imx6, encrypted boot. Are uboot Environment variables encrypted?


1,723 Views
achestnov
Contributor I

Hi!

Does anybody have an idea where the U-Boot environment variables are stored?

Is it encrypted with U-Boot? Why is only U-Boot marked as encrypted data, as shown here: https://community.nxp.com/docs/DOC-33214

If the board is in closed mode, is it possible to read the environment variables without completely booting the board?

I also want to save some application passwords. Can anybody suggest some recommended ways to do it? Does it make sense to store them as U-Boot environment variables?

Many thanks,

0 Kudos
3 Replies

1,168 Views
marius_grigoras
NXP Employee

Hi Alexander,

U-Boot envs are not encrypted. With the U-Boot and kernel images encrypted, a hacker cannot use the U-Boot envs to boot up a custom bootloader.

Yes, you can read the raw env zone from the SD card, just by removing the SD card and mounting it in a PC.

Regarding your scenario, it makes no sense to put your passwords in the clear in the U-Boot env zone. This is not secure at all. For example, in Linux, even if you're the root user you cannot see the passwords, but only a hash of them. I recommend that you use another mechanism for saving the passwords.

Thank you,

Marius 
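
As an added example (not part of the thread and not NXP's or U-Boot's own code), this Python sketch parses a U-Boot environment blob in the non-redundant layout, a little-endian CRC32 followed by NUL-separated `name=value` strings, and flags variable names that look like stored credentials, a check worth running on an image before it ships. The 0x2000 environment size, the name patterns and the sample variables are assumptions constructed for the illustration.

```python
import re
import struct
import zlib

ENV_SIZE = 0x2000  # assumed CONFIG_ENV_SIZE; the real value is board-specific

# Hypothetical name patterns suggesting a secret was placed in the environment.
SUSPICIOUS = re.compile(r"pass|pwd|secret|token|key", re.IGNORECASE)


def build_env(variables, size=ENV_SIZE):
    """Build a constructed env blob: CRC32 (LE), NUL-terminated entries, extra NUL."""
    data = b"".join(f"{k}={v}".encode() + b"\0" for k, v in variables.items()) + b"\0"
    data = data.ljust(size - 4, b"\xff")
    return struct.pack("<I", zlib.crc32(data)) + data


def parse_env(blob):
    """Return (crc_ok, variables) for a non-redundant U-Boot env blob."""
    (stored_crc,) = struct.unpack_from("<I", blob, 0)
    data = blob[4:]
    # CRC32 only detects corruption; it is not a keyed MAC and gives no secrecy.
    crc_ok = stored_crc == zlib.crc32(data)
    variables = {}
    for entry in data.split(b"\0"):
        if not entry:  # empty entry marks the double NUL that ends the list
            break
        key, _, value = entry.decode("ascii", "replace").partition("=")
        variables[key] = value
    return crc_ok, variables


def audit_env(blob):
    """Return (crc_ok, names) where names look like stored credentials."""
    crc_ok, variables = parse_env(blob)
    return crc_ok, sorted(k for k in variables if SUSPICIOUS.search(k))


# Constructed sample, not taken from a real board.
SAMPLE = build_env({
    "bootcmd": "run mmcboot",
    "bootdelay": "3",
    "app_password": "example-not-a-real-secret",
})

if __name__ == "__main__":
    ok, hits = audit_env(SAMPLE)
    print("CRC valid:", ok)
    for name in hits:
        print("plaintext secret candidate in env:", name)
```
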

1,168 Views
achestnov
Contributor I

Thank you for the answer. Which mechanism do you recommend to store the clear-text passwords? I need it. Thank you.

0 Kudos

1,168 Views
marius_grigoras
NXP Employee

The best way is to use the Linux way, which keeps a hash of your passwords and doesn't store them in clear. I think you don't want to memorize the password, but this is impossible (only if you want to use a secured USB stick for login, which can store the hash of your password and/or the certificate - btw, never tried this on iMX boards).

I understand that you need a method to keep the passwords in clear - hopefully you understand why this is not safe :)

Even if you encrypt your password using a symmetric or asymmetric algorithm, you should have/keep the security key used in the algorithm. With every method you use, you need to memorize (in mind or in some other way) a password / a key.

In any other modern OS (Linux, macOS, Windows, QNX, etc.) the user should keep the password in mind - when you type it, the OS will calculate the hash and compare it with the one saved when you created the user. This is the most common and the safest popular method used so far. Note that if a hacker obtains root access and reads the hash, they can break the password pretty easily using a hash breaker - but this is not so easy (or almost impossible in linear time) if you're using a strong password.

Thank you,

Marius

0 Kudos