
Comments (4)

cfriedt commented on September 27, 2024

We probably want to have a couple of options for configuring how to load certificates. So I'll probably add a menuconfig for that.

CONFIG_GREYBUS_USE_TLS
Would select
CONFIG_NET_SOCKETS_SOCKOPT_TLS

In the menuconfig, we should have an entry for CONFIG_GREYBUS_CERTS_BUILTIN. This would be the simplest way to get certificates working. It is, however, completely insecure to have certificates stored in plaintext inside a binary. Other future options should include a way to read the certificate from a secure enclave, or via an encrypted EEPROM partition (again decrypting using a key in a secure enclave).

For the CONFIG_GREYBUS_TLS_BUILTIN option, the following menu items should be visible

CONFIG_GREYBUS_TLS_CA_CERT: path to file containing CA cert
CONFIG_GREYBUS_SERVER_CERT: path to file containing server cert
CONFIG_GREYBUS_AUTHORIZED_KEYS: semicolon-separated list of paths containing the public keys of authorized users

https://github.com/zephyrproject-rtos/zephyr/blob/master/cmake/extensions.cmake#L582

Prior to the bus starting, we will likely want to use the Zephyr API to load credentials via tls_credential_add. This should be done before the service starts. Example here.

from greybus-for-zephyr.

cfriedt commented on September 27, 2024

The CONFIG_NET_SOCKETS_SOCKOPT_DTLS option is useful for using UDP instead of TCP for sockets.

It's probably somewhat possible to extract certs to do encryption over a UART as well, but I probably will not be adding that functionality in this ticket.

from greybus-for-zephyr.

cfriedt commented on September 27, 2024

It would be nice to recycle CONFIG_TLS_CREDENTIAL_FILENAMES but it only seems to be available with CONFIG_NET_SOCKETS_OFFLOAD.

from greybus-for-zephyr.

cfriedt commented on September 27, 2024

Getting somewhere, but the handshake is failing atm.

[1/276] Preparing syscall dependency handling

[270/276] Linking C executable zephyr/zephyr_prebuilt.elf
Memory region         Used Size  Region Size  %age Used
           FLASH:      220116 B       256 KB     83.97%
            SRAM:       51104 B        64 KB     77.98%
        IDT_LIST:         168 B         2 KB      8.20%
[275/276] To exit from QEMU enter: 'CTRL+a, x'
[QEMU] CPU: cortex-m3
qemu-system-arm: warning: nic stellaris_enet.0 has no peer
*** Booting Zephyr OS build zephyr-v2.4.0-2547-gb68f47fdb9a0  ***
W: No entropy device on the system, TLS communication may be insecure!
I: Initializing network
I: IPv4 address: 192.0.2.1
I: Initializing Greybus
I: Initializing built-in certificates
D: (main): Allocated TLS context, 0x2000178c
D: (main): socket: ctx=0x20005730, fd=1
I: CPort 0 mapped to TCP/IP port 4242
D: (main): Allocated TLS context, 0x20001b64
D: (main): socket: ctx=0x200057b8, fd=3
I: CPort 1 mapped to TCP/IP port 4243
I: Greybus TCP/IP Transport initialized
I: Registering GPIO greybus driver.
I: Greybus is active
D: (main): Allocated TLS context, 0x20001f3c
D: (main): socket: ctx=0x20005840, fd=5
D: (rx_q[0]): parent=0x200057b8, ctx=0x200058c8, st=0
D: (main): ssl_tls.c:8194: |2| => handshake
D: (main): ssl_cli.c:3785: |2| client state: 0
D: (main): ssl_tls.c:2847: |2| => flush output
D: (main): ssl_tls.c:2859: |2| <= flush output
D: (main): ssl_cli.c:3785: |2| client state: 1
D: (main): ssl_tls.c:2847: |2| => flush output
D: (main): ssl_tls.c:2859: |2| <= flush output
D: (main): ssl_cli.c:0805: |2| => write client hello
D: (main): ssl_cli.c:0860: |3| client hello, max version: [3:3]
D: (main): ssl_cli.c:0870: |3| dumping 'client hello, random bytes' (32 bytes)
D: (main): ssl_cli.c:0870: |3| 0000:  4c 1a 20 fa f4 d1 ee 52 7f 92 ea a6 a6 ca ae 09  L. ....R........
D: (main): ssl_cli.c:0870: |3| 0010:  dc a1 4b 7e dd b4 95 42 b1 1d 34 94 c1 65 61 ab  ..K~...B..4..ea.
D: (main): ssl_cli.c:0930: |3| client hello, session id len.: 0
D: (main): ssl_cli.c:0931: |3| dumping 'client hello, session id' (0 bytes)
D: (main): ssl_cli.c:0997: |3| client hello, add ciphersuite: 003d
D: (main): ssl_cli.c:0997: |3| client hello, add ciphersuite: 0035
D: (main): ssl_cli.c:0997: |3| client hello, add ciphersuite: 003c
D: (main): ssl_cli.c:0997: |3| client hello, add ciphersuite: 002f
D: (main): ssl_cli.c:0997: |3| client hello, add ciphersuite: 000a
D: (main): ssl_cli.c:1012: |3| client hello, got 5 ciphersuites (excluding SCSVs)
D: (main): ssl_cli.c:1022: |3| adding EMPTY_RENEGOTIATION_INFO_SCSV
D: (main): ssl_cli.c:1076: |3| client hello, compress len.: 1
D: (main): ssl_cli.c:1077: |3| client hello, compress alg.: 0
D: (main): ssl_cli.c:0212: |3| client hello, adding signature_algorithms extension
D: (main): ssl_cli.c:0483: |3| client hello, adding max_fragment_length extension
D: (main): ssl_cli.c:1217: |3| client hello, total extension length: 15
D: (main): ssl_tls.c:3286: |2| => write handshake message
D: (main): ssl_tls.c:3445: |2| => write record
D: (main): ssl_tls.c:3522: |3| output record: msgtype = 22, version = [3:3], msglen = 72
D: (main): ssl_tls.c:3527: |4| dumping 'output record sent to network' (77 bytes)
D: (main): ssl_tls.c:3527: |4| 0000:  16 03 03 00 48 01 00 00 44 03 03 4c 1a 20 fa f4  ....H...D..L. ..
D: (main): ssl_tls.c:3527: |4| 0010:  d1 ee 52 7f 92 ea a6 a6 ca ae 09 dc a1 4b 7e dd  ..R..........K~.
D: (main): ssl_tls.c:3527: |4| 0020:  b4 95 42 b1 1d 34 94 c1 65 61 ab 00 00 0c 00 3d  ..B..4..ea.....=
D: (main): ssl_tls.c:3527: |4| 0030:  00 35 00 3c 00 2f 00 0a 00 ff 01 00 00 0f 00 0d  .5.<./..........
D: (main): ssl_tls.c:3527: |4| 0040:  00 06 00 04 04 01 03 01 00 01 00 01 02           .............
D: (main): ssl_tls.c:2847: |2| => flush output
D: (main): ssl_tls.c:2865: |2| message length: 77, out_left: 77
D: (rx_q[0]): ctx=0x200058c8, pkt=0x2000afa0, st=0, user_data=(nil)
D: (main): ssl_tls.c:2871: |2| ssl->f_send() returned 77 (-0xffffffb3)
D: (main): ssl_tls.c:2899: |2| <= flush output
D: (main): ssl_tls.c:3578: |2| <= write record
D: (main): ssl_tls.c:3422: |2| <= write handshake message
D: (main): ssl_cli.c:1255: |2| <= write client hello
D: (main): ssl_cli.c:3785: |2| client state: 2
D: (main): ssl_tls.c:2847: |2| => flush output
D: (main): ssl_tls.c:2859: |2| <= flush output
D: (main): ssl_cli.c:1684: |2| => parse server hello
D: (main): ssl_tls.c:4419: |2| => read record
D: (main): ssl_tls.c:2628: |2| => fetch input
D: (main): ssl_tls.c:2788: |2| in_left: 0, nb_want: 5
D: (greybus): accept: ctx=0x200058c8, fd=7
D: (greybus): Allocated TLS context, 0x20002314
D: (greybus): close: ctx=0x200058c8, fd=7
D: (greybus): discarding pkt 0x2000afa0
D: (rx_q[0]): ctx=0x20005840, pkt=(nil), st=-104, user_data=(nil)
D: (rx_q[0]): Marked socket 0x20005840 as peer-closed
D: (main): NULL return from fifo
D: (main): ssl_tls.c:2812: |2| in_left: 0, nb_want: 5
D: (main): ssl_tls.c:2814: |2| ssl->f_recv(_timeout)() returned 0 (-0x0000)
D: (main): ssl_tls.c:5081: |1| mbedtls_ssl_fetch_input() returned -29312 (-0x7280)
D: (main): ssl_tls.c:4452: |1| ssl_get_next_record() returned -29312 (-0x7280)
D: (main): ssl_cli.c:1691: |1| mbedtls_ssl_read_record() returned -29312 (-0x7280)
D: (main): ssl_tls.c:8204: |2| <= handshake
E: TLS handshake error: -7280
ASSERTION FAIL [r == 0] @ CMAKE_SOURCE_DIR/src/gpio.c:143
	connect: 113
E: r0/a1:  0x00000004  r1/a2:  0x0000008f  r2/a3:  0x90000000
E: r3/a4:  0x0002b7fe r12/ip:  0x00000000 r14/lr:  0x00000c6f
E:  xpsr:  0x41000000
E: Faulting instruction address (r15/pc): 0x0001fa2a
E: >>> ZEPHYR FATAL ERROR 4: Kernel panic on CPU 0
E: Current thread: 0x200011f0 (main)
E: Halting system
qemu-system-arm: terminating on signal 2
ninja: build stopped: interrupted by user.

For the gpio test and qemu_cortex_m3:
prj.conf.txt
qemu_cortex_m3.conf.txt

from greybus-for-zephyr.
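The trace in the comment above contains the complete 77-byte record that mbedTLS dumps as "output record sent to network", so the ClientHello can be decoded by hand. The following C is an added example, not code from greybus-for-zephyr, Zephyr or mbedTLS: a bounds-checked parser for that record, with the bytes transcribed from the log as constructed input. It shows what the client actually offered (TLS 1.2, five static-RSA cipher suites plus the renegotiation SCSV, a signature_algorithms extension and a max_fragment_length extension) and, because every length field is validated against the bytes left in the record before it is used, it is the shape a parser fed from a socket needs. The `suite_name` table and the `parse_log_client_hello` wrapper are conveniences added here.

```c
/* Added example, not code from greybus-for-zephyr: a bounds-checked parser for the
 * TLS 1.2 ClientHello that the mbedTLS trace above dumps as "output record sent to
 * network" (77 bytes). Every length field is checked against the bytes left in the
 * record before it is used. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_SUITES 16
#define MAX_EXTS 8

struct client_hello {
    uint8_t  record_type;              /* 22 = handshake */
    uint16_t client_version;           /* 0x0303 = TLS 1.2 */
    uint8_t  random[32];
    uint8_t  session_id_len;
    size_t   n_suites;
    uint16_t suites[MAX_SUITES];
    int      has_renegotiation_scsv;   /* 0x00ff present in the suite list */
    size_t   n_exts;
    uint16_t ext_types[MAX_EXTS];
};

/* Transcribed from the hex dump in the log above (constructed test input). */
static const uint8_t clienthello_from_log[77] = {
    0x16,0x03,0x03,0x00,0x48,0x01,0x00,0x00,0x44,0x03,0x03,0x4c,0x1a,0x20,0xfa,0xf4,
    0xd1,0xee,0x52,0x7f,0x92,0xea,0xa6,0xa6,0xca,0xae,0x09,0xdc,0xa1,0x4b,0x7e,0xdd,
    0xb4,0x95,0x42,0xb1,0x1d,0x34,0x94,0xc1,0x65,0x61,0xab,0x00,0x00,0x0c,0x00,0x3d,
    0x00,0x35,0x00,0x3c,0x00,0x2f,0x00,0x0a,0x00,0xff,0x01,0x00,0x00,0x0f,0x00,0x0d,
    0x00,0x06,0x00,0x04,0x04,0x01,0x03,0x01,0x00,0x01,0x00,0x01,0x02,
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Returns 0 on success, or a negative code naming the check that failed. */
int parse_client_hello(const uint8_t *buf, size_t len, struct client_hello *out)
{
    memset(out, 0, sizeof(*out));
    if (len < 5) return -1;                                   /* record: type(1) version(2) length(2) */
    out->record_type = buf[0];
    size_t pos = 5, end = 5 + rd16(buf + 3);                  /* end bounds every read below */
    if (out->record_type != 22 || end > len) return -2;
    if (end - pos < 4 || buf[pos] != 1) return -3;            /* handshake header, 1 = client_hello */
    size_t hs_len = ((size_t)buf[pos + 1] << 16) | ((size_t)buf[pos + 2] << 8) | buf[pos + 3];
    pos += 4;
    if (hs_len != end - pos) return -4;
    if (end - pos < 2 + 32 + 1) return -5;                    /* version, random, session_id length */
    out->client_version = rd16(buf + pos); pos += 2;
    memcpy(out->random, buf + pos, 32);    pos += 32;
    out->session_id_len = buf[pos++];
    if (out->session_id_len > 32 || (size_t)out->session_id_len > end - pos) return -6;
    pos += out->session_id_len;
    if (end - pos < 2) return -7;                             /* cipher_suites<2..2^16-2> */
    size_t cs_len = rd16(buf + pos); pos += 2;
    if (cs_len < 2 || (cs_len & 1) || cs_len > end - pos || cs_len / 2 > MAX_SUITES) return -8;
    out->n_suites = cs_len / 2;
    for (size_t i = 0; i < out->n_suites; i++) {
        out->suites[i] = rd16(buf + pos + 2 * i);
        if (out->suites[i] == 0x00ff) out->has_renegotiation_scsv = 1;
    }
    pos += cs_len;
    if (end - pos < 1) return -9;                             /* compression_methods<1..2^8-1> */
    size_t comp_len = buf[pos++];
    if (comp_len < 1 || comp_len > end - pos) return -10;
    pos += comp_len;
    if (pos == end) return 0;                                 /* extensions are optional */
    if (end - pos < 2 || (size_t)rd16(buf + pos) != end - pos - 2) return -11;
    for (pos += 2; pos < end; pos += 4 + rd16(buf + pos + 2)) {
        if (end - pos < 4 || (size_t)rd16(buf + pos + 2) > end - pos - 4) return -12; /* type(2) len(2) body */
        if (out->n_exts < MAX_EXTS) out->ext_types[out->n_exts++] = rd16(buf + pos);
    }
    return 0;
}

/* IANA names of the suites in the log: all RSA key transport, so none offers forward secrecy. */
static const struct { uint16_t id; const char *name; } suite_names[] = {
    {0x003d, "TLS_RSA_WITH_AES_256_CBC_SHA256"}, {0x0035, "TLS_RSA_WITH_AES_256_CBC_SHA"},
    {0x003c, "TLS_RSA_WITH_AES_128_CBC_SHA256"}, {0x002f, "TLS_RSA_WITH_AES_128_CBC_SHA"},
    {0x000a, "TLS_RSA_WITH_3DES_EDE_CBC_SHA"},   {0x00ff, "TLS_EMPTY_RENEGOTIATION_INFO_SCSV"},
};

const char *suite_name(uint16_t id)
{
    for (size_t i = 0; i < sizeof(suite_names) / sizeof(suite_names[0]); i++)
        if (suite_names[i].id == id) return suite_names[i].name;
    return "unknown";
}

static struct client_hello log_ch;   /* filled by parse_log_client_hello() */
int parse_log_client_hello(void) { return parse_client_hello(clienthello_from_log, sizeof(clienthello_from_log), &log_ch); }

int main(void)
{
    if (parse_log_client_hello() != 0) return 1;
    for (size_t i = 0; i < log_ch.n_suites; i++)
        printf("0x%04x %s\n", log_ch.suites[i], suite_name(log_ch.suites[i]));
    return 0;
}
```

Two things the decoded hello makes visible that the raw trace does not: every offered suite is RSA key transport (0x003d, 0x0035, 0x003c, 0x002f, 0x000a), so a compromise of the server key would expose recorded sessions, and the hello itself is well-formed. The handshake then fails at the very next step: the trace shows the Greybus side accepting fd 7 and closing it before a ServerHello is ever read, which mbedTLS reports as -0x7280 (MBEDTLS_ERR_SSL_CONN_EOF). Feeding the parser a record truncated by one byte returns -2 rather than reading past the buffer.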
