Nikhil's Achievements

  1. Hi @xeniter Yes! I've been following this thread keenly - I've chosen burning the USB0 so that FEL mode will never be accessed after initial programming. Can you tell how you were able to do secure boot of U-BOOT? I was able to do secure boot of SPL as per the above thread. The pre-toc0 SPL has a 24KB size limit. A 32KB SPL does not boot. Since only 24KB is available, how did you manage to do secure boot of U-Boot using RSA key verification? I checked that the BROM code has a size of 64KB. This is enough to add all the libraries like openssl required for RSA verification of SPL. But that is not the case with SPL. You cannot fit the openssl library inside 24KB. The plan now is to create multiple hashes of U-BOOT which are cryptographically secure but computed using non-cryptographic algorithms like Murmurhash3, Siphash and Checksum of U-BOOT. A 24KB SPL can do this. SPL then verifies whether UBoot is tampered or not. The security against tampering relies on the hash of a tampered UBOOT being different. What are your thoughts on this?
  2. @tparys not totally true. Fuses inside the Arm chip are the key to unlock everything. It is a costly effort to hack fuse content. So unless somebody spends > 100K$ + time to unlock the fuse content, your OS and code are secure from theft.
  3. @AWenthusiast You can try uploading only the SPL, not Uboot-with-SPL. You can find sunxi-spl.bin in the spl folder. Convert it to sunxi-spl.toc0. Then it should work. @xeniter @janng0 I am able to secure boot only the 32KB SPL. Can you tell how to secure boot U-Boot after SPL?
  4. Not totally true, you can secure the key store inside the chip by burning access to it (via fuses / physical burning of USB OTG). ROM code will be unreadable, Boot code will be encrypted on the SD Card. What do you think?
  5. @tparys Regarding LUKS encryption, wouldn't it be possible to store the encryption key in ROM, which will unlock the Boot, which again unlocks the RootFS?
  6. Hi, I am using Nano Pi Duo2 (Allwinner H3) with the latest Armbian OS. My goal is to have all the OS and Data on the SD Card Encrypted. It should be secure from hacks. In the Developer Guide, LUKS encrypted rootfs needs a key to unlock. In our case we want the device to unlock itself, so the key has to be stored on the Allwinner H3 securely. Has anybody implemented it on Allwinner H3? Is there an alternative solution to secure the data on the device?
  7. Sure, opening it in peer to peer technical support.
  8. Hi, I am looking to Secure Boot Allwinner H3. We use Nano Pi Duo2 with the latest Armbian OS. The end goal is to have all the OS / Data on the SD Card Encrypted. Can anybody help?