Exploring Universal Flash Storage (UFS) Write Protection on the HiKey960

This post explores the potential of a do-it-yourself root of trust on the HiKey960 using UFS hardware write protection. The 960 version has an onboard Universal Flash Storage (UFS) device, the future of MMC, and much faster! UFS as a standard has existed since 2011, but devices seem to have become generally obtainable only around 2017. Linux support has seen very recent updates (4.15+).

The unfortunate news is that I have not found a way to implement an open-source/do-it-yourself Root of Trust on the HiKey960. I will explain why in this post, but the focus will be on UFS write protection.

DIY Root of Trust using ARM Trusted Firmware on the 96Boards Hikey

This is a series of notes designed to be a walkthrough on how to configure the HiKey Kirin 620 to boot securely with ARM Trusted Firmware's Trusted Board Boot. This does not use any proprietary settings or vendor-specific details about the SoC. Instead, the secure boot path relies on the SoC's BOOT_SEL configured to boot solely from the eMMC. With this configuration there should be no way to interrupt or bypass the root of trust via runtime changes.

Pay special attention to the *should*: this is not spoken from authority but from suspicion and research.

The Root of Trust (ROT) begins in the BL2 programmed to the eMMC's boot0 partition. The bootrom must execute the HiKey's l-loader.bin and ARM Trusted Firmware's (ATF) bl2.bin written to this alternate boot partition. The eMMC's extended CSD register 173 (BOOT_WP) is written to permanently write-protect this content. This is a one-time program operation that has the potential to brick the device.

Hands on Introduction to ARM Firmware using the 96Boards HiKey

This 8-core ARM Cortex-A53 board with 2GB DDR3 is amazing! I'm an entry-level ARM security enthusiast, and this board feels like the perfect starting place for TrustZone and secure/verified boot research.

HiKey supports the ARM Trusted Firmware and OP-TEE reference specifications, so we can *clone* from GitHub, compile, and flash rather effortlessly. We can write the secure 'ROM', the secure world operating system, and the non-trusted firmware executing in the normal world.
