Well this scenario basically needs full secure boot
Yes, that would be the best option. Have you considered crowd-funding such development work? I think there is a large demand for secure boot.
to setup the allowed boot devices in the BIOS and protect the BIOS of the device
Thanks, I appreciate any idea, even ideas that are not secure, but just make it harder to break the system. However, protecting the BIOS does not prevent anyone from just mounting the disk in a different PC, and everything is then open.
To protect persistent data I was considering something like:
store all persistent data in one or more encrypted files.
use the TPM to store the encryption/decryption key.
in the docker application container: access the TPM to get the encryption/decryption key.
But is this approach possible and what would it be worth?
I understand that the code that retrieves the encryption/decryption key could be tampered with.
But maybe it’s worth something, if it is obscure enough?
The plan to protect the data as you described is also not secure. Someone just needs to add a program that is executed to access the TPM and get the necessary information to decrypt the data file, or decrypt it on the device directly. As I said, for the above attack scenario you need full secure boot support.
We do have some plans to add support for trust anchors in the operating system, but I can’t give you many more details or an ETA currently. I’ll attach our internal issue on this topic to this thread, so that we can update it when we have news.
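The two posts above describe the plan (encrypted data files, key held by the TPM, fetched from the container) and why it fails on its own: any program that runs on the device can ask the TPM for the key. What closes that gap is sealing the key to boot measurements, so the TPM only releases it when the PCRs match the firmware and boot chain that were measured at sealing time; that in turn needs a measured/secure boot chain, which is the "trust anchor" support being discussed. The following is an added example, not code from the thread or from balenaOS. It is a pure-Python offline model (there is no real TPM in it) that reproduces the TPM 2.0 PCR-extend arithmetic and the TPM2_PolicyPCR digest formula, and all boot-log entries, PCR choices and the key value are constructed for the demonstration.

```python
"""Offline model of sealing a data-encryption key (DEK) to TPM PCR values.

Constructed example: no real TPM is used. It reproduces the TPM 2.0
PCR-extend step and the TPM2_PolicyPCR digest calculation so the reader can
see why a key sealed to boot measurements is only released to the boot chain
that was measured when it was sealed.
"""
import hashlib
import struct
from typing import Dict, Iterable, List

TPM_CC_POLICYPCR = 0x0000017F   # TPM 2.0 command code of TPM2_PolicyPCR
TPM_ALG_SHA256 = 0x000B         # TPM 2.0 algorithm id of SHA-256
SHA256_ZERO = b"\x00" * 32      # reset value of a PCR in the SHA-256 bank


def pcr_extend(pcr_value: bytes, measurement: bytes) -> bytes:
    """PCR_new = SHA256(PCR_old || SHA256(measured data))."""
    return hashlib.sha256(pcr_value + hashlib.sha256(measurement).digest()).digest()


def boot_pcrs(measurements: Dict[int, List[bytes]]) -> Dict[int, bytes]:
    """Replay a (constructed) boot log: every PCR starts at zero and is extended in order."""
    pcrs = {}
    for index, events in measurements.items():
        value = SHA256_ZERO
        for event in events:
            value = pcr_extend(value, event)
        pcrs[index] = value
    return pcrs


def pcr_selection(indices: Iterable[int]) -> bytes:
    """Marshal a TPML_PCR_SELECTION with one SHA-256 bank (24 PCRs -> 3 bitmap bytes)."""
    bitmap = bytearray(3)
    for i in indices:
        bitmap[i // 8] |= 1 << (i % 8)
    return struct.pack(">IHB", 1, TPM_ALG_SHA256, 3) + bytes(bitmap)


def policy_pcr_digest(pcrs: Dict[int, bytes], indices: Iterable[int]) -> bytes:
    """Fresh policy session (digest = 32 zero bytes) extended by one TPM2_PolicyPCR:
    SHA256(policyOld || TPM_CC_PolicyPCR || pcrSelection || SHA256(selected PCR values))."""
    ordered = sorted(indices)
    pcr_digest = hashlib.sha256(b"".join(pcrs[i] for i in ordered)).digest()
    return hashlib.sha256(SHA256_ZERO + struct.pack(">I", TPM_CC_POLICYPCR)
                          + pcr_selection(ordered) + pcr_digest).digest()


def seal(dek: bytes, pcrs: Dict[int, bytes], indices: Iterable[int]) -> dict:
    """Model of creating a sealed object: its authPolicy is the PCR policy digest.
    A real TPM would also encrypt the secret under its storage key; the model keeps it in clear."""
    return {"auth_policy": policy_pcr_digest(pcrs, indices),
            "indices": tuple(sorted(indices)), "secret": dek}


def unseal(sealed: dict, current_pcrs: Dict[int, bytes]) -> bytes:
    """Model of TPM2_PolicyPCR + TPM2_Unseal: the secret is released only if the policy
    digest computed from the *current* PCRs equals the authPolicy recorded at sealing."""
    if policy_pcr_digest(current_pcrs, sealed["indices"]) != sealed["auth_policy"]:
        raise PermissionError("policy check failed: boot measurements differ from sealing time")
    return sealed["secret"]


def demo():
    """Seal a DEK to PCR0 (firmware) and PCR7 (Secure Boot state) of a constructed good boot,
    then try to unseal it from the same boot and from a boot whose Secure Boot state changed."""
    good_boot = {0: [b"firmware-v1"], 7: [b"SecureBoot=1", b"db:vendor-cert"]}   # constructed
    tampered_boot = {0: [b"firmware-v1"], 7: [b"SecureBoot=0"]}                  # constructed
    dek = hashlib.sha256(b"constructed-dek").digest()                            # constructed key

    sealed = seal(dek, boot_pcrs(good_boot), [0, 7])
    released = unseal(sealed, boot_pcrs(good_boot)) == dek
    try:
        unseal(sealed, boot_pcrs(tampered_boot))
        blocked = False
    except PermissionError:
        blocked = True
    return released, blocked


if __name__ == "__main__":
    print(demo())   # (True, True)
```

With a real TPM the same flow is what tpm2-tools implements (tpm2_createpolicy, tpm2_create, tpm2_load, tpm2_unseal), and the released DEK would be handed to cryptsetup or an AES-GCM routine rather than a model dict. The caveat the thread already makes still holds: PCR sealing only binds the key to the boot chain if the firmware actually measures that chain into the PCRs, which is why a trust anchor in the OS, not obscurity in the container, is the piece that makes the scheme hold up.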
The plan to protect the data as you described is also not secure.
I am fully aware of this. Security by obfuscation. But at least the attacker needs to analyze the way the decryption is done and must clearly demonstrate bad intentions. As opposed to the default Balena disk installation, where too much is readable in plain text as soon as the disk is mounted somewhere.
We do have some plans to add support for trust anchors in the operating system
This is a MUST-HAVE for so many applications! I am not sure I would have chosen Balena 2 years ago, if I had realized the current limitation. Please, reconsider putting this on the (near future) roadmap, find or crowdfund the resources.
Just wanted to report back that it’s working great! We’re using TPM attestation with Azure IoT Hub and it’s working like a champ. Thanks again for adding this.
Hey all! Checking back in on progress here? I’m deciding on platforms right now and leaning away from Balena for this specific reason. Love this platform, but need to ensure hardware root of trust.