The console is an important attack vector on an embedded product. You can use the TRUSTFENCE_CONSOLE set of macros to enhance the security of the console, adapting it to your specific product requirements. Digi Embedded Yocto allows you to configure the console in one of four modes:

  • Enabled (default)

  • Enabled with passphrase

  • Enabled with GPIO

  • Disabled

By default, inheriting the TrustFence class does not disable the console.

Disable the console

To completely disable the product’s console, both in the U-Boot bootloader and the Linux user space, use the following configuration in your project’s conf/local.conf:

conf/local.conf
INHERIT += "trustfence"
TRUSTFENCE_CONSOLE_DISABLE = "1"

This is the recommended configuration, and it provides the highest level of security.

Configure passphrase-enabled console

You can also configure the console to be enabled by a secure passphrase using the following configuration in your project’s conf/local.conf. The passphrase is not stored in the device so it cannot be obtained by reverse engineering, but it could be compromised by a brute force attack.

conf/local.conf
INHERIT += "trustfence"
TRUSTFENCE_CONSOLE_DISABLE = "1"
TRUSTFENCE_CONSOLE_PASSPHRASE_ENABLE = "my_secure_password"

With the above configuration, the system will boot with a silent console. However, if the passphrase is typed immediately after U-Boot starts, the console will be enabled.

This option impacts the boot time. Specifically, two timeouts are used:

  • 2 seconds per key press: If more than 2 seconds pass without a key press, U-Boot aborts reading the passphrase and continues booting (without enabling the console). Each key press resets this timeout.

  • 10 seconds for the full password: After 10 seconds (even if the user is still pressing keys), U-Boot aborts reading the passphrase and boots without the console. This prevents denial of service (DoS) attacks and guarantees that the target boots even if there is a continuous stream of input data on the serial port.

Configure GPIO-enabled console

Finally, you can also configure the system to enable the console with a GPIO.

conf/local.conf
INHERIT += "trustfence"
TRUSTFENCE_CONSOLE_DISABLE = "1"
TRUSTFENCE_CONSOLE_GPIO_ENABLE = "1"

This is the least secure configuration. Physical access to the device will compromise the console access.

TrustFence cannot be configured for both passphrase- and GPIO-enabled console. If both configuration options are present, passphrase-enabled will be used.

Define the TRUSTFENCE_CONSOLE_GPIO_ENABLE_NAME macro with the GPIO that should be used to enable the console. When the selected GPIO is low, the console remains disabled; when it is high, the console is enabled. Define TRUSTFENCE_CONSOLE_GPIO_ENABLE_ACTIVE_LOW to make the console-enable level active low instead.

If no GPIO pin is specified, the system will use the default settings of the DVK:

| GPIO connector pin | GPIO    | Active |
|--------------------|---------|--------|
| USER1 button       | GPIO3_7 | Low    |
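
As an added example (not part of Digi Embedded Yocto or the original page), the following release-gate check resolves which console mode a conf/local.conf produces under the rules described above, including the passphrase-over-GPIO precedence. The function names, the simplified assignment parser, and the treatment of a missing `INHERIT` or `TRUSTFENCE_CONSOLE_DISABLE` as "console enabled" are assumptions of this sketch; it reads one file only and does not follow includes or overrides.

```python
import re

# Simplified matcher for VAR = "value" style lines (assumption: not BitBake's full syntax).
ASSIGN = re.compile(r'^\s*([A-Za-z0-9_]+)\s*(\?\?=|\?=|\+=|=)\s*"(.*)"\s*$')

def parse_conf(text):
    """Return {variable: value}; comment lines never match ASSIGN and are skipped."""
    values = {}
    for line in text.splitlines():
        m = ASSIGN.match(line)
        if not m:
            continue
        name, op, value = m.groups()
        if op == "+=":
            values[name] = (values.get(name, "") + " " + value).strip()
        elif op == "=" or name not in values:  # ?= and ??= only supply defaults
            values[name] = value
    return values

def console_mode(text):
    """Resolve (mode, findings) using the precedence rules stated on this page."""
    conf = parse_conf(text)
    if "trustfence" not in conf.get("INHERIT", "").split():
        return "enabled", ["trustfence class not inherited (assumed: macros ignored)"]
    if conf.get("TRUSTFENCE_CONSOLE_DISABLE") != "1":
        return "enabled", ["console enabled: inheriting the class does not disable it"]
    passphrase = conf.get("TRUSTFENCE_CONSOLE_PASSPHRASE_ENABLE", "")
    gpio = conf.get("TRUSTFENCE_CONSOLE_GPIO_ENABLE") == "1"
    findings = []
    if passphrase and gpio:
        findings.append("both passphrase and GPIO set; passphrase-enabled is used")
    if passphrase:
        if passphrase == "my_secure_password":
            findings.append("passphrase is the documentation sample value")
        findings.append("passphrase mode: exposed to brute force on the serial port")
        return "passphrase", findings
    if gpio:
        findings.append("GPIO mode: physical access enables the console")
        return "gpio", findings
    return "disabled", findings

# Constructed sample input: both enable options present at once.
SAMPLE = """
INHERIT += "trustfence"
TRUSTFENCE_CONSOLE_DISABLE = "1"
TRUSTFENCE_CONSOLE_GPIO_ENABLE = "1"
TRUSTFENCE_CONSOLE_PASSPHRASE_ENABLE = "my_secure_password"
"""
if __name__ == "__main__":
    print(console_mode(SAMPLE))
```

A build pipeline can fail the release when the returned mode is anything other than "disabled", or when the findings list is non-empty.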