
subsys: greybus: authentication and encryption #25

Closed
cfriedt opened this issue Dec 13, 2020 · 4 comments · Fixed by #34
Labels: authentication, documentation, enhancement, sample, security, test
Milestone: Alpha

Comments


cfriedt commented Dec 13, 2020

While there was some original work that targeted authentication and encryption, it was primarily a proof of concept. The PoC used two SSH keys and some python code to emulate a device. The authentication and encryption messages themselves were assigned greybus message types out of the "reserved" numerical range.

The PoC code was more or less identical to what standard TLS does, with the absence of verifying a certificate against a trusted 3rd party Certificate Authority.

Due to the nature of how CPorts are implemented in TCP/IP, and that each CPort is independent of the others, each service is required to perform authentication and encryption independently.

It would be ideal to support industry standard TLS rather than using some custom method. Zephyr provides support for mbedTLS as well as special BSD socket options for TLS security.

The approach that will likely be taken with the initial TLS implementation will be that certificates will likely be self-signed and they will be distributed at build time.

Also, it is unclear whether TLS supports some kind of "NULL" security equivalent to plain-text that can be automatically used during the negotiation phase. If something like that does not exist, then it will be necessary to fix security at build-time both on the Linux side and on the microcontroller side.

@cfriedt cfriedt self-assigned this Dec 13, 2020
@cfriedt cfriedt added documentation Improvements or additions to documentation enhancement New feature or request sample test labels Dec 13, 2020
@cfriedt cfriedt added this to the Alpha milestone Dec 13, 2020
@cfriedt cfriedt changed the title subsys: greybus: security and authentication subsys: greybus: authentication and encryption Dec 13, 2020

cfriedt commented Dec 14, 2020

We probably want to have a couple of options for configuring how to load certificates. So I'll probably add a menuconfig for that.

CONFIG_GREYBUS_USE_TLS would select CONFIG_NET_SOCKETS_SOCKOPT_TLS.

In the menuconfig, we should have an entry for CONFIG_GREYBUS_CERTS_BUILTIN. This would be the simplest way to get certificates working. It is, however, completely insecure to have certificates stored in plaintext inside of a binary. Other future options should include a way to read the certificate from a secure enclave, or via encrypted eeprom partition (again decrypting using a key in a secure enclave).

For the CONFIG_GREYBUS_TLS_BUILTIN option, the following menu items should be visible:

CONFIG_GREYBUS_TLS_CA_CERT: path to file containing CA cert
CONFIG_GREYBUS_SERVER_CERT: path to file containing server cert
CONFIG_GREYBUS_AUTHORIZED_KEYS: semicolon-separated list of paths containing the public keys of authorized users

https://github.com/zephyrproject-rtos/zephyr/blob/master/cmake/extensions.cmake#L582

Prior to the bus starting, we will likely want to use the Zephyr API to load credentials via tls_credential_add. This should be done before the service starts. Example here.
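The menu sketched in this comment, written out as a Kconfig fragment (an added illustration, not code from the greybus-for-zephyr project): it uses the comment's option names, settles on GREYBUS_TLS_BUILTIN as the name of the built-in credential choice, and adds two hypothetical options, GREYBUS_TLS_SERVER_KEY and GREYBUS_TLS_PEER_VERIFY, that the built-in path needs to actually authenticate peers rather than only encrypt.

```kconfig
menuconfig GREYBUS_USE_TLS
	bool "Authenticate and encrypt Greybus CPort sockets with TLS"
	select NET_SOCKETS_SOCKOPT_TLS
	help
	  Every CPort is an independent TCP connection, so each one
	  performs its own TLS handshake with the credentials below.

if GREYBUS_USE_TLS

choice GREYBUS_TLS_CREDENTIAL_SOURCE
	prompt "Where TLS credentials are loaded from"
	default GREYBUS_TLS_BUILTIN

config GREYBUS_TLS_BUILTIN
	bool "Build certificates and keys into the application image"
	help
	  Simplest option. The credentials sit in plaintext inside the
	  firmware binary, so anyone who can read the flash can read the
	  private key. Suitable for development images only.

endchoice

if GREYBUS_TLS_BUILTIN

config GREYBUS_TLS_CA_CERT
	string "Path to the CA certificate (PEM)"

config GREYBUS_SERVER_CERT
	string "Path to the server certificate (PEM)"

config GREYBUS_TLS_SERVER_KEY
	string "Path to the server private key (PEM)"
	help
	  Hypothetical addition: the server certificate cannot complete a
	  handshake without its private key.

config GREYBUS_AUTHORIZED_KEYS
	string "Semicolon-separated paths of authorized client public keys"

endif # GREYBUS_TLS_BUILTIN

config GREYBUS_TLS_PEER_VERIFY
	bool "Require and verify a client certificate on every CPort"
	default y
	help
	  Hypothetical addition. With this off, any client that can reach
	  the TCP port gets an encrypted but unauthenticated session.

endif # GREYBUS_USE_TLS
```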


cfriedt commented Dec 14, 2020

The CONFIG_NET_SOCKETS_SOCKOPT_DTLS option is useful for using UDP instead of TCP for sockets.

It's probably somewhat possible to extract certs to do encryption over a UART as well, but I probably will not be adding that functionality in this ticket.


cfriedt commented Dec 14, 2020

It would be nice to recycle CONFIG_TLS_CREDENTIAL_FILENAMES but it only seems to be available with CONFIG_NET_SOCKETS_OFFLOAD.

cfriedt added a commit that referenced this issue Dec 15, 2020
This change adds TLS support to Greybus as well as a default
method of storing certificates (building them into the
application).

Fixes #25

Signed-off-by: Christopher Friedt <chrisfriedt@gmail.com>
cfriedt added a commit that referenced this issue Dec 24, 2020
This change adds TLS support to Greybus as well as a default
method of storing certificates (building them into the
application).

The automated test for TLS is disabled for now due to
fragility of mbedTLS within Zephyr's implementation of
IPPROTO_TLS_1_2.

Fixes #25
Fixes #28

Signed-off-by: Christopher Friedt <chrisfriedt@gmail.com>
cfriedt added a commit that referenced this issue Dec 27, 2020
This change adds TLS support to Greybus as well as a default
method of storing certificates (building them into the
application).

The automated test for TLS is disabled for now due to
fragility of mbedTLS within Zephyr's implementation of
IPPROTO_TLS_1_2.

Fixes #25
Fixes #28

Signed-off-by: Christopher Friedt <chrisfriedt@gmail.com>
cfriedt added a commit that referenced this issue Dec 29, 2020
This change adds TLS support to Greybus as well as a default
method of storing certificates (building them into the
application).

Fixes #25
Fixes #28

Signed-off-by: Christopher Friedt <chrisfriedt@gmail.com>
cfriedt added a commit that referenced this issue Dec 29, 2020
This change adds TLS support to Greybus as well as a default
method of storing certificates (building them into the
application).

Fixes #25
Fixes #28

Signed-off-by: Christopher Friedt <chrisfriedt@gmail.com>