Locking the emmc

If I am running debian off the emmc, and give a board to someone else, is there a way of locking down access to the emmc so that my filesystem is not easily readable to them?
I’m thinking of the situation of inserting a microSD and booting off that, then mounting the emmc. At that point they have access to my private keys that are stored on the emmc.
Or is the BBB inherently unprotected regarding physical access to the board and I need to figure out a better method for key access than storing the keys locally?

Interesting questions...

As a hobbyist geared board, yes the BBB is inherently open-by-design so
if your threat model includes a physical hardware hacker, she will have
access to pretty much everything on there.

You could probably go the route of making a LUKS container for part of
the file system and then distributing the key out of band. If you are
protecting keys (small number of files, possibly one file) you could
GPG encrypt that file and then transmit the BBB. GPG has a symmetric
key option if your recipient doesn't have a GPG public key.

I had looked into using the EEPROM on the BBB to store some very small
data (a key split/share). You need to electrically clear the WP pin
though but it is locked by default. Unless of course, you are
considering the hardware hacker and physical access.

Basically, when you let the BBB leave your sight I think you'd have to
assume that worst case somebody has copied/tampered with it. But, if
you had a LUKS container/GPG encrypted file, then *that* would still be
ok as the attacker wouldn't have the key.

But... if that's the case you'd probably be better off just sending
your recipient an encrypted message (GPG/OTR/Tor Chat/etc...).

A chip, like a TPM, is supposed to measure your boot process to ensure
that it has not been modified. Then, you could unlock keys only if it
has booted correctly. I made a cape that has this (
https://www.sparkfun.com/products/12773) but you need to get a
different uboot that includes TPM support.

Of course, somebody can just change out your MLO b/c the ROM on the
AM3358 just boots that fixed address w/o any signature checking (this
version of the AM3358 that is...).

Anyway, those are some of my ramblings. I don't know if you liked any
of the answers :slight_smile:

Thanks for the ramblings!
Sounds like a PITA to secure against physical access. I’ll have to put my thinking cap on. I’m just (rightfully) paranoid about private keys.

On Fri, 15 Jan 2016 19:10:30 -0800 (PST), Jonathan Ross
<jonross@nephology.org> declaimed the following:

Thanks for the ramblings!
Sounds like a PITA to secure against physical access. I'll have to put my
thinking cap on. I'm just (rightfully) paranoid about private keys.

  If physical access to the device is possible, the only plausible
security is a processor that has a built-in security module that is (to the
outside of the chip) write-only, and the chip runs a validation of the boot
image (which has been signed by a key that has been burned into the chip
itself) to detect tampering. That validation function is built into the
chip from the start (though may use a one-time "fuse" to enable the secure
mode after the end-user has programmed the keys into the chip). Freescale
QorIQ T1040, for example.