
USB OTG question


rkay


Hi, I'm new to Armbian and I hope to write in the right place.

 

I have a Rock64 and deployed it as a remote server. Since it is in a shared place, to better protect my and my user's privacy I enabled Full Disk Encryption (CRYPTROOT_ENABLE).

Now, back to the question: is USB OTG enabled by default? Can someone with physical access use an OTG cable to read files from the Rock64?

I would try it by myself but I don't have physical access to the board.

 

OS: Armbian 19.11.4 Bionic (5.4.28-rockchip64)

 

Thanks


On some RK3288 boards, using the bootloader, it's possible to mount the eMMC as a 'pendrive' through the USB port. However, it just passes the whole drive to the remote system, which then has to mount the partitions itself.

 

But maybe that's not the question.

 

You're wondering if, when the system is booted, someone can plug your Rock64 board into a laptop like a USB drive, and start reading files from the encrypted partitions?


16 minutes ago, Myy said:

You're wondering if, when the system is booted, someone can plug your Rock64 board into a laptop like a USB drive, and start reading files from the encrypted partitions?

Yes, exactly


What level of physical access would the attacker have?

 

If he can load the USB Gadget Mass Storage module, g_mass_storage, then yes, he would be able to mount any file or block device through the USB-OTG connection.

https://superuser.com/questions/1062991/linux-usb-mass-storage-emulation

 

That's not an automatic setup, though. I don't have a Rock64 board here, so I don't know if such a setup has been added on standard Armbian images for Rock64 devices.


Thank you, now I have a clearer view of how it works.

If the only way is running a command on the host, it is fine (and I can't find any obvious way in which the module automatically loads, as with a udev rule and systemd).

An attacker could have access to the board for a limited time (and do anything like reading the eMMC with an external reader), but complex attacks like tampering with the initramfs and putting the board back up waiting for me to enter the passphrase are out of the threat model.

 

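The checks discussed in the posts above (is g_mass_storage loaded, listed for autoload, referenced by a udev rule, or set up through configfs), written as an added example that is not part of the thread or of Armbian. The function names are made up for this example, and the module names other than g_mass_storage are other mainline gadget modules with a mass-storage function that the thread does not mention.

```shell
#!/bin/sh
# Added example: audit a root tree for USB mass-storage gadget exposure.
# ROOT is "" for the running system, or the mount point of an offline image.
GADGET_RE='^(g_mass_storage|g_multi|g_acm_ms|usb_f_mass_storage)$'

# Gadget modules loaded right now (first column of /proc/modules).
loaded_gadget_mods() {
    [ -r "$1/proc/modules" ] || return 0
    awk -v re="$GADGET_RE" '$1 ~ re { print "loaded: " $1 }' "$1/proc/modules"
}

# Boot-time autoload lists: /etc/modules and /etc/modules-load.d/*.conf.
# Commented-out entries do not match because their first field starts with "#".
autoload_entries() {
    for f in "$1/etc/modules" "$1"/etc/modules-load.d/*.conf; do
        [ -r "$f" ] || continue
        awk -v re="$GADGET_RE" '$1 ~ re { print "autoload: " FILENAME ":" FNR ": " $1 }' "$f"
    done
    return 0
}

# udev rules that mention a gadget module on a non-comment line.
udev_mentions() {
    for f in "$1"/etc/udev/rules.d/*.rules "$1"/lib/udev/rules.d/*.rules; do
        [ -r "$f" ] || continue
        awk '!/^[ \t]*#/ && /g_mass_storage|g_multi|g_acm_ms/ { print "udev: " FILENAME ":" FNR }' "$f"
    done
    return 0
}

# configfs gadgets whose mass_storage LUN has a backing file or device set.
configfs_exports() {
    for lun in "$1"/sys/kernel/config/usb_gadget/*/functions/mass_storage.*/lun.*/file; do
        [ -r "$lun" ] || continue
        v=$(cat "$lun")
        if [ -n "$v" ]; then printf 'configfs: %s exports %s\n' "$lun" "$v"; fi
    done
    return 0
}

# Print every finding; return 1 if there is at least one, 0 if the tree is clean.
audit_gadget() {
    findings=$(loaded_gadget_mods "$1"; autoload_entries "$1"; udev_mentions "$1"; configfs_exports "$1")
    if [ -n "$findings" ]; then printf '%s\n' "$findings"; return 1; fi
    echo "clean: no mass-storage gadget loaded, autoloaded or configured"
}
# On the board: audit_gadget ""      On a mounted image: audit_gadget /mnt/img
```

A clean result only describes the installed configuration; it says nothing about what someone who already has root on the running system could load by hand.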

This topic is now closed to further replies.