by drdaeman 3290 days ago
Unless you install some TPM module, RPi itself has no tamper-resistant storage and has DFU (so, basically plug it into a wrong device and it'll be able to run arbitrary code, pulling all secrets).

An FST-01 is a somewhat better choice, but Gnuk doesn't implement U2F. If someone has enough time and knowledge I don't see why it won't be possible to add it, though.

1 comments

Parent-poster said tamper-resistance wasn't an issue in their usage case.

But are you sure it'll DFU over USB?

If so, for avoiding DFU, could you use some simple hardware to disable the data lines on the OTG port until the Pi had finished booting?

Could one use an I2C- or SPI-based crypto chip for key storage?

Actually, no. I think I have confused RPi with some other board.

Don't have Pi at hand to test for sure, but searching online can't find mentions of USB DFU. I think I may be mistaken.