How to make SD card memory immutable/read-only?

Post by br_jardle »

Hello!

TL;DR:
  • Considering the Ubuntu 20.04 official images for ODROID-C4, does the bootloader modify the contents of the micro SD card?
  • Is the board identification number (accessible from /sys/class/efuse/uuid) written anywhere in the micro SD card?
Context:

I'm porting software to ODROID-C4 for a company that has several ODROID-C2 units running in the field.

One thing I must get right is to make sure that the released system will not change the contents of the micro SD card at all, only a small read-write partition at the end of the SD for configuration/logs. The content of the micro SD card is checked for changes while the equipment is audited.

The idea is to use overlayroot to mount the underlying / as read-only, and mount /boot and user partitions as read-only also.
So far this is working as expected. Unfortunately I have only one ODROID-C4 unit right now and I'm not sure whether putting the micro SD card in another unit will change the contents of the micro SD card, especially in the unpartitioned areas.

I remember from the ODROID-C2 official images I used, a startup routine writes the board serial number at the beginning of the SD card.
This serial number is the same we can get with cat /sys/class/efuse/usid command.

After some research I realized it's the U-Boot that saves its environment to the "U-Boot Environment" area that starts at 32KB offset of the micro SD card.

Does something similar happen to the ODROID-C4 official images?

My analysis:

Using the ODROID-C4 official Ubuntu images (particularly, the ubuntu-20.04-4.9-minimal-odroid-c4-hc4-20210128.img image), I didn't notice any changes to the SD card.
I noticed there are some UUIDs in the SD card:

    000bce30: 1a75 7569 643d 3930 3938 3030 3461 2d61  .uuid=9098004a-a
    000bce40: 3164 642d 3131 6538 2d39 3864 302d 3532  1dd-11e8-98d0-52
    000bce50: 3932 3639 6662 3134 3539 ff00 0047 0021  9269fb1459...G.!
    ... 
    000e2f30: f11a 7575 6964 3d39 3039 3830 3266 322d  ..uuid=909802f2-
    000e2f40: 6131 6464 2d31 3165 382d 3938 6430 2d35  a1dd-11e8-98d0-5
    000e2f50: 3239 3236 3966 6231 3435 3911 0100 4700  29269fb1459...G.
    ... 
    000f0db0: 3000 7078 6575 7569 643d 3930 3938 3032  0.pxeuuid=909802
    000f0dc0: 6632 2d61 3164 642d 3131 6538 2d39 3864  f2-a1dd-11e8-98d
    000f0dd0: 302d 3532 3932 3639 6662 3134 3539 0072  0-529269fb1459.r

I also noticed there's another UUID in /media/boot/boot.ini file:

    setenv bootargs "root=UUID=e139ce78-9841-40fe-8823-96a304a09859 rootwait rw ${condev} ${amlogic} no_console_suspend fsck.repair=yes net.ifnames=0 elevator=noop hdmimode=${hdmimode} cvbsmode=576cvbs max_freq_a55=${max_freq_a55} maxcpus=${maxcpus} voutmode=${voutmode} ${cmode} disablehpd=${disablehpd} cvbscable=${cvbscable} overscan=${overscan} ${hid_quirks} monitor_onoff=${monitor_onoff} logo=osd0,loaded ${cec_enable} sdrmode=${sdrmode} enable_wol=${enable_wol}"

Which is of course the one passed to the kernel command line:

    odroid@odroid:~$ sudo dmesg | grep "Kernel command line"
    [    0.000000] Kernel command line: root=UUID=e139ce78-9841-40fe-8823-96a304a09859 rootwait rw console=ttyS0,115200n8  no_console_suspend fsck.repair=yes net.ifnames=0 elevator=noop hdmimode=1080p60hz cvbsmode=576cvbs max_freq_a55=1908 maxcpus=4 voutmode=hdmi  disablehpd=false cvbscable=0 overscan=100  monitor_onoff=false logo=osd0,loaded hdmitx=cec3f sdrmode=auto enable_wol=0

There's also the UUID I get with the following command:

    odroid@odroid:~$ cat /sys/class/efuse/uuid
    276f6421-ad64-4bdb-958a-001e064822aa

Now, if I understood correctly:
  • UUIDs written in the beginning of the SD card (memory dump above) and in /media/boot/boot.ini file, are leftovers/default and immutable values that are not relevant;
  • The UUID obtained from /sys/class/efuse/uuid, which can be used as board identification/unique number, is not normally written to the SD card.

Is my analysis correct?
Thanks in advance


Post by odroid »

Everybody can change the UUID in the SD/eMMC card arbitrarily. For example, viewtopic.php?f=52&t=5054

But, the efuse content in the CPU OTP (one-time-programmable) memory has been written in our production process for unique Ethernet MAC address generation.
Therefore, you can use the efuse uuid string as a nonvolatile board ID.
/sys/class/efuse/uuid is not a part of the SD card root file system. It is a sort of RAM disk part which is generated by the efuse device driver in the kernel booting process on the fly.

Post by br_jardle »

odroid wrote (Thu Aug 19, 2021 9:45 am):
Everybody can change the UUID in the SD/eMMC card arbitrarily. For example, viewtopic.php?f=52&t=5054

But, the efuse content in the CPU OTP (one-time-programmable) memory has been written in our production process for unique Ethernet MAC address generation.
Therefore, you can use the efuse uuid string as a nonvolatile board ID.
/sys/class/efuse/uuid is not a part of the SD card root file system. It is a sort of RAM disk part which is generated by the efuse device driver in the kernel booting process on the fly.

That's what I thought! Thanks for confirming this info :)

Post by br_jardle »

I also had to configure some other stuff to make the SD card completely immutable.
Here's a record for those who want to do it:
  • Install and configure overlayroot. You may also have to fix one of its scripts (see the following link; originally written for ODROID-C2, but also applicable to ODROID-C4: viewtopic.php?f=136&p=187934#p187934);
  • Configure whatever partitions apart from the root file system to mount as read-only in /etc/fstab;
  • Prevent fsck checks over the root filesystem by startup routines (this changes SD card contents). In order to do so, change fsck.repair=yes to fsck.repair=no in /boot/boot.ini file. I also changed rw to ro, but I'm not sure this is really necessary too.

It's easy to check if the configuration works. Just check if a hash of the SD card device never changes (for instance, by running sudo md5sum /dev/mmcblk1).
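
The whole-device hash described in the post above also covers the small read-write partition at the end of the card, so it changes whenever configuration or logs are written. The following added example (not code from the thread) hashes only the region in front of that partition and checks boot.ini for the fsck.repair setting; it uses SHA-256 instead of md5sum, and the partition name mmcblk1p3 and the SYSFS override variable are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): hash only the part of the card that
# must never change, so writes to the trailing read-write partition are ignored.
# Assumptions: GNU head/sha256sum; the partition name used below is hypothetical.

SYSFS_DEFAULT=/sys/class/block

# rw_start_sectors PART: first sector of the read-write partition.
# sysfs reports "start" in 512-byte sectors regardless of the card's block size.
rw_start_sectors() {
    cat "${SYSFS:-$SYSFS_DEFAULT}/$1/start"
}

# immutable_hash DEVICE SECTORS: SHA-256 of the first SECTORS*512 bytes, which
# covers the partition table, the unpartitioned bootloader area, /boot and /.
immutable_hash() {
    head -c "$(( $2 * 512 ))" "$1" | sha256sum | cut -d' ' -f1
}

# verify_card DEVICE SECTORS BASELINE: succeed only if the region is unchanged.
verify_card() {
    [ "$(immutable_hash "$1" "$2")" = "$3" ]
}

# bootini_ok FILE: fail if an uncommented line still enables boot-time fsck
# repair, which the thread identifies as a source of writes to the card.
bootini_ok() {
    [ -r "$1" ] && ! grep -v '^[[:space:]]*#' "$1" | grep -q 'fsck\.repair=yes'
}

# Usage (as root): sh verify_card.sh /dev/mmcblk1 mmcblk1p3 BASELINE_SHA256
if [ "$#" -eq 3 ]; then
    sectors=$(rw_start_sectors "$2") || exit 2
    if verify_card "$1" "$sectors" "$3"; then
        echo "immutable region unchanged"
    else
        echo "immutable region CHANGED" >&2
        exit 1
    fi
fi
```

Record the baseline once from the released image with immutable_hash, then run the check after power cycles and after moving the card to another board.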
