Not sure who was first(as the article linked isn't dated), but remember seeing something a few years back that someone else created as a business Linux card
Edit: somehow I duplicate posted when I edited my last comment, qchris beat me to posting this (and was on HN in 2019, I think I probably saw it on hackaday at the time)
I'm the author of the first article. I'm very pleased to see a trend of this theme!
Of course, the software on this card is perhaps more impressive than mine. All I did was patch the kernel and make an image. This card does all that and emulate a processor.
I was greatly entertained by the description of the DMA. I am unsure why DMA always ends up being the boogeyman, but I don't disagree.
"Booting up" [suspicious device] isn't really a security risk. It's it's own hardware with no access to anything else you own.
Plugging it into your PC, which this one seems to almost require, is the dangerous part of course, but not any more so than plugging in any other USB device. The fact this runs Linux is essentially irrelevant. A promotional USB stick, charging cable, battery bank or whatever other USB gadgets marketing departments throw around these days could hurt you just as easily.
An interesting application of this could be to share your PGP/whatever public key. Anything providing storage would work but maybe so would a full computer.
"My business card emulates a long-obsolete MIPS-based DEC computer, which then runs Linux" is a more accurate, and certainly significantly more impressive, description :)
Just you wait, i am working on booting ULTRIX on it, and then hopefully emulating JAZZ system and booting windows NT (video provided over virtual vnc over virtual ethernet over usb)
Windows NT had a fairly complete POSIX subsystem (for the time) [0] (but not virtualization layer) so you’d only be able to use Linux if it could compile as a rump kernel (it can’t).
That was followed by a replacement subsystem, Windows Services for Unix [1], which later used a “real” Unix compatible layer after their purchase of Interix.
WSLv1 was therefore the fourth subsystem available (though it couldn’t do some of what the previous ones did, and did some of what they couldn’t), and the complete rewrite as WSLv2 is at least the fifth such attempt.
I wish I still had my old DECStation 3100. I know there's an oil refinery near me that runs VAXStation 3100s to control SCADA systems still, in mint condition in glass-fronted racks in the control outstation buildings, with the protective plastic film still on the badges. I *want* those when they get decommed!
Fun story: since the kernel is kept in a FAT partition that Linux can (and does) mount on /boot, and since gcc works, one of these cards is currently sitting on my desk compiling its own kernel, so that i can then "cp vmlinux /boot; reboot" and have it boot a kernel built on it.
Trying to write optimized Huffman decompression code for the PlayStation 1 (which by total coincidence happens to be MIPS R3000-based) taught me this. C can go very far if you know how to optimize it, but at some point you are going to run into roadblocks anyway since the compiler will not generate the exact code you want it to generate. It will generate code that _looks_ compact and fast, but can't hold a candle to properly hand-rolled assembly that takes pipelining and asynchronous behavior into account.
And of course this gets worse with CPUs that were not designed to be a target for compiled code in the first place, i.e. the vast majority of 8-bit architectures which for better or worse still dominate the low-end microcontroller market.
Contrary to modern knowledge, C compilers were quite crappy back in those days, it was the increasing tricks used by C optmizisers, specially regarding the nowadays so beloved UB, that really improved it.
There is a reason why Michael Abrash books are all about Assembly.
I was so excited for the ATSAMD21 series when I first came across it maybe five or six years ago, because on paper it had most of everything I was looking for while remaining approachable for single-man dev teams and home(lab) assembly. Like OP, I found it extremely difficult to successfully use in practice, and have since then migrated to STMicroelectronics' offerings (STM32 MCUs, available in a huge range that includes Cortex-M0, M3, M4, M7, and now M33 for ARMv8-M). They're much more intimidating on paper, but they actually work like it says on the sticker.
I have a fondness for MIPS as I first learned CPU architecture and more advanced compiler design against it, but I'm surprised OP didn't go with ARMv7 support. The bi-endianness is almost a non-issue as it's effectively a Little Endian architecture with a Big Endian toggle for backwards compatibility - I can't say I'm positive, but my gut instinct would be that it's been forever since ARMv3 shipped defaulting to Little Endian, and most (if not all) of the kernel code has been migrated to Little Endian since then to unify with the most popular targets.
I've thinked about this one for the longest one, but I do not know anything about working on this kind of stuff. The only thing I know is that HDMI doesn't provide enough energy to power something like this, which would have been the most elegant solution
I wonder how simple I could make a business card with a microcontroller on it that only had a serial UART with copper pads to solder wires to, or some kind of pins.
People will be paranoid about inserting a USB device into their PC, but maybe a business card thing clearly labeled like "I am a 96008N1 RS232 terminal" would encourage people to wire it up and take a look.
People in the small UAV industry absolutely would since serial uarts are incredibly common interfaces on small flight controllers, how they talk to radios for command/control and to motor ESCs.
0.6mm is too loose in most cables. It works but is jiggly. 0.7 would be ideal. But my board house doesn’t do that thickness. 0.8 works very well and fits snugly.
It doesn't fix the software side, but I wonder if projects like this are a reasonable solution to hardware-based trusting trust worries. The real hardware is unlikely to know what it's being used for, and Linux is running in a custom VM that's tiny enough to audit.
What, just based off of the custom-ness of the device? I think the endgame of this type of security-by-obscurity is like a randomized FPGA computer trying to fool a hypervisor in the same chip.
More or less, yes. A backdoor has to be able to pattern match to find what it's backdooring; the more custom your implementation is the harder that should be. AIUI, it would be easy to make, say, a CPU that recognizes gcc doing a compile natively. It would be, I think, extremely difficult to create a CPU that recognizes the instructions to emulate a MIPS processor running gcc, especially when the emulator didn't even exist when the chip was taped out.
This is roughly how the game obfuscation layers work to prevent crackers. If it takes weeks for top hackers to crack a game, there's no way it will be done automatically by the chip that was taped out before the VM was generated.
I was contemplating something like this as I’ve been thinking about a modern business card. I don’t need to run Linux, but I do like some degree of interactivity and uniqueness associated with something I could hand out.
Very creative and original, but I don't think I want to plug any complete machine into mine, let alone over USB haha. This is sort of like passing out flash drives, and plugging it in hoping there's no malicious content.
I'm not a computer scientist, but can someone explain to me how this can be a computer without all the other bits you normally associate with it other than the CPU. I.e. a chip for interfaces, the mmu/fpu (I don't understand how you can get the cpu to cover this role?). I can see it doesn't have/need sound/gpu. Just would have thought more would be needed!
Given no graphics output and all I/O is via serial port... not directly. You could try SLiRP to get proper TCP/IP and use that to connect to an X server somewhere else, and ... I suppose I can't see any reason why that wouldn't work, actually. No promises about it fitting (you're not exactly drowning in free storage or RAM here), it'd be hilariously slow (like, I'd bet below 1 frame per second), but... maybe?
That really is the worst possible DMA engine. Given how those tiny cortex M0s rely on DMA to get pretty much everything done, it is confusing why atmel put a basically useless DMA engine in place.
Those chips generally have on-board RAM, so accessing it 14 times isn't much of a big deal. This DMA engine can be fed very quickly (in core clock cycles) if you are doing several DMA transfers at a time: write out all the descriptors to RAM and then just go one pointer at a time.
Very nice! At that amount your biggest expense would be in time.
Have you ever considered offering this as a service to others? I'm guessing you could make some pretty big savings in parts too if you were ordering in bulk.
Please don't dismiss this so easily. You don't need to be the head of anything to take security seriously. Regardless of who you are or what you do, everybody has secrets they should protect.
And I mean secrets not only in the "human" sense (what you like/dislike), but also technical (credentials and so on).
Losing say, your bank account because you plugged in a USB can be devastating no matter who you are.
If you wanted to do something nefarious, using a medium that has your contact details printed on it seems unwise.
We all have a line. You may not plug things into your USB ports, some people don't even connect to the internet.
Either way, if I have a secret I'm sure as hell not going to write it down, let alone put evidence of it on a computer. Defraud my bank if you want, that's between you and them and honestly they can afford it.
If you wanted to do something nefarious, using a medium that has your contact details printed on it seems unwise.
Then put someone else's contact details on it "Hey man, I just found this 'linux business card' with Linus Torvald's contact information on it -- plug it in and try it!"
I'd notice it isn't Linus handing me his business card. The author is handing this to people in person. I wouldn't use it if he was wearing a ski mask. If you are already there, showing your face, commiting crimes, just use a gun to get whatever you want and skip the cloak and dagger stuff.
That's a very unrealistic view of how that works. If you plug a USB into your computer and your computer is compromised, the next time you log into bank account your cookies are snagged and they do something with your money.
If it’s that easy to do, why do I get spam emails and texts with broken English? Seriously the earlier comment was accurate, if you feel the need to comment on the security of this obviously not nefarious project change fields, you don’t have the stomach for infosec.
Only heads of state are targets of black hat hackers?
The proliferation of virus scanners, firewall products and spam filters either means we have a lot of heads of state or a lot of people rich enough to own several computers and not give a damn about at least one of them.
> everyone’s naked under their clothes and it’s no big deal
Until the day you render human biological urges inconsequential to the one experiencing them, all that phrase adds up to is the kind of line a teenage boy uses to get his girlfriend's clothes off.
I can think of vastly more humiliating things, like a video of a woman spreading antivax or pro-choice propaganda. And, differently from a blowjob, which is just a religiously motivated prejudice, those acts are actually harmful and evil.
One can be impressed by the effort and ingenuity (I am) and still question the premise. Business cards have a purpose — to provide info about a person/company. This implementation defeats that purpose.
Plugging in any USB data device is prohibited by most infosec policies. Even if it wasn’t, it’s generally not a good idea. Not everyone has an isolated second computer.
I would argue the business card isn’t the card itself but the blog post detailing how it was made.
On the other hand, if you want to covertly infect someone's computer, probably don't etch your name and contact information prominently on the PCB of the infecting device.
I'm going to assume that someone handing me their contact details is someone I probably don't know well enough to know whether those details are correct.
That is why I provide sources. Inspect them and tell me if you find anything scary. At most, maybe i forgot to implement some corner of USB-CDC spec :D
To be very clear, since someone else got confused: This is awesome, and you should be proud. I'm just probably not plugging it into my work computer. :-p
But you have no way to prove your business card actually runs the released source. And if users are expected to build from source, the card becomes less meaningful.
Similar to the original comment, I fully agree this is a very cool thing. But a business card, which is by definition given to people that likely neither know or trust you, is probably not a particularly good application for it.
If you have no way to reach the console, how do you know it's running Linux? Or doing anything at all really? The card has no way to display anything by itself.
If you need all kinds of "condoms", each allowing a single protocol, you lose the "universal" part. It would be just as annoying as specialized adapters.
Tracked it down: https://hackaday.com/2019/12/24/now-even-your-business-card-...
https://www.thirtythreeforty.net/posts/2019/12/my-business-c...
This design looks better.
Both creative
Edit: somehow I duplicate posted when I edited my last comment, qchris beat me to posting this (and was on HN in 2019, I think I probably saw it on hackaday at the time)