groov EPIC Edge Computing Security, Part 2: Linux Operating System and Repository


groov EPIC Security Series, Part 6: Linux Operating System and Repository


The OS, or operating system, of groov EPIC is very different from traditional controllers. Instead of a proprietary OS, EPIC uses an open-source Linux® operating system.

From a security standpoint, an open source OS sounds scary. But in many ways it is more secure than a closed-source one, especially a well-known and often-attacked OS such as Microsoft® Windows®.



One of the advantages of open source is that it is crowdsourced. Open-source software is largely used to power the internet, and a worldwide community supports the code base. Because of the huge number of developers working on Linux, vulnerabilities tend to be addressed very quickly and thoroughly. That's the power of the crowd. With such a large number of developers viewing and developing the source code, safer and more reliable software results.

The open-source nature of Linux can also be less open than you might think. In other words, there are several custom distributions of Linux in the world today for very specific devices.


If you're not familiar with it, the Yocto Project is a multi-vendor initiative that was started in late 2010. It is not a Linux distribution itself; it's a tool set. It provides the means and methodologies for developers to create custom-made Linux distributions for their embedded Linux hardware. It's still Linux under the hood, but it's not the typical Linux approach of "one size fits all." Instead, it's purpose-built for a specific device.


"The easiest vulnerability to address is the one you don't include," noted Ryan Ware, Security Architect at Intel®, in 2017.

That's exactly why we use a Yocto Project build of Linux in groov EPIC. Our Yocto build is custom built just for the groov EPIC, and we include only the packages required for EPIC functionality. Leaving out all unneeded packages reduces attack vectors, because every application you add makes it more difficult to keep your installation secure, stable, and up to date.


On top of all this, the Yocto build of EPIC Linux (basically, the EPIC's firmware) is cryptographically signed with the Opto 22 Private Key. (See our blog post on encryption and how certificates work for more about private keys.) This cryptographic signature proves that it's been built by Opto 22 and guarantees that the firmware has not been altered or corrupted since it was signed.

Any firmware or software package anyone might try to upload to the EPIC must be Opto 22 cryptographically signed, or the processor will not accept it.


It's interesting to note that Linux generally does not use code signing, since its open-source nature lends itself to code inspection. However, Opto 22 has chosen to use code signing to protect the EPIC, because it is a control system.

If you're a developer using Secure Shell access (SSH) with groov EPIC, you may notice that the software repository (or repo) seems smaller than you expect. The repo is where code packages are stored so developers can pull them in order to build their custom applications. Because all code has been signed by the Opto 22 key, the repo may seem smaller than usual, but it is safer.



Usually a shell command like apt-get is used to download and install the required function from the repo. Apt-get still works exactly the same for groov EPIC, but it checks only the Opto 22 repo and pulls only software that has been known to work with the groov EPIC system. Of course the repository is not static; we add to it as needed for each groov EPIC firmware update.
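A defender-side check for the repository restriction described above, as an added example that is not Opto 22's code: it audits APT one-line source entries and reports any that point outside a single allowed host or that switch off signature verification. The host name `repo.vendor.example`, the function names, and the sample entries are constructed assumptions; the real EPIC repository address is not given on this page.

```shell
#!/bin/sh
# Added example: audit APT source entries against one allowed repository host.
ALLOWED_HOST="repo.vendor.example"   # placeholder, not the real vendor host

# Constructed sample in one-line sources.list format (fields separated by spaces).
sample_sources() {
cat <<'EOF'
# vendor repository (constructed sample)
deb https://repo.vendor.example/epic stable main
deb [arch=armhf trusted=yes] https://repo.vendor.example/epic stable extras
deb http://mirror.thirdparty.example/debian stable main
deb-src [allow-insecure=yes] https://repo.vendor.example/epic stable main
EOF
}

# audit_sources HOST: reads entries on stdin, prints one finding per problem.
audit_sources() {
  allowed="$1"; n=0
  while IFS= read -r line || [ -n "$line" ]; do
    n=$((n + 1))
    line=${line%%#*}                       # drop comments
    case "$line" in
      deb\ *|deb-src\ *) ;;                # only real source entries
      *) continue ;;
    esac
    rest=${line#* }                        # drop the "deb"/"deb-src" keyword
    rest=${rest#"${rest%%[! ]*}"}          # trim leading spaces
    opts=""
    case "$rest" in
      "["*"]"*)                            # optional "[key=value ...]" block
        opts=${rest%%"]"*}; opts=${opts#"["}
        rest=${rest#*"]"}; rest=${rest#"${rest%%[! ]*}"} ;;
    esac
    uri=${rest%% *}
    host=${uri#*://}; host=${host%%/*}; host=${host##*@}; host=${host%%:*}
    [ "$host" = "$allowed" ] || echo "line $n: FOREIGN_HOST $host"
    for o in $opts; do
      case "$o" in                         # options that relax apt's signature checks
        trusted=yes|allow-insecure=yes|allow-weak=yes|allow-downgrade-to-insecure=yes)
          echo "line $n: SIGNATURE_CHECK_WEAKENED $o" ;;
      esac
    done
  done
}

sample_sources | audit_sources "$ALLOWED_HOST"
```

On a real system the same function can be fed the contents of `/etc/apt/sources.list` and the `.list` files under `/etc/apt/sources.list.d/`; an empty result means every entry points at the allowed host with signature checking left on.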

Put all this together and the raw power of the Linux OS gives groov EPIC a very long life with room to grow in the future, all the while helping you build a more secure system.


June 26, 2019 07:54