
For a secure key generator using YubiKeys to back up master private keys and separate YubiKeys to contain authentication subkey private keys, I'm looking for a way to run a Raspberry Pi Zero with no writable storage as a potential key-leaking channel, besides the network isolation (air gap) the Pi Zero has by nature. Since the Pi Zero is capable of booting from USB, I think booting from a one-time writable CD/DVD medium would tackle this. Skimming the internet gave me no results yet, other than running in RAM with a read-only SD card image like Nard. So my questions are: Would it be possible to have the Pi Zero boot from a CD/DVD? This is different from booting from a hard drive, since CD-ROM or DVD-ROM drives have different boot handling.

If so, where to start to create a live distro from, i.e., Raspbian or another Raspberry Pi Linux distro which only needs a command-line shell?

Thanks //Serge

  • Your CD/DVD drive would have to be connected via USB, and most of them require more than 500 mA to spin the disc. That is why most of them have two USB type A plugs or use USB 3.0, even though they can never achieve the speed. Also, I don't know if booting from optical media is implemented on a SoC that is intended for use with smartphones. So if you have seen an Android phone booting off a Linux Live CD, then there are chances. Why don't you go for those USB sticks with write protection? Flash them once and then dismount the switch. – kwasmich Jun 19 '19 at 13:35
  • You cannot boot a Pi Zero from USB. Only the Pi3 models support this. – Milliways Jun 20 '19 at 00:49

1 Answer

The assumption that the Pi Zero can boot from USB seems wrong. I can't find the source that gave me this idea again. It might still be possible with some tricks (a custom bootcode.bin on an SD card, removing it after the boot process of the CD is finished), but it will all be too complex to build. So I decided to find another way to create a proper air-gapped key generator and not investigate this option further.

//Serge