From a1854bb98ae0edea56ee54ee6eea779f6e2e436a Mon Sep 17 00:00:00 2001 From: Jean-Michel Picod Date: Fri, 11 Dec 2020 03:16:17 +0100 Subject: [PATCH] Update documentation --- README.md | 43 +++++++++++++++++++++++++++---------------- docs/install.md | 9 ++++++--- 2 files changed, 33 insertions(+), 19 deletions(-) diff --git a/README.md b/README.md index ccb6fc7..cca4eac 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,5 @@ # OpenSK logo -[![Build Status](https://travis-ci.org/google/OpenSK.svg?branch=master)](https://travis-ci.org/google/OpenSK) ![markdownlint](https://github.com/google/OpenSK/workflows/markdownlint/badge.svg?branch=master) ![pylint](https://github.com/google/OpenSK/workflows/pylint/badge.svg?branch=master) ![Cargo check](https://github.com/google/OpenSK/workflows/Cargo%20check/badge.svg?branch=master) @@ -31,7 +30,8 @@ our implementation was not reviewed nor officially tested and doesn't claim to be FIDO Certified. We started adding features of the upcoming next version of the [CTAP2.1 specifications](https://fidoalliance.org/specs/fido2/fido-client-to-authenticator-protocol-v2.1-rd-20191217.html). -The development is currently between 2.0 and 2.1, with updates hidden behind a feature flag. +The development is currently between 2.0 and 2.1, with updates hidden behind +a feature flag. Please add the flag `--ctap2.1` to the deploy command to include them. ### Cryptography @@ -58,8 +58,8 @@ For a more detailed guide, please refer to our ./setup.sh ``` -2. Next step is to install Tock OS as well as the OpenSK application on your - board (**Warning**: it will erase the locally stored credentials). Run: +1. Next step is to install Tock OS as well as the OpenSK application on your + board. Run: ```shell # Nordic nRF52840-DK board @@ -68,7 +68,17 @@ For a more detailed guide, please refer to our ./deploy.py --board=nrf52840_dongle --opensk ``` -3. On Linux, you may want to avoid the need for `root` privileges to interact +1. Finally you need to inejct the cryptographic material if you enabled + batch attestation or CTAP1/U2F compatibility (which is the case by + default): + + ```shell + ./tools/configure.py \ + --certificate=crypto_data/opensk_cert.pem \ + --private-key=crypto_data/opensk.key + ``` + +1. On Linux, you may want to avoid the need for `root` privileges to interact with the key. For that purpose we provide a udev rule file that can be installed with the following command: @@ -148,7 +158,7 @@ operation. The additional output looks like the following. -``` +```text # Allocation of 256 byte(s), aligned on 1 byte(s). The allocated address is # 0x2002401c. After this operation, 2 pointers have been allocated, totalling # 384 bytes (the total heap usage may be larger, due to alignment and @@ -163,12 +173,12 @@ A tool is provided to analyze such reports, in `tools/heapviz`. This tool parses the console output, identifies the lines corresponding to (de)allocation operations, and first computes some statistics: -- Address range used by the heap over this run of the program, -- Peak heap usage (how many useful bytes are allocated), -- Peak heap consumption (how many bytes are used by the heap, including - unavailable bytes between allocated blocks, due to alignment constraints and - memory fragmentation), -- Fragmentation overhead (difference between heap consumption and usage). +* Address range used by the heap over this run of the program, +* Peak heap usage (how many useful bytes are allocated), +* Peak heap consumption (how many bytes are used by the heap, including + unavailable bytes between allocated blocks, due to alignment constraints and + memory fragmentation), +* Fragmentation overhead (difference between heap consumption and usage). Then, the `heapviz` tool displays an animated "movie" of the allocated bytes in heap memory. Each frame in this "movie" shows bytes that are currently @@ -177,10 +187,11 @@ allocated. A new frame is generated for each (de)allocation operation. This tool uses the `ncurses` library, that you may have to install beforehand. You can control the tool with the following parameters: -- `--logfile` (required) to provide the file which contains the console output - to parse, -- `--fps` (optional) to customize the number of frames per second in the movie - animation. + +* `--logfile` (required) to provide the file which contains the console output + to parse, +* `--fps` (optional) to customize the number of frames per second in the movie + animation. ```shell cargo run --manifest-path tools/heapviz/Cargo.toml -- --logfile console.log --fps 50 diff --git a/docs/install.md b/docs/install.md index cf355fa..61866ff 100644 --- a/docs/install.md +++ b/docs/install.md @@ -125,6 +125,7 @@ This is the expected content after running our `setup.sh` script: File | Purpose ----------------- | -------------------------------------------------------- +`aaguid.txt` | Text file containaing the AAGUID value `opensk_ca.csr` | Certificate sign request for the Root CA `opensk_ca.key` | ECC secp256r1 private key used for the Root CA `opensk_ca.pem` | PEM encoded certificate of the Root CA @@ -136,9 +137,11 @@ File | Purpose If you want to use your own attestation certificate and private key, simply replace `opensk_cert.pem` and `opensk.key` files. -Our build script `build.rs` is responsible for converting `opensk_cert.pem` and -`opensk.key` files into raw data that is then used by the Rust file: -`src/ctap/key_material.rs`. +Our build script `build.rs` is responsible for converting `aaguid.txt` file +into raw data that is then used by the Rust file `src/ctap/key_material.rs`. + +Our configuration script `tools/configure.py` is responsible for configuring +an OpenSK device with the correct certificate and private key. ### Flashing a firmware