
Swissbit SecureBoot SDK RPi User Manual v2.0

Swissbit SecureBoot SDK for Raspberry Pi User Manual

Uploaded by

sunnygfarnsworth

User Manual

Swissbit Secure Boot SDK


for Raspberry Pi

Version: 2.0
Copyright 2020 by Swissbit AG
This document as well as the information or material contained is copyrighted. Any use not explicitly permitted by
copyright law requires prior consent of Swissbit AG. This applies to any reproduction, revision, translation, storage
on microfilm as well as its import and processing in electronic systems, in particular.
The information or material contained in this document is property of Swissbit AG and any recipient of this document
shall not disclose or divulge, directly or indirectly, this document or the information or material contained herein
without the prior written consent of Swissbit AG.
All copyrights, trademarks, patents and other rights in connection herewith are expressly reserved to Swissbit AG
and no license is created hereby.
Subject to technical changes.
All brand or product names mentioned are trademarks or registered trademarks of their respective holders.

Table of Contents
1.1 Glossary & SDK Contents
    Glossary
    Contents of the SDK
    U-Boot Binary Files
    Applications for Managing DP-Devices
2. Swissbit Secure Boot Solution for Protecting the System Integrity of a Raspberry PI Boot Media
3. Quickstart Guide
    Step 1: Check Prerequisites
    Step 2: Get Swissbit Secure Boot Solution for Raspberry Pi
    Step 3: Configure the Swissbit micro SD Card by choosing your security policy (cf. Chapter 0)
    Step 4: Install U-Boot (cf. Chapter 5)
    Step 5: Activate DP Card Data Protection (cf. Chapter 6)
    Step 6: Securely boot the Raspberry Pi (cf. Chapter 0)
4. Swissbit micro SD Card Configuration
    4.1 Insert microSD card into your Windows-based system
    4.2 Run Swissbit Device Manager
    4.3 Set Security Flags
    4.4 Prepare a Security Policy
    4.5 Set a Security Policy
        Set a “PIN” policy
        Set a “USB” policy
        Set a NET policy
    4.6 Install the Raspberry Pi Operating System
    4.7 Set a Protection Profile
5. U-Boot Installation
6. Activation of Card Data Protection
7. Booting the Raspberry Pi with activated security
8. Appendix
    8.1 Deactivating DP Card Data Protection
    8.2 Reference Material
        Swissbit
        U-Boot
        Raspberry Pi
9. Document History

1.1 Glossary & SDK Contents

Glossary

Abbreviation   Description
API            Application Programming Interface
DP             Data Protection
SDK            Software Development Kit
GUI            Graphical User Interface
CLI            Command Line Interface
SO             Security Officer
SHA            Secure Hash Algorithm
PIN            Personal Identification Number
               Note: In this document, PIN is a synonym for password, as any binary
               value can be defined. In practice, the password will most probably be
               an ASCII PIN.
NVRAM          Non-Volatile Random Access Memory

ⓘ Information / hints are denoted with this icon: ⓘ

Contents of the SDK

The Swissbit Secure Boot for Raspberry Pi solution provides an SDK with U-Boot binaries and configuration files
for Raspberry Pi 2 and 3 boards, and management applications to configure Swissbit DP products. Prebuilt
U-Boot binaries are available for Raspberry Pi 2 and 3 boards, and the configuration tools are available for
Microsoft Windows (Windows 7 and higher). This chapter describes where to find the particular components.
The Swissbit Secure Boot SDK is packed in the file Swissbit_SecureBoot_SDK_RPi.zip. After unpacking in a directory,
the SDK has the following directory structure:

├── Apps                 Management tools for Swissbit DP devices
│   ├── SDcard           Device manager location for (micro)SD DP card
│   │   └── Windows      Windows specific QT binary
│   └── USB              Device manager location for USB DP stick
│       └── Windows      Windows specific QT binary
├── Doc                  Location of this document
└── Raspberry
    ├── RPI2             U-Boot binaries for RPI 2
    └── RPI3B+           U-Boot binaries for RPI 3 B Plus

U-Boot Binary Files


The U-Boot binary can be found in the respective folders for the Raspberry Pi.

RPI 2
U-Boot binary:              <sdkroot>\Raspberry\RPI2\u-bootRPI2.bin
Binary U-Boot boot script:  <sdkroot>\Raspberry\RPI2\boot.scr.uimg

RPI 3 B Plus
U-Boot binary:              <sdkroot>\Raspberry\RPI3B+\u-bootRPI3.bin
Binary U-Boot boot script:  <sdkroot>\Raspberry\RPI3B+\boot.scr.uimg
U-Boot DTB file:            <sdkroot>\Raspberry\RPI3B+\bcm2837-rpi-3-b-plus.dtb

Applications for Managing DP-Devices


Swissbit Security DP devices can be configured using the Device Manager applications for (micro)SD and USB,
located at <sdkroot>\Apps\SDcard and <sdkroot>\Apps\USB, respectively.

2. Swissbit Secure Boot Solution for Protecting the System Integrity of a Raspberry PI Boot Media
A Raspberry Pi board boots from an SD (RPI 1) or micro SD (RPI 2 and 3) card inserted into the board. A default
Raspbian installation installs the kernel on the boot partition and the root file system on a separate second
partition. If standard storage cards are used, typically all data and files in both partitions can be read, modified
and deleted by anybody.
The Swissbit Data Protection (DP) micro SD card PS-45u DP Raspberry Edition allows restricting access to data on
the card by various configurable policies. The boot image can be set read-only to prevent unauthorized
modification. Authorization is performed in the Swissbit customized pre-boot phase to unlock access for a user
or further boot.

The following security policy methods are available:
- PIN policy: PIN input by the user
- USB policy: an authorization dongle is plugged into the Raspberry Pi (requiring a Swissbit USB PU-50n
DP “Raspberry Edition”)
- NET policy: authorization through a network server
In the herein described setup, all files and data in the boot partition are read only and cannot be modified. The
root file system of the Operating System can only be read after authentication. Thus, an authentication failure
during boot will prevent the kernel from reading the OS root file system resulting in a boot failure.
Please check www.swissbit.com/secure-boot-rpi (Downloads) for the latest version of the Secure Boot SDK and
documentation.

3. Quickstart Guide
The Swissbit Secure Boot Solution for Raspberry Pi allows encryption and access protection of data stored on the
card. The DP card safeguards a data policy that is enforced with minimum interaction of the host system Raspberry
Pi.
Swissbit provides a Secure Boot SDK to integrate a Swissbit Data Protection (DP) micro SD card into a U-Boot boot
environment.

Step 1: Check Prerequisites


In order to use Swissbit Secure Boot Solution for Raspberry Pi you first need:
- A Raspberry PI 2 or 3 B Plus and its peripherals
- A Windows-based computer for configuring the Swissbit DP products

Step 2: Get Swissbit Secure Boot Solution for Raspberry Pi


The Swissbit Secure Boot Solution for Raspberry Pi consists of:
- A Swissbit Secure microSD card PS-45u DP “Raspberry Edition”
- The Swissbit Secure Boot SDK for Raspberry Pi
In case you choose to pursue a USB policy (see chapter 4.5.2),
- An additional Swissbit Secure USB stick PU-50n DP „Raspberry Edition“ is needed
In case you pursue a NET policy (see chapter 4.5.3),
- An additional Raspberry Pi board is required AND an additional regular microSD card with min. 8GB
capacity (e.g. Swissbit S-45u)
You can get the Swissbit Secure Boot Solution for Raspberry Pi from our distribution partners. Please
visit https://www.swissbit.com/en/support/where-to-buy/

Step 3: Configure the Swissbit micro SD Card by choosing your security policy (cf. Chapter 0)
Authorization is performed in the Swissbit customized pre-boot phase to unlock access for further
boot.
Swissbit offers the following security policy methods:
1. PIN policy (cf. chapter 4.5.1): PIN input by the user
2. USB policy (cf. chapter 4.5.2): an authorization dongle is plugged into the Raspberry Pi (requiring a
separate Swissbit DP device: PU-50n DP „Raspberry Edition“)
3. NET policy (cf. chapter 4.5.3): authorization through a network server (requiring an additional
Raspberry Pi board running the NET policy server)

Step 4: Install U-Boot (cf. Chapter 5)

Step 5: Activate DP Card Data Protection (cf. Chapter 6)

Step 6: Securely boot the Raspberry Pi (cf. Chapter 0)

4. Swissbit micro SD Card Configuration
4.1 Insert microSD card into your Windows-based system
You can use an adapter to insert the Swissbit microSD card into your Windows-based system, e.g. PC or Notebook.

4.2 Run Swissbit Device Manager


The Swissbit Device Manager can be found at <sdkroot>\Apps\SDcard\Windows\bin\cardManager.exe. It can be
started from that location or optionally be installed permanently using the install script at
<sdkroot>\Apps\Windows\install.bat.
NOTE: The Swissbit Device Manager tool only works with Swissbit DP memory cards. If such a card is inserted and
the Device Manager still reports “No secure device found”, please make sure that the card is formatted (e.g.
FAT32) and got assigned a drive letter (e.g. F:) by Windows. Furthermore, the card must be writeable – the write
protect switch of micro-SD/SD adapters must be inactive.

4.3 Set Security Flags


Set the security flags with the following steps:
1. Start the Swissbit Device Manager
2. Go to menu “Manage > Security Settings” and choose these settings:
- Support Fast Wipe: not checked
- Reset Requires SO PIN: checked
- Multiple Partition Protection: checked
- Secure PIN Entry: checked
- Login Status Survives Soft Reset: checked
Multiple Partition Protection has to be checked for the OS integrity (Raspberry) use case.

Fig. 1 Security Settings

3. Click “Set” to confirm your choices.


4. Close the Swissbit Device Manager
5. Remove the Swissbit micro SD card from your computer and insert it in again.

4.4 Prepare a Security Policy


Swissbit Secure Boot for Raspberry Pi requires setting a security policy used by U-Boot.
Policies are written to the first block of the random access NVRAM. Therefore, the policy must contain at least one
block and have correct access rights.

Prepare a security policy with the following steps:
1. Start the Swissbit Device Manager
2. Go to menu “NVRAM > Configure”
3. Select the value “1” for both “Size” fields and check the column for Read and Write access rights
as shown below in Fig. 2.
4. Click “Configure” to confirm your choices.

Fig. 2 Configuring the NVRAM

4.5 Set a Security Policy


There are three policies available:
- PIN policy: PIN input by the user
- USB policy: an authorization dongle is plugged into the Raspberry Pi (requiring a Swissbit USB PU-50n
DP „Raspberry Edition“)
- NET policy: authorization through a network server (requiring an additional Raspberry Pi running the
NET policy server)

Set a “PIN” policy


PIN policy means the user has to enter a PIN to unlock the card for further boot process.

Set the PIN policy with the following steps:
1. Start the Swissbit Device Manager
2. Go to menu “NVRAM > Read/Write Random Access Memory”
3. Enter “0” as the value for the block and click on “Select”
4. Write “PIN” into the text field
5. Click “Commit”
6. Click “Quit” to leave dialog


Fig. 3 Setting a PIN policy

Set a “USB” policy


USB policy means that there is an additional Swissbit Secure USB stick PU-50n DP „Raspberry Edition“ with CCID
capabilities inserted in a USB slot of the Raspberry Pi board that is booted. This CCID device holds the unlock PIN
in an encrypted format and provides it at boot time to the U-Boot authentication function.

Set the USB policy in the Swissbit microSD card with the following steps:
1. Start the Swissbit Device Manager
2. Go to menu “NVRAM > Read/Write Random Access Memory”
3. Enter “0” as the value for the block and click on “Select”
4. Write “USB” into the text field

5. Click “Commit”
6. Click “Quit” to leave dialog


Fig. 4 Setting a USB policy

Set the USB policy in the authentication dongle (= additional Swissbit USB stick PU-50n DP „Raspberry Edition“)
with the following steps:
1. Unplug the microSD card
2. Insert the additional Swissbit USB stick PU-50n Raspberry Pi Edition
3. Start the Swissbit Device Manager for USB at <sdkroot>\Apps\USB\Windows\bin\cardManager.exe
4. Go to menu “Manage > Set Authenticity Secret”
5. Enter a PIN as an Authenticity Secret, re-type the Authenticity Secret
6. Click on “Set Authenticity Secret”
Note: Please remember the entered PIN (= Authenticity Secret) as you need to set the same value as the
Authenticity Secret later on in the microSD card DP Activation Dialog.


Fig. 5 Configuring the additional USB device as an authentication dongle when using a USB policy

Set a NET policy


NET policy means that during the boot process, U-Boot will retrieve authentication information from an
authentication server in the network. The corresponding document “Swissbit NetPolicyServer User Manual”
describes how to set up an authentication server on a second Raspberry Pi.

In general:
The NET policy has this format: NET#<ipaddr>#<port>
<ipaddr>: the IPv4 address or the name of the authentication server (Net policy server).
<port>: the UDP port on which the Net policy server is listening. The default port is 12375.
Thus a properly formatted NET policy string would look like this:
Example: NET#192.168.178.75#12375
This indicates an authentication server with the IP address 192.168.178.75 listening on port 12375.

Set the NET policy in the Swissbit microSD card with following steps:
1. Start the Swissbit Device Manager
2. Go to menu “NVRAM > Read/Write Random Access Memory”
3. Enter “0” as the value for the block and click on “Select”
4. Write the “NET#<ipaddr>#<port>” string into the text field (example shown below in Fig. 6)
5. Click “Commit”
6. Click “Quit” to leave dialog
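
The three policy strings described in this chapter (PIN, USB, NET#<ipaddr>#<port>) can be checked before they are committed to NVRAM block 0. The validator below is an added example, not part of the Swissbit SDK. Its strict matching (exact upper case, no surrounding whitespace), its host name rule and its port range of 1 to 65535 are assumptions of this example, and the names parse_policy and is_valid_policy are hypothetical.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

DEFAULT_NET_PORT = 12375  # default UDP port stated in the manual

# Host name label rule (letters, digits, inner hyphens); an assumption of this
# example, the manual only says "the IPv4 address or the name".
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


@dataclass(frozen=True)
class Policy:
    kind: str                    # "PIN", "USB" or "NET"
    host: Optional[str] = None   # NET only
    port: Optional[int] = None   # NET only


def _valid_host(host: str) -> bool:
    try:
        ipaddress.IPv4Address(host)
        return True
    except ValueError:
        pass
    # Digits and dots that failed IPv4 parsing are a mistyped address, not a name.
    if re.fullmatch(r"[0-9.]+", host):
        return False
    labels = host.rstrip(".").split(".")
    return len(host) <= 253 and all(_LABEL.match(label) for label in labels)


def parse_policy(text: str) -> Policy:
    """Parse a policy string; raise ValueError naming the problem if malformed."""
    if text != text.strip():
        raise ValueError("leading or trailing whitespace")
    if text in ("PIN", "USB"):
        return Policy(text)
    parts = text.split("#")
    if parts[0] != "NET":
        raise ValueError(f"unknown policy {parts[0]!r}")
    if len(parts) != 3:
        raise ValueError("NET policy must have the form NET#<ipaddr>#<port>")
    _, host, port_text = parts
    if not _valid_host(host):
        raise ValueError(f"invalid server address {host!r}")
    if not re.fullmatch(r"[0-9]{1,5}", port_text) or not 1 <= int(port_text) <= 65535:
        raise ValueError(f"invalid UDP port {port_text!r}")
    return Policy("NET", host, int(port_text))


def is_valid_policy(text: str) -> bool:
    try:
        parse_policy(text)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample inputs; only the first NET string appears in the manual.
    samples = [
        "PIN",
        "USB",
        f"NET#192.168.178.75#{DEFAULT_NET_PORT}",
        "NET#192.168.178.75",          # port missing
        "NET#192.168.178.750#12375",   # octet out of range
        "net#192.168.178.75#12375",    # lower case
    ]
    for sample in samples:
        try:
            print(f"{sample!r}: ok -> {parse_policy(sample)}")
        except ValueError as err:
            print(f"{sample!r}: rejected ({err})")
```
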


Fig. 6 Setting a NET policy

Next, it is required to get the Unique ID of the Swissbit microSD card for the later configuration of the NET
policy server:
1. Start the Swissbit Device Manager
2. Go to menu “Information > Device Status” or press “CTRL-S”
3. Write down the UniqueID of the Swissbit microSD card (or copy it to clipboard and save it digitally)

Fig. 7 Get the Unique ID of the Swissbit microSD card

4.6 Install the Raspberry Pi Operating System


Install the Raspberry Pi Operating System onto the Swissbit micro SD card with the following steps:
1. Download the latest Raspbian OS image from:
https://www.raspberrypi.org/downloads/raspbian/

2. Follow the installation procedure using e.g. the balenaEtcher tool:


https://www.raspberrypi.org/documentation/installation/installing-images/windows.md

3. After you installed the Operating System onto the microSD card verify you can boot your Raspberry PI
from this card and apply all OS updates.

4.7 Set a Protection Profile


Set a Protection Profile on the Swissbit micro SD card with the following steps:
1. Re-insert the microSD card into your Windows-based PC or notebook
2. Click on “Cancel” if your system requests to format the second partition on the microSD card

Fig. 8 Click on “Abbrechen” / “Cancel”

A Protection Profile has to be set only in case “Multiple Partition Protection” has been selected in step 4.3.
Note: If Multiple Partition Support has not been activated, this step cannot be applied since the protection profile
is applied implicitly.
The Protection Profile determines which kind of protection is in force after security has been activated on the
card. Protection profiles are assigned to partitions. Each partition can have exactly one profile type assigned.
It is strongly recommended to check "Protect MBR". With this setting, the card's MBR can be read but not be
modified. Even in unlocked state, the MBR is immutable and the card cannot be repartitioned.

Note: Repartitioning of the MBR is possible by the Admin and requires deactivation of the card's security first.
See 8.1.
The OS integrity use case (e.g. for the Raspberry Pi) assumes two partitions: a boot partition that shall be readable
at any time and a root file system partition that shall be accessible only after authentication.
Set a protection profile with the following steps:
1. Start the Swissbit Device Manager
2. Go to menu “Manage > Manage Protection Profiles”
3. If a popup window titled “Profiles not matching partitions” appears, asking whether you “want to
reset all protection profiles?”, click “Yes”.
4. For Partition 1 choose value “Public CD-ROM”
5. For Partition 2 choose value “Private RW”
6. Check “Protect MBR”
7. Click “OK”


Fig. 9 Setting Protection Profiles for a Raspberry Pi installation.

ⓘ If you see more than 2 partitions (e.g. 4 partitions) under “manage protection profiles”, please make sure
that this is what you want. More than 2 partitions also appear if the “installing Operating System” step has been
skipped by mistake. If so, please go back to Chapter 4.6.
ⓘ Please note that the “Public CD-ROM” partition becomes read-only after the DP Card protection has been
activated (see Ch. 6). Even in read-only mode the partition appears to be writable, but all changes will be
reverted after removing and re-inserting the memory card.
When the protection is not activated as described in Chapter 6 (the card is in “transparent mode”), regular
read/write operation is possible on the partition.

5. U-Boot Installation
The U-Boot files required for the Swissbit U-Boot implementation on Raspberry Pi consist of a U-Boot binary
and a U-Boot configuration script.

1. Insert the microSD-Card into a Windows-based machine and depending on your Raspberry Pi model,
please follow the according steps as stated below:

2. If your Raspberry Pi model is a Raspberry PI 2:


a. Copy the file <sdkroot>\Raspberry\RPI2\u-bootRPI2.bin onto the first partition of your microSD
card.
b. Copy the file <sdkroot>\Raspberry\RPI2\boot.scr.uimg to the first partition of your microSD card.
c. On the first partition of your microSD card open the file “config.txt” and add the following line
at the end:
kernel=u-bootRPI2.bin

3. If your Raspberry Pi model is a Raspberry PI 3 B Plus:
a. Copy the file <sdkroot>\Raspberry\RPI3\u-bootRPI3.bin onto the first partition of your microSD
card.
b. Copy the file <sdkroot>\Raspberry\RPI3\BPlus\boot.scr.uimg onto the first partition of your
microSD card.
c. Copy the file <sdkroot>\Raspberry\RPI3\BPlus\bcm2837-rpi-3-b-plus.dtb onto the first partition
of your microSD card
d. On the first partition of your microSD card please open the file “config.txt” and add the
following line at the end:
kernel=u-bootRPI3.bin
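
Because the boot partition becomes read-only once data protection is activated (Chapter 6) and can only be changed again after deactivation (Chapter 8.1), it is worth checking the result of the steps above before activating. The script below is an added example, not part of the Swissbit SDK. It uses the file names given in this chapter; the function names are hypothetical, config.txt section filters are not interpreted, and flagging any additional active kernel= line for review is a conservative choice of this example.

```python
import tempfile
from pathlib import Path

# File names as given in this chapter, per board model; the first entry is the
# U-Boot binary that config.txt must reference.
REQUIRED = {
    "RPI2": ["u-bootRPI2.bin", "boot.scr.uimg"],
    "RPI3B+": ["u-bootRPI3.bin", "boot.scr.uimg", "bcm2837-rpi-3-b-plus.dtb"],
}


def kernel_entries(config_text):
    """Return the values of all active (non-comment) kernel= lines."""
    values = []
    for line in config_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip() == "kernel":
            values.append(value.strip())
    return values


def check_boot_partition(root, model):
    """Return a list of problems found; an empty list means all checks passed."""
    root = Path(root)
    uboot = REQUIRED[model][0]
    problems = []
    for name in REQUIRED[model]:
        path = root / name
        if not path.is_file():
            problems.append(f"missing file: {name}")
        elif path.stat().st_size == 0:
            problems.append(f"empty file: {name}")
    config = root / "config.txt"
    if not config.is_file():
        problems.append("missing file: config.txt")
        return problems
    kernels = kernel_entries(config.read_text(errors="replace"))
    if not kernels:
        problems.append(f"config.txt has no kernel= line (expected kernel={uboot})")
    elif kernels != [uboot]:
        problems.append(f"config.txt kernel= entries {kernels}, expected only {uboot}")
    return problems


def demo():
    """Run the check on a constructed boot partition, first correct, then broken."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for name in REQUIRED["RPI3B+"]:
            (root / name).write_bytes(b"constructed placeholder content")
        (root / "config.txt").write_text(
            "# constructed sample config\ndtparam=audio=on\nkernel=u-bootRPI3.bin\n"
        )
        good = check_boot_partition(root, "RPI3B+")
        # Break it: a second active kernel= line and a missing DTB file.
        (root / "config.txt").write_text("kernel=kernel7.img\nkernel=u-bootRPI3.bin\n")
        (root / "bcm2837-rpi-3-b-plus.dtb").unlink()
        bad = check_boot_partition(root, "RPI3B+")
    return good, bad


if __name__ == "__main__":
    good, bad = demo()
    print("correct partition:", good or "no problems")
    for problem in bad:
        print("broken partition:", problem)
```

To check a real card, pass the drive letter Windows assigned to the first partition, for example check_boot_partition("F:\\", "RPI3B+").
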

6. Activation of Card Data Protection


In case the PIN or USB policy has been set before, please proceed with the activation of the DP card data
protection.
In case the NET policy has been set before, please verify that the authentication server is up and running, then
please proceed with the activation of the DP card data protection.
Insert the microSD-Card into a Windows-based machine and follow these steps:
1. Start the Swissbit Device Manager

2. Go to menu “Manage > Activate Data Protection”

3. Set a Password (min. 4 characters), which will be your user PIN, and set the Security Officer Password
(min. 8 characters)
NOTE: If you have chosen “USB policy”, the password must match the authenticity secret of the
authentication dongle (USB stick PU-50n “Raspberry Pi Edition”), which has been set in Chapter 4.5.2.

4. Click on “Activate Data Protection”.


NOTE: The “Public CD-ROM” partition(s) (see Chapter 4.7) will become read-only after the micro SD card
data protection has been activated. Even in read-only mode the partition(s) will appear to be writable,
but all changes will be reverted after removing & re-inserting the memory card.


Fig. 10 Activating Data Protection

Fig. 11 Device Manager view after Data Protection activation

7. Booting the Raspberry Pi with activated security
Now you can insert the prepared microSD Card Raspberry Pi Edition into your Raspberry Pi and securely boot up
your Raspberry Pi.

When using …
1. PIN policy: you will be asked to enter the Password in order to boot up the Raspberry PI

Fig. 12 Secure Boot of Raspberry PI with PIN policy

2. USB policy: please make sure that the Authenticity dongle (= USB stick PU-50n) is inserted into your
Raspberry PI before you power up your Raspberry PI
The boot up of your Raspberry PI will look similar to the screenshot shown below:

Fig. 13 Secure Boot of Raspberry PI with USB policy

3. NET Policy: Please make sure, that your Raspberry PI is connected to the network and the net policy
server is up and running.
The boot up of your Raspberry PI will look similar to the screenshot shown below:

Fig. 14 Secure Boot of Raspberry PI with NET policy

8. Appendix
8.1 Deactivating DP Card Data Protection
If you want to make changes to the boot partition of the Swissbit DP card (PS-45u Raspberry Pi Edition), you can
do this only when the card has data protection deactivated (transparent mode).
Deactivate the DP card data protection with the following steps:
1. Start the Swissbit Device Manager
2. Go to menu “Manage > Deactivate Data Protection”
3. Enter the Security Officer Password
4. Click on “Deactivate Data Protection”

Fig. 15 Deactivating Data Protection

8.2 Reference Material

Swissbit
Swissbit Net Policy Server User Manual

U-Boot
https://www.denx.de/wiki/view/DULG/UBoot
http://www.denx.de/wiki/DULG/Faq

Raspberry Pi
https://elinux.org/RPi_U-Boot

9. Document History
Version   Updated on         Updated by    Short description
2.0       April 20th, 2020   Swissbit AG   First public release
