The console is an important attack vector on an embedded product. You can use the TRUSTFENCE_CONSOLE set of macros to enhance the security of the console, adapting it to your specific product requirements. Digi Embedded Yocto allows you to configure the console in one of four modes:

  • Enabled (default)

  • Enabled with passphrase

  • Enabled with GPIO

  • Disabled

By default, inheriting the TrustFence class does not disable the console.

Disable the console

To completely disable the product’s console, both in the U-Boot bootloader and the Linux user space, use the following configuration in your project’s conf/local.conf

INHERIT += "trustfence"

This is the recommended configuration, and it provides the highest level of security.

Configure passphrase-enabled console

You can also configure the console to be enabled by a secure passphrase using the following configuration in your project’s conf/local.conf. The passphrase is not stored in the device so it cannot be obtained by reverse engineering, but it could be compromised by a brute force attack.

INHERIT += "trustfence"

With the above configuration, the system will boot with a silent console. However, if the passphrase is typed immediately after U-Boot starts the console will be enabled.

This option impacts the boot time. Specifically, two timeouts are used:

  • 2 seconds per key press: This means if more than 2 seconds passes and the user did not enter any key, U-Boot aborts the password reading and keeps on booting (without enabling the console). On any key press, this timeout is reset.

  • 10 seconds for the full password: That is, after 10 seconds (even if the user is still pressing keys) U-Boot will abort the password reading and boot without console. This is done to prevent denial of service (DoS) attacks and guarantee that the target will boot even if there is a continuous stream of input data in the serial port.

Configure GPIO-enabled console

Finally, you can also configure the system to enable the console with a GPIO.

INHERIT += "trustfence"

This is the least secure configuration. Physical access to the device will compromise the console access.

TrustFence cannot be configured for both passphrase- and GPIO-enabled console. If both configuration options are present, passphrase-enabled will be used.

When the selected GPIO is low, the console remains disabled; when it is high, the console is enabled.