SCM - Getting Started


Introduction to Beta Release


Thank you for agreeing to evaluate our SCM Beta release. Your testing and feedback will help us improve the features and quality of the final product before its general release.

The following types of feedback will be very helpful to us:

  • Quality - does the feature work as advertised?
  • Usability – was the feature easy/intuitive to use? Or totally mind numbing?
  • Improvements/new features – what improvements or new features would you like to see?

The following are key features of the product that we encourage you to test. Most have specific tutorials or documentation to support your evaluation linked below.

  • Tightening up standard Pi login access
  • Pre-configured and encrypted operating system
  • Supervised Boot
  • Sanitization Script
  • Tamper sensors and policies

Getting Support

Contact Support

Pen Testing and Beyond

For those of you trying to pen test the device, we understand that anything and everything is possible! It's just a question of how much time, money and expertise you have.

  • Can you brick it? Yes, if you do bad things to it!
  • Can you extract sensitive data from it? Try it.

Useful feedback on pen testing would include how you had configured the SCM: which sensors and policies you had enabled, and what attack and escalation path you followed. If you have any cool pictures of angle grinders or drills, or lasers, please share them!

Final Thoughts on Purpose

SCM is a commercial product, designed to bring a higher level of security to applications that use single board computers deployed outside the security of a data center – IoT, gateways, terminals etc. Its purpose is to protect valuable assets like IP, data and credentials from typical real-world exploits. It’s designed for developers to innovate freely using familiar tools, without needing expert security knowledge or additional layers of technology.

If you can help us achieve our purpose of making compute hardware products more secure, we’re on the same page. Thanks for testing – we look forward to your feedback and suggestions!

Team Zymbit.


Overview

The SCM Beta kit provides all the hardware and software components required to evaluate the Zymbit Secure Compute Module. The product you are receiving is a beta release, which means the release is considered feature complete, but a few known bugs exist that have not yet been resolved. Refer to SCM Beta Release Notes.

Notice
All necessary Zymbit software has been pre-installed. No further installation is necessary. The pre-installed image is encrypted and cannot be replaced via rpiboot in the field. Please contact support@zymbit.com for assistance.

Register your device, receive SSH passphrase

Before getting started you will need to register your device to receive a unique passphrase that has been associated with your device by Zymbit. Register here:

Register


Contents of Kit

  • Zymbit Secure Compute Module including Pi CM4
  • Zymbit Secure Compute I/O Motherboard
  • (optional) Raspberry Pi CM4 I/O board (Datasheet)
  • Zymbit Perimeter Detect Cable for Channel 2
  • Zymbit External Battery
  • 12V Power Supply
  • USB drive with SSH keys necessary for SSH login

SCM Alpha Kit

Secure Compute Module

The Zymbit Secure Compute Module comprises a Zymbit Security Module + Hardware Wallet + Raspberry Pi CM4 integrated into a secure encapsulated module.

SCM Physical Architecture

SCM Functional Architecture

Highlights
  • 100% pin compatible with RPi CM4, all configurations.
  • 100% code compatible with RPi
  • Easy to Scale
  • Pre-fuzzed, pre-encrypted file system
    Notice
    The pre-installed image is encrypted and cannot be replaced via rpiboot in the field. Please contact support@zymbit.com for assistance.
  • Pre-loaded Linux kernel (bullseye 32-bit)
  • Pre-load with customer software
  • Pre-defined file manifest & policies
  • Custom MAC OUID blocks available
  • Embedded hardware wallet with SLIP39-Shamir’s Secret Sharing
Layers of Security
  • Supervised boot
  • Fully encapsulated
  • Last gasp power defenses
  • Tamper sense and response
  • File system encryption
  • Measured system identity & authentication
  • Data encryption & signing
Compute Options
  • Broadcom BCM2711, Quad core Cortex-A72 (ARM v8) 64-bit SoC @ 1.5GHz
  • LPDDR4 RAM: 1G to 8G, eMMC: 0G to 32G
  • 2.4/5.0GHz Wi-Fi & Bluetooth

Configure and Setup your SCM

1) Power On and Bootup
  • Connect the Ethernet cable and 12V power. The unit is designed to run headless. You do not need a monitor, keyboard, or mouse. As shipped, the hostname is zymbit-dev and a user named zymbit can be used for SSH login. SSH login is restricted to key-based authentication only.
Notice
Total boot time as configured should be approximately 90 seconds from power on.
  • Monitor the Blue LED on the Zymbit SCM module. It will go through the following stages:
    • one slow blink: initializing the SCM
    • one -> two -> three -> four blinks: Supervised Boot is verifying the signed file information
    • rapid blinking: Supervised Boot successfully completed, booting underway
    • blinking stops: USB bus enumeration found SCM; may stay off for seconds
    • one blink every 3 seconds: zkifc has loaded and the system is ready to go
Example of Successful Supervised Boot LED Sequence

2) Login via SSH with key

The SSH key is included on the USB drive in two formats: PPK for use with PuTTY and PEM for standard Linux ssh.

SSH login with PuTTY
  • Copy PPK key file zscn.ppk from USB drive to your host

Load SSH key file into PuTTY

Open PuTTY, navigate to SSH -> Auth, and Browse to the PPK file.

Configure and Save

Choose Session, then fill out the Host Name, the Session name, and Save.

Open SSH Session

Choose your saved session and Open. Enter the Passphrase you received from Zymbit when prompted.

SSH login from Linux CLI
  1. Copy PEM key file zscn.pem from USB drive to your host
  2. ssh -i zscn.pem zymbit@zymbit-dev
  3. Present your passphrase when prompted
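
To confirm from the host side that SSH login really is restricted to keys, the script below tightens the permissions on the copied PEM file and then asks the server which authentication methods it offers. This is an added example, not Zymbit's code; the function names are hypothetical, while the key file, user and hostname are the ones given above.

```shell
#!/bin/sh
# Added example (not Zymbit's code). Key, user and host names are from this page.
KEY=${KEY:-zscn.pem}
TARGET=${TARGET:-zymbit@zymbit-dev}

# ssh refuses a private key that group/other can read. Files copied from a
# USB drive often arrive with permissive modes, so restrict before first use.
secure_key() {
    chmod 600 "$1" || return 1
    mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")
    [ "$mode" = "600" ]
}

# Extract the method list from the refusal line printed by the ssh client:
#   "zymbit@zymbit-dev: Permission denied (publickey)."  ->  "publickey"
parse_auth_methods() {
    printf '%s\n' "$1" | sed -n 's/.*Permission denied (\([^)]*\)).*/\1/p'
}

# True only when publickey is the sole method the server will continue with.
only_publickey() {
    [ "$(parse_auth_methods "$1")" = "publickey" ]
}

# Connect without presenting any credential; the server's refusal names the
# methods it accepts. The host key must already be in known_hosts, because
# BatchMode cannot answer the first-connection prompt.
probe_auth_methods() {
    ssh -o BatchMode=yes -o PreferredAuthentications=none \
        -o PubkeyAuthentication=no -o ConnectTimeout=10 "$1" true 2>&1 | tail -n 1
}

main() {
    secure_key "$KEY" || { echo "could not restrict $KEY" >&2; return 1; }
    reply=$(probe_auth_methods "$TARGET")
    if only_publickey "$reply"; then
        echo "OK: $TARGET offers publickey only"
    else
        echo "CHECK: server replied: $reply" >&2
        return 1
    fi
}

# Run the live probe only when asked: sh check_scm_ssh.sh run
if [ "${1:-}" = "run" ]; then main; fi
```

A reply listing anything besides publickey (for example password or keyboard-interactive) means the login hardening is not in effect and is worth reporting as beta feedback.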

Using SCM: API and Examples

Support