daves Posted April 11, 2016

Is there a code-accessible globally unique ID for each CPU card? We have customers with multiple systems with differing specifications (i.e. they have paid for advanced features on one system). We want to prevent cloning of the better system. Hiding a file / MAC addresses can be cloned. Do we have to buy USB dongles (we would rather not)? Do you recommend one? (I am tempted by a UniKey STD)...

steve.milici Posted April 11, 2016

The best procedure would be to change the Delta Tau default password. This would prevent anyone from entering the underlying Linux file system without the password.

daves Posted April 12, 2016

I didn't think this would prevent a filesystem image clone from one PPMAC to another, or would it?

steve.milici Posted April 12, 2016

Yes, because it will prevent a user from logging into the Linux file system and running a "dd" command or anything for that matter - even the IDE. Note that this is the Linux logon password, not the IDE's encryption password.

daves Posted April 12, 2016

Sorry Steve, I was talking about connecting a PC directly to the daughterboard USB socket, which mounts it as a drive, and running WinImage to back up one PPMAC to VHD and restore to another. It is the same approach you use to repair a bricked card (and maybe even when you commission a new card) or put your non-video image on a card. Also, the direct USB connection bypasses the need for root login to examine the filesystem and edit files on it as a removable drive. I have pointed out this security flaw before.

steve.milici Posted April 12, 2016

Encrypted "dongle" code is the only option then.

shansen Posted April 13, 2016

daves: How about reading the hardware MAC address and hashing it to generate a unique ID, in combination with encrypting the filesystem? You will also need to create a script to delete the /.readonly/etc/udev/rules.d/70-persistent-net.rules file on powerup. If this file isn't found, the kernel will automatically read the MAC address(es) from hardware instead of from disk next time it boots. Then if they clone the filesystem to a different card it will generate different MAC addresses, which will hash to different ID numbers. Because the filesystem is encrypted they won't be able to change the MAC addresses.

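Added example, not part of shansen's post and not Delta Tau code: a POSIX shell version of the scheme described above, which removes the persistent-net rules file at power-up, hashes the interface MAC addresses into a board ID, and compares it with the ID issued for the licensed card. The function names, the `SYSFS_NET`, `RULES_FILE` and `ID_SALT` variables, the salt value and the use of `sha256sum` are assumptions; as the post says, the scheme relies on the filesystem being encrypted.

```shell
#!/bin/sh
# Added example (assumed names throughout); run the functions from a power-up script.

RULES_FILE="${RULES_FILE:-/.readonly/etc/udev/rules.d/70-persistent-net.rules}"
SYSFS_NET="${SYSFS_NET:-/sys/class/net}"      # overridable so the logic can be tested
ID_SALT="${ID_SALT:-example-product-salt}"    # placeholder, pick your own value

# Delete the rules file named in the post so that, as the post describes,
# the next boot takes the MAC addresses from hardware rather than from disk.
clear_persistent_net_rules() {
    rm -f -- "$RULES_FILE"
}

# Print the MAC of every non-loopback interface, lower-cased and sorted so the
# result does not depend on interface enumeration order.
# Note: sysfs "address" is the MAC currently configured on the interface.
list_macs() {
    for f in "$SYSFS_NET"/*/address; do
        [ -r "$f" ] || continue
        case "$f" in */lo/address) continue ;; esac
        tr 'A-F' 'a-f' < "$f"
    done | grep -v '^00:00:00:00:00:00$' | sort -u
}

# Hash salt + MAC list into a 64-character hex board ID.
# Fails (status 1) when no usable MAC is found, so a missing NIC never
# collapses to one shared "empty" ID.
board_id() {
    macs=$(list_macs)
    [ -n "$macs" ] || return 1
    printf '%s\n%s\n' "$ID_SALT" "$macs" | sha256sum | cut -d' ' -f1
}

# Status 0 only when this board's ID equals the licensed ID passed as $1;
# status 2 when no ID could be derived at all.
check_license() {
    expected=$1
    actual=$(board_id) || return 2
    [ "$actual" = "$expected" ]
}
```

At commissioning time, record the output of `board_id` for the card that carries the paid features; at start-up, call `check_license` with that value and enable the features only on status 0.
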
daves Posted April 14, 2016

Thanks for the replies. shansen: That sounds like an interesting idea. If we had more resources I would look into it. Not sure about encrypting the filesystem (how to do it or what it might affect...) I think the risk of our customers actually bothering to "crack" our systems is very small, so we are looking for a minimal effort solution. We have experience of dongles and the UniKey one seems to have Linux driverless ability to get a HID or SoftID (plus other features we may find useful in future). I'm going to evaluate it.

daves Posted April 25, 2016

So, I examined firmware 2.1.0.39 and see the addition of libSecureDongle. This seems to be exactly what I was asking about! Is there going to be a DT supported dongle option? Should I hold off on investigating UniKey? I have some on order and to be honest we like the nano size they offer (can't see that on SecureDongle)...

steve.milici Posted April 25, 2016

This will not be supported in future firmware versions. You should go ahead and investigate other options.

daves Posted April 26, 2016

OK, thanks for the info.