[Cryptech Tech] arm

Jeroen Massar jeroen at massar.ch
Mon Jan 12 22:22:34 UTC 2015


On 2015-01-12 21:00, Rob Austein wrote:
[..]
> I halfway seriously proposed RS-232 for (2), but apparently the cool
> kids won't accept that anymore. 
[..]
> More serious question, though: what's the least bad hardware interface
> we can use across the security perimeter?  Eg, would doing our own
> UDP-like encapsulation over raw ethernet frames be better than USB?

TLDR:
#1 serial is simple (great for the small device)
#2 USB with a USB<->serial dongle
#3 Ethernet, but then only do Ethernet, not IP
- need power for the device (usb-power or external brick or PSU?)


Serial is likely the best answer actually as it is very cleanly
separated and there are no magic protocols that go over it like with USB
(in case somebody gets physical access and replugs things and you
suddenly have all kinds of magic hardware on your box). Hot-glueing USB
ports would solve it a bit. Then again, physical access and the game is
over for most scenarios.

The problem for the cool kids is that they likely use the sole serial
interface they have as a console port and thus that really leaves USB.
Though checking my current favorite X10SLM-F board it has two serial
ports (one external, one internal).

Many servers have an 'internal' USB port. Hence if the device is small
enough it can be built in to the case of a 1U server, the chassis
intrusion can then at least serve as a minimal way of tamper check.

Using a cheap Serial<->USB converter can solve the 'not enough USB
ports' but it also addresses that the device itself only needs to expose
a serial port (and not have magic USB chips on board).


Ethernet is a second best, but there you'll also need to have enough
Ethernet ports on your host. Cool thing would be attaching it to a
switch and sharing the device with hosts connected to the same VLAN.
Keeping it on Ethernet level (thus L2) would mean that an adversary
would have a hard time getting there; using a IP based protocol like UDP
would mean first of all overhead (need to have a IP stack), but also the
possibility that some numb-wit enables routing... better not go down
that path.


PCI/Thunderbolt/Lightning/Firewire and friends are definitely not an
option, these things do DMA, do not want for this setup.


Serial can be 'slow' though, which is something to look for.

Hence, I think in the end one will have the three versions I note above
in the TLDR depending on the speeds one need to achieve or what form
factor one prefers.

Serial + USB are both 'serial' interfaces which is good and simple.

For Ethernet we would just define 'every packet of EtherType X adds to
the serial stream' (and lets hope they do not come out of order ;),
possibly locking down on source MAC address.

Every device needs power and a big trend is to power things off USB,
though one does not need to use the datalines then. Of course, having a
PSU plug can be useful too.

Greets,
 Jeroen




More information about the Tech mailing list