[Linux-aus] FOSS on Mobile Phones: Grant Report
Yifei Zhan
yifei at zhan.science
Tue Jun 18 16:01:30 AEST 2024
Now it's about a year after I received the grant from Linux Australia on FOSS
on mobile phones, this is an update on the work I've done with the funded
hardware.
A major part of the work involves getting the OP-TEE FOSS security enclave
working on the PinePhonePro and use fTPM (Firmware-backed Trusted Platform
Module) on top of it to provide a hardware-enforced way to isolate and protect
sensitive crypto operations in case of an attacker compromising the primary
Linux system.
In the end, a general PKCS#11 interface backed by the TPM is available for
user space applications to delegate crypto operations. (OP-TEE also provides a
native PKCS#11 interface, bypassing the TPM)
With fTPM made available at an early boot stage, U-Boot the bootloader can
measure the payloads (kernel, dtb, initramfs...) before continuing with the
boot process, and the measurements can then be used to unseal key materials or
be used by user space applications.
The demostrations for the following use case on EO 2024 are available from my
blog:
- Access Measurements from Linux Userland [2]
- Sign in to GitLab with fTPM-backed FIDO token [3]
- fTPM-backed SSH Identity [4]
The source code and building infrastructure are available on GitHub:
https://github.com/ZhanYF/veritymobile
Using that, it should be easy to build u-boot image you can flash to an sdcard
and reproduce the demos.
On the other hand, I also worked on virtualization-based isolation for
untrusted workload, here is a demo for web browsing inside disposable,
lightweight virtual machine:
- Disposable Web Session [5]
The source code for reproducing that is also on GitHub:
https://github.com/ZhanYF/disposable-session
Unlike the security enclave demos, you can run this one on any KVM-enabled
system supported by firecracker (amd64, aarch64).
Initially Russell and I used 2 PinePhonePros separately for different areas of
work but due to design flaws[1] of the PinePhone backplates my PPP melted its
midframe and I ended up using both PPP for my work.
My slides for EO2024 is available here:
https://segments.zhan.science/posts/everything_2024_gladstone_links/
On the side note, I'm still working on getting the LoRa backplate to work, the
goal is to integrate the PPP with LoRa backplate to an active communication
network (e.g. Mashtastic[6]) and add support for the PineDio USB LoRa adapter
so that it can be further integrated into the Linux ecosystem. However the
progress has been slowed down by some hardware problems. (e.g. the SX1262 LoRa
chip used by PineDio has message corruption problem on both TX and RX, and
backplate connection instability) At the current stage integration of the LoRa
hardware to user-facing software is fairly primitive but it can be done as
demonstrated by me during a previous Flounder meeting. [7]
Yifei,
Thanks.
[1]: https://segments.zhan.science/posts/troubles_with_the_pinephone_keyboard/
[2]: https://segments.zhan.science/talks/EO2024/
BootToSystemAccessMeasurements.mp4
[3]: https://segments.zhan.science/talks/EO2024/SigninToGitLabWithFTPM.mp4
[4]: https://segments.zhan.science/talks/EO2024/ftpmBackedSSHIdentity.mp4
[5]: https://segments.zhan.science/talks/EO2024/BrowserSession.mp4
[6]: https://meshtastic.org/
[7]: https://flounder.linux.org.au/2023/07/02/july-2023-meeting/
More information about the linux-aus
mailing list