The attacker can easily replace the kernel with his own, or with just the default one that does read the cmdline.txt file.
Edit: Quickly looking into the Zymkey’s tamper detection features, it looks like the main one is the perimeter detection. We can’t use the accelerometer detection because that sounds like that only works if your device isn’t meant to be moved when deployed in the field, which ours can be.
With the perimeter detection, I imagine it would be difficult to actually tie it to the SD card to know if it’s been removed. I think that’s meant to secure the box the Pi is in from being opened. If that’s true, then someone could potentially steal one of these boxes from the field, open them (tripping perimeter detect), and figure out exactly how it’s wired. Then they could steal a second box, and knowing how it’s wired inside, open it without tripping the perimeter detect. Or am I confused about how it works?