[Cryptech Tech] Roadmap & remarks about the opportunity of developing a secure TOR router on the Novena platform.

Leif Johansson leifj at sunet.se
Tue Jul 29 19:47:12 UTC 2014



> 29 jul 2014 kl. 18:31 skrev "★ STMAN ★" <stman at riseup.net>:
> 
> Hello Linus,
> 
> As you requested me, here are my comments and remarks about a Roadmap and « What would happen if we wanted to develop a secure TOR Router on the Novena as is » :
> 
> Indeed there are other facts that you must know about the Novena and the problems that would rise to build a secure TOR EndPoint (With 1 dedicated Ethernet port), or a secure TOR router / firewall (With 2 dedicated Ethernet Ports):
> 
> In order to use it as a prototyping/development platform, I am now convinced it is not the best choice to have :
> 
> - Novena’s implementation of the Xilinx LX45 FPGA is not equipped with EPROM/FLASH : It only has SDRAM : Implementing a processor with it means that, not only the Bitfile of the FPGA must be transferred through the I2C Bus with the risk of Bitfile corruption by an NSA Malware, but also, implementing a « common processor » or « SoC » with it would force the designer to add some supplementary VHDL code in order to have the bootstrap, programs, and OS binaries also transferred from the Non-Secure FreeScale Quad core processor to the FPGA’s SDRAM memory using the I2C Bus again, before being able to « boot the FPGA’s made processor » : This is mandatory as long as there is no ROM/EPROM/FLASH socket that could store all these binaries.

I believe we'll have to address several of these concerns for our hsm design too - notably the need for secure msk & flash/fpga boot.


> - This « I2C » based VHDL « binary into SDRAM » loader code doesn’t exist yet. Somebody would have to do it.
> - The FPGA is not connected to any Ethernet PHY driver, this means that no Ethernet Controller can be emulated in the FPGA : It forces the developer to either transmit his Ethernet frames through the I2C Bus again, or through the dedicated Bus connecting the FreeScale SoC to the FPGA, in order to use the FreeScale SoC Ethernet Controller. The problem is that doing such a trick means that a spyware monitoring all the data going through the FreeScale SoC Integrated Ethernet Controller could also monitor/store/alter the Ethernet packets generated by the processor emulated by the FPGA.
> - If one really wants to have a native independent and secure Ethernet Controller implemented into the FPGA, he would have to make an extra daughterboard connected to the expansion connector port of the FPGA : But this means adding some self-made hardware with a PHY controller.
> - The expansion connector available in the Novena doesn’t respect any industry standards in this « field ». Some IEEE standards DO exist for such expansion connectors for FPGAs and could allow a designer to use a standard Ethernet PHY daughterboard made for these FPGA standard expansion connectors, but it is impossible with the Novena as long as its expansion connector is a « Novena proprietary connector ».
> - And then a last point : the Xilinx Spartan 6 FPGA series comes in two versions for each FPGA : The LX and the LXT : Novena is using the LX version, whereas it would be useful to use the LXT version because they integrate several useful built-in on-chip high speed GTP (GigaBit Serial Transmission Ports) implementing standards like SATA, PCI Express, and Gigabit Ethernet. Unfortunately, the model chosen for the Novena is an LX45 and not an LX45T.
> - Then : LX45 has 45k CLB (Configurable Logic Blocks), but I think it would be necessary to have a bigger FPGA (I would say minimum LX75 for example) with at least 75k CLB in order to be able to implement a full SoC equivalent to a « Raspberry Pi » SoC into the FPGA (FYI the Maximum being LX150 with 150k CLB).
> 
> 
> For all these reasons, using Novena as a platform for experimenting with the development of Secure TOR Routers / End Points is not an easy task, and some important security concerns related to the injection of the Bitfile AND the binary code that the « FPGA emulated processor/SoC » will run through the I2C Bus remain a very important problem : It is obvious that if the NSA or any other agency is aware we are working on such things that they will develop some spyware/tools to interfere with the BitFile / Binary code transmission through the I2C Bus.
> 
> And to me, they would not only develop such spyware/malware for our TOR Router implementation on the Novena, but for ANY design that could be implemented on it.
> 
> My conclusion is that unless some few design changes are made to the Novena, it’s not going to be an easy task to develop/experiment secure TOR routers with it, and keep in mind that according to me and to other TOR developers, the security issues with the I2C Bus are a real concern for such a secure Application.
> 
> 
> I am looking forward to hearing from you,
> 
> Kind regards,
> 
> Stman.
> 
> 
> _______________________________________________
> Tech mailing list
> Tech at cryptech.is
> https://lists.cryptech.is/listinfo/tech