SCM - Getting Started
Introduction to Alpha Release
A big thank you for agreeing to checkout out our new SCM Alpha release. Your testing and feedback will help us improve the features and quality of final product before it’s general release.
The following types of feedback will be very helpful to us:
- Quality - does the feature work as advertised?
- Useability – was the feature easy/intuitive to use? Or totally mind numbing?
- Improvements/new features – what improvements or new features would you like to see?
The following are key features of the product that we encourage you to test. Most have specific tutorials or documentation to support your evaluation linked below.
- Tightening up standard Pi login access
- Pre-configured and encrypted operating system
- Supervised Boot
- Sanitization Script
- Tamper sensors and policies
Pen Testing and Beyond
For those of you trying pen test the device, we understand that anything and everything is possible! Its just a question of how much time, money and expertise you have.
- Can you brick it? Yes if you do bad things to it!
- Can you extract sensitive data from it? Try it.
Useful feedback on pen testing would include how you had configured the SCM – what sensors and policies did you have enabled, what attack and escalation path did you follow. If you have any cool pictures of angle grinders or drills, or lasers, please share them!
Final Thoughts on Purpose
SCM is a commercial product, designed to bring a higher level of security to applications that use single board computers deployed outside the security of a data center – IoT, gateways, terminals etc. Its purpose is to protect valuable assets like IP, data and credentials from typical real-world exploits. It’s designed for developers to innovate freely using familiar tools, without needing expert security knowledge or additional layers of technology.
If you can help us achieve our purpose of making compute hardware products more secure, we’re on the same page. Thanks for testing – we look forward to your feedback and suggestions!
The SCM Alpha kit provides all the hardware and software components required to evaluate the Zymbit Secure Compute Module. The product you are receiving is alpha-release which means there are a small number of features that have not been included, and a few known bugs that have not yet been resolved. Refer to SCM Alpha Release Notes.
Register your device, receive SSH passphrase
Before getting started your will need to register your device to receive a unique passphrase that has been associated with your device by Zymbit. Register here:
Contents of Kit
- Zymbit Secure Compute Module including Pi CM4
- Raspberry Pi CM4 I/O board (Datasheet)
- Zymbit Perimeter Detect Cable
- Zymbit External Battery
- 12V Power Supply
- USB drive with SSH keys necessary for SSH login
Secure Compute Module
The Zymbit Secure Compute Module comprises a Zymbit Security Module + Hardware Wallet + Raspberry Pi CM4 integrated into a secure encapsulated module.
- 100% pin compatible with RPi CM4, all configurations.
- 100% code compatible with RPi
- Easy to Scale
- Pre-fuzzed, pre-encrypted file system
NoticeThe pre-installed image is encrypted and cannot be replaced via
rpibootin the field for Alpha. Please contact firstname.lastname@example.org for assistance.
- Pre-loaded Linux kernel
- Pre-load with customer software
- Pre-defined file manifest & policies
- Custom MAC OUID blocks available
- Embedded hardware wallet with SLIP39-Shamir’s Secret Sharing
Layers of Security
- Supervised boot
- Fully encapsulated
- Last gasp power defenses
- Tamper sense and response
- File system encryption
- Measured system identity & authentication
- Data encryption & signing
- Broadcom BCM2711, Quad core Cortex-A72 (ARM v8) 64-bit SoC @ 1.5GHz
- LPDDR4 RAM: 1G to 8G, eMMC: 0G to 32G
- 2.4/5.0GHz Wi-Fi & Bluetooth
Configure and Setup your SCM
1) Power On and Bootup
- Connect up the ethernet and 12V power. The unit is designed to run headless. You do not need a monitor, keyboard, or mouse. As shipped, the hostname is
zymbit-devand a user named
zymbitcan be used for SSH login. SSH login is restricted to only use keys.
If you received a Secure Compute Node Type D35 enclosure, the Blue LED of the SCM called out in the following section is not visible from outside the D35 box. The production version of the D35 product includes an Blue LED on the front panel.
The total boot time as configured should take approximately 90 seconds from power on.
- Monitor the Blue LED on the Zymbit SCM module. It will go through the following stages:
- one slow blink: initializing the SCM
- one -> two -> three -> four blinks: Supervised Boot is verifying the signed file information
- rapid blinking: Supervised Boot successfully completed, booting underway
- blinking stops: USB bus enumeration found SCM; may stay off for seconds
- one blink every 3 seconds: zkifc has loaded and the system is ready to go
Example of Successful Supervised Boot LED Sequence (Click image for video)
2) Login via SSH with key
The SSH key is included on the USB drive in two formats: PPK for use with Putty and PEM for standard linux ssh
SSH login with Putty
- Copy PPK key file zscn.ppk from USB drive to your host
SSH login from Linux CLI
- Copy PEM key file zscn.pem from USB drive to your host
ssh -i zscn.pem zymbit@zymbit-dev
- Present your passphrase when prompted
Update to the latest Zymbit software
FEATURE CHANGE: Changed references from Verified Boot to Supervised Boot. The names of methods and function calls for the Python, C, and C++ APIs changed. Any programs written to manipulate the manifest will require updating. Changes are in version
zkapputilslib 1.1-24 and
zku 1.0.32. To update to the new naming convention,
sudo apt-get update sudo apt-get upgrade sudo pip3 install -i https://test.pypi.org/simple/ zku --upgrade
To check the current versions,
dpkg --list zkapputilslib pip3 show zku
NOTE: The host_security_sanitization.py script included in the image also references the old format. A script with the new format is available here: host_security_sanitation.py
Using SCM: API and Examples
- See API Documentation
- Working with Supervised Boot
- Securing the SCM further with the example Sanitization Script
- Working with the HD Wallet
- Setting up Tamper Detect