SecurityAgent and Thunder Security Integration in RPI
Refer to the Thunder Security page for the basics of the ThunderSecurity module and the SecurityAgent plugin, including their purpose and functionality. This page covers the integration and validation of these modules in the RPI CMF stack.
Code change to enable SecurityAgent plugin.
meta-layer path:
meta-cmf-raspberrypi/meta-rdk-video/recipes-extended/rdkservices/rdkservices_git.bbappend
diff –git a/recipes-extended/rdkservices/rdkservices_git.bbappend b/recipes-extended/rdkservices/rdkservices_git.bbappend
index 1ff7634..33a8145 100644
— a/recipes-extended/rdkservices/rdkservices_git.bbappend
+++ b/recipes-extended/rdkservices/rdkservices_git.bbappend
@@ -20,7 +20,7 @@ CXXFLAGS += “-DENABLE_THERMAL_PROTECTION”
CXXFLAGS += “-DPLATFORM_BROADCOM_REF”
PACKAGECONFIG_remove = “controlservice hdmicec remoteactionmapping
– securityagent opencdmi datacapture”
+ opencdmi datacapture”
# displayinfo is temporarily not supported for RPi until fixes are being in main branch
PACKAGECONFIG_remove = “displayinfo”
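Review bot: The PACKAGECONFIG_remove change drops securityagent from the remove list with no comment, while the displayinfo removal just below it carries one. Add a comment above the assignment stating that SecurityAgent is now built for RPi and that it goes together with the thunder_security_disable change in conf/distro/include/rdk-rpi.inc, so a later edit to this list does not silently take the plugin out again.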
Code changes to enable Thunder Security.
Meta layer path:
meta-cmf-raspberrypi/conf/distro/include/rdk-rpi.inc
Corresponding patch file.
Patch :
diff –git a/conf/distro/include/rdk-rpi.inc b/conf/distro/include/rdk-rpi.inc
index ba9aeda..024c3a5 100644
— a/conf/distro/include/rdk-rpi.inc
+++ b/conf/distro/include/rdk-rpi.inc
@@ -23,6 +23,8 @@ DISTRO_FEATURES_append = ” ctrlm_voice_sdk”
# Disable Thunder Security
DISTRO_FEATURES_append = ” thunder_security_disable”
+# Enables Thunder Security
+DISTRO_FEATURES_remove = ” thunder_security_disable”
DISTRO_FEATURES_append = ” enable_icrypto_openssl”
DISTRO_FEATURES_remove = “netflix_cryptanium”
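Review bot: The added DISTRO_FEATURES_remove sits directly under the existing "# Disable Thunder Security" comment and the DISTRO_FEATURES_append = " thunder_security_disable" line, both of which are left in place, so the file now appends the feature and removes it two lines later. This works because BitBake applies _remove after _append, but it reads as contradictory; delete the append line and its comment instead, or say in the new comment why both are kept.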
RFC Support.
Thunder Security can be enabled/disabled using RFC Device.DeviceInfo.X_RDKCENTRAL-COM_RFC.Feature.ThunderSecurity.Enable.
Set ThunderSecurity to true with the command below.
tr181 -s -t boolean -v true Device.DeviceInfo.X_RDKCENTRAL-COM_RFC.Feature.ThunderSecurity.Enable
Read back the value that was set with the command below.
tr181 Device.DeviceInfo.X_RDKCENTRAL-COM_RFC.Feature.ThunderSecurity.Enable
Note: RPI needs to be rebooted after changing the RFC value.
Ex:
In the WPEFramework logs we can see "Security ENABLED, incoming requests need to be authorized!!!" and ThunderSecurity value = true.
The security token can be obtained by running the WPEFrameworkSecurityUtility binary.
root@raspberrypi-rdk-mc:/usr/bin# ./WPEFrameworkSecurityUtility
{"token":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.aHR0cDovL2xvY2FsaG9zdA.aFpBz8A603aUJsQmITpNY64eqCcFZu08Sk0GUqz5voo","success":true}
Ex:
To validate the token through the SecurityAgent plugin, pass the security token in a curl command as below.
curl command:
curl -H "Content-Type: application/json" -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.aHR0cDovL2xvY2FsaG9zdA.aFpBz8A603aUJsQmITpNY64eqCcFZu08Sk0GUqz5voo" -X POST -d '{"jsonrpc": "2.0","id": 1234567890,"method": "SecurityAgent.1.validate","params": {"token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.aHR0cDovL2xvY2FsaG9zdA.aFpBz8A603aUJsQmITpNY64eqCcFZu08Sk0GUqz5voo"}}' http://127.0.0.1:9998/jsonrpc
Response:
{"jsonrpc":"2.0","id":1234567890,"result":{"valid":true}}
Ex:
Here the security token in the request parameters was manually changed to a wrong value; the expected result is false.
curl command:
root@raspberrypi-rdk-mc:~# curl -H "Content-Type: application/json" -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.aHR0cDovL2xvY2FsaG9zdA.aFpBz8A603aUJsQmITpNY64eqCcFZu08Sk0GUqz5voo" -X POST -d '{"jsonrpc": "2.0","id": 1234567890,"method": "SecurityAgent.1.validate","params": {"token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.aHR0cDovL2xvY2FsaG9zdA.aFpBz8A603aUJsQmITpNY64eqCcFZu08Sk0GUqz5voK"}}' http://127.0.0.1:9998/jsonrpc
Response:
{"jsonrpc":"2.0","id":1234567890,"result":{"valid":false}}
setCurrentResolution with Security token.
Curl command:
curl -H "Content-Type: application/json" -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.aHR0cDovL2xvY2FsaG9zdA.aFpBz8A603aUJsQmITpNY64eqCcFZu08Sk0GUqz5voo" -X POST -d '{"jsonrpc": "2.0","id": 42,"method": "org.rdk.DisplaySettings.1.setCurrentResolution","params": {"videoDisplay": "HDMI0","resolution": "1080p","persist": true}}' http://127.0.0.1:9998/jsonrpc
Response:
{"jsonrpc":"2.0","id":42,"result":{"success":true}}
Ex:
Here the security token in the Authorization header was manually changed to a wrong value; the expected result is "Request needs authorization. Missing or invalid token."
Curl command:
curl -H "Content-Type: application/json" -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.aHR0cDovL2xvY2FsaG9zdA.aFpBz8A603aUJsQmITpNY64eqCcFZu08Sk0GUqz5" -X POST -d '{"jsonrpc": "2.0","id": 42,"method": "org.rdk.DisplaySettings.1.setCurrentResolution","params": {"videoDisplay": "HDMI0","resolution": "1080p","persist": true}}' http://127.0.0.1:9998/jsonrpc
Response:
{"jsonrpc":"2.0","id":42,"error":{"code":-32604,"message":"Request needs authorization. Missing or invalid token."}}
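The tokens used in the examples above are compact JWTs. The following Python code is an added example, not part of the original page or of the RDK code: it decodes the three token variants from this page without verifying them, showing that the tampered and truncated tokens differ from the issued one only in the signature segment, and it classifies the JSON-RPC replies shown above. The function names inspect_token and classify_response are hypothetical.

```python
import base64
import json

# Token values copied from the WPEFrameworkSecurityUtility output and curl examples on this page.
HEAD_PAYLOAD = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.aHR0cDovL2xvY2FsaG9zdA."
ISSUED = HEAD_PAYLOAD + "aFpBz8A603aUJsQmITpNY64eqCcFZu08Sk0GUqz5voo"
TAMPERED = HEAD_PAYLOAD + "aFpBz8A603aUJsQmITpNY64eqCcFZu08Sk0GUqz5voK"
TRUNCATED = HEAD_PAYLOAD + "aFpBz8A603aUJsQmITpNY64eqCcFZu08Sk0GUqz5"


def b64url_decode(segment: str) -> bytes:
    """Decode an unpadded base64url segment (the JWT encoding)."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def inspect_token(token: str) -> dict:
    """Split a compact JWT and decode each part; no signature check is done."""
    header_b64, payload_b64, signature_b64 = token.split(".")
    return {
        "header": json.loads(b64url_decode(header_b64)),
        "payload": b64url_decode(payload_b64).decode("utf-8"),
        "signature": b64url_decode(signature_b64),
    }


def classify_response(body: str) -> str:
    """Map a Thunder JSON-RPC reply onto the outcomes shown on this page."""
    reply = json.loads(body)
    if "error" in reply:
        # -32604 is the code returned with "Request needs authorization."
        return "rejected" if reply["error"].get("code") == -32604 else "error"
    result = reply.get("result", {})
    if "valid" in result:
        return "token-valid" if result["valid"] else "token-invalid"
    return "authorized" if result.get("success") else "failed"


if __name__ == "__main__":
    for name, token in (("issued", ISSUED), ("tampered", TAMPERED),
                        ("truncated", TRUNCATED)):
        info = inspect_token(token)
        print(name, info["header"], info["payload"],
              len(info["signature"]), "signature bytes")
```

The issued token carries an HS256 header, the payload http://localhost and a 32-byte signature; the tampered token changes only the last signature byte and the truncated one leaves 30 signature bytes, which matches the valid:false and -32604 results above.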
Check-in list of Security Agent and Thunder Security Integration in RPI
No. | Topic | Repo | Checkin | Remarks | CL status |
---|---|---|---|---|---|
1 | Enable SecurityAgent | meta-cmf-raspberrypi | https://code.rdkcentral.com/r/c/rdk/components/generic/rdk-oe/meta-cmf-raspberrypi/+/78717 | PACKAGECONFIG_remove = "controlservice hdmicec remoteactionmapping | Active |
2 | ResidentApp changes | appmanager | | ResidentApp changes to handle JSON RPC calls to rdkservices using authorization token if the ThunderSecurity RFC is enabled | Already merged |
3 | Enable thunder security | meta-cmf-raspberrypi | https://code.rdkcentral.com/r/c/rdk/components/generic/rdk-oe/meta-cmf-raspberrypi/+/78717 | DISTRO_FEATURES_remove = " thunder_security_disable" | Active |
4 | Add ResidentApp url to thunder_acl file | meta-cmf-video | | Add apps.rdkcentral.com to /etc/thunder_acl.json | Already merged |