PXI

cancel
Showing results for 
Search instead for 
Did you mean: 

NI LinuxRT (Real-Time), TPM 2.0, LUKS for Encryption for Data-at-Rest Question....

Solved!
Go to solution

Can the NI LinuxRT OS utilize the TPM 2.0 Module on a PXIe board with the LUKS Disk Encryption?  Has this been done?  Can you provide instructions on running the NI LinuxRT with LUKS using the TPM 2.0 technology onboard a TPM 2.0 PXI or PXIe?

 

Thank you!

0 Kudos
Message 1 of 5
(727 Views)

"NI Linux Real-Time is a standard distribution for embedded systems that can be used on various hardware platforms. It includes standard components like the Linux kernel with the PREEMPT_RT patch, the GRUB bootloader program and the OPKG package manager.(Page 3)"

 

Further looked into using GRUB Bootloader with a TPM in the archlinux link provided below states, "Implementing Secure Boot

There are certain conditions making for an ideal setup of Secure boot:

  1. UEFI considered mostly trusted (despite having some well known criticisms and vulnerabilities[1]) and necessarily protected by a strong password
  2. Default manufacturer/third party keys are not in use, as they have been shown to weaken the security model of Secure Boot by a great margin[2]
  3. UEFI directly loads a user-signed EFISTUB-compatible unified kernel image (no boot manager), including microcode (if applicable) and initramfs so as to maintain throughout the boot process the chain of trust established by Secure Boot and reduce the attack surface
  4. Use of full drive encryption, so that the tools and files involved in the kernel image creation and signing process cannot be accessed and tampered with by someone having physical access to the machine.
  5. Some further improvements may be obtained by using a TPM, although tooling and support makes this harder to implement.
  6. Using the GRUB bootloader requires extra steps before enabling secure boot, see GRUB#Secure Boot support for details."

 

https://www.ni.com/pdf/support/us/ni_linux_real-time_security_user_guide.pdf

https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secure_Boot

https://github.com/ni/linux

https://wiki.linuxfoundation.org/realtime/documentation/howto/applications/preemptrt_setup

0 Kudos
Message 3 of 5
(681 Views)

Based on the below links, NI uses the "Linux Kernel (27.04.2017)" for the OS (page 3 of the PDF below) with the PREMPT_RT patchset (27.04.2017 for Real-time solution).  

 

"NI Linux Real-Time is a standard distribution for embedded systems that can be used on various hardware platforms. It includes standard components like the Linux kernel with the PREEMPT_RT patch, the GRUB bootloader program and the OPKG package manager.(Page 3)"

 

Further looked into using GRUB Bootloader with a TPM in the archlinux link provided below states, "Implementing Secure Boot

There are certain conditions making for an ideal setup of Secure boot:

  1. UEFI considered mostly trusted (despite having some well known criticisms and vulnerabilities[1]) and necessarily protected by a strong password
  2. Default manufacturer/third party keys are not in use, as they have been shown to weaken the security model of Secure Boot by a great margin[2]
  3. UEFI directly loads a user-signed EFISTUB-compatible unified kernel image (no boot manager), including microcode (if applicable) and initramfs so as to maintain throughout the boot process the chain of trust established by Secure Boot and reduce the attack surface
  4. Use of full drive encryption, so that the tools and files involved in the kernel image creation and signing process cannot be accessed and tampered with by someone having physical access to the machine.
  5. Some further improvements may be obtained by using a TPM, although tooling and support makes this harder to implement.
  6. Using the GRUB bootloader requires extra steps before enabling secure boot, see GRUB#Secure Boot support for details."

 

----------------------------------------------------------------

 

What I am wondering is, "Will the Linux Kernel allow for GRUB Loader to perform a secure boot and access the TPM 2.0?"

 

 

 

References:

https://www.ni.com/pdf/support/us/ni_linux_real-time_security_user_guide.pdf

https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secure_Boot

https://github.com/ni/linux

https://wiki.linuxfoundation.org/realtime/documentation/howto/applications/preemptrt_setup

0 Kudos
Message 4 of 5
(681 Views)
Solution
Accepted by topic author rustopher

Here is what I have come to realize.  First, I do not work for NI.  I do not know NI Systems in that aspect.  I am an I.T. Security Expert.  However, I am only giving my opinion and cannot say whether the below is a solution for Linux Real Time (RT).  I am only here and sharing my opinion.  Based on all the data I have researched....

 

In theory, the Grub Loader should be able to perform secure boot if the embedded NI LinuxRT OS allows for this configuration.  I do not know if they do.

 

Also, in theory, the TPM should allow you to securely place the keys from a LUKS partition or secondary drive into the TPM using the NI LinuxRT Command-Line Terminal.

 

And based on what information has been given by NI, the NI LinuxRT OS can perform LUKS on a partition or separate drive. 

 

Best security practices would be to maintain the keys within the TPM for a LUKS encrypted drive and utilize GRUB Loader setup to perform Secure Boot.  

 

If this can be done with the NI LinuxRT OS, I am unsure, but that would likely be best security practices for encrypting a drive with the Real-Time solution provided.  

 

You will read that only GRUB Loader version 2 or GRUB2 will only work with a TPM 2.0 from other websites to perform the secure boot process.  However, archlinux.org explains in better detail of how to manipulate the basic GRUB Loader version 1 to work with Secure Boot at https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secure_Boot 

0 Kudos
Message 5 of 5
(661 Views)