About the Fobnail project
Fobnail is a project that aims to provide a reference architecture for building offline integrity measurement verifiers on a USB device (the Fobnail Token) and attesters running in Dynamically Launched Measured Environments (DLME). It allows the Fobnail owner to verify the trustworthiness of the running system before performing any sensitive operation. This project was founded by the NLnet Foundation. More information about the project can be found in the Fobnail documentation. Also, make sure to read the other posts related to this project by visiting the fobnail tag.
Communication in CHARRA
CHARRA is the “Challenge/Response Remote Attestation” interaction model from the IETF RATS Reference Interaction Models for Remote Attestation Procedures, using TPM 2.0. In this project, the attester and verifier communicate with each other using libcoap. To make that possible, we need to implement Ethernet over USB on the Fobnail Token. We decided to use Rust, since the nrf-hal project provides us with a USB driver, and our research showed that EEM (the USB CDC Ethernet Emulation Model) would be the most appropriate protocol for carrying Ethernet over USB. Additionally, we use smoltcp, an interesting project that provides an implementation of a TCP/IP stack.
The Fobnail SDK
We started our work with the Fobnail SDK. This is a Docker container with all the tools essential for building and flashing Fobnail firmware. You can build the SDK in a few minutes.
Building applications for Fobnail
With the Fobnail SDK ready, we moved on to running the hello-world example using the Rust nrf-hal crate. It turns out that the repository is missing an example for the nRF52840, which we use as the Fobnail prototype. We had to port the
and the needed code can be found on
fork of the nrf-hal project. The full process is described in the
The next step was to implement the EEM protocol and integrate it with smoltcp. The code can be found here. As in the hello-world example, here we also use the dockerized Fobnail SDK, which allows building Rust applications. During the development, we encountered some
and the status of the current
can be found in the Fobnail documentation.
The last step was to prepare a Fobnail firmware example, which for now is an application that reads Ethernet frames and sends them back unchanged using the Ethernet over USB driver. The code is available here. The repo contains build.sh, which builds the firmware for the selected platform. Building is simple and requires only a single command (once the repo is cloned).
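To make the two pieces above concrete, the EEM framing chosen for Ethernet over USB and the "read Ethernet frames and send them back unchanged" behaviour of the firmware example, here is an added example in host-side Rust. It is not code from the Fobnail, nrf-hal or smoltcp projects. It implements the USB CDC EEM packet layout (a 16-bit little-endian header; bit 15 selects data or command, bit 14 of a data header says whether a real FCS follows or the 0xDEADBEEF sentinel, and the low 14 bits give the Ethernet frame length including the 4-byte FCS), and models the firmware as a function that walks one USB transfer, answers Echo commands and echoes every Ethernet frame back. It assumes `std` and `Vec` for clarity (firmware would use fixed buffers), implements CRC-32 inline rather than via a crate, and uses a constructed sample frame rather than a capture. The names `parse_packet`, `encode_data`, `encode_echo_response` and `echo_transfer` are this example's own.

```rust
// Added example (not Fobnail/nrf-hal/smoltcp code): USB CDC EEM framing plus a model of
// the "echo frames back unchanged" firmware. Runs on a PC without USB hardware.
// Assumptions: std Rust with Vec; inline CRC-32; constructed sample input.

const EEM_TYPE_COMMAND: u16 = 1 << 15;     // bit 15: 0 = data packet, 1 = command packet
const EEM_DATA_CRC_PRESENT: u16 = 1 << 14; // data: 1 = real FCS appended, 0 = 0xDEADBEEF sentinel
const EEM_DATA_LEN_MASK: u16 = 0x3FFF;     // data: Ethernet frame length including the 4-byte FCS
const EEM_CRC_SENTINEL: [u8; 4] = [0xDE, 0xAD, 0xBE, 0xEF];
const CMD_ECHO: u16 = 0;          // bmEEMCmd values (bits 13..11 of a command header)
const CMD_ECHO_RESPONSE: u16 = 1;

#[derive(Debug, PartialEq)]
pub enum EemPacket {
    Data(Vec<u8>),                         // Ethernet frame with the FCS stripped
    Echo(Vec<u8>),                         // Echo command payload; must be answered
    OtherCommand { cmd: u16, param: u16 }, // hints/tickle: no payload, safe to ignore
    Padding,                               // all-zero header: zero-length EEM packet
}

#[derive(Debug, PartialEq)]
pub enum EemError { Truncated, BadLength, BadCrc }

/// IEEE 802.3 FCS: reflected CRC-32, polynomial 0xEDB88320, init and final XOR 0xFFFFFFFF.
pub fn crc32(data: &[u8]) -> u32 {
    let mut crc = 0xFFFF_FFFFu32;
    for &b in data {
        crc ^= b as u32;
        for _ in 0..8 {
            let mask = (crc & 1).wrapping_neg();
            crc = (crc >> 1) ^ (0xEDB8_8320 & mask);
        }
    }
    !crc
}

/// Parse one EEM packet from the start of `buf`; returns it and the number of bytes consumed.
pub fn parse_packet(buf: &[u8]) -> Result<(EemPacket, usize), EemError> {
    if buf.len() < 2 { return Err(EemError::Truncated); }
    let header = u16::from_le_bytes([buf[0], buf[1]]);
    if header == 0 { return Ok((EemPacket::Padding, 2)); }
    if header & EEM_TYPE_COMMAND != 0 {
        let cmd = (header >> 11) & 0x7; // bits 13..11: bmEEMCmd
        let param = header & 0x7FF;     // bits 10..0: bmEEMCmdParam
        if cmd == CMD_ECHO {
            let len = param as usize;   // for Echo the parameter is the payload length
            if buf.len() < 2 + len { return Err(EemError::Truncated); }
            return Ok((EemPacket::Echo(buf[2..2 + len].to_vec()), 2 + len));
        }
        return Ok((EemPacket::OtherCommand { cmd, param }, 2));
    }
    let len = (header & EEM_DATA_LEN_MASK) as usize;
    if len < 4 { return Err(EemError::BadLength); }              // must at least hold the FCS
    if buf.len() < 2 + len { return Err(EemError::Truncated); }  // never read past the transfer
    let frame = &buf[2..2 + len - 4];
    let fcs = &buf[2 + len - 4..2 + len];
    if header & EEM_DATA_CRC_PRESENT != 0 {
        let got = u32::from_le_bytes([fcs[0], fcs[1], fcs[2], fcs[3]]);
        if got != crc32(frame) { return Err(EemError::BadCrc); }
    } else if fcs != &EEM_CRC_SENTINEL[..] {
        return Err(EemError::BadCrc); // sentinel mode still requires the marker bytes
    }
    Ok((EemPacket::Data(frame.to_vec()), 2 + len))
}

/// Wrap an Ethernet frame (without FCS) as an EEM data packet.
pub fn encode_data(frame: &[u8], with_crc: bool) -> Vec<u8> {
    let len = frame.len() + 4;
    assert!(len <= EEM_DATA_LEN_MASK as usize, "frame too long for a 14-bit length");
    let crc_flag = if with_crc { EEM_DATA_CRC_PRESENT } else { 0 };
    let header = len as u16 | crc_flag;
    let mut out = header.to_le_bytes().to_vec();
    out.extend_from_slice(frame);
    if with_crc { out.extend_from_slice(&crc32(frame).to_le_bytes()); }
    else { out.extend_from_slice(&EEM_CRC_SENTINEL); }
    out
}

/// EchoResponse command carrying the Echo payload back to the host.
pub fn encode_echo_response(payload: &[u8]) -> Vec<u8> {
    let header = EEM_TYPE_COMMAND | (CMD_ECHO_RESPONSE << 11) | payload.len() as u16;
    let mut out = header.to_le_bytes().to_vec();
    out.extend_from_slice(payload);
    out
}

/// Model of the described firmware: walk one USB transfer (which may carry several EEM
/// packets), answer Echo commands, and send every Ethernet frame back unchanged.
pub fn echo_transfer(transfer: &[u8]) -> Result<Vec<u8>, EemError> {
    let mut reply = Vec::new();
    let mut pos = 0;
    while pos < transfer.len() {
        let (packet, used) = parse_packet(&transfer[pos..])?;
        pos += used;
        match packet {
            EemPacket::Data(frame) => reply.extend(encode_data(&frame, true)),
            EemPacket::Echo(payload) => reply.extend(encode_echo_response(&payload)),
            EemPacket::OtherCommand { .. } | EemPacket::Padding => {}
        }
    }
    Ok(reply)
}

fn main() {
    // Constructed sample (not a capture): broadcast dst, locally administered src, ARP ethertype, 4 bytes.
    let mut frame: Vec<u8> = vec![0xFF; 6];
    frame.extend_from_slice(&[0x02, 0x00, 0x00, 0x00, 0x00, 0x01, 0x08, 0x06, 1, 2, 3, 4]);
    let mut transfer = encode_data(&frame, false); // hosts may send sentinel-mode packets
    transfer.extend_from_slice(&[0, 0]);           // zero-length EEM packet used as padding
    let reply = echo_transfer(&transfer).expect("well-formed transfer");
    println!("sent {} bytes, got {} bytes back", transfer.len(), reply.len());
}
```

The length check before every slice is the part worth copying into real firmware: the 14-bit length comes from the host and must be bounded by the bytes actually received in the transfer, otherwise a short or malformed packet turns into an out-of-bounds read. Rejecting a wrong FCS (or a missing sentinel) keeps corrupted frames from ever reaching smoltcp.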
Running Fobnail firmware
Running the Fobnail demo on the nRF52840 is really straightforward, provided the environment was correctly prepared.
have been made publicly available. Running the firmware is also handled by build.sh, which automatically builds the firmware (if needed), flashes it to the target device and spawns an RTT console (used for debugging). The example presented below was executed with the dongle attached to a PC USB port.
The Fobnail firmware can also run directly on a PC (see Developing firmware on PC), which makes it possible to develop firmware without any additional hardware.
In the phase described here, we were able to implement Ethernet over USB and run it properly on the nRF52840 dongle. It is also worth paying attention to the provided code that lets you use this implementation in isolation from the hardware layer, without using the USB standard. This will allow work on CHARRA functionality in the future without the need for hardware. Future development of this project will be presented in subsequent blog posts.
If you think we can help in improving the security of your firmware, or you are looking for someone who can boost your product by leveraging advanced features of the hardware platform you use, feel free to book a call with us or drop us an email at contact<at>3mdeb<dot>com. If you are interested in similar content, feel free to sign up for our newsletter.