Raspberry Pi in Secure Embedded Systems: WTF? (What? That Fails)

Written by randyhyde@me.com on April 24, 2021 in Hardware/Electronics with 6 comments.

Although I haven’t made much use of the Raspberry Pi as an embedded CPU, I’ve always wanted to make more use of it and I constantly promote the little board as such a tool. The Pi isn’t perfect, but at the price point and hardware capabilities, I’ve always thought it was a great tool for many embedded uses despite a common joke I repeat about the Pi:

“The Pi is great for embedded system except during three different times of execution: during startup, during normal execution, and during shutdown.”

The follow up is this:

During startup, the Pi takes too long to boot. Many embedded system require near-immediate operation (operating within a couple of seconds) and can’t tolerate the 30 seconds to a couple minutes boot time of Pi OS.

During normal operation, the Pi cannot support real-time response, so it is completely unsuitable for those applications requiring real-time operation.

During shutdown, you must explicitly shut down the Pi (i.e., you cannot simply cut power to it without risking damage to the SD card).

Very little can be done about the boot time. Fortunately, not all embedded applications require immediate operation after applying power, so although the Pi isn’t usable for all embedded application, it can still be used for many that can tolerate a slow startup period.

If your application requires real-time response, you’re not going to get it out of Pi OS. Fortunately, not all applications require this type of response time. Furthermore, for many applications that do require real-time response, it’s easy enough attach a small SBC (such as a Teensy 4.x or other Arduino-class device) to handle the real-time portions of your application.

Most embedded systems are shut down by removing power from device. That’s a very bad practice for Linux-based systems (such as Pi OS). Fortunately, there is a hardware solution for the Raspberry Pi 3: https://juice4halt.com. This is a supercapacitor-based “uninterruptable power supply” module that will provide about 30 seconds of power to the Pi when power is removed. This device sends a signal to the Pi that power has been lost so it can shut down in a safe fashion before the super capacitor supply is exhausted.

I actually used a Pi 3 (with a Pi touchscreen display) in a Nuclear Fuel Temperature Monitor (NFTM) device I installed at National Tsing-Hua University (NTHU) in Taiwan. This device monitors the nuclear fuel temperature and SCRAMs the reactor if the fuel temperature exceeds some set point (typically around 500C). FWIW, the FTM contains three main components: an analog trip system (SCRAMming the reactor is always done by analog circuitry, never by software; this makes the regulators much happier), a Weensy 4.1 board (based on the Teensy 4.1 module), and a Raspberry Pi 3. The Raspberry Pi is basically a glorified video display card for the system, providing a user interface and temperature display. The Weensy provides all the real-time control. The analog trip board handles the actual reactor SCRAMs.

Originally, I had planned to have the Raspberry Pi also provide an Ethernet interface to the reactor console. This feature was never needed at NTHU, so I never finished that code and left the Ethernet jack on the Pi disconnected. This turned out to be a very good thing.

Recently, I was involved with another reactor project at Idaho National Labs (INL). On their NRAD reactor (a small TRIGA reactor used for neutron radiography), they wanted to be able to monitor the reactor operation remotely. The NRAD reactor uses a General Atomics digital control console (Ethernet based). They wanted to pass some operational data from the local reactor network to the general INL network. Now, you *DON’T* connect a reactor’s network directly to any outside network. The NRC (or DOE in INL’s case) doesn’t allow this. However, by using some special (uber-firewall) equipment that guarantees a one-way transmission from the reactor’s network to the outside world, it is possible to satisfy regulatory agencies and they will allow this.

So I designed a two-Pi system that included one Pi on the local reactor network that received UDP messages from the reactor’s computer. This “inside Pi” retransmits the UDP packets across the uber-firewall to the “outside Pi” sitting on the INL network (which is highly controlled and not an “open Internet” type network). This Pi makes the data available to INL services (using TCP/IP transmissions).

I developed the software, tested it out on the reactor (without connecting it to the INL network, using a Pi 400 to simulate the INL server), and got it all working nice and pretty. Then the day arrived that we plugged it into the network. All of a sudden I’m getting calls from the INL IT crew: “why is your machine trying to contact Google? Why is it slamming our DNS? We cannot allow this device on our secured network.”

Now I knew that the Pi would try to contact an NTP server to get the time. So I had installed an Adafruit DS3231 RTC on the Pi (and properly installed the drivers; see https://www.adafruit.com/product/4282) to avoid this. Contacting Google? That was new to me. Slamming their DNS? No idea what was going on there. Needless to say, this is not a behavior you want from a system connected to a nuclear reactor (or even on a secured network operated by the Department of Energy).

A couple hours’ spent trying to figure out what was going on didn’t turn up anything. By this point, the INL IT staff was telling me there was no way they were going to allow a Pi running Pi OS on their network, so I abandoned further research on the matter. They suggested installing a version of Ubuntu. However, I wasn’t sure whether this would support the Juice4Pi drivers or even the Pi touchscreen. So I had to abandon the Pi and switch to a small Windows-based PC.

Perhaps, at some point, I’ll look back into what caused this problem. Until that day arrives, however, I’m very reticent about recommending the Pi for embedded applications. I just don’t feel good about machines accessing things on the Internet that I haven’t explicitly asked them to do. This could be something innocuous, such as automatically checking for updates (though, why Google?). However, it should be documented and easy to shut off. Until then, caveat emptor is the key word here.

6 Responses to “Raspberry Pi in Secure Embedded Systems: WTF? (What? That Fails)

  1. GNU Linux is a beast.
    So while I can understand your frustration a bit… that’s linux.
    (It’s perhaps not really accurate to “blame” raspberry pi, as probably any linux would have given you a similar result.)

    GNU Linux: You get a lot, I mean a whole damn lot (man years of code that you will NEVER EVER be able to achieve yourself).
    But you need to understand the system. And that’s not for free: It takes time, dedication, experience to build up knowhow.

    It would be pretty easy to figure out what was happening. Have wireshark (or tshark: a cool command-line variant) trace what’s happening. Obviously this also requires time, dedication, experience …

    > Now I knew that the Pi would try to contact an NTP server to get the time. So I had installed an Adafruit DS3231 RTC on the Pi (and properly installed the drivers; see https://www.adafruit.com/product/4282) to avoid this.

    hmmmmm… that’s not enough. You need to disable ntp: Maby along these lines
    sudo timedatectl set-ntp true; sudo systemctl stop ntp; sudo systemctl disable ntp; sudo systemctl stop systemd-timesyncd; sudo systemctl disable systemd-timesyncd
    (I haven’t checked it myself)
    https://unix.stackexchange.com/questions/585519/should-i-disable-systemd-timesyncd-if-ntp-is-installed
    https://www.raspberrypi.org/forums/viewtopic.php?t=237391#p1451130
    https://www.raspberrypi.org/forums/viewtopic.php?t=255190#p1599821

    Another thing: you can obviously run realtime embedded software on a raspberry pi: Just ditch the linux and go baremetal:
    googling
    baremetal raspberry pi
    brings up highly interesting tutorials on github!

    But bare metal comes at a price. Gone are all the goodies… gone is the possibility of python scripting etc. etc.

    • Oh, for sure I had disabled NTP. I’ve been using Linux since the 1990s. Though I’m not an expert sysadmin with it, I have written device drivers and the like in the past (however, I’m not a “kernel” person at all, never had the time to devote to that).

      While the thought of Pi bare metal is intriguing, I chose the Pi for this project because it was cheap and accessible (or so I thought, after losing about two month’s of effort developing for the Pi, it turned out to be quite expensive); I also *really* wanted to use the Pi in a “not-a-toy” embedded application. Oh, well, back to toy projects from now on.

      Another possibility for the Pi is VxWorks (https://labs.windriver.com/downloads/wrsdk-vxworks7-docs/README-raspberrypi4b.html). While there have been some less-than-serious RTOS developments for the Pi, VxWorks is pretty heavy-duty stuff (though expensive if not doing this for personal projects). However, like the Ubuntu fix, just not the appropriate solution for this particular “knock out something quick” project for INL.

      Ultimately, I paid the price for “let’s try something new and fun” rather than going with the “tried-and-true” solution. Lesson learned.

  2. > “why is your machine trying to contact Google? Why is it slamming our DNS? We cannot allow this device on our secured network.”

    Probably just means google’s public DNS servers at 8.8.8.8 or 8.8.4.4
    https://developers.google.com/speed/public-dns/docs/using

    Because Raspberry Pi’s default DNS is 8.8.8.8 as can be seen in the image creation scripts:
    https://github.com/RPi-Distro/pi-gen/blob/66cd2d17a0d2d04985b83a2ba830915c9a7d81dc/export-image/02-network/files/resolv.conf#L1

  3. Well, that makes sense.
    Sadly, whether I figure this out or not, INL has blacklisted the PiOS (even before my problem, didn’t know this when I started using the Pi) so it’s not an option. As I mentioned, they will allow an Ubuntu distro, but that’s water under the bridge. I bought a little “Digital Engine” x86 PC to do the honors; INL is happy with Windows, so that’s what it’s going to have to be.

Leave a Reply to Randall Hyde Cancel reply

Your email address will not be published.