3. CVITEK Cyber Security Precautions for SDK Secondary Development¶
3.1. Precautions for using u-boot¶
3.1.1. Serial Port¶
The u-boot serial port function in CVITEK SDK is enabled by default. In the execution process of u-boot, u-boot will wait for one second, so that the developers can interrupt the execution process of u-boot by hitting the key in the execution phase, so as to stay in the u-boot phase for debugging. If there is no keystroke in the process, the boot process of u-boot will continue after one second.
In the officially released product, you can cancel this configuration in order to achieve the purpose of not to debug through serial port at u-boot stage. The specific implementation method is as follows:
Step 1. Open build/boards/{processor_name}/{board_name}/u-boot/{board_name}_defconfig (there may be different file names depending on the name of each product, in this example it is cvitek_cv1801c_wevb_0009a_spinor_defconfig)。Modify the configuration value of “CONFIG_BOOTDELAY”to “-2”.
…
CONFIG_IDENT_STRING="cvitek_cv180x"
CONFIG_DISTRO_DEFAULTS=y
CONFIG_BOOTDELAY=-2
# CONFIG_DISPLAY_CPUINFO is not set
…
Step 2. Recompile u-boot
3.1.2. U-boot Commands¶
U-boot provides many commands for developers to develop and debug, such as md, mw, setenv, saveenv, etc. However, these commands are not necessary in official products. You can choose to keep the commands that are not related to system security and delete other commands.
For example, to delete the md/mw commands, the specific implementation is as follows:
Open /u-boot-2021.10/cmd/Makefile, Since the specific implementation code of md/mw is in mem.c, directly comment out or delete obj-$(CONFIG_CMD_MEMORY) += mem.o in the example below.
obj-$(CONFIG_LOGBUFFER) += log.o
obj-$(CONFIG_ID_EEPROM) += mac.o
obj-$(CONFIG_CMD_MD5SUM) += md5sum.o
#obj-$(CONFIG_CMD_MEMORY) += mem.o
obj-$(CONFIG_CMD_IO) += io.o
obj-$(CONFIG_CMD_MFSL) += mfsl.o
Or revise /u-boot-2021.10/cmd/Kconfig, and configure default to “n”.
config CMD_MEMORY
bool "md, mm, mw, cp, cmp, base, loop, ip_update"
default n
help
Memory commands.
md - memory display
mm - memory modify (auto-incrementing address)
mw - memory write (fill)
cp - memory copy
cmp - memory compare
base - print or set address offset
loop - initialize loop on address range
ip_update - sync ip from mem 0x400038C/900 to uboot env
Other commands deletion methods are similar to the above operations.
3.2. Security precautions when using networks in Linux¶
3.2.1. Root Account¶
In actual products, it is necessary to make security modifications to the root user. Users can choose to change the default password or disable root login via shell. The specific methods are as follows:
Change the password
Step 1. Execute the shell command “passwd” to change the password
Step 2. Copy /etc/shadow (through mount SD card or network)
Step 3. Copy the shadow file to /ramdisk/rootfs/overlay/{processor_name}/etc
Step 4. Recompile the rootfs file system (Command:
pack_rootfs),and burn rootfs.spinor back to the platformDisable root login via shell
Step 1. Modify /ramdisk/rootfs/overlay/{processor_name}/etc/passwd in the SDK package and change the script
root:x:0:0:root:/root:/bin/shto:
root:x:0:0:root:/root:/bin/falseStep 2. Recompile rootfs file system (command:
pack_rootfs), and burn the rootfs.spinor back to the platform.
3.2.2. File Permissions¶
CVITEK SDK uses SquashFS file system by default. Users are unable to perform write or delete actions on the pre-loaded file system, thereby protecting the stability of the system.
3.3. Security precautions when using network drivers in Linux¶
3.3.1. Serial Port¶
Developers can debug through the serial port in Linux. In order to avoid the risk of illegal access to the serial port and make sure that the serial port is no longer used in the product, they can close the serial port in mass production state. The specific implementation method is as follows:
Step 1. Open build/boards/{processor_name}/{board_name}/dts /{processor_name}/ {processor_name}_base.dtsi (There may be different file names depending on the product names, in this example: cv180x), modify the code of the following example,
uart0: serial@04140000 {
compatible = "snps,dw-apb-uart";
reg = <0x0 0x04140000 0x0 0x1000>;
clock-frequency = <25000000>;
reg-shift = <2>;
reg-io-width = <4>;
- status = "okay";
+ status = "disabled";
};
Step 2. Recompile linux
3.4. Safety Notifications for Application Development¶
3.4.1. Cipher Driver¶
CIPHER is a security algorithm module provided by CVITEK media processing platform. It provides symmetric encryption and decryption algorithms, including AES / DES / SM4, asymmetric encryption and decryption algorithm, RSA random number generation, and digest algorithm, including HASH and HMAC. Customers can use it to encrypt and decrypt audio and video streams, and to authenticate the legitimacy of users.
Please refer to《CVITEK CIPHER API Reference》for details.
3.5. Other Safety Notifications¶
3.5.1. Bare Burning¶
CVITEK SDK package provides SD and USB bare burning function. It is recommended to turn off the bare burning function in actual products. SD, USB bare burning function can be turned off through hardware design.
3.5.2. SD Card/USB Mount Permission¶
If the developed product has SD card or USB and other pluggable storage device interfaces, it is recommended to add the “- o noexec”parameter before mounting the file system of the storage device, so as to avoid the damage of the system caused by the operation of malicious third-party programs.
3.5.3. JTAG¶
It is suggested that JTAG interface should be removed from actual products to avoid system damage caused by malicious tampering with system configuration.
3.6. Notifications for Alios Development and Use¶
Refer to Alios open source: https://github.com/alibaba/AliOS-Things/tree/master/documentation