Unique Card ID

Is there a code-accessible globally unique ID for each CPU card?

 

We have customers with multiple systems with differing specifications (i.e. they have paid for advanced features on one system). We want to prevent cloning of the better system. Hiding a file / MAC addresses can be cloned.

 

Do we have to buy USB dongles (we would rather not)? Do you recommend one? (I am tempted by a UniKey STD)...

The best procedure would be to change the Delta Tau default password. This would prevent anyone from entering the underlying Linux file system without the password.

I didn't think this would prevent a filesystem image clone from one PPMAC to another, or would it?

Yes, because it will prevent a user form logging into the Linux file system and running a "dd" command or anything for that matter - even the IDE. Note that this is the Linux logon password not the IDE's encryption password.

Sorry Steve, I was talking about connecting a PC directly to the daughterboard USB socket which mounts it as a drive, running WinImage to backup one PPMAC to VHD and restore to another. It is the same approach you use to repair a bricked card (and maybe even when you commission a new card) or put your non-video image on a card.

 

Also the direct USB connection bypasses the need for root login to examine the filesystem and edit files on it as a removable drive.

 

I have pointed out this security flaw before.

Encrypted "dongle" code is the only option then.

daves:

 

How about reading the hardware MAC address and hashing it to generate a unique ID, in combination with encrypting the filesystem?

 

You will also need to create a script to delete the /.readonly/etc/udev/rules.d/70-persistent-net.rules file on powerup. If this file isn't found, the kernel will automatically read the MAC address(es) from hardware instead of from disk next time it boots.

 

Then if they clone the filesystem to a different card it will generate different MAC addresses, which will hash to different ID numbers. Because the filesystem is encrypted they won't be able to change the MAC addresses.

Thanks for the replies.

 

shansen: That sounds like an interesting idea. If we had more resources I would look into it. Not sure about encrypting the filesystem (how to do it or what it might affect...)

 

I think the risk of our customers actually bothering to "crack" our systems is very small so we are looking for a minimal effort solution. We have experience of dongles and the UniKey one seems to have linux driverless ability to get a HID or SoftID (plus other features we may find useful in future). I'm going to evaluate it.

So, I examined firmware 2.1.0.39 and see the addition of libSecureDongle. This seems to be exactly what I was asking about! Is there going to be a DT supported dongle option?

 

Should I hold off on investigating UniKey? I have some on order and to be honest we like the nano size they offer (can't see that on SecureDongle)...

This will not be supported in future firmware versions. You should go ahead and investigate other options.

OK thanks for the info