|
|
|
|
|
|
by alltakendamned
2192 days ago
|
|
|
There's multiple steps involved in this, but some of the important ones are: - encrypt all the contents of your flash (e.g. with LUKS) - store the key in a crypto hardware module - Typically you'd then have a System on Chip which supports a secure boot with a fused certificate key as hardware root of trust. Each subsequent phase of the boot process needs to be attested by the previous phase to maintain this chain of trust. Have the boot process pull the key for your Flash partition and unlock the flash - Ensure your board is fully locked down, so no debug access, no boot overrides, no sideloading, .... - make sure the key can't be accessed with the same process privileges as the server running on the unit, for when someone inevitably pops it - select a SoC with protections against side channel attacks and fault injection (glitching), not some 0.3 USD microcontroller |
|
|