Open Source Summit North America 2022

With IoT, 5G, and embedded devices becoming a big part of everyone’s daily lives, security should be on everyone’s minds. Security and more importantly trust in our embedded devices are essential for many reasons. Embedded devices have not always had good security with the last several years seeing a significant number of high-profile hacks that could prevent people from widely adopting IoT in their homes. The federal government also signed an executive order signed last year that requires companies selling connected devices must include a SBoM. But SBoMs are only a small part of the story around keeping embedded devices secure and from a developer and operator point of view, the more important issue is knowing that what you are running and deploying are from trusted sources. In this talk, we’ll discuss the security requirements for embedded Linux devices, with a focus on origin determination and how this can (or cannot) be achieved with the existing tools and practices. We’ll then go through a use case to show how all components of an embedded device can be signed, attested and verified with the help of Pantavisor Linux’s “revisions” and then drill down on code signing, and revoking (if necessary) the provenance of malicious and unsigned code on embedded Linux systems.