So hi, I'm Patrick, and for now I'm still in the Community Platform Engineering team. As of the coming Monday I won't be, and I'll be working on IoT security. So yeah, a lot of this is what we're currently planning to do, so we'll see how much of it goes right.

There should have been the word "Fedora" before it, because IoT has a lot of meanings for a lot of people. There are people who have smart thermostats, there are people who see it as "I want to play media on my TV", and there are people who do things like controlling oil and gas platforms. That might not be the same kind of use case. For Fedora IoT we're usually leaning towards the larger end of the spectrum; I think we try not to focus on your random five-dollar gadget that happens to have a Wi-Fi connection, but on more serious things.

One of the things that is always amusing with security and computers is: "But why would I need to worry about someone touching my server? It's in a data center. How can someone get access to it? Why is this GRUB bug which lets me bypass security by hitting enter 50 times a terrible issue? Nobody will get access to my server, there's a lock on my cage." Now try doing it for an oil rig or a light pole, where someone can just walk up and grab the machine out of it. That's kind of a different attack vector that usually hasn't been looked at a lot in the past. So that's what we're currently trying to figure out: how are we going to deal with some of that? Because if we ever want to get bigger customers to use this stuff in production, we probably want a reasonable answer to how you secure that stuff.

So for boot time, this is the system we're currently intending to use. You want to make sure that what your system boots is the thing you intend to boot, and not "someone grabbed your device and snuck in their own SD card and oops, now we've got a compromised system on our network". That might not be appreciated in an
industrial environment. So we're planning to use Secure Boot there. Some people might know about it: basically you verify all of the parts of the boot process as they're being booted, and in addition measure them, which means that you take a checksum of what is being booted. So when you want to try to connect to something remotely, you can prove what is running on the platform and have the servers actually trust that you are not a compromised device.

Now of course there's also some data that you might want to put on there where you want it to be unavailable if someone, instead of putting their own SD card in your device, grabs your SD card out and plugs it into your laptop. So I don't know how many people have heard of Clevis. It's a way to tie in different sealing mechanisms to a disk, or to provide the disk encryption passphrase automatically to LUKS on boot. Sorry? Yeah, right, pretty much, that's a reasonable summary. Because for some reason having to enter a password on every device you have on every boot tends not to be appreciated very well; it tends to be a bunch of manual labor that people might not prefer.

Yeah, but if it's the device, which is your best-case scenario, stuck out in a desert somewhere attached to an oil pump, and someone having to drive out and plug in a keyboard and monitor...

Yep. It's either where you steal the storage or the device; the whole attack is, it is entirely possible for someone to get physical access. This encryption is usually because there's company-confidential data that you need to store on there, with algorithms and stuff that you want to compute on the nodes. You really don't want those to leak to an attacker, because there's actual property tied up in the algorithms. Yes, this is mostly for that.

We also want to make sure that once the platform is actually running, we have some way to thwart a lot of vulnerabilities. For example, oh, we are running a DHCP client; now there's a
vulnerability in the DHCP server or the DHCP client which allows remote code execution. That would be significantly thwarted with SELinux, because suddenly you can't escape. While in a data center you can just say "oh, there's this severe vulnerability, let's just roll out the patches to all systems over the next, I don't know, hour", if you have about 56 kilobytes, or kilobits, of data, patching all the time... it might take a bit for the patches to actually sync out to all of your nodes. You still want them to be somewhat secure and not be remotely exploited immediately.

As part of that there is also IMA. I had to write it down because I always forget what it stands for. It's a Linux kernel feature which is actually now back enabled in Fedora Rawhide; it was enabled a while ago and then things blew up. Basically it's a way where you can say "this is the file content I expect", and don't load it if anything changes. So if you get a file that someone manages to change on the disk, you can figure it out and not load it. That also ties into measurement, because IMA can also measure the files that are being read, which can then be used in a later stage.

So for operating system integrity, for both making sure you always have the same image deployed and you know which image is booting, we're using rpm-ostree. Some of you might know it from Atomic or CoreOS, Fedora CoreOS, not the original one.

So then the connect time, because you now have a platform running, and yeah, a platform on itself... I mean, I can put a computer on here but it's not going to be of any use until I can actually connect to it. Supposedly you do need connections. But how are we going to prevent someone from stealing the device, extracting keys from it, and then "oh, I can now connect to the VPN of the owner of this device and roam around in their network"? Because that is not really the intended purpose of things, and I can tell you that this has happened in other deployments, probably not intended to be repeated. So we
intend to store the actual encryption keys or the authentication keys in a TPM, where you basically cannot extract the private key material out of it, in order to connect without that specific platform in a known-good way. So only if that system has booted and has correctly verified its entire boot process can you get access to keys to connect to the network. And as part of that, also all the measurement from before: we can use that to prove to the remote server that we are in fact the correct machine with the correct platform software. And yeah, now we can actually connect to a network.

However, you still want to run an application. So we now have a platform where we know that what is running on the platform is secure, and the platform or the device can connect securely to a remote network. But does that mean you trust everything? In most systems this is basically the stack of what you trust in a system, where each color means a different provider of the data or of the application or code. You first have the CPU, which you need to trust, which runs the Management Engine, for example from Intel, which is already scary in itself. Then there's the EFI, from Lenovo in my case. Do I trust them to write secure code? I don't. Like, you need to trust all kinds of different firmware, and then you also want to run an application. So these days most of the time you actually run things inside a virtual machine; now you've got a hypervisor to trust. Inside that you have another bootloader and another kernel in there, and a container engine, for example Docker, because everything is containers these days. And then you finally get to your user space, like your libc and other applications and middleware, and then finally you can run your own algorithm on it. xkcd made a perfect summary of this: yes, all layers you can basically assume are... yeah. So this one got timed perfectly for the project we were working on; we were like, they just published this for us.

So some of you might have heard of Enarx. One of the other
core people is sitting right there, Peter Jones, and he will probably bash me if I say anything wrong, so that's kind of scary. Yeah, that's fine. So the intention with Enarx is that we basically say you get down to your trusted CPU and firmware, because you need to run your application somewhere and you've got to trust something, and then you skip all the layers in between that you would need to verify. Because we run middleware, or basically you have an application platform, and on top of that you just run your application. I don't have any further slides.

So the intention here is basically: most modern CPU architectures have what's called a trusted execution environment, which is a specific mode of the CPU where even the host operating system cannot see or touch any of the code you are running. For example there's Intel SGX or AMD SEV. Sorry, distractions. So there's Intel SGX and AMD SEV; both of them are a way to run an application on your CPU where all of your host operating system is not able to actually see it. So the intention here is to be able to run an application where we shove it inside SGX or AMD SEV, and you don't have to trust any intermediate layers; you just get a connection via a secure protocol, and whatever you run in there is invisible to the host operating system. So whatever malware you have running in there will have no clue what is going on, or be unable to tamper with it. So that is how we are hoping to get some trustworthiness of your results and the platform you run things on.

So yeah, we assume no physical security, and then try to ensure integrity from there on for the platform, the connection, and then later the actual applications. Are there any further questions?

Right, so rpm-ostree: when you deploy a tree, you deploy a particular commit. That commit is signed by the distributor, Fedora for example, and it contains the checksum of every single file that is shipped as part of that tree. So while you're pulling the image down, and also later
at runtime, you can verify that everything that you downloaded and/or put on disk is exactly as it was shipped, at any point in time. And in addition, the root file system is also mounted read-only, so it is also very hard to actually modify it, and it is then also possible to detect if it has been modified.

This one, or... oh yes. Here you have both the encrypted part and the key, correct, the TPM, in the same system that is being installed on the way. However the TPM itself, the core feature of a TPM, is that it's really hard, or basically practically impossible, to get its key material out of it. And you can tell the TPM that it will only release its keys, so be able to decrypt... this, sorry? It won't release its keys. No, but it will only use its keys to decrypt the root file system if everything up to there is booted with correct material. So if you were to pull out the kernel and try to put in an attacker kernel which logs the passphrase or something, the TPM doesn't have the correct measurements and then it won't decrypt the disk encryption key.

There's another... that's, again, just not decrypt, like it's stored on the boot device. So if you just steal the whole device and you go and plug it in somewhere else and you don't change anything on that device, it will still boot up. The encryption that says it will boot up? No. You know, that's fine, it's like another empty decrypted device. Well, no. Yeah, so... You have to go back and steal a second one because you just took the drive out of the first one. Yeah, like if you take the drive out... Yeah, but you can't do that because it won't. And you can't get on that. So, yeah. If you use the TPM to decrypt the second one, so it won't be able to decrypt the second one. But you can power it up somewhere else and you can access the device, say via a kernel compromise or something else, to get access to a running device that has the thing decrypted. Okay. It is, like as I said, it's hung in.
You can set it up in such a way, with your IMA infrastructure, that if something is then changed on the device, you can have a daemon that locks it away and secure-wipes and various other things.

Let's back up and ask this the other way. What's the threat model you're wondering about? Sure. What's the threat model? The one that you started with. My threat model is if somebody steals the device. That's not a threat model. That's a scenario. It's not a threat model. The question is what you're trying to prevent them from doing with it. So, if someone steals the device and they hook it up to their own power and network, it will just boot. But that doesn't buy them anything because they don't... The system is still, like, standard locked down. Like, you don't have a terminal because you don't have a root password. You just have a heater. Yeah. Well, I mean, it still runs. It still takes answers and elaborations away. So the only result there is that if you steal the device and you plug it in at your home, the only result is that the person who owns the device doesn't have to pay the electricity bill anymore, because you just run it for them with their software. And, like, that's one of the things we thought about using E9-4. Right. It's one of the client models.

The main thing is, if you actually want to read what's on the disk, like, you would need the exact same disk and the exact same device with the exact same boot loader and the exact same kernel, which supposedly we... I mean, in the hands of the TPM, we've secured that. Like, the TPM ensures that you boot the same boot loader and the same kernel. In which case, yeah, we're hoping that the kernel isn't totally compromised. You basically have a login screen that you can try and log into. Yeah. Like, possibly the network you can try to... There's an attack surface there. So, just leave the attack surface there. So, if you refuse to own the device, is this perfect? Yeah.
The device, like, you just get to foot the electricity bill. But there have been conversations that we've had with some people about, well, what if you add GPS to this equation and the GPS shows up somewhere else? Yeah, no, no. I was just, again, I was just confused because... Right. Before you were saying, my SNI, I told you that somebody's stealing this. Yeah, the... What do you want to protect in this case? Right. So, the idea there is that we want to protect against other people extracting either key material, so they can connect to other devices, or algorithms out of the device. The physical device itself, we assume, is going to be stolen. Yeah. So, you've locked down the machine. They're not a good buy. Yeah. And so, you can't boot the device off of USB to get access to that. And then, you know, and then things like the VPN credentials to connect to, say, the data network where it's pushing the data to, are also stored in the TPM. So, they're not the problem. So, like, you may end up in a scenario where all the stuff that is actually stored on that disk, even though it is encrypted, is of no use to you anymore. So, if you're running a Raspberry Pi 4, you basically have a problem with it. And if you're just worried about the data on the device, you might write it to, say, a watchdog that scrubs the disk if it doesn't check in on the right network often enough. But that's the... But that's the best thing.

So, is this... Is this... It boots off of a removable storage, but it's got flash on board and it uses the... This is... It could be removed. It doesn't matter. It doesn't matter what the storage is. So, this really gives us a map of... Here are the devices here. Here's how you put them together in terms of the crypto. What do you need? This kind of signature plus this kind of signature is the policy for how it is going to be authenticated? How is it going to be decrypted? Sure. So, it's stackable, blah, blah. Got you. Different person, which is...
Is the update story of this IoT stuff out of scope for this part? It is totally in scope for Fedora IoT. It was mostly out of scope for the security part, because a lot of that is plainly what we currently have for rpm-ostree, which pulls down the deltas and then verifies them there. I tried to focus more on how we ensure that our intellectual property isn't stolen and that people don't get access to our data. But we will focus on it, just in a different context. Any other questions? Thanks for your attention.
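As an added illustration of the measured-boot and TPM-sealing argument made in the talk (constructed example code, not anything from the Fedora IoT project, Clevis or the speaker), here is a toy simulation: each boot stage is hashed into a PCR register, the LUKS passphrase is sealed to the known-good PCR value, and a swapped kernel changes the measurement so the passphrase is not released. The `ToyTPM` class, the boot-stage byte strings and the passphrase are all assumed stand-ins.

```python
"""Toy model of measured boot and a TPM-sealed LUKS passphrase (simulation,
not a real TPM or Clevis): a swapped boot stage changes the PCR, no key is released."""
import hashlib
import hmac
import os

class ToyTPM:
    """Minimal TPM stand-in: one PCR and a secret that never leaves the object."""
    def __init__(self):
        self._root_secret = os.urandom(32)  # models the TPM's internal key
        self.pcr = b"\x00" * 32            # PCRs start all-zero at reset

    def extend(self, component: bytes) -> None:
        """TPM2-style extend: PCR = SHA256(PCR || SHA256(component))."""
        digest = hashlib.sha256(component).digest()
        self.pcr = hashlib.sha256(self.pcr + digest).digest()

    def seal(self, secret: bytes) -> dict:
        """Seal `secret` to the *current* PCR (done once, at provisioning).
        The wrapping key is derived inside the TPM from the PCR value."""
        key = hmac.new(self._root_secret, self.pcr, hashlib.sha256).digest()
        return {"policy_pcr": self.pcr, "blob": bytes(s ^ k for s, k in zip(secret, key))}

    def unseal(self, sealed: dict):
        """Release the secret only if the current PCR matches the policy."""
        if not hmac.compare_digest(sealed["policy_pcr"], self.pcr):
            return None  # policy failure: the TPM refuses to unseal
        key = hmac.new(self._root_secret, self.pcr, hashlib.sha256).digest()
        return bytes(b ^ k for b, k in zip(sealed["blob"], key))

# Constructed stand-ins for the measured boot stages (not real binaries).
GOOD_CHAIN = [b"firmware", b"shim", b"grub", b"kernel-good", b"initrd"]
EVIL_CHAIN = [b"firmware", b"shim", b"grub", b"kernel-evil", b"initrd"]
PASSPHRASE = b"constructed-luks-passphrase"  # assumed secret, <= 32 bytes

def boot(tpm: ToyTPM, chain) -> None:
    """Simulate a boot: reset the PCR, then measure each stage in order."""
    tpm.pcr = b"\x00" * 32
    for stage in chain:
        tpm.extend(stage)

def provision(tpm: ToyTPM) -> dict:
    """Boot the known-good chain and seal the LUKS passphrase to it."""
    boot(tpm, GOOD_CHAIN)
    return tpm.seal(PASSPHRASE)

def try_unlock(tpm: ToyTPM, sealed: dict, chain):
    """Boot `chain`, then ask the TPM for the passphrase (None if refused)."""
    boot(tpm, chain)
    return tpm.unseal(sealed)
```

Real TPMs bind the sealed object to a policy over several PCRs and keep the wrapping key in hardware; this model only reproduces the decision the talk describes.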