
gateway-mfr-rs's Introduction


gateway-mfr-rs

The gateway_mfr application provisions a security part (like the ECC508/ECC608) for use as part of a Helium hotspot, and provides utilities for testing and benchmarking the addressed part.

In the ECC case, it does provisioning by configuring and locking the ECC configuration fields and then generating the miner key in the slot identified in the device URL (default slot 0).

Other security parts may be provisioned in different ways or may have been locked down before hotspot integration.

The public part of the miner key needs to be captured from the output of this application and supplied as part of the data required to get into the Helium Onboarding Server if gateway add and assert location transactions are to be paid for on behalf of the user.

This application should be used as part of a manufacturing image that does NOT include the Helium miner software and is solely used for testing and provisioning the built hotspot before setting up the production miner image.

Addressing

The security device to provision or test is addressed using a --device option. In the ECC case, for example, this URL could be ecc://i2c-1:96?slot=0 to address the /dev/i2c-1 Linux device, using the bus address 96 and slot 0 on the ECC device. This is also the default URL for the application; the option must be provided for ECC parts with a different bus address or slot.

If you are passing an additional command, such as those described in the usage section below, that command needs to come after the device address. For example:

gateway_mfr --device ecc://i2c-1:96?slot=0 key

Each security part will have its own URL scheme and host/path arguments to address the specific system and entry used for key material and provisioning.

Usage

  1. The application can be obtained in two ways:

    • Download a pre-built binary from the releases page. Note that the unknown target systems are all ecc608 based targets. To find the right target binary for a given platform, look at the supported targets for the maker name and associated target.

    • Build the application. This will involve installing Rust on the host system and cross compiling for running the application on the target hardware. Install cross to make cross compiling to targets easier. Also install cargo-make to set up for packaging and specific profile support.

      For example, to compile for the Raspberry Pi's aarch64 architecture:

      cargo make --profile aarch64-unknown-linux-musl --release

      The resulting cross compiled binary will be located in ./target/aarch64-unknown-linux-musl/release/gateway_mfr

      NOTE: For some profiles the resulting target will not be in the profile name but under the target system triplet that was used to build the target. For example, the x86_64-tpm-debian-gnu profile uses the x86_64-unknown-linux-gnu target but a custom Docker file to build using Debian since that is where tpm is supported.

  2. As part of the provisioning/QA steps start and provision the security part:

    gateway_mfr provision

    This will configure the security part, generate the miner key and output it to stdout. Capture this output and collect it and other required information for use by the Onboarding Server.

    If you need to extract the onboarding/miner key at a later stage you can run:

    gateway_mfr key

    NOTE: Do not include this application in the final image as it is not used as part of normal hotspot operations.

  3. To verify that the security part is configured correctly you can run a final test cycle as part of the QA steps:

    gateway_mfr test

    This will output a JSON table with all executed tests for the security part and their results. This includes a top level result key with pass or fail as the value.

    Tests are specific to each security part and are intended to test that the security part is locked, and that signing and ECDH operations function.

  4. To benchmark a security part as part of integration:

    gateway_mfr bench

    This will run a number of signing iterations (default 100) and report the average signing time and the number of signing operations per second.

    Helium Hotspots using a full miner will need 6-7 or better signing operations per second while light/dataonly hotspots should be able to operate with around 3-5 operations per second (this number needs to be confirmed).

The security part is now configured for production use. The production image, including the Helium miner, can be installed and started. If configured correctly, the miner software will use the configured key in slot 0 as the miner key and use the security part for secured transaction signing.
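
The JSON report from gateway_mfr test in step 3 can be checked by a script on the QA station so that a unit is only released on an explicit pass. The following is an added example, not part of gateway-mfr-rs: the two report layouts it accepts are assumed from the reports pasted in the issues further down this page, and the name qa_gate and the sample reports are constructed for illustration.

```python
import json

# Constructed samples, trimmed from the two report layouts pasted in the issues on this page.
KEYED_REPORT = r"""{
  "result": "fail",
  "tests": {
    "key_config(0)": {
      "checks": {
        "key_type": "ecc",
        "lockable": {"expected": "false", "found": "true"},
        "req_random": {"expected": "true", "found": "false"}
      },
      "result": "fail"
    },
    "miner_key(0)": {
      "error": "decode error\n\nCaused by:\n    not a compact key",
      "result": "fail"
    },
    "zone_locked(config)": {"checks": "ok", "result": "pass"}
  }
}"""
LIST_REPORT = r"""{
  "result": "fail",
  "tests": [
    {"output": "ok", "result": "pass", "test": "serial"},
    {"output": "decode error\n\nCaused by:\n    not a compact key",
     "result": "fail", "test": "miner_key(0)"}
  ]
}"""

def _mismatches(checks):
    """Yield 'field: expected X, found Y' for each expected/found pair in a checks object."""
    if not isinstance(checks, dict):
        return
    for name, value in checks.items():
        if isinstance(value, dict) and {"expected", "found"} <= value.keys():
            yield f"{name}: expected {value['expected']}, found {value['found']}"

def qa_gate(report_text):
    """Return (accept, failures) for one unit; failures is a list of (test, reason)."""
    report = json.loads(report_text)
    tests = report.get("tests") or {}
    # Normalise the keyed layout and the list layout to (name, entry) pairs.
    if isinstance(tests, dict):
        entries = list(tests.items())
    else:
        entries = [(t.get("test", "?"), t) for t in tests]
    failures = []
    for name, entry in entries:
        if entry.get("result") == "pass":
            continue
        reason = "; ".join(_mismatches(entry.get("checks")))
        reason = reason or entry.get("error") or entry.get("output") or "no detail"
        failures.append((name, " ".join(str(reason).split())))
    # Fail closed: accept only an explicit top-level pass with at least one
    # test entry and no failing entry; a missing key or empty report rejects.
    accept = report.get("result") == "pass" and bool(entries) and not failures
    return accept, failures

if __name__ == "__main__":
    for sample in (KEYED_REPORT, LIST_REPORT):
        print(qa_gate(sample))
```

The gate does not rely on the top level result key alone, so a truncated or empty report is rejected rather than passed.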

The full suite of options can be found by running the help command:

gateway_mfr help

This will give you an output like the following where you can find all of the options listed:

gateway_mfr 0.3.2
Gateway Manufacturing 

USAGE:
    gateway_mfr [OPTIONS] <SUBCOMMAND>

FLAGS:
    -h, --help       Prints help information
    -V, --version    Prints version information

OPTIONS:
        --device <device>    The security device to use [default: ecc://i2c-1]

SUBCOMMANDS:
    bench        Run a benchmark test
    config       Gets the zone, slot or key config for a given ecc slot
    help         Prints this message or the help of the given subcommand(s)
    info         Get ecc chip information
    key          Prints public key information for a given slot
    provision    Configures the ECC for gateway/miner use. This includes configuring slot and key configs for the
                 given slot, locking the data and config zone and generating an ecc compact key in the configured
                 slot
    test         Read the slot configuration for a given slot


gateway-mfr-rs's Issues

gateway_mfr can't run in a mipsel platform

Hi,
I built the gateway_mfr with "cross build --target mipsel-unknown-linux-musl --release", but it cannot run on MT688 (when I run ./gateway_mfr, it shows "-ash: ./gateway_mfr: not found"). But when I build the gateway_rs with the same steps, it works.

Getting error "timeout waiting for bus free"

Hi,
When I'm trying to run the gateway_mfr application, I keep getting the following error:
[ 80.877565] i2c i2c-0: i2c_pxa: timeout waiting for bus free
[ 81.261564] i2c i2c-0: i2c_pxa: timeout waiting for bus free
Although I see the ECC608 device using i2cdetect and pointing the app to the right bus using:
./gateway_mfr --device ecc://i2c-0:60?slot=0 info

get error msg 'not a compact key'

Hi
I am testing the prebuilt binary, and get some errors. Could you help to solve this?

linaro@linaro-alip:/userdata$ wget 'https://github.com/helium/gateway-mfr-rs/releases/download/v0.2.1/gateway-mfr-v0.2.1-aarch64-unknown-linux-gnu.tar.gz'
linaro@linaro-alip:/userdata$ tar xzvf gateway-mfr-v0.2.1-aarch64-unknown-linux-gnu.tar.gz 
gateway_mfr
linaro@linaro-alip:/userdata$ sudo ./gateway_mfr --device ecc://i2c-1:54?slot=0 info
{
  "info": "00006003",
  "serial": "0123c7062b1ab5db01"
}
linaro@linaro-alip:/userdata$ sudo ./gateway_mfr --device ecc://i2c-1:54?slot=0 config
{
  "key_config": {
    "auth_key": 0,
    "intrusion_disable": false,
    "x509_index": 0,
    "private": true,
    "pub_info": true,
    "key_type": "ecc",
    "lockable": false,
    "req_random": true,
    "req_auth": false
  },
  "slot_config": {
    "secret": true,
    "encrypt_read": false,
    "limited_use": false,
    "no_mac": false,
    "read_key": {
      "external_signatures": true,
      "internal_signatures": false,
      "ecdh_operation": true,
      "ecdh_write_slot": false
    },
    "write_config": 0,
    "write_key": 0
  },
  "zones": [
    {
      "zone": "config",
      "locked": true
    },
    {
      "zone": "data",
      "locked": true
    }
  ]
}
linaro@linaro-alip:/userdata$ sudo ./gateway_mfr --device ecc://i2c-1:54?slot=0 key
Error: decode error

Caused by:
    not a compact key
linaro@linaro-alip:/userdata$ sudo ./gateway_mfr --device ecc://i2c-1:54?slot=0 test
{
  "result": "fail",
  "tests": {
    "ecdh(0)": {
      "error": "decode error\n\nCaused by:\n    not a compact key",
      "result": "fail"
    },
    "key_config(0)": {
      "checks": {
        "auth_key": "0",
        "intrusion_disable": "false",
        "key_type": "ecc",
        "lockable": {
          "expected": "false",
          "found": "true"
        },
        "private": "true",
        "pub_info": "true",
        "req_auth": "false",
        "req_random": {
          "expected": "true",
          "found": "false"
        },
        "x509_index": "0"
      },
      "result": "fail"
    },
    "miner_key(0)": {
      "error": "decode error\n\nCaused by:\n    not a compact key",
      "result": "fail"
    },
    "sign(0)": {
      "error": "decode error\n\nCaused by:\n    not a compact key",
      "result": "fail"
    },
    "slot_config(0)": {
      "checks": {
        "ecdh_operation": "true",
        "encrypt_read": "false",
        "external_signatures": "true",
        "internal_signatures": {
          "expected": "false",
          "found": "true"
        },
        "limited_use": "false",
        "secret": "true"
      },
      "result": "fail"
    },
    "zone_locked(config)": {
      "checks": "ok",
      "result": "pass"
    },
    "zone_locked(data)": {
      "checks": "ok",
      "result": "pass"
    }
  }
}
linaro@linaro-alip:/userdata$ sudo ./gateway_mfr --device ecc://i2c-1:54?slot=0 provision
Error: ecc error ExecError
linaro@linaro-alip:/userdata$ sudo ./gateway_mfr --device ecc://i2c-1:54?slot=0 bench
Error: decode error

Caused by:
    not a compact key


linaro@linaro-alip:/userdata$ uname -a
Linux linaro-alip 4.19.232 #8 SMP Sat Jun 4 13:16:11 CST 2022 aarch64 GNU/Linux
linaro@linaro-alip:/userdata$ ldd gateway_mfr 
        linux-vdso.so.1 (0x0000007f9fe45000)
        libgcc_s.so.1 => /lib/aarch64-linux-gnu/libgcc_s.so.1 (0x0000007f9fcb1000)
        librt.so.1 => /lib/aarch64-linux-gnu/librt.so.1 (0x0000007f9fc99000)
        libpthread.so.0 => /lib/aarch64-linux-gnu/libpthread.so.0 (0x0000007f9fc6a000)
        libdl.so.2 => /lib/aarch64-linux-gnu/libdl.so.2 (0x0000007f9fc56000)
        libc.so.6 => /lib/aarch64-linux-gnu/libc.so.6 (0x0000007f9fae4000)
        /lib/ld-linux-aarch64.so.1 (0x0000007f9fe17000)
linaro@linaro-alip:/userdata$ dpkg -S /lib/aarch64-linux-gnu/libc.so.6
libc6:arm64: /lib/aarch64-linux-gnu/libc.so.6
linaro@linaro-alip:/userdata$ lsb_release -a
No LSB modules are available.
Distributor ID: Debian
Description:    Debian GNU/Linux 10 (buster)
Release:        10
Codename:       buster

miner_key test fails

I was trying to use gateway-mfr-rs to verify proper ECC608 configuration. However, it's returning a fail where gateway_mfr provided a pass.

The gateway_mfr(-erl) output is:

pi@raspberrypi:~ $ docker exec provision gateway_mfr ecc test
+--------------------+------+
|        name        |result|
+--------------------+------+
|     serial_num     |  ok  |
|{zone_locked,config}|  ok  |
| {zone_locked,data} |  ok  |
|    slot_config     |  ok  |
|     key_config     |  ok  |
|     miner_key      |  ok  |
+--------------------+------+

I try to run gateway-mfr-rs:

pi@raspberrypi:~ $ ./gateway_mfr test
{
  "result": "fail",
  "tests": [
    {
      "output": "ok",
      "result": "pass",
      "test": "serial"
    },
    {
      "output": "ok",
      "result": "pass",
      "test": "zone_locked(data)"
    },
    {
      "output": "ok",
      "result": "pass",
      "test": "zone_locked(config)"
    },
    {
      "output": "ok",
      "result": "pass",
      "test": "slot_config(0..=15, ecc)"
    },
    {
      "output": "ok",
      "result": "pass",
      "test": "key_config(0..=15, ecc)"
    },
    {
      "output": "decode error\n\nCaused by:\n    not a compact key",
      "result": "fail",
      "test": "miner_key(0)"
    }
  ]
}

So it seems like the last test on the miner_key is perhaps wrong?

invalid value

I tried the command gateway_mfr --device "ecc://i2c-5:96?slot=0" test, but it fails as follows:
error: invalid value 'ecc://i2c-5:96?slot=0' for '--device ': invalid device url "ecc://i2c-5:96?slot=0"
I have verified that the i2c bus, address and slot are OK, but why does the output fail?

Data reception from atecc608 implementation

Reading atecc information with this tool ends with timeout and I'm not sure it's correctly implementing the accesses on the chip regarding read direction at least.

N.B.: I'm using the atecc608a instead of the atecc608b, I'm not sure it should change something.
However, my first question would be has it been tested yet on atecc608b or is it still under development for the following aspects?

After some investigation, it appears Microchip's crypto lib and this tool don't work the same way (my observations with "get info" feature).

Cryptoauthlib (custom code following lib samples)

  • wake up with low pulse for >50us on SDA
  • tx get info command: 0x60W, 0x03, 0x07, 0x30, 0x00, 0x00, 0x00, 0x03, 0x5D
  • wait command timing
  • tx reset address counter: 0x60W, 0x00
  • rx polling, receive 0x60R, 0x07 + NAK (not ready)
  • rx polling, receive the result, info : 0x60R, 0x00, 0x00, 0x60, 0x02, 0x80, 0x38
    --> I receive 0x00, 0x00, 0x60, 0x02 for the info which is correct for a atecc608a.

gateway-mfr-rs (info command)

  • wake up with 0x00 data sent on the bus
  • tx get info command: 0x60W, 0x03, 0x07, 0x30, 0x00, 0x00, 0x00, 0x03, 0x5D
  • wait command timing
  • rx receive the result 0x60R, 0x07 and get stuck here with SCL which continues for a byte and SDA which gets low.
    --> timeout on the bus, retry for 10 times and error

I tried to change timing and give more time to the atecc but it doesn't seem related to that.
The cryptoauthlib implements polling while this tool doesn't, but my impression is rather that there is some inconsistent state inside the atecc without the reset address counter command before reading.

While it's maybe due to the atecc608a usage, I'm just pointing this out because it doesn't follow the Microchip code, calib_execute_command for example and could probably cause some other issues or instabilities.

Also, I can't find a clear explanation in the atecc's datasheet which would define one solution or the other to be the right one.

Any feedback on that would be appreciated.

gateway_mfr can't run in a mipsel platform

Hi,
Sorry to bring this issue up again (#7).
My platform is [ramips_24kec] (MT7628 is its SoC, sorry for confusing you before).
The error is the same as #7, it just cannot run but gateway-rs can.

The problem was solved after I added the static link flag in .cargo/config as below:
[target.mipsel-unknown-linux-musl]
rustflags = ["-C", "target-feature=+crt-static"]

Sorry, I am a newbie to Rust, not sure if this is the correct solution.

key programmed with gateway-mfr-rs showing error with gateway-mfr-rs and gateway_mfr

We have some devices which were previously successfully programmed with keys:

11G2gWc9ejatoMqJWgLJDRnbtCiG6GQTc8SagAJAhePWCGVnwna
112JUc61GKvnV3m6oRAVJJhafZp9e5hxgMgh9dt3Kn18qnH18hZy

However, they now have stopped working, and both gateway-mfr-rs and gateway_mfr show errors with them not being compact keys (before the customer has been able to onboard them)...

root@f2bb3b2936d7:/opt/python-dependencies/hm_pyhelper# ./gateway_mfr key 0
Error: decode error

Caused by:
    not a compact key
root@f2bb3b2936d7:/opt/python-dependencies/hm_pyhelper# ./gateway_mfr config key 0
{
  "key_config": {
    "auth_key": 0,
    "intrusion_disable": false,
    "key_type": "ecc",
    "lockable": true,
    "private": true,
    "pub_info": true,
    "req_auth": false,
    "req_random": false,
    "x509_index": 0
  },
  "slot": 0
}
root@f2bb3b2936d7:/opt/python-dependencies/hm_pyhelper# ./gateway_mfr info
{
  "info": "00006003",
  "serial": "012373fa15535bc4ee"
}
root@f2bb3b2936d7:/opt/python-dependencies/hm_pyhelper# ./gateway_mfr test
{
  "result": "fail",
  "tests": [
    {
      "output": "ok",
      "result": "pass",
      "test": "serial"
    },
    {
      "output": "ok",
      "result": "pass",
      "test": "zone_locked(data)"
    },
    {
      "output": "ok",
      "result": "pass",
      "test": "zone_locked(config)"
    },
    {
      "output": "ok",
      "result": "pass",
      "test": "slot_config(0..=15, ecc)"
    },
    {
      "output": "ok",
      "result": "pass",
      "test": "key_config(0..=15, ecc)"
    },
    {
      "output": "decode error\n\nCaused by:\n    not a compact key",
      "result": "fail",
      "test": "miner_key(0)"
    },
    {
      "output": "decode error\n\nCaused by:\n    not a compact key",
      "result": "fail",
      "test": "sign(0)"
    },
    {
      "output": "decode error\n\nCaused by:\n    not a compact key",
      "result": "fail",
      "test": "ecdh(0)"
    }
  ]
}
root@18e6619:/opt/gateway_mfr# /opt/gateway_mfr/bin/gateway_mfr ecc test
+--------------------+-------------------+
|        name        |      result       |
+--------------------+-------------------+
|     serial_num     |        ok         |
|{zone_locked,config}|        ok         |
| {zone_locked,data} |        ok         |
|    slot_config     |        ok         |
|     key_config     |        ok         |
|     miner_key      |{error,not_compact}|
+--------------------+-------------------+

Any idea on how to fix this?

failed to get `p256`

Hi Sir,

I got below p256 error. Do you have any idea to fix it?

Command: cross build --target armv5te-unknown-linux-gnueabi --release
Updating git repository https://github.com/helium/elliptic-curves
error: failed to get p256 as a dependency of package helium-crypto v0.1.0 (https://github.com/helium/helium-crypto-rs?tag=v0.1.0#22bb781a)
... which is depended on by gateway-mfr v0.1.2-dev (/project)

Caused by:
failed to load source for dependency p256

Caused by:
Unable to update https://github.com/helium/elliptic-curves?branch=madninja/compact_point_impl#c7fe19ba

Caused by:
object not found - no match for id (c7fe19baf31e6d26aa6d56f89f5f00899bb996c7); class=Odb (9); code=NotFound (-3)
