Production Mode Clarifications

Hi,
I just bought a Zymkey4i for a Raspberry Pi 4, and I’m trying to understand potential vulnerabilities in my possible setup.
I read all the documentation and searched in this forum for answers but I would still need some clarification about production mode:

  • Considering that perimeter detect needs the battery on the Zymkey to work while it is not powered, and that once in production mode perimeter events cannot be deactivated, does it mean that when the battery is discharged the Zymkey will self-destruct? Is there no possibility to change the battery by following some procedure?

  • Assuming I encrypt the root file system of the SD card with LUKS using the Zymkey and activate production mode, but not perimeter detection, is it possible to boot the Raspberry from an external USB key (with the same OS distribution as the encrypted SD card, but obviously not encrypted) and to use the Zymkey somehow to decrypt the SD card content?

  • In the previous scenario (LUKS + production mode and NO perimeter detection), if the Zymkey or SD card is removed from the Raspberry and used to try an OS boot on a different setup, but then reassembled in the same identical configuration, would the binding be broken?

  • If I rebuild the electrical bridge in some way after cutting the tab, would the Zymkey revert to develop mode or would it be unusable?

Sorry in case these questions have already been clarified and I missed the answers.

Thank you in advance.

Daniele

@dmurgia85

Thank you for your inquiry.

Battery and Perimeter detect: If you have set the perimeter detect to self-destruct and put the ZYMKEY in Production Mode, it is possible to switch out a battery while powered down. However, any perimeter event would be handled immediately upon insertion of a good battery. Therefore, you would need to have some way of getting to the battery without creating a perimeter event.

Booting off USB: The first thing would be to disallow the PI to boot off of USB. That said, if someone were to gain access to the SD card or any other bootable device, it would be possible to boot up the PI and access the rootfs. That is why physical tamper detect needs to be part of the overall solution.

Moving ZYMKEY/SD card and returning to original PI: The binding would not be broken and all would work when returned to the original PI. Neither the ZYMKEY nor the SD card would work on the other PI, however. The LUKS volume would not decrypt.

Production Mode will permanently bind the ZYMKEY, Pi, SD card group. Once you cut the tab (blows a fuse), the binding is permanently locked. You cannot go back by short-circuiting the bridge.

Hope that helps,

Bob

Thanks so much for the responses Bob, they are very helpful.
There is only one thing that doesn’t make sense to me: if the Zymkey is already paired in production mode with the SD card, how would it be possible to use it with the OS loaded on the Raspberry from the USB key? Shouldn’t it be the equivalent of replacing the SD card?

Best Regards,
Daniele

What I was referring to is that it is possible to boot off the USB and access that SD card with that particular ZYMKEY and PI. The ZYMKEY can decrypt the rootfs of that particular SD card. If you were to try and run the same rootfs image encrypted on the USB card with the same ZYMKEY in production mode, it would not decrypt the rootfs. Same as if you tried the same image on a different SD card.
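
For the step of not letting the Pi boot off USB, this added example (not part of the thread and not Zymbit code) audits a Raspberry Pi 4 bootloader configuration, as printed by `rpi-eeprom-config`, for boot modes other than the SD card. The sample configurations are constructed and the mode table is taken from the Raspberry Pi bootloader documentation; as the reply notes, this covers only the boot order, not physical access to the SD card.

```python
import re

# Boot-mode nibbles of the Raspberry Pi 4 bootloader BOOT_ORDER setting
# (table taken from the Raspberry Pi bootloader documentation, not from the thread).
BOOT_MODES = {
    "0": "SD-CARD-DETECT", "1": "SD-CARD", "2": "NETWORK", "3": "RPIBOOT",
    "4": "USB-MSD", "5": "BCM-USB-MSD", "6": "NVME", "7": "HTTP",
    "e": "STOP", "f": "RESTART",
}
# Modes that never load an OS from a medium other than the SD card.
SD_ONLY = {"SD-CARD-DETECT", "SD-CARD", "STOP", "RESTART"}
ASSIGN = re.compile(r"\s*BOOT_ORDER\s*=\s*0x([0-9a-fA-F]+)\s*")

# Constructed sample configurations, in the format `rpi-eeprom-config` prints.
SAMPLE_USB_FALLBACK = "[all]\nBOOT_UART=0\nPOWER_OFF_ON_HALT=0\nBOOT_ORDER=0xf41\n"
SAMPLE_SD_ONLY = "[all]\nBOOT_UART=0\nPOWER_OFF_ON_HALT=0\nBOOT_ORDER=0xf1\n"

def decode_boot_order(hex_digits):
    """Boot modes in the order they are tried: nibbles are read right to left."""
    return [BOOT_MODES.get(d, "UNKNOWN-0x" + d) for d in reversed(hex_digits.lower())]

def audit(config_text):
    """Return one finding per BOOT_ORDER line that permits a non-SD boot mode."""
    findings, seen = [], False
    for line in config_text.splitlines():
        match = ASSIGN.fullmatch(line)
        if not match:
            continue
        seen = True
        modes = decode_boot_order(match.group(1))
        extra = [m for m in modes if m not in SD_ONLY]
        if extra:
            findings.append("BOOT_ORDER=0x%s tries %s; non-SD modes: %s"
                            % (match.group(1), " -> ".join(modes), ", ".join(extra)))
    if not seen:
        # No explicit setting: report it rather than guess the built-in default.
        findings.append("BOOT_ORDER not set explicitly; the bootloader default applies")
    return findings

if __name__ == "__main__":
    for name, cfg in (("usb-fallback", SAMPLE_USB_FALLBACK), ("sd-only", SAMPLE_SD_ONLY)):
        print(name, audit(cfg) or "OK: SD card only")
```

On a device, feed the output of `rpi-eeprom-config` to `audit()` instead of the constructed samples.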