From owner-freebsd-hackers@FreeBSD.ORG Tue Dec 19 15:46:16 2006 Return-Path: X-Original-To: freebsd-hackers@freebsd.org Delivered-To: freebsd-hackers@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id AC22416A416 for ; Tue, 19 Dec 2006 15:46:16 +0000 (UTC) (envelope-from devon.odell@gmail.com) Received: from py-out-1112.google.com (py-out-1112.google.com [64.233.166.180]) by mx1.FreeBSD.org (Postfix) with ESMTP id 0274F43C9F for ; Tue, 19 Dec 2006 15:46:15 +0000 (GMT) (envelope-from devon.odell@gmail.com) Received: by py-out-1112.google.com with SMTP id f31so1007305pyh for ; Tue, 19 Dec 2006 07:46:15 -0800 (PST) DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=qH3UzyyK/by9ijuFpb3Hz2qGXJM0dciN3cND9bYZsTlz5IxpBaVwPlBCYXr7NDXak+3SCJWcO3bt0/O5imXdBSxlOvFhNv9/x8clUJeUwHMt7Lri5e9S10mc7TUq2WWHUSa3TPJaYKmuhqQZQRzgMNkUhdTIHPxbzx3Td79ytYs= Received: by 10.35.50.1 with SMTP id c1mr10344827pyk.1166541555492; Tue, 19 Dec 2006 07:19:15 -0800 (PST) Received: by 10.108.12.19 with HTTP; Tue, 19 Dec 2006 07:19:15 -0800 (PST) Message-ID: <9ab217670612190719r4d72c1d5tcf793aca5c781401@mail.gmail.com> Date: Tue, 19 Dec 2006 10:19:15 -0500 From: "Devon H. O'Dell" To: "Koen Martens" In-Reply-To: <4587F6F1.1050000@metro.cx> MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Content-Disposition: inline References: <4587F6F1.1050000@metro.cx> Cc: freebsd-hackers@freebsd.org Subject: Re: unique hardware identification X-BeenThere: freebsd-hackers@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Technical Discussions relating to FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 19 Dec 2006 15:46:16 -0000 2006/12/19, Koen Martens : > Hi All, > > I was wondering, if something like a unique hardware identification > would be possible on FreeBSD. > > I'd like a machine to authenticate to a server, for which it will > need a unique identification. Problem is, it should be generated > automatically and not easy to fake / detect without already having > root access to the box. > > I'm thinking of something like combining serial numbers from > CPU/disks for example, but there does not seem to be a clear way to > obtain these (not all cpu's even have a serial number in there). > > I am just inquiring if someone on this list has an idea that might > help with this problem. > > Gr, > > Koen Hey Koen, I know a lot of people / companies use the MAC address of a given interface for this purpose, but it's not generally very useful since most interfaces will allow you to set your own MAC address. Something you could use instead is a one-wire device, attached to the motherboard (if it has a header for it). If the motherboard does not, you can get LCDs from e.g. CrystalFontz that provide an interface to such devices. The Dallas one-wire thermometers have a unique 64-bit identifier on them, however this is only really useful if you have the ability to control the hardware platform. If you are attempting to identify a specific hardware platform (e.g. a standard set of motherboards and devices), you can enumerate devices and device IDs on the PCI bus, creating some sort of hash of those. In the end, with the client controlling the hardware, client-side security and validation is rather difficult. Even hacking the kernel to only run signed binaries is going to be difficult to keep secure, even keeping the key in some hardware secured storage, shipping the system without a debugger or symbols, and controlling the hardware. Thank you, media, for blowing the Pentium III CPUID feature up into something horrible. Uniquely identifiable hardware is very useful when licensing :\. Regarding your questions, the serial number of the hard drive is usually not too difficult to figure out. Take a look at atacontrol(8), for instance: dho# atacontrol cap ad4 Protocol Serial ATA II device model WDC WD1600JS-75NCB2 serial number WD-WCANM3753524 The serial number should be unique. camcontrol(8) can probably give you similar information for SCSI disks. Hope this is of some use. I'd be interested in seeing what others are doing. Kind regards, Devon H. O'Dell