rkay, posted April 1, 2020:
Hi, I'm new to Armbian and I hope I'm writing in the right place. I have a Rock64 and deployed it as a remote server. Since it is in a shared place, to better protect my and my users' privacy I enabled Full Disk Encryption (CRYPTROOT_ENABLE). Now, back to the question: is USB OTG enabled by default? Can someone with physical access use an OTG cable to read files from the Rock64? I would try it myself but I don't have physical access to the board. OS: Armbian 19.11.4 Bionic (5.4.28-rockchip64). Thanks
Myy, posted April 1, 2020:
On some RK3288 boards, using the bootloader, it's possible to mount the eMMC as a 'pendrive' through the USB port. However, it just passes the whole drive to the remote system, which then has to mount the partitions itself. But maybe that's not the question. You're wondering if, when the system is booted, someone can plug your Rock64 board into a laptop like a USB drive, and start reading files from the encrypted partitions?
rkay (author), posted April 1, 2020:
Myy said, 16 minutes ago: "You're wondering if, when the system is booted, someone can plug your Rock64 board into a laptop like a USB drive, and start reading files from the encrypted partitions?"
Yes, exactly.
Myy, posted April 1, 2020:
What level of physical access would the attacker have? If he can load the USB Gadget Mass Storage module, g_mass_storage, then yes, he would be able to mount any file or block device through the USB-OTG connection. https://superuser.com/questions/1062991/linux-usb-mass-storage-emulation That's not an automatic setup, though. I don't have a Rock64 board here, so I don't know if such a setup has been added to the standard Armbian images for Rock64 devices.
rkay (author), posted April 1, 2020:
Thank you, now I have a clearer view of how it works. If the only way is running a command on the host, it is fine (and I can't find any obvious way in which the module automatically loads, such as with a udev rule or systemd). An attacker could have access to the board for a limited time (and do anything like reading the eMMC with an external reader), but complex attacks like tampering with the initramfs and putting the board back up waiting for me to enter the passphrase are out of the threat model.
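The check rkay describes (is there any udev rule, module list or systemd unit that would load g_mass_storage on its own, and is the module blacklisted?) can be scripted. The following is an added example, not code from the thread or from Armbian; it assumes a standard Debian/Ubuntu layout (/etc/modules, /etc/modules-load.d, /etc/udev/rules.d, /etc/systemd/system, /etc/modprobe.d) and takes a root directory argument so it can be run against a constructed tree as well as the live system.

```shell
#!/bin/sh
# Audit a root filesystem tree for anything that would load the USB gadget
# mass-storage driver (g_mass_storage) automatically, and report whether the
# module is blacklisted. Pass "/" for the live system or a constructed tree for
# testing. Returns 0 when nothing auto-loads the module, 1 otherwise.
audit_gadget_autoload() {
    root="${1:-/}"
    mod="${2:-g_mass_storage}"
    found=0
    # 1. Static module lists read by systemd-modules-load at boot.
    for f in "$root/etc/modules" "$root"/etc/modules-load.d/*.conf; do
        [ -f "$f" ] || continue
        if grep -Eq "^[[:space:]]*$mod([[:space:]]|\$)" "$f"; then
            echo "autoload: $mod listed in $f"; found=1
        fi
    done
    # 2. udev rules or systemd units that mention the module (e.g. a
    #    RUN+="modprobe g_mass_storage" or ExecStart=modprobe ... line).
    for f in "$root"/etc/udev/rules.d/*.rules "$root"/etc/systemd/system/*.service; do
        [ -f "$f" ] || continue
        if grep -q "$mod" "$f"; then
            echo "autoload: $mod referenced in $f"; found=1
        fi
    done
    # 3. Live state: only meaningful when root is "/" (absent in a test tree).
    if [ -r "$root/proc/modules" ] && grep -q "^$mod " "$root/proc/modules"; then
        echo "live: $mod is currently loaded"; found=1
    fi
    # 4. Mitigation check: a "blacklist g_mass_storage" line only stops alias
    #    autoloading; "install g_mass_storage /bin/false" also defeats an
    #    explicit modprobe, so look for either form in modprobe.d.
    if grep -Ehqs "^[[:space:]]*(blacklist[[:space:]]+$mod|install[[:space:]]+$mod[[:space:]]+/bin/(false|true))([[:space:]]|\$)" \
        "$root"/etc/modprobe.d/*.conf; then
        echo "mitigation: $mod is blacklisted in modprobe.d"
    else
        echo "mitigation: no modprobe.d entry disables $mod"
    fi
    return $found
}
```

The audit only reads configuration: if the gadget driver is compiled into the kernel rather than built as a module, modprobe.d entries have no effect and the OTG port has to be handled at the device-tree or bootloader level instead.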