kmwebnet/OpenSK
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge branch 'master' into gendx-patch-1

Browse Source
This commit is contained in:
Jean-Michel Picod
2020-02-19 16:16:03 +01:00
committed by GitHub
parent 9aab5520f7 7fda4c6435
commit 76aaea0333
5 changed files with 579 additions and 418 deletions
Download Patch File Download Diff File Expand all files Collapse all files

19
README.md
View File

@@ -49,23 +49,22 @@ For a more detailed guide, please refer to our
./setup.sh ./setup.sh
``` ```
2. If you have a Nordic development board that doesn't already have Tock OS 2. If Tock OS is already installed on your board, move to the next step.
installed, you can install both TockOS and the OpenSK application by running Otherwise, just run one of the following commands, depending on the board
the following command, depending on the board you have: you have:
```shell ```shell
# Nordic nRF52840-DK board # Nordic nRF52840-DK board
board=nrf52840dk ./deploy.sh os app ./deploy.py os --board=nrf52840_dk
# Nordic nRF52840-Dongle # Nordic nRF52840-Dongle
board=nrf52840_dongle ./deploy.sh os app ./deploy.py os --board=nrf52840_dongle
``` ```
3. If Tock OS is already installed and you want to install/update the OpenSK 3. Next step is to install/update the OpenSK application on your board
application on your board (**Warning**: it will erase the locally stored (**Warning**: it will erase the locally stored credentials). Run:
credentials), run:
```shell ```shell
./deploy.sh app ./deploy.py app --opensk
``` ```
4. On Linux, you may want to avoid the need for `root` privileges to interact 4. On Linux, you may want to avoid the need for `root` privileges to interact
@@ -83,7 +82,7 @@ If you build your own security key, depending on the hardware you use, there are
a few things you can personalize: a few things you can personalize:
1. If you have multiple buttons, choose the buttons responsible for user 1. If you have multiple buttons, choose the buttons responsible for user
presence in main.rs. presence in `main.rs`.
2. Decide whether you want to use batch attestation. There is a boolean flag in 2. Decide whether you want to use batch attestation. There is a boolean flag in
`ctap/mod.rs`. It is mandatory for U2F, and you can create your own `ctap/mod.rs`. It is mandatory for U2F, and you can create your own
self-signed certificate. The flag is used for FIDO2 and has some privacy self-signed certificate. The flag is used for FIDO2 and has some privacy

430
deploy.py Executable file
View File

@@ -0,0 +1,430 @@
#!/usr/bin/env python3
# Copyright 2019 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# Lint as: python3
from __future__ import absolute_import
from __future__ import division
from __future__ import print_function
import argparse
import colorama
import copy
import os
import shutil
import subprocess
import sys
from tockloader import tab, tbfh, tockloader
# This structure allows us in the future to also support out-of-tree boards.
SUPPORTED_BOARDS = {
"nrf52840_dk": "third_party/tock/boards/nordic/nrf52840dk",
"nrf52840_dongle": "third_party/tock/boards/nordic/nrf52840_dongle"
}
# The STACK_SIZE value below must match the one used in the linker script
# used by the board.
# e.g. for Nordic nRF52840 boards the file is `nrf52840dk_layout.ld`.
STACK_SIZE = 0x4000
# The following value must match the one used in the file
# `src/entry_point.rs`
APP_HEAP_SIZE = 90000
def get_supported_boards():
boards = []
for name, root in SUPPORTED_BOARDS.items():
if all((os.path.exists(os.path.join(root, "Cargo.toml")),
os.path.exists(os.path.join(root, "Makefile")))):
boards.append(name)
return tuple(set(boards))
def fatal(msg):
print("{style_begin}fatal:{style_end} {message}".format(
style_begin=colorama.Fore.RED + colorama.Style.BRIGHT,
style_end=colorama.Style.RESET_ALL,
message=msg))
sys.exit(1)
def error(msg):
print("{style_begin}error:{style_end} {message}".format(
style_begin=colorama.Fore.RED,
style_end=colorama.Style.RESET_ALL,
message=msg))
def info(msg):
print("{style_begin}info:{style_end} {message}".format(
style_begin=colorama.Fore.GREEN + colorama.Style.BRIGHT,
style_end=colorama.Style.RESET_ALL,
message=msg))
class RemoveConstAction(argparse.Action):
def __init__(self,
option_strings,
dest,
const,
default=None,
required=False,
help=None,
metavar=None):
super(RemoveConstAction, self).__init__(
option_strings=option_strings,
dest=dest,
nargs=0,
const=const,
default=default,
required=required,
help=help,
metavar=metavar)
def __call__(self, parser, namespace, values, option_string=None):
# Code is simply a modified version of the AppendConstAction from argparse
# https://github.com/python/cpython/blob/master/Lib/argparse.py#L138-L147
# https://github.com/python/cpython/blob/master/Lib/argparse.py#L1028-L1052
items = getattr(namespace, self.dest, [])
if type(items) is list:
items = items[:]
else:
items = copy.copy(items)
if self.const in items:
self.remove(self.const)
setattr(namespace, self.dest, items)
class OpenSKInstaller(object):
def __init__(self, args):
colorama.init()
self.args = args
# Where all the TAB files should go
self.tab_folder = os.path.join("target", "tab")
# This is the filename that elf2tab command expects in order
# to create a working TAB file.
self.target_elf_filename = os.path.join(
self.tab_folder, "cortex-m4.elf")
self.tockloader_default_args = argparse.Namespace(
arch="cortex-m4",
board=getattr(self.args, "board", "nrf52840"),
debug=False,
force=False,
jlink=True,
jlink_device="nrf52840_xxaa",
jlink_if="swd",
jlink_speed=1200,
jtag=False,
no_bootloader_entry=False,
page_size=4096,
port=None,
)
def checked_command_output(self, cmd):
cmd_output = ""
try:
cmd_output = subprocess.check_output(cmd)
except subprocess.CalledProcessError as e:
fatal("Failed to execute {}: {}".format(cmd[0], str(e)))
# Unreachable because fatal() will exit
return cmd_output.decode()
def update_rustc_if_needed(self):
target_toolchain_fullstring = "stable"
with open("rust-toolchain", "r") as f:
target_toolchain_fullstring = f.readline().strip()
target_toolchain = target_toolchain_fullstring.split("-", maxsplit=1)
if len(target_toolchain) == 1:
# If we target the stable version of rust, we won't have a date
# associated to the version and split will only return 1 item.
# To avoid failing later when accessing the date, we insert an
# empty value.
target_toolchain.append('')
current_version = self.checked_command_output(["rustc", "--version"])
if not all(
(target_toolchain[0] in current_version,
target_toolchain[1] in current_version)):
info("Updating rust toolchain to {}".format(
"-".join(target_toolchain)))
# Need to update
self.checked_command_output(
["rustup", "install", target_toolchain_fullstring])
self.checked_command_output(
["rustup", "target", "add", "thumbv7em-none-eabi"])
info("Rust toolchain up-to-date")
def build_and_install_tockos(self):
self.checked_command_output(
["make", "-C", SUPPORTED_BOARDS[self.args.board], "flash"]
)
def build_and_install_example(self):
assert(self.args.application)
self.checked_command_output([
"cargo",
"build",
"--release",
"--target=thumbv7em-none-eabi",
"--features={}".format(",".join(self.args.features)),
"--example",
self.args.application
])
self.install_elf_file(os.path.join(
"target/thumbv7em-none-eabi/release/examples",
self.args.application))
def build_and_install_opensk(self):
assert(self.args.application)
info("Building OpenSK application")
self.checked_command_output([
"cargo",
"build",
"--release",
"--target=thumbv7em-none-eabi",
"--features={}".format(",".join(self.args.features)),
])
self.install_elf_file(os.path.join(
"target/thumbv7em-none-eabi/release", self.args.application))
def generate_crypto_materials(self, force_regenerate):
has_error = subprocess.call([
os.path.join("tools", "gen_key_materials.sh"),
"Y" if force_regenerate else "N",
])
if has_error:
error((
"Something went wrong while trying to generate ECC "
"key and/or certificate for OpenSK"))
def install_elf_file(self, elf_path):
assert(self.args.application)
package_parameter = "-n"
elf2tab_ver = self.checked_command_output(
["elf2tab", "--version"]).split(' ', maxsplit=1)[1]
# Starting from v0.5.0-dev the parameter changed.
# Current pyblished crate is 0.4.0 but we don't want developers
# running the HEAD from github to be stuck
if "0.5.0-dev" in elf2tab_ver:
package_parameter = "--package-name"
os.makedirs(self.tab_folder, exist_ok=True)
tab_filename = os.path.join(
self.tab_folder,
"{}.tab".format(self.args.application))
shutil.copyfile(elf_path, self.target_elf_filename)
self.checked_command_output([
"elf2tab",
package_parameter,
self.args.application,
"-o",
tab_filename,
self.target_elf_filename,
"--stack={}".format(STACK_SIZE),
"--app-heap={}".format(APP_HEAP_SIZE),
"--kernel-heap=1024",
"--protected-region-size=64"
])
self.install_padding()
info("Installing Tock application {}".format(self.args.application))
args = copy.copy(self.tockloader_default_args)
setattr(args, "app_address", 0x40000)
setattr(args, "erase", self.args.clear_apps)
setattr(args, "make", False)
setattr(args, "no_replace", False)
setattr(args, "sticky", False)
tock = tockloader.TockLoader(args)
tock.open(args)
tabs = [tab.TAB(tab_filename)]
try:
tock.install(tabs, replace="yes",
erase=args.erase, sticky=args.sticky)
except tockloader.exceptions.TockLoaderException as e:
fatal("Couldn't install Tock application {}: {}".format(
self.args.application, str(e)))
def install_padding(self):
fake_header = tbfh.TBFHeader("")
fake_header.version = 2
fake_header.fields["header_size"] = 0x10
fake_header.fields["total_size"] = 0x10000
fake_header.fields["flags"] = 0
padding = fake_header.get_binary()
info("Flashing padding application")
args = copy.copy(self.tockloader_default_args)
setattr(args, "address", 0x30000)
tock = tockloader.TockLoader(args)
tock.open(args)
try:
tock.flash_binary(padding, args.address)
except tockloader.exceptions.TockLoaderException as e:
fatal("Couldn't install padding: {}".format(str(e)))
def clear_apps(self):
args = copy.copy(self.tockloader_default_args)
setattr(args, "app_address", 0x40000)
info("Erasing all installed applications")
tock = tockloader.TockLoader(args)
tock.open(args)
try:
tock.erase_apps(False)
except tockloader.exceptions.TockLoaderException as e:
# Erasing apps is not critical
info(("A non-critical error occured while erasing "
"apps: {}".format(str(e))))
def run(self):
if self.args.action is None:
# Nothing to do
return
self.update_rustc_if_needed()
if self.args.action == "os":
info("Installing Tock on board {}".format(self.args.board))
self.build_and_install_tockos()
if self.args.action == "app":
if self.args.application is None:
fatal("Unspecified application")
if self.args.clear_apps:
self.clear_apps()
if self.args.application == "ctap2":
self.generate_crypto_materials(self.args.regenerate_keys)
self.build_and_install_opensk()
else:
self.build_and_install_example()
def main(args):
# Make sure the current working directory is the right one before running
os.chdir(os.path.realpath(os.path.dirname(__file__)))
# Check for pre-requisite executable files.
if not shutil.which("JLinkExe"):
fatal(("Couldn't find JLinkExe binary. Make sure Segger JLink tools "
"are installed and correctly set up."))
OpenSKInstaller(args).run()
if __name__ == '__main__':
shared_parser = argparse.ArgumentParser(add_help=False)
shared_parser.add_argument(
"--dont-clear-apps",
action="store_false",
default=True,
dest="clear_apps",
help=(
"When installing an application, previously installed "
"applications won't be erased from the board."
),
)
parser = argparse.ArgumentParser()
commands = parser.add_subparsers(
dest="action",
help=(
"Indicates which part of the firmware should be compiled and "
"flashed to the connected board."
)
)
os_commands = commands.add_parser(
"os",
parents=[shared_parser],
help=(
"Compiles and installs Tock OS. The target board must be "
"specified by setting the --board argument."
),
)
os_commands.add_argument(
"--board",
metavar="BOARD_NAME",
dest="board",
choices=get_supported_boards(),
help="Indicates which board Tock OS will be compiled for.",
required=True
)
app_commands = commands.add_parser(
"app",
parents=[shared_parser],
help="compiles and installs an application."
)
app_commands.add_argument(
"--panic-console",
action="append_const",
const="panic_console",
dest="features",
help=(
"In case of application panic, the console will be used to "
"output messages before starting blinking the LEDs on the "
"board."
),
)
app_commands.add_argument(
"--no-u2f",
action=RemoveConstAction,
const="with_ctap1",
dest="features",
help=(
"Compiles the OpenSK application without backward compatible "
"support for U2F/CTAP1 protocol."
),
)
app_commands.add_argument(
"--regen-keys",
action="store_true",
default=False,
dest="regenerate_keys",
help=(
"Forces the generation of files (certificates and private keys) "
"under the crypto_data/ directory. "
"This is useful to allow flashing multiple OpenSK authenticators "
"in a row without them being considered clones."
),
)
app_commands.add_argument(
"--debug",
action="append_const",
const="debug_ctap",
dest="features",
help=(
"Compiles and installs the OpenSK application in debug mode "
"(i.e. more debug messages will be sent over the console port "
"such as hexdumps of packets)."
),
)
apps = app_commands.add_mutually_exclusive_group()
apps.add_argument(
"--opensk",
dest="application",
action="store_const",
const="ctap2",
help="Compiles and installs the OpenSK application."
)
apps.add_argument(
"--crypto_bench",
dest="application",
action="store_const",
const="crypto_bench",
help=(
"Compiles and installs the crypto_bench example that tests "
"the performance of the cryptographic algorithms on the board."
)
)
app_commands.set_defaults(features=["with_ctap1"])
main(parser.parse_args())

327
deploy.sh
View File

@@ -1,327 +0,0 @@
#!/usr/bin/env bash
# Copyright 2019 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
set -e
if [ "x$VERBOSE" != "x" ]
then
set -x
fi
info_text="$(tput bold)info:$(tput sgr0)"
error_text="$(tput bold)error:$(tput sgr0)"
tab_folder="target/tab"
# elf2tab requires a file named "cortex-m4", so this path is used for all
# target applications.
elf_file_name="${tab_folder}/cortex-m4.elf"
# elf2tab 0.4.0 and below uses "-n" flag but 0.5.0-dev changes that "-p" or
# "--package-name"
# We try to be compatible with both versions.
elf2tab_package_param="-n"
if which elf2tab > /dev/null 2>&1
then
if [ "$(elf2tab --version | cut -d' ' -f2)" = "0.5.0-dev" ]
then
# Short parameter is "-p" but long parameter names should be prefered
# when they are used in scripts.
elf2tab_package_param="--package-name"
fi
else
echo ""
echo "Command elf2tab not found. Have you run the setup.sh script?"
exit 2
fi
# We need to specify the board explicitly to be able to flash after 0x80000.
tockloader_flags=(
--jlink
--board="${board:-nrf52840}"
--arch=cortex-m4
--jlink-device=nrf52840_xxaa
--page-size=4096
)
declare -A supported_boards
supported_boards["nrf52840dk"]="Y"
supported_boards["nrf52840_dongle"]="Y"
declare -A enabled_features=( [with_ctap1]=Y )
print_usage () {
cat <<EOH
Usage: $0 [options...] <actions...>
Example:
In order to install TockOS and a debug version of OpenSK on a Nordic nRF52840-DK
board, you need to run the following command:
board=nrf52840dk $0 --panic-console os app_debug
Actions:
os
Compiles and installs Tock OS on the selected board.
The target board must be indicated by setting the environment
variable \$board
app
Compiles and installs OpenSK application.
app_debug
Compiles and installs OpenSK application in debug mode (i.e. more debug messages
will be sent over the console port such as hexdumps of packets)
crypto_bench
Compiles and installs the crypto_bench example that tests the performance
of the cryptographic algorithms on the board.
Options:
--dont-clear-apps
When installing an application, previously installed applications won't
be erased from the board.
--no-u2f
Compiles OpenSK application without backward compatible support for
U2F/CTAP1 protocol.
--regen-keys
Forces the generation of src/ctap/key_materials.rs file.
This won't force re-generate OpenSSL files under crypto_data/ directory.
If the OpenSSL files needs to be re-generated, simply delete them (or
the whole directory).
--panic-console
In case of application panic, the console will be used to output messages
before starting blinking the LEDs on the board.
EOH
}
display_supported_boards () {
echo "$info_text Currently supported boards are:"
for b in ${!supported_boards[@]}
do
if [ -d "third_party/tock/boards/nordic/$b" -a \
-e "third_party/tock/boards/nordic/$b/Cargo.toml" ]
then
echo " - $b"
fi
done
}
# Import generate_crypto_materials function
source tools/gen_key_materials.sh
build_app_padding () {
# On nRF52840, the MMU can have 8 sub-regions and the flash size is 0x1000000.
# By default, applications are flashed at 0x30000 which means the maximum size
# for an application is 0x40000 (an application of size 0x80000 would need 16
# sub-regions of size 0x10000; sub-regions need to be aligned on their size).
# This padding permits to have the application start at 0x40000 and increase
# the maximum application size to 0x80000 (with 4 sub-regions of size
# 0x40000).
(
# Version: 2
echo -n "0200"
# Header size: 0x10
echo -n "1000"
# Total size: 0x10000
echo -n "00000100"
# Flags: 0
echo -n "00000000"
# Checksum
echo -n "02001100"
) | xxd -p -r > "${tab_folder}/padding.bin"
}
comma_separated () {
# Flatten the array
# This is equivalent to the following python snippet: ' '.join(arr).replace(' ', ',')
local list=$(IFS=$'\n'; echo "$@")
if [ "X${list}" != "X" ]
then
feature_list="${list// /,}"
fi
echo ${list}
}
build_app () {
local feature_list="$(comma_separated "$@")"
cargo build \
--release \
--target=thumbv7em-none-eabi \
--features="${feature_list}"
mkdir -p "target/tab"
cp "target/thumbv7em-none-eabi/release/ctap2" "$elf_file_name"
elf2tab \
"${elf2tab_package_param}" "ctap2" \
-o "${tab_folder}/ctap2.tab" \
"$elf_file_name" \
--stack 16384 \
--app-heap 90000 \
--kernel-heap 1024 \
--protected-region-size=64
}
build_crypto_bench () {
local feature_list="$(comma_separated "$@")"
cargo build \
--release \
--target=thumbv7em-none-eabi \
--features="${feature_list}" \
--example crypto_bench
mkdir -p "target/tab"
cp "target/thumbv7em-none-eabi/release/examples/crypto_bench" "$elf_file_name"
elf2tab \
"${elf2tab_package_param}" "crypto_bench" \
-o "${tab_folder}/crypto_bench.tab" \
"$elf_file_name" \
--stack 16384 \
--app-heap 90000 \
--kernel-heap 1024 \
--protected-region-size=64
}
deploy_tock () {
if [ "x$board" = "x" ];
then
echo "$error_text You must set the board in order to install Tock OS (example: \`board=nrf52840dk $0 os\`)"
display_supported_boards
return 1
fi
if [ "${supported_boards[$board]+x}" = "x" -a -d "third_party/tock/boards/nordic/$board" ]
then
make -C third_party/tock/boards/nordic/$board flash
else
echo "$error_text The board '$board' doesn't seem to be supported"
display_supported_boards
return 1
fi
}
clear_apps=Y
install_os=N
install_app=none
force_generate=N
has_errors=N
if [ "$#" -eq "0" ]
then
print_usage
exit 1
fi
while [ "$#" -ge "1" ]
do
case "$1" in
--dont-clear-apps)
clear_apps=N
;;
--no-u2f)
unset enabled_features["with_ctap1"]
;;
--regen-keys)
force_generate=Y
;;
--panic-console)
enabled_features["panic_console"]="Y"
;;
os)
install_os=Y
;;
app)
install_app=ctap2
;;
app_debug)
install_app=ctap2
enabled_features["debug_ctap"]="Y"
;;
crypto_bench)
install_app=crypto_bench
;;
*)
echo "$error_text Unsupported option: '"$1"'"
has_errors=Y
;;
esac
shift 1
done
if [ "$has_errors" = "Y" ]
then
echo ""
print_usage
exit 1
fi
# Test if we need to update Rust toolchain
# rustc --version outputs a version line such as:
# rustc 1.40.0-nightly (0e8a4b441 2019-10-16)
# The sed regexp turns it into:
# nightly-2019-10-16
current_toolchain=$(rustc --version | sed -e 's/^rustc [0-9]*\.[0-9]*\.[0-9]*-\(nightly\) ([0-9a-f]* \([0-9]*-[0-9]*-[0-9]*\))$/\1-\2/')
target_toolchain=$(head -n 1 rust-toolchain)
if [ "x${current_toolchain}" != "x${target_toolchain}" ]
then
rustup install "${target_toolchain}"
rustup target add thumbv7em-none-eabi
fi
if [ "$install_os" = "Y" ]
then
deploy_tock
fi
# Don't try to uninstall app if we don't plan to install after.
if [ "$install_app" != "none" -a "$clear_apps" = "Y" ]
then
# Uninstall can fail if there's no app already installed.
# This is fine and we don't want that to stop the script
tockloader uninstall "${tockloader_flags[@]}" -a 0x40000 || true
fi
if [ "$install_app" = "ctap2" ]
then
generate_crypto_materials "${force_generate}"
build_app "${!enabled_features[@]}"
fi
if [ "$install_app" = "crypto_bench" ]
then
build_crypto_bench "${!enabled_features[@]}"
fi
if [ "$install_app" != "none" ]
then
build_app_padding
tockloader flash "${tockloader_flags[@]}" -a 0x30000 "${tab_folder}/padding.bin"
tockloader install "${tockloader_flags[@]}" -a 0x40000 "${tab_folder}/${install_app}.tab"
fi

157
docs/install.md
View File

@@ -63,19 +63,21 @@ $ ./setup.sh
[-] Applying patch "02-usb.patch"... DONE. [-] Applying patch "02-usb.patch"... DONE.
[-] Applying patch "03-app-memory.patch"... DONE. [-] Applying patch "03-app-memory.patch"... DONE.
[-] Applying patch "04-rtt.patch"... DONE. [-] Applying patch "04-rtt.patch"... DONE.
[-] Applying patch "01-panic_console.patch"... DONE. [-] Applying patch "01-linked_list_allocator.patch"... DONE.
[-] Applying patch "02-timer.patch"... DONE. [-] Applying patch "02-panic_console.patch"... DONE.
[-] Applying patch "03-public_syscalls.patch"... DONE. [-] Applying patch "03-timer.patch"... DONE.
[-] Applying patch "04-bigger_heap.patch"... DONE. [-] Applying patch "04-public_syscalls.patch"... DONE.
[-] Applying patch "05-bigger_heap.patch"... DONE.
[-] Applying patch "06-no_spin_allocator.patch"... DONE.
Signature ok Signature ok
subject=CN = Google OpenSK CA subject=CN = Google OpenSK CA
Getting Private key Getting Private key
Signature ok Signature ok
subject=CN = Google OpenSK Hacker Edition subject=CN = Google OpenSK Hacker Edition
Getting CA Private Key Getting CA Private Key
info: syncing channel updates for 'nightly-2020-01-16-x86_64-unknown-linux-gnu' info: syncing channel updates for 'nightly-2020-02-03-x86_64-unknown-linux-gnu'
nightly-2020-01-16-x86_64-unknown-linux-gnu unchanged - rustc 1.42.0-nightly (3291ae339 2020-01-15) nightly-2020-02-03-x86_64-unknown-linux-gnu unchanged - rustc 1.42.0-nightly (f43c34a13 2020-02-02)
Requirement already up-to-date: tockloader in /usr/lib/python3/dist-packages/tockloader-1.4.0.dev0-py3.7.egg (1.4.0.dev0) Requirement already up-to-date: tockloader in /usr/lib/python3/dist-packages/tockloader-1.4.0.dev0-py3.7.egg (1.4.0.dev0)
Requirement already satisfied, skipping upgrade: argcomplete>=1.8.2 in /usr/lib/python3/dist-packages (from tockloader) (1.10.0) Requirement already satisfied, skipping upgrade: argcomplete>=1.8.2 in /usr/lib/python3/dist-packages (from tockloader) (1.10.0)
@@ -127,8 +129,9 @@ File | Purpose
If you want to use your own attestation certificate and private key, simply If you want to use your own attestation certificate and private key, simply
replace `opensk_cert.pem` and `opensk.key` files. replace `opensk_cert.pem` and `opensk.key` files.
Our build script is responsible for converting `opensk_cert.pem` and Our build script `build.rs` is responsible for converting `opensk_cert.pem` and
`opensk.key` files into the following Rust file: `src/ctap/key_material.rs`. `opensk.key` files into raw data that is then used by the Rust file:
`src/ctap/key_material.rs`.
### Flashing a firmware ### Flashing a firmware
@@ -138,11 +141,22 @@ Our build script is responsible for converting `opensk_cert.pem` and
1. Connect a micro USB cable to the JTAG USB port. 1. Connect a micro USB cable to the JTAG USB port.
1. Run our script for compiling/flashing your device (_output may differ_): 1. Run our script for compiling/flashing Tock OS on your device (_output may
differ_):
```shell ```shell
$ board=nrf52840dk ./deploy.sh app os $ ./deploy.py os --board=nrf52840_dk
make: Entering directory './third_party/tock/boards/nordic/nrf52840dk' info: Updating rust toolchain to nightly-2020-02-03
info: syncing channel updates for 'nightly-2020-02-03-x86_64-unknown-linux-gnu'
info: checking for self-updates
info: component 'rust-std' for target 'thumbv7em-none-eabi' is up to date
info: Rust toolchain up-to-date
info: Installing Tock on board nrf52840_dk
Compiling tock-registers v0.5.0 (./third_party/tock/libraries/tock-register-interface)
Compiling tock-cells v0.1.0 (./third_party/tock/libraries/tock-cells)
Compiling enum_primitive v0.1.0 (./third_party/tock/libraries/enum_primitive)
Compiling tock_rt0 v0.1.0 (./third_party/tock/libraries/tock-rt0)
Compiling nrf52840dk v0.1.0 (./third_party/tock/boards/nordic/nrf52840dk)
Compiling kernel v0.1.0 (./third_party/tock/kernel) Compiling kernel v0.1.0 (./third_party/tock/kernel)
Compiling cortexm v0.1.0 (./third_party/tock/arch/cortex-m) Compiling cortexm v0.1.0 (./third_party/tock/arch/cortex-m)
Compiling nrf5x v0.1.0 (./third_party/tock/chips/nrf5x) Compiling nrf5x v0.1.0 (./third_party/tock/chips/nrf5x)
@@ -152,31 +166,47 @@ Our build script is responsible for converting `opensk_cert.pem` and
Compiling nrf52840 v0.1.0 (./third_party/tock/chips/nrf52840) Compiling nrf52840 v0.1.0 (./third_party/tock/chips/nrf52840)
Compiling components v0.1.0 (./third_party/tock/boards/components) Compiling components v0.1.0 (./third_party/tock/boards/components)
Compiling nrf52dk_base v0.1.0 (./third_party/tock/boards/nordic/nrf52dk_base) Compiling nrf52dk_base v0.1.0 (./third_party/tock/boards/nordic/nrf52dk_base)
Compiling nrf52840dk v0.1.0 (./third_party/tock/boards/nordic/nrf52840dk) Finished release [optimized + debuginfo] target(s) in 11.97s
Finished release [optimized + debuginfo] target(s) in 11.28s
text data bss dec hex filename
114688 1760 260384 376832 5c000 target/thumbv7em-none-eabi/release/nrf52840dk
tockloader flash --address 0x00000 --jlink --board nrf52dk target/thumbv7em-none-eabi/release/nrf52840dk.bin
[STATUS ] Flashing binar(y|ies) to board... [STATUS ] Flashing binar(y|ies) to board...
[INFO ] Using known arch and jtag-device for known board nrf52dk [INFO ] Using known arch and jtag-device for known board nrf52dk
[INFO ] Finished in 0.324 seconds [INFO ] Finished in 0.284 seconds
```
make: Leaving directory './third_party/tock/boards/nordic/nrf52840dk' 1. Run our script for compiling/flashing the OpenSK application on your device
[STATUS ] Preparing to uninstall apps... (_output may differ_):
[INFO ] Using known arch and jtag-device for known board nrf52dk
[ERROR ] No apps are installed on the board
```shell
$ ./deploy.py app --opensk
info: Updating rust toolchain to nightly-2020-02-03
info: syncing channel updates for 'nightly-2020-02-03-x86_64-unknown-linux-gnu'
info: checking for self-updates
info: component 'rust-std' for target 'thumbv7em-none-eabi' is up to date
info: Rust toolchain up-to-date
info: Erasing all installed applications
All apps have been erased.
info: Building OpenSK application
Compiling autocfg v1.0.0
Compiling pkg-config v0.3.17
Compiling cc v1.0.50
Compiling libc v0.2.66
Compiling bitflags v1.2.1
Compiling foreign-types-shared v0.1.1
Compiling openssl v0.10.28
Compiling cfg-if v0.1.10
Compiling lazy_static v1.4.0
Compiling byteorder v1.3.2
Compiling linked_list_allocator v0.6.6
Compiling arrayref v0.3.6
Compiling cbor v0.1.0 (./libraries/cbor)
Compiling subtle v2.2.2
Compiling foreign-types v0.3.2
Compiling libtock v0.1.0 (./third_party/libtock-rs) Compiling libtock v0.1.0 (./third_party/libtock-rs)
Compiling crypto v0.1.0 (./libraries/crypto) Compiling crypto v0.1.0 (./libraries/crypto)
Compiling openssl-sys v0.9.54
Compiling ctap2 v0.1.0 (.) Compiling ctap2 v0.1.0 (.)
Finished release [optimized] target(s) in 7.60s Finished release [optimized] target(s) in 15.34s
[STATUS ] Flashing binar(y|ies) to board... info: Flashing padding application
[INFO ] Using known arch and jtag-device for known board nrf52dk info: Installing Tock application ctap2
[INFO ] Finished in 0.305 seconds
[STATUS ] Installing app on the board...
[INFO ] Using known arch and jtag-device for known board nrf52dk
[INFO ] Finished in 0.975 seconds
``` ```
1. Connect a micro USB cable to the device USB port. 1. Connect a micro USB cable to the device USB port.
@@ -202,11 +232,22 @@ the board in order to see your OpenSK device on your system.
![Nordic dongle retainer clip](img/dongle_clip.jpg) ![Nordic dongle retainer clip](img/dongle_clip.jpg)
1. Run our script for compiling/flashing your device (_output may differ_): 1. Run our script for compiling/flashing Tock OS on your device (_output may
differ_):
```shell ```shell
$ board=nrf52840_dongle ./deploy.sh app os $ ./deploy.py os --board=nrf52840_dongle
make: Entering directory './third_party/tock/boards/nordic/nrf52840_dongle' info: Updating rust toolchain to nightly-2020-02-03
info: syncing channel updates for 'nightly-2020-02-03-x86_64-unknown-linux-gnu'
info: checking for self-updates
info: component 'rust-std' for target 'thumbv7em-none-eabi' is up to date
info: Rust toolchain up-to-date
info: Installing Tock on board nrf52840_dongle
Compiling tock-cells v0.1.0 (./third_party/tock/libraries/tock-cells)
Compiling tock-registers v0.5.0 (./third_party/tock/libraries/tock-register-interface)
Compiling enum_primitive v0.1.0 (./third_party/tock/libraries/enum_primitive)
Compiling tock_rt0 v0.1.0 (./third_party/tock/libraries/tock-rt0)
Compiling nrf52840_dongle v0.1.0 (./third_party/tock/boards/nordic/nrf52840_dongle)
Compiling kernel v0.1.0 (./third_party/tock/kernel) Compiling kernel v0.1.0 (./third_party/tock/kernel)
Compiling cortexm v0.1.0 (./third_party/tock/arch/cortex-m) Compiling cortexm v0.1.0 (./third_party/tock/arch/cortex-m)
Compiling nrf5x v0.1.0 (./third_party/tock/chips/nrf5x) Compiling nrf5x v0.1.0 (./third_party/tock/chips/nrf5x)
@@ -216,31 +257,47 @@ the board in order to see your OpenSK device on your system.
Compiling nrf52840 v0.1.0 (./third_party/tock/chips/nrf52840) Compiling nrf52840 v0.1.0 (./third_party/tock/chips/nrf52840)
Compiling components v0.1.0 (./third_party/tock/boards/components) Compiling components v0.1.0 (./third_party/tock/boards/components)
Compiling nrf52dk_base v0.1.0 (./third_party/tock/boards/nordic/nrf52dk_base) Compiling nrf52dk_base v0.1.0 (./third_party/tock/boards/nordic/nrf52dk_base)
Compiling nrf52840_dongle v0.1.0 (./third_party/tock/boards/nordic/nrf52840_dongle) Finished release [optimized + debuginfo] target(s) in 11.72s
Finished release [optimized + debuginfo] target(s) in 10.47s
text data bss dec hex filename
110592 1688 252264 364544 59000 target/thumbv7em-none-eabi/release/nrf52840_dongle
tockloader flash --address 0x00000 --jlink --board nrf52dk target/thumbv7em-none-eabi/release/nrf52840_dongle.bin
[STATUS ] Flashing binar(y|ies) to board... [STATUS ] Flashing binar(y|ies) to board...
[INFO ] Using known arch and jtag-device for known board nrf52dk [INFO ] Using known arch and jtag-device for known board nrf52dk
[INFO ] Finished in 0.296 seconds [INFO ] Finished in 0.280 seconds
```
make: Leaving directory './third_party/tock/boards/nordic/nrf52840_dongle' 1. Run our script for compiling/flashing the OpenSK application on your device
[STATUS ] Preparing to uninstall apps... (_output may differ_):
[INFO ] Using known arch and jtag-device for known board nrf52dk
[ERROR ] No apps are installed on the board
```shell
$ ./deploy.py app --opensk
info: Updating rust toolchain to nightly-2020-02-03
info: syncing channel updates for 'nightly-2020-02-03-x86_64-unknown-linux-gnu'
info: checking for self-updates
info: component 'rust-std' for target 'thumbv7em-none-eabi' is up to date
info: Rust toolchain up-to-date
info: Erasing all installed applications
All apps have been erased.
info: Building OpenSK application
Compiling autocfg v1.0.0
Compiling pkg-config v0.3.17
Compiling cc v1.0.50
Compiling libc v0.2.66
Compiling bitflags v1.2.1
Compiling foreign-types-shared v0.1.1
Compiling openssl v0.10.28
Compiling cfg-if v0.1.10
Compiling lazy_static v1.4.0
Compiling byteorder v1.3.2
Compiling linked_list_allocator v0.6.6
Compiling arrayref v0.3.6
Compiling cbor v0.1.0 (./libraries/cbor)
Compiling subtle v2.2.2
Compiling foreign-types v0.3.2
Compiling libtock v0.1.0 (./third_party/libtock-rs) Compiling libtock v0.1.0 (./third_party/libtock-rs)
Compiling crypto v0.1.0 (./libraries/crypto) Compiling crypto v0.1.0 (./libraries/crypto)
Compiling openssl-sys v0.9.54
Compiling ctap2 v0.1.0 (.) Compiling ctap2 v0.1.0 (.)
Finished release [optimized] target(s) in 7.60s Finished release [optimized] target(s) in 15.34s
[STATUS ] Flashing binar(y|ies) to board... info: Flashing padding application
[INFO ] Using known arch and jtag-device for known board nrf52dk info: Installing Tock application ctap2
[INFO ] Finished in 0.317 seconds
[STATUS ] Installing app on the board...
[INFO ] Using known arch and jtag-device for known board nrf52dk
[INFO ] Finished in 0.902 seconds
``` ```
1. Remove the programming cable and the USB-A extension cable. 1. Remove the programming cable and the USB-A extension cable.

8
tools/gen_key_materials.sh Normal file → Executable file
View File

@@ -23,9 +23,6 @@ generate_crypto_materials () {
local opensk_key=crypto_data/opensk.key local opensk_key=crypto_data/opensk.key
local opensk_cert_name=crypto_data/opensk_cert local opensk_cert_name=crypto_data/opensk_cert
# Rust file that we will generate will all cryptographic data.
local rust_file=src/ctap/key_material.rs
# Allow invoker to override the command with a full path. # Allow invoker to override the command with a full path.
local openssl=${OPENSSL:-$(which openssl)} local openssl=${OPENSSL:-$(which openssl)}
@@ -36,6 +33,9 @@ generate_crypto_materials () {
exit 1 exit 1
fi fi
# Exit on first error
set -e
force_generate="$1" force_generate="$1"
mkdir -p crypto_data mkdir -p crypto_data
if [ ! -f "${ca_priv_key}" ] if [ ! -f "${ca_priv_key}" ]
@@ -85,3 +85,5 @@ generate_crypto_materials () {
-sha256 -sha256
fi fi
} }
generate_crypto_materials "$1"