Just a few notes on what I’m doing with my RockPro64, and with anything using a Rockchip SoC in general.
First off, I’m typing this on the RockPro64, so it isn’t like I’m abandoning it.
I just did a full update to Armbian / Buster (latest release) on it. Yesterday, I’d tried Armbian / Focal (Ubuntu latest release). Focal had garbled sound on videos at YouTube and playback “had issues”. Buster works Just Fine.
So, with a new Armbian Buster on it, playback of videos is GREAT. The A72 cores can drive my TV at full motion 1080p without issues. (With the right working OS…) I’ve now moved it to the Bedroom TV as the media driver for it. I’ll also do very occasional postings from there. BUT, it gets NO logins to financial places, no email, no random browsing of odd websites. It isn’t used to download software or really do anything much that requires high security.
Why? Well, basically, because China has become “An Issue” and they will be increasingly hostile. To the extent they have backdoors, or just know in detail the places where there is an exploit available in their products, that’s an exposure. And the RockPro64 uses a Chinese CPU / SoC.
Rockchip (Fuzhou Rockchip Electronics Co., Ltd.) is a Chinese fabless semiconductor company based in Fuzhou, Fujian province. Rockchip has been providing SoC products for tablets & PCs, streaming media TV boxes, AI audio & vision, IoT hardware since founded in 2001. It has offices in Shanghai, Beijing, Shenzhen, Hangzhou and Hong Kong. It designs system on a chip (SoC) products, using the ARM architecture licensed from ARM Holdings for the majority of its projects.
Rockchip has been ranked one of the TOP50 Fabless Company IC Suppliers Worldwide. The company established cooperation with Google, Microsoft, Intel. On 27 May 2014, Intel announced an agreement with Rockchip to adopt the Intel architecture for entry-level tablets.
Rockchip is a supplier of SoCs to Chinese white-box tablet manufacturers as well as supplying OEMs such as Asus, HP, Samsung and Toshiba.
As there are binary blobs of firmware loaded to “make it go”, it might be possible to sneak an exposure into a normal “firmware update”. There is a way to get “blobless boot” but I’ve not done that (yet). So the easier thing is to just isolate the usage profile (and eventually move the board to the TVs-Only network).
Blobless boot with RockPro64
Posted on 2019-09-15 by Andrius Štikonas
This is a guide for booting RockPro64 computer (https://www.pine64.org/rockpro64/) without using any proprietary blobs. RockPro64 is based on Rockchip’s rk3399 SoC, so if you have some other rk3399 board, you might still find this guide useful.
I’m using Gentoo GNU/Linux in this guide but steps should be quite similar on other distributions.
IF you ever wondered why the hard core security type guys, like at OpenBSD, were so obsessive about “Binary Blobs”, now you know why. It is quite possible, and in fact somewhat likely, that someone from the CCP Military will have at least explored how to embed an exploit in the Binary Blob device drivers et al. Normally, the threat level of that is quite low due to the low value of hacking into an IoT embedded system ARM chip like a doorbell or washing machine. But these particular chips are used in lots of tablets and phones and such. Higher value targets. Also, the Chinese have a huge amount of dirt cheap labor, so the wasted time poking at a million devices to find the dozen that matter is not as high a cost to them. Their cost / benefit ratio is much better for the hack.
Thus my moving it over to TV La La Land use.
When I have time, in a few months?, I’m going to convert this board to Devuan (via that ‘assemble the parts yourself’ approach noted on the XU4 thread). In fact, this install of Buster is precisely to get that base level install done (later to swap out userland for Devuan…). But since that’s a longer slower someday as time permits kind of project, for now, this board leaves the Lab Network where more interesting things are done ;-)
Because of the “blob” issue, I need to work out the steps to incorporate the Gentoo Blobless method with the Devuan “Franken Build” of Buster kernel, modules, headers, libraries and Devuan Userland. I’m assuming that whole thing is not just an afternoon with a cuppa but more like a week or three of tech wilderness wandering. It will be fun (to me ;-) to do it, but not at this time.
I’m also going to evaluate my Rock64 and Pine64 for SoC Blob and Chinese exposures and treat them accordingly. As they spend 99% of their time turned off in a box, that’s not high priority either. More a “Someday Thing”. I’m planning to go Franken Devuan on them, as well, now that I know it can be done. I suspect the process will be highly similar across all the Rock/Pine products.
Their (Pine) slogan of “Designed in Silicon Valley made in Silicon Delta China” was known to me when I bought the boards, and I knew this potential risk existed. I’ve generally preferred the Korean Odroid brand for their avoidance of China parts and risks. But Odroid has a bothersome signed bootloader, so I wanted to know there was a reasonable easier alternative.
Do note: I’m not particularly paranoid about the China Chip risk. I don’t really have anything to steal (public climate data? copies of public Linux releases?) and I’m not prone to a lot of risky behaviors that get you exposed to a lot of hack attacks. It is more just a few decades of professional computer security habit causing me to ‘be aware’, and that is made less present if I do something about it.
I do like the RockPro64 as a hardware platform. It would be better with 2 x USB 3.0 ports instead of just one. (Part of my slow disk to disk copy with Slackware may well have been the USB 2.0 on one of the disks and the need to move data between the two port types.) As a Media Server / Occasional Browser it is a great solution. Putting it here also frees up my Odroid N2 (which has more fast cores and more USB 3.0 ports) to go back to the Lab and get an OS upgrade (now that the software is more mature and it is no longer the “newest board with quicky sloppy OS port…”). So I’m going to bring it up to date, too. (AND that will also update the Chromium browser on it, removing that security risk / exposure.) It will then be used as the station for Disk Management. Having lots of fast cores and fast ports means moving around TB of disk goes a lot faster on it. I’m also hopeful that the same Franken Devuan system build approach will let me move it from Android to Devuan too.
Would I feel afraid if all I had was one RockPro64 and couldn’t just segment my usage over multiple systems / networks? Not really. Yes “security by obscurity” is no security at all… but… The likelihood of a hack attack on the RK3399 SOC on RockPro64 boards is pretty slim.
Were I planning an attack on RK3399 systems, I’d likely do an upfront screen to preferentially attack the higher value targets using the chips. Routers, tablets, cell phones. I’d avoid the “Hacker Board” community for 2 large reasons. 1) Not much of interest to get there. 2) MUCH higher probability someone will notice the attempt and issue a warning / patch / piss in my beer.
But I would buy a few different uSD cards at $8 or so each and segment my work across them. One for “financial and such” tasks. One for “recreational browsing and music and videos”. One for “tech and software stuff”. Then if you DO hit an abusive web site that hacks the box, they get your YouTube play list and saved music, but not your financial / email stuff or your photo archive on the media editing station. Easy high value “fix” for much of the risk profile.
Furthermore, I’m pretty sure the folks at Pine in Silicon Valley AND their user community are the kind of folks who will be indulging in excessive scrutiny of any chip designs, fab products, and binary blobs (especially if it grows by 20% with no apparent change of function…)
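The “sneak an exposure into a normal firmware update” worry above, and the “grows by 20% with no apparent change of function” heuristic, both come down to one habit: pin the size and hash of every blob on a known-good install and diff the next update against that pin. Here is a small script that does exactly that. It is an added example for this post, not Pine64, Armbian or Rockchip tooling; the blob file names, the bytes, and the 20% growth threshold are all constructed for the demo.

```python
"""Pin firmware blobs from a known-good install and flag suspicious changes in an update.

Added example (not from the post above, nor from Pine64 / Armbian / Rockchip).
Assumptions: a baseline manifest was recorded once from a trusted install; the
file names and contents below are constructed so the script runs offline.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass

# Flag a blob that grows by more than this fraction (20% is an assumed threshold).
GROWTH_LIMIT = 0.20


@dataclass(frozen=True)
class BlobInfo:
    size: int
    sha256: str


def fingerprint(blobs: dict[str, bytes]) -> dict[str, BlobInfo]:
    """Record size and SHA-256 of each blob so a later update can be compared to it."""
    return {
        name: BlobInfo(len(data), hashlib.sha256(data).hexdigest())
        for name, data in blobs.items()
    }


def compare(baseline: dict[str, BlobInfo], current: dict[str, BlobInfo],
            growth_limit: float = GROWTH_LIMIT) -> list[str]:
    """Return one finding per blob that is new, missing, changed, or grew past the limit.

    A blob whose hash matches the pin produces no finding; the order of findings
    is by file name so the report is stable across runs.
    """
    findings: list[str] = []
    for name in sorted(set(baseline) | set(current)):
        old, new = baseline.get(name), current.get(name)
        if old is None:
            findings.append(f"NEW      {name}: unexpected blob ({new.size} bytes)")
        elif new is None:
            findings.append(f"MISSING  {name}: blob removed from the update")
        elif old.sha256 != new.sha256:
            # Guard against a zero-length pinned blob so growth is always defined.
            growth = (new.size - old.size) / old.size if old.size else float("inf")
            tag = "GREW" if growth > growth_limit else "CHANGED"
            findings.append(
                f"{tag:<8} {name}: {old.size} -> {new.size} bytes "
                f"({growth:+.0%}), hash differs"
            )
    return findings


def update_is_clean(baseline: dict[str, BlobInfo], current: dict[str, BlobInfo]) -> bool:
    """True only when every pinned blob is byte-identical and nothing was added or dropped."""
    return not compare(baseline, current)


def sample_findings() -> list[str]:
    """Constructed data: a trusted baseline and an update with three kinds of change."""
    trusted = fingerprint({
        "ddr_init.bin": b"d" * 1000,
        "bl31.elf": b"b" * 5000,
        "miniloader.bin": b"m" * 2000,
    })
    update = fingerprint({
        "ddr_init.bin": b"d" * 1000,                 # unchanged
        "bl31.elf": b"b" * 5000 + b"x" * 1500,       # +30%: grew past the limit
        "miniloader.bin": b"m" * 1999 + b"z",        # same size, different bytes
        "extra.bin": b"e" * 10,                      # blob that was never pinned
    })
    return compare(trusted, update)


if __name__ == "__main__":
    for line in sample_findings():
        print(line)
```

In practice `fingerprint` would be fed the blob files read off the trusted image (e.g. whatever `u-boot` / TPL / BL31 binaries the board image ships), the resulting manifest stored somewhere the board cannot rewrite, and `compare` run against the files in each new update before flashing. A size that stays constant while the hash changes still deserves a look; the growth tag is only there to make the blatant case stand out.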
I’m just looking at it thinking: The Odroid N2 would be much better used on my lab desktop and the RockPro64 makes a dandy Media Station and the N2 software has enough age on it now… so why not swap them? Getting the Chinese SoC moved out of the inside network is just Security Gravy.