Allow temporarily disabling device protection #2770

Merged: 35 commits into develop-6.x from disable-protected-mode/sc-127946, Jun 19, 2024

Conversation

sergeuz (Member) commented May 20, 2024

Description

Implement a challenge-response protocol between the device and the cloud to temporarily disable device protection. An external tool like the CLI transfers the information from the device to the API and back.

Changes

Behavior of protected mode

  • All the USB USART functions return a neutral result when called when device protection is currently active.
  • LogHandler changes for protected mode are reversed.
    • The consequence is that SerialLogHandler does not output anything in protected mode, but starts outputting when protection is temporarily disabled, and other LogHandlers (including custom ones) still output in protected mode.

Control requests

  • GetProtectedStateReply
    • state returns true when the device is currently protected
    • overridden returns true when the device would have been protected but protection is temporarily disabled
  • SetProtectedStateRequest: new request (see below for use)

Unprotect algorithm

  • SetProtectedStateRequest has 3 steps: prepare, confirm and reset.
  • Prepare generates a random device nonce, and responds with a signature of the device id, the server nonce, and the device nonce. The response also includes the fingerprint of the device key used for the signature. It also saves the time when prepare was done.
  • Confirm checks that prepare was started less than a minute ago. It first checks that the server that generated the signature is the one we have a key for (KEY_MISMATCH error). It then verifies the signature sent by the server (INVALID_SIGNATURE error).
    • If everything checks out, device protection is disabled for 20 reboots and 24 hours.
  • Reset clears the temporary unlock.
  • The counters of remaining resets and remaining seconds for the temporary unlock are stored in system flags.
  • In the bootloader system tick, a 1 second counter is decremented. When that gets to 0, the remaining seconds for the temporary unlock are decremented and the system flags are saved.
  • Outside the bootloader, a 1 second OS timer is used to decrement the remaining seconds for the temporary unlock and save the system flags.

References

  • sc-127946
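
The prepare / confirm / reset exchange described in the PR above, played end to end by a device, a cloud server and a CLI that only ferries messages between them, as an added example in Python. It is not Device OS or Particle cloud code. Its assumptions, also labelled in the comments: HMAC-SHA256 with a shared key stands in for the device's and the server's asymmetric signatures; the server signs the same (device id, server nonce, device nonce) tuple it just verified; the key fingerprint is a truncated SHA-256 over the key; the device is configured as protected, so GetProtectedStateReply.state is simply the inverse of the override flag; and the names Device, Server, unlock, challenge and respond are invented for the example. The one-minute window, the 20-reboot and 24-hour limits, the error names KEY_MISMATCH and INVALID_SIGNATURE, and the single-use prepare state are taken from the description.

```python
import hashlib
import hmac
import os
import time

PREPARE_WINDOW_S = 60            # confirm must follow prepare within a minute (PR description)
OVERRIDE_RESETS = 20             # temporary unlock survives 20 reboots ...
OVERRIDE_SECONDS = 24 * 60 * 60  # ... or 24 hours, whichever runs out first


class ProtocolError(Exception): pass


def fingerprint(key):
    # Assumed fingerprint format: first 8 bytes of SHA-256 over the key.
    return hashlib.sha256(key).digest()[:8]


def sign(key, *parts):
    # Assumption: HMAC-SHA256 stands in for the asymmetric signatures. Parts
    # are length-prefixed so (a|bc) and (ab|c) cannot be confused.
    msg = b"".join(len(p).to_bytes(2, "big") + p for p in parts)
    return hmac.new(key, msg, hashlib.sha256).digest()


class Device:
    def __init__(self, device_id, device_key, server_key, clock=time.monotonic):
        self.device_id, self.device_key = device_id, device_key
        self.server_key = server_key   # the one server key the device trusts
        self.clock = clock             # injectable so the window can be tested
        self.pending = None            # (device_nonce, server_nonce, started_at)
        self.flags = {"override": False, "resets": 0, "seconds": 0}  # system flags

    def prepare(self, server_nonce):
        device_nonce = os.urandom(32)
        self.pending = (device_nonce, server_nonce, self.clock())
        return {"device_id": self.device_id, "device_nonce": device_nonce, "fingerprint": fingerprint(self.device_key),
                "signature": sign(self.device_key, self.device_id, server_nonce, device_nonce)}

    def confirm(self, server_fingerprint, server_signature):
        if self.pending is None:
            raise ProtocolError("NOT_PREPARED")
        device_nonce, server_nonce, started_at = self.pending
        if self.clock() - started_at > PREPARE_WINDOW_S:
            raise ProtocolError("TIMEOUT")
        if not hmac.compare_digest(server_fingerprint, fingerprint(self.server_key)):
            raise ProtocolError("KEY_MISMATCH")
        expected = sign(self.server_key, self.device_id, server_nonce, device_nonce)
        if not hmac.compare_digest(expected, server_signature):
            raise ProtocolError("INVALID_SIGNATURE")
        self.pending = None  # single-use: a captured confirm cannot be replayed
        self.flags = {"override": True, "resets": OVERRIDE_RESETS, "seconds": OVERRIDE_SECONDS}

    def reset(self):
        self.flags = {"override": False, "resets": 0, "seconds": 0}

    def tick(self, seconds=1):  # stands in for the 1 s bootloader / OS timer
        if self.flags["override"]:
            self.flags["seconds"] = max(0, self.flags["seconds"] - seconds)
            if self.flags["seconds"] == 0:
                self.reset()

    def reboot(self):
        if self.flags["override"]:
            self.flags["resets"] -= 1
            if self.flags["resets"] <= 0:
                self.reset()

    def protected_state(self):
        # GetProtectedStateReply, assuming the device is configured as protected.
        return {"state": not self.flags["override"], "overridden": self.flags["override"]}


class Server:
    def __init__(self, server_key, registry):
        self.server_key = server_key
        self.registry = registry       # device_id -> device key known to the cloud

    def challenge(self):
        return os.urandom(32)          # server nonce

    def respond(self, server_nonce, reply):
        device_key = self.registry.get(reply["device_id"])
        if device_key is None or not hmac.compare_digest(reply["fingerprint"], fingerprint(device_key)):
            raise ProtocolError("UNKNOWN_DEVICE_KEY")
        expected = sign(device_key, reply["device_id"], server_nonce, reply["device_nonce"])
        if not hmac.compare_digest(expected, reply["signature"]):
            raise ProtocolError("INVALID_DEVICE_SIGNATURE")
        # Assumption: the server signs the same tuple it just verified.
        return fingerprint(self.server_key), sign(self.server_key, reply["device_id"], server_nonce, reply["device_nonce"])


def unlock(device, server):  # plays the CLI: ferries bytes, understands neither side
    server_nonce = server.challenge()
    reply = device.prepare(server_nonce)
    server_fp, server_sig = server.respond(server_nonce, reply)
    device.confirm(server_fp, server_sig)
    return device.protected_state()
```

Two properties worth checking in this shape of protocol: both nonces are bound into both signatures, so a response captured from one unlock is useless against another prepare, and the device discards its prepare state on a successful confirm, so even the same response cannot be presented twice. A server that holds a different key is refused at the fingerprint check with KEY_MISMATCH before any signature is examined, and a confirm presented more than a minute after prepare is refused with TIMEOUT regardless of what it carries. The two counters drive each other's reset: either the 20th reboot or the last tick of the 24 hours puts the device back into protected mode.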

@sergeuz sergeuz changed the base branch from develop to develop-6.x May 20, 2024 21:44
@sergeuz sergeuz force-pushed the disable-protected-mode/sc-127946 branch from 0a7dbac to ad2609d Compare May 24, 2024 13:07
@Kategrode Kategrode added the 6.x label Jun 3, 2024
@sergeuz sergeuz marked this pull request as ready for review June 14, 2024 18:01
sergeuz (Member, Author) commented Jun 14, 2024

I'm marking this PR as ready for review even though it currently overflows on some of the platforms – we'll investigate that separately. The test steps can be found in sc-127946.

Load_SystemFlags();
system_flags.security_mode_override_value = MODULE_INFO_SECURITY_MODE_NONE;
system_flags.security_mode_override_reset_count = 20;
system_flags.security_mode_override_timeout = 24 * 60 * 60; // Seconds
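Review bot: the literals 20 and 24 * 60 * 60 on the last two lines restate the 20-reboot and 24-hour limits from the description, and the one-minute prepare window in confirm is a third such number; hoist all three into named constants kept together so a policy change is one edit and the values in the description and the code cannot drift apart. Separately, only Load_SystemFlags() is visible here: the override only survives a reboot once these three fields are written back, so confirm that the matching save follows this assignment directly rather than being left to the next pass of the 1 s timer.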
Review comment (Member) on the lines above:

Nit: define a constant for this?

@avtolstoy avtolstoy force-pushed the disable-protected-mode/sc-127946 branch from fee5f04 to b3e24f2 Compare June 19, 2024 14:26
@avtolstoy avtolstoy force-pushed the disable-protected-mode/sc-127946 branch from b3e24f2 to 700bfc9 Compare June 19, 2024 16:59
@avtolstoy avtolstoy merged commit 8106ede into develop-6.x Jun 19, 2024
13 checks passed
@avtolstoy avtolstoy deleted the disable-protected-mode/sc-127946 branch June 19, 2024 19:06
@sergeuz sergeuz mentioned this pull request Jul 18, 2024