• Before reporting problems with your board running Armbian, check the following:

    • 1. Check power supply, check SD card and check other people experiences

      Power supply issues are one of the three biggest issues you'll face when starting with Single Board Computers (SBCs). SD card issues, whether fake or faulty, are another and issues resulting from poor board design is the other common issues you can encounter.   Power supply issues can be tricky. You might have a noisy power supply that works with one board because it has extra filtering, but won't work with another. Or you're using that cheap phone charger because your board has a microUSB connector, and it is either erratic, or doesn't start up, or even becomes the cause of some SD card issues.    Some tips to avoid the most common causes of problems reported:   Don't power via micro USB  - unless you have optimised your setup for low power requirements. Micro USB is great for mobile phones because they are simply charging a battery. It's bad for SBCs. Yes, it does work for a lot of people, but it also causes more problems and headaches over time than it is worth, unless you know exactly what you are doing. If you have a barrel jack power connector on your SBC, use it instead! If there is an option for powering via header connections, use that option!
        Don't use mobile phone chargers. They might be convenient and cheap, but this is because they are meant for charging phones, not powering your SBC which has particular power requirements.
        When you are evaluating a power supply, make sure you run some stress tests on your system to ensure that it will not cause issues down the path.   (Micro) SD card issues can be sneaky. They might appear right at the start causing strange boot and login errors, or they might cause problems over time. It is best to run a test on any new SD card you use, to ensure that it really is what it is, and to ensure that isn't faulty. Armbian provides you a simple way to do this   --   armbianmonitor -c /path/to/device/to/test  

    • 2. Make sure to collect and provide all necessary information

      We can only help if you provide quality information for us to work with. All stable images from the download section are tested, most stable upgrades are tested and we have tens of thousands of users. Even with regular and extensive testings, bugs sometimes do slip through. This is a voluntary support service and is unrelated to board makers, and is not obligated to provide you any answers. Repeated asking the same questions because you're not happy with the answers will result in you being ignored.

      Before you post a question, use the forum search as someone else might have already had the same problem and resolved it. And make sure you've read the Armbian documentation. If you still haven't found an answer, make sure you include the following in your post:   1. Logs when you can boot the board: armbianmonitor -u (paste URL to your forum post)   2. If your board does not boot, provide a log from serial console or at least make a picture, where it stops.   3. Describe the problem the best you can and provide all necessary info that we can reproduce the problem. We are not clairvoyant or mind readers. Please describe your setup as best as possible so we know what your operating environment is like.     We will not help in cases you are not using stable official Armbian builds, you have a problem with 3rd party hardware or reported problem would not be able to reproduced.

Protect emmc Orange Pi Plus 2e
2 2

8 posts in this topic

Good morning, first of all sorry for my English, I'm not native and I use a translator.

 

 

I'm working on a project with the orange pi plus 2e and I need to protect the internal memory emmc, I installed in emmc "ARMBIAN 5.25 stable Debian GNU / Linux 8 (jessie) 3.4.113-sun8i" and I ask myself the following:
 

How can I protect the internal memory so that it is not accessible by inserting an SD card and mounting the emmc partition?


That is, I give my client the orange pi configured and no sd card inserted, starts with emmc, but if someone inserts an sd card with any image for this card can mount the internal partition and access the contents.


I've looked at encryption options but I do not really know how to encrypt emmc and start it automatically, I think this is the best option, but I've seen this post and I do not know if I could fix it with something like this: https://forum.armbian.com/index.php/topic/1702-orange-pi-plus-2e-where-is-16ghz-and-sd/?p=13163

 

 

Thanks.

Share this post


Link to post
Share on other sites

You won't be able to protect eMMC reliably enough without physically disabling / limiting access to the SD slot, FEL button and microUSB port. Encryption won't help against an experienced user since you need to store encryption keys on the same media as encrypted filesystem.

Share this post


Link to post
Share on other sites

I have a similar problem, i need to encrypt eMMC on Orange PI PC+ for preventing copying/reverse engineering of my software. I have read a bunch of docs about LUKS and keyfile-based encrypting,a but I have no idea about how to implement it in the PI. The keyfile must possibly be written in the eMMC, and the boot must be automatic at each power cycle, without user intervention. Does anyone have suggestions?

 

many thanks in advance,

Marco

Share this post


Link to post
Share on other sites

Nothing readily available. Fortunatelly for you, there was some advancement in understanding secure boot last month (discussed on IRC and described on linux-sunxi wiki), but IIRC only for running signed images as opposed to encrpyted, which means that with proper knowledge eMMC can be resoldered to different board and dumped.

 

As zador already said, saving key on same media as encrypted data is never a good idea. In this case, it would be best to save key in one time programmable memory located inside H3 (SID) and use secure boot at the same time, so only properly signed image can read decryption key. But there might be HW bug which makes bypass possible. Most knowledgeable people about this topic can be found on IRC #linux-sunxi at freenode.net. Please ask them for any definitive answers.

Share this post


Link to post
Share on other sites
1 hour ago, jernej said:

As zador already said, saving key on same media as encrypted data is never a good idea. In this case, it would be best to save key in one time programmable memory located inside H3 (SID) and use secure boot at the same time, so only properly signed image can read decryption key. But there might be HW bug which makes bypass possible. Most knowledgeable people about this topic can be found on IRC #linux-sunxi at freenode.net. Please ask them for any definitive answers.

Again, it's too early to say that it (secure mode) is ready for the end users. Programming efuses is a non-reversible operation (at least with currently available info) so it may brick the device if not done properly (i.e. if wrong hash was flashed). If I understand it correctly, current bypassing technique was tested with secure bit set but with certificate hash not programmed, so it may still be a feature and not a bug.

Share this post


Link to post
Share on other sites
5 minutes ago, zador.blood.stained said:

Again, it's too early to say that it (secure mode) is ready for the end users.

 

Yes, it is in very early stage. I will be more clear next time.

Share this post


Link to post
Share on other sites

Thank you guys, actually i'm working on luks encryption method + dracut-gmcrypt, i trying to use a key generated from mac address of pi, but actually the biggest problem is to luks a existing image system on pi...i have found this  for luks in place conversion, but i give a segmentation fault during the encryption progress and nothing works :D

 

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!


Register a new account

Sign in

Already have an account? Sign in here.


Sign In Now
2 2

  • Support the project

    We need your help to stay focused on the project.

    Choose the amount and currency you would like to donate in below.