OHSNAP: Difference between revisions

From Noisebridge
No edit summary
Line 27: Line 27:
# Resume searching for OpenBSD-compatible non-BGA chips that are similar to the Nuvoton (unlikely to exist on the market, as we have been searching for a while and chips like this tend to be older designs and therefore unlikely to be supported)
# Resume searching for OpenBSD-compatible non-BGA chips that are similar to the Nuvoton (unlikely to exist on the market, as we have been searching for a while and chips like this tend to be older designs and therefore unlikely to be supported)
# Migrate to a different OS which has ARM926EJ support, such as NetBSD or Linux. Both are considered less secure than OpenBSD, the latter unacceptably so.
# Migrate to a different OS which has ARM926EJ support, such as NetBSD or Linux. Both are considered less secure than OpenBSD, the latter unacceptably so.
# With [http://www.undeadly.org/cgi?action=article;sid=20210423090342 newly added] and [http://www.undeadly.org/cgi?action=article;sid=20210619161607 quickly expanding] RISC-V support in OpenBSD, we may want to consider that architecture more seriously. One key advantage of open source silicon is that we can create a custom, high-performance chip and put it in a QFP package with only the pins exposed that we would need.
# With [http://www.undeadly.org/cgi?action=article;sid=20210423090342 newly added] and [http://www.undeadly.org/cgi?action=article;sid=20210619161607 quickly expanding] RISC-V support in OpenBSD, we may want to consider that architecture more seriously. One key advantage of open source silicon is that we can create a custom, high-performance chip and put it in a QFP package with only the pins exposed that we would need. Next steps would be getting ballpark estimates of taping out our own silicon from [https://www.sifive.com local] [https://openfive.com/custom-silicon/ vendors].


<h3>June 25, 2021</h3>
<h3>June 25, 2021</h3>
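Review bot: the sentence added at the end of the RISC-V item links the words "local" and "vendors" separately, so the rendered text reads "local vendors" with no vendor named and the reader cannot tell that the two links go to sifive.com and openfive.com. Name them in the link text, e.g. `from local vendors such as [https://www.sifive.com SiFive] and [https://openfive.com/custom-silicon/ OpenFive]`.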
Line 192: Line 192:
** [http://www.netbsd.org/docs/kernel/porting_netbsd_arm_soc.html Porting NetBSD to ARM926EJ-S] - article on adding support to NetBSD for the same ARM9 core that the Nuvoton NUC980 uses
** [http://www.netbsd.org/docs/kernel/porting_netbsd_arm_soc.html Porting NetBSD to ARM926EJ-S] - article on adding support to NetBSD for the same ARM9 core that the Nuvoton NUC980 uses
* '''Other architectures'''
* '''Other architectures'''
** OpenBSD on RISC-V: [https://github.com/MengshiLi/openbsd-riscv-notes/blob/master/Porting_OpenBSD_to_RISCV_FinalReport.pdf Porting OpenBSD to RISC-V ISA] (PDF), [https://github.com/MengshiLi/openbsd-riscv-notes GitHub repo]
** RISC-V:
*** OpenBSD on RISC-V: [https://github.com/MengshiLi/openbsd-riscv-notes/blob/master/Porting_OpenBSD_to_RISCV_FinalReport.pdf Porting OpenBSD to RISC-V ISA] (PDF), [https://github.com/MengshiLi/openbsd-riscv-notes GitHub repo]
*** [https://www.sifive.com SiFive] - custom RISC-V manufacturer in the South Bay
*** [https://openfive.com/custom-silicon/ OpenFive] - custom RISC-V manufacturer in the South Bay
** [https://millcomputing.com Mill Computing] - novel CPU design in the North Bay
** [https://millcomputing.com Mill Computing] - novel CPU design in the North Bay
* '''Communication & collaboration platforms'''
* '''Communication & collaboration platforms'''
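Review bot: the two new sub-items under "RISC-V:" carry the identical description "custom RISC-V manufacturer in the South Bay", so the list reads as a duplicate entry; say what distinguishes them (the OpenFive link points at a custom-silicon service page, the SiFive link at the company home page). Also, "RISC-V:" is the only sub-heading written with a trailing colon while its siblings use bold headings such as '''Other architectures'''.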

Revision as of 04:13, 7 July 2021

Open Hardware for Secure Networks And Privacy (OHSNAP)

This is the project page for OHSNAP, an open-source platform for building secure networks with a known hardware root of trust.

Motivation

Virtually all commercially available networking equipment is proprietary and closed-source and cannot be independently verified to be free of malware. There have been documented cases of attackers – sometimes entire nation-states – physically modifying networking equipment and networkable devices in order to exfiltrate data and/or command & control otherwise-trusted systems. This leaves the average individual with little choice but to hope that their home network consists of and is secured by devices which do not phone home or contain other backdoors. Such a situation breaks the guarantee that the user's data and devices remain their sovereign property and instead places control into the hands of manufacturers and governments.

The goal of this project is to produce a completely open design and implementation for a network router with a verifiable root of trust. Making the hardware design, manufacturing process, and firmware and software stacks fully verifiable lets users inspect the entire end-to-end flow of their data and directly control some or all of the fabrication of the device in order to establish positive provenance.

Device Summary

OHSNAP is an exploratory platform for secure hardware. The first two OHSNAP devices will be:

  • OHSNAP Router: An embedded computer running an open source firmware and OS. It will expose at least two gigabit Ethernet ports.
  • OHSNAP Server: A small, low-power, single-board computer with a single 10/100 Ethernet port.

Design Goals

  • No closed-source firmware or software allowed anywhere in the stack
  • Implementation must be independently reproducible by third parties
  • Factory-made PCBs must be physically produced in the USA
  • Components should be as supplier-diversified as possible

Status

July 2, 2021

Examination of the OpenBSD source and mailing list archives shows that support for pre-v7 ARM architectures was intentionally removed from the OS. According to this table, the NUC980's ARM926EJ core is ARMv5-based and therefore unsupported.

Adding support for ARMv5 to OpenBSD is out of scope for this project and we're not aware of any plans by the OpenBSD developers to do so either. This means that we can't use the NUC980 with OpenBSD for the OHSNAP Server and leaves us with these choices:

  1. Pause the OHSNAP Server project and continue to focus on OHSNAP Router
  2. Resume searching for OpenBSD-compatible non-BGA chips that are similar to the Nuvoton (unlikely to exist on the market, as we have been searching for a while and chips like this tend to be older designs and therefore unlikely to be supported)
  3. Migrate to a different OS which has ARM926EJ support, such as NetBSD or Linux. Both are considered less secure than OpenBSD, the latter unacceptably so.
  4. With newly added and quickly expanding RISC-V support in OpenBSD, we may want to consider that architecture more seriously. One key advantage of open source silicon is that we can create a custom, high-performance chip and put it in a QFP package with only the pins exposed that we would need. Next steps would be getting ballpark estimates of taping out our own silicon from local vendors.

June 25, 2021

  • Created v0.1 schematic for NUC980-based dev board. Will first be used with bare metal firmware.
  • Ordered samples of NUC980DR61Y and the Nuvoton Chili dev board. The latter will be used to test firmware and Linux and to begin the OpenBSD port.
  • Found article on porting NetBSD to ARM926EJ-S, the same core as in the Nuvoton chip.

June 18, 2021

We've settled on a roadmap:

  1. Create a fully homebuilt, low-performance 10/100 single Ethernet board that is capable of running OpenBSD ("Option A" from March 27, 2021). This approach will:
    1. Provide us with hands-on experience in designing, building, and debugging our own hardware.
    2. Give us a testbed for experimenting with secure manufacturing practices.
    3. Require us to learn how to port OpenBSD to a new chip and board.
    4. Provide a ready-to-use reference design for other, related secure manufacturing projects at Noisebridge and beyond.
    5. Produce a physical deliverable that will create buy-in and grow our ecosystem.
  2. In parallel, we will continue to identify and engage potential vendors for high-performance designs which require securely outsourcing manufacturing.

The first low-performance design will be built around the Nuvoton NUC980DR61Y (see March 20, 2021). This will come in stages:

  1. HWPOC (Hardware Proof Of Concept): A minimal board designed to allow creating bare metal firmware to test basic design and in-house manufacturing on the Voltera PCB printer. We may attempt to boot Linux from this board, as there is kernel support for it and the design will be derived from the Nuvoton Chili dev board.
  2. SWPOC (Software Proof of Concept): Use the Nuvoton Chili board to port OpenBSD to the target chip.
  3. Proto: Boot OpenBSD from the minimal in-house board.
  4. EVT: First in-house board featuring Ethernet and all planned features. Still contains debugging connections.
  5. DVT: Finalized PCB. Begin testing low-qty mass production using pick & place machine.
  6. PVT: Final production units. Goes on to ramp build.

May 8, 2021

  • Continued exploration of threat vectors and possible mitigations.
  • More links added to resource list.
  • Setting up Tinfoil Chat as a realtime collaboration platform and exploring secure methodologies.
  • Setting up OpenBSD on various SBCs and virtual machines to evaluate its fitness for use.

April 3, 2021

Identified three regimes for threat models, some concrete examples, and some hypothetical mitigations:

Threat Regime: During assembly
  Example Scenario: Manufacturer tampering
  Possible Mitigations:
    • PCB x-ray inspection
    • Translucent PCB substrate for visual inspection
    • Encase PCB in glitter epoxy
    • Tamper-evident paint
    • Apply heat-sensitive paint to PCB (detects soldering)
    • Vacuum-sealed enclosure with one-time-use pressure sensor
    • Serial numbers in ROM on ICs
    • Use common enough chip to reduce chance of silicon tampering
    • Pogo board testing

Threat Regime: During transit to end-user
  Example Scenarios: Vendor/reseller tampering; mail interdiction
  Possible Mitigations:
    • Embed device in another device

Threat Regime: At customer's install site
  Example Scenario: Evil user tampering
  Possible Mitigations:
    • Live system intrusion detection (examples??)
    • Routine pogo board testing
  Example Scenario: Passive monitoring, e.g.,
    • audio/video monitoring of keypresses
    • RF leakage analysis
    • power analysis
  Possible Mitigations: ???

March 27, 2021

Still looking for a non-BGA ARM processor that contains two Ethernet PHYs and has 0.5mm or greater lead pitch (for Voltera V-1 PCB production). We are now considering three options for design:

  • (A) Non-BGA ARM processor on a homemade mainboard [simplest but limited to non-gigabit speeds; may require SW porting]
  • (B) BGA ARM processor on a fabbed carrier board attached to a homemade mainboard [more complicated but higher performance and easier to source; may avoid SW porting]
    • E.g., NXP i.MX6SoloX
    • Unpopulated carrier board will need to be examined, probably via x-ray, after production
    • Carrier board reflow is still done by us
    • Still need to look for more ways to increase provenance
  • (C) Use an existing open source BGA-based project (e.g., Kosagi Novena) and modify it for trusted manufacturing [complexity likely between (A) and (B)]
    • Will still likely need a BGA carrier board from (B) but may reduce R&D costs of the project

Infrastructure

We’ll be setting up an IRC server in parallel to testing local deployment of the Element secure chat system.

March 20, 2021

In order to make forward progress on the hardware, we will choose OpenBSD as the initial operating system and an ARM-based architecture for the CPU. Users will be able to use their own ARM-compatible OS if they choose, including Linux and Plan9 (if software support is added).

We will first create a Software-Intent Proof of Concept (SIPoC), which will be an OpenBSD-based router running on a commercially available SBC. We may then want, as a Proof of Concept (PoC), to port the software stack to the Common Networks nodes at Noisebridge and begin deploying them across sites.

The first version of our custom hardware should be amenable to DIY manufacturing. This means no BGA parts. This severely restricts the list of CPUs/SoCs to older and lower-performance chips, limiting our capability to 100 Mbps initially. We'll expand this list as we discover more:

List of non-BGA ARM SoCs

March 13, 2021

  • Looking for secure communications platform for project collaboration. Element / Matrix look promising.
  • Possibly partner with CircuitLaunch for local hardware builds?

March 6, 2021

Initial meeting. Discussed range of HW/SW design choices.

Tentative Project Stages

  • SIPoC: OpenBSD router on commercial SBC
  • PoC: SW stack on Common Networks
  • Proto 1 build: Low-speed (10/100 Mbps) DIY version
  • Full build: 1 Gbps

Possible Design Choices for Future Versions

  • CPU
    • ARM/ARM64 SoC
    • RISC-V SoC
    • FPGA
    • Specifically no Intel/compatible architectures due to poor security record
  • OS / Application Code
    • OpenBSD
    • Qubes
    • Alpine Linux
    • Plan9
    • Custom FPGA code
  • Trusted manufacturers

Open Questions

  • How to offer root-of-trust guarantees to non-DIY customers

Meetings

We are currently meeting every Friday at 14:00 PT (GMT-8) on the Noisebridge Jitsi video platform.

Links to Resources