SCM - Getting Started


Introduction to Alpha Release


A big thank you for agreeing to checkout out our new SCM Alpha release. Your testing and feedback will help us improve the features and quality of final product before it’s general release.

The following types of feedback will be very helpful to us:

  • Quality - does the feature work as advertised?
  • Useability – was the feature easy/intuitive to use? Or totally mind numbing?
  • Improvements/new features – what improvements or new features would you like to see?

The following are key features of the product that we encourage you to test. Most have specific tutorials or documentation to support your evaluation linked below.

  • Tightening up standard Pi login access
  • Pre-configured and encrypted operating system
  • Supervised Boot
  • Sanitization Script
  • Tamper sensors and policies

Getting Support

Contact Support

Pen Testing and Beyond

For those of you trying pen test the device, we understand that anything and everything is possible! Its just a question of how much time, money and expertise you have.

  • Can you brick it? Yes if you do bad things to it!
  • Can you extract sensitive data from it? Try it.

Useful feedback on pen testing would include how you had configured the SCM – what sensors and policies did you have enabled, what attack and escalation path did you follow. If you have any cool pictures of angle grinders or drills, or lasers, please share them!

Final Thoughts on Purpose

SCM is a commercial product, designed to bring a higher level of security to applications that use single board computers deployed outside the security of a data center – IoT, gateways, terminals etc. Its purpose is to protect valuable assets like IP, data and credentials from typical real-world exploits. It’s designed for developers to innovate freely using familiar tools, without needing expert security knowledge or additional layers of technology.

If you can help us achieve our purpose of making compute hardware products more secure, we’re on the same page. Thanks for testing – we look forward to your feedback and suggestions!

Team Zymbit.


Overview

The SCM Alpha kit provides all the hardware and software components required to evaluate the Zymbit Secure Compute Module. The product you are receiving is alpha-release which means there are a small number of features that have not been included, and a few known bugs that have not yet been resolved. Refer to SCM Alpha Release Notes.

Register your device, receive SSH passphrase

Before getting started your will need to register your device to receive a unique passphrase that has been associated with your device by Zymbit. Register here:

Register

register

Contents of Kit

  • Zymbit Secure Compute Module including Pi CM4
  • Raspberry Pi CM4 I/O board (Datasheet)
  • Zymbit Perimeter Detect Cable
  • Zymbit External Battery
  • 12V Power Supply
  • USB drive with SSH keys necessary for SSH login
Contents

SCM Alpha Kit

Secure Compute Module

The Zymbit Secure Compute Module comprises a Zymbit Security Module + Hardware Wallet + Raspberry Pi CM4 integrated into a secure encapsulated module.

SCM Physical Architecture

SCM Functional Architecture

Highlights
  • 100% pin compatible with RPi CM4, all configurations.
  • 100% code compatible with RPi
  • Easy to Scale
  • Pre-fuzzed, pre-encrypted file system
    Notice
    The pre-installed image is encrypted and cannot be replaced via rpiboot in the field for Alpha. Please contact support@zymbit.com for assistance.
  • Pre-loaded Linux kernel
  • Pre-load with customer software
  • Pre-defined file manifest & policies
  • Custom MAC OUID blocks available
  • Embedded hardware wallet with SLIP39-Shamir’s Secret Sharing
Layers of Security
  • Supervised boot
  • Fully encapsulated
  • Last gasp power defenses
  • Tamper sense and response
  • File system encryption
  • Measured system identity & authentication
  • Data encryption & signing
Compute Options
  • Broadcom BCM2711, Quad core Cortex-A72 (ARM v8) 64-bit SoC @ 1.5GHz
  • LPDDR4 RAM: 1G to 8G, eMMC: 0G to 32G
  • 2.4/5.0GHz Wi-Fi & Bluetooth

Configure and Setup your SCM

1) Power On and Bootup
  • Connect up the ethernet and 12V power. The unit is designed to run headless. You do not need a monitor, keyboard, or mouse. As shipped, the hostname is zymbit-dev and a user named zymbit can be used for SSH login. SSH login is restricted to only use keys.
Notice

If you received a Secure Compute Node Type D35 enclosure, the Blue LED of the SCM called out in the following section is not visible from outside the D35 box. The production version of the D35 product includes an Blue LED on the front panel.

The total boot time as configured should take approximately 90 seconds from power on.

  • Monitor the Blue LED on the Zymbit SCM module. It will go through the following stages:
    • one slow blink: initializing the SCM
    • one -> two -> three -> four blinks: Supervised Boot is verifying the signed file information
    • rapid blinking: Supervised Boot successfully completed, booting underway
    • blinking stops: USB bus enumeration found SCM; may stay off for seconds
    • one blink every 3 seconds: zkifc has loaded and the system is ready to go
Example of Successful Supervised Boot LED Sequence (Click image for video)

2) Login via SSH with key

The SSH key is included on the USB drive in two formats: PPK for use with Putty and PEM for standard linux ssh

SSH login with Putty
  • Copy PPK key file zscn.ppk from USB drive to your host
Open PuTTY

Load SSH key file into PuTTY

Open PuTTY, navigate to SSH -> Auth, and Browse to the PPK file.

Configure and Save

Choose Session, then name and Save

Choose Session, then fill out the Host Name, the Session name, and Save.

Open SSH Session

Open your PuTTY Session

Choose your saved session and Open. Enter the Passphrase you received from Zymbit when prompted.

SSH login from Linux CLI
  1. Copy PEM key file zscn.pem from USB drive to your host
  2. ssh -i zscn.pem zymbit@zymbit-dev
  3. Present your passphrase when prompted

Update to the latest Zymbit software

FEATURE CHANGE: Changed references from Verified Boot to Supervised Boot. The names of methods and function calls for the Python, C, and C++ APIs changed. Any programs written to manipulate the manifest will require updating. Changes are in version zkapputilslib 1.1-24 and zku 1.0.32. To update to the new naming convention,

sudo apt-get update
sudo apt-get upgrade
sudo pip3 install -i https://test.pypi.org/simple/ zku --upgrade

To check the current versions,

dpkg --list zkapputilslib
pip3 show zku

NOTE: The host_security_sanitization.py script included in the image also references the old format. A script with the new format is available here: host_security_sanitation.py

Using SCM: API and Examples

Support