SecurityAgent and Thunder Security Integration in RPI

Created on June 21, 2022

Refer to the Thunder Security page for the basics of the ThunderSecurity module and the SecurityAgent plugin, their purpose and functionality. This page covers the integration and validation of these modules in the RPI CMF stack.


Code change to enable SecurityAgent plugin.

meta-layer path:
meta-cmf-raspberrypi/meta-rdk-video/recipes-extended/rdkservices/rdkservices_git.bbappend

diff –git a/recipes-extended/rdkservices/rdkservices_git.bbappend b/recipes-extended/rdkservices/rdkservices_git.bbappend
index 1ff7634..33a8145 100644
— a/recipes-extended/rdkservices/rdkservices_git.bbappend
+++ b/recipes-extended/rdkservices/rdkservices_git.bbappend
@@ -20,7 +20,7 @@ CXXFLAGS += “-DENABLE_THERMAL_PROTECTION”
 CXXFLAGS += “-DPLATFORM_BROADCOM_REF”

 PACKAGECONFIG_remove = “controlservice hdmicec remoteactionmapping
–                        securityagent opencdmi datacapture”
+                        opencdmi datacapture”
 # displayinfo is temporarily not supported for RPi until fixes are being in main branch
 PACKAGECONFIG_remove = “displayinfo”
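Review bot: The changed continuation line drops securityagent from PACKAGECONFIG_remove without any comment, while the displayinfo removal just below it documents its reason. Add a one-line comment stating that SecurityAgent is now built for RPi, and consider making it conditional on the Thunder Security distro feature so the plugin is not packaged on builds that still carry thunder_security_disable.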


Code changes to enable thundersecurity.
Meta layer path:

meta-cmf-raspberrypi/conf/distro/include/rdk-rpi.inc

Corresponding patch:

diff –git a/conf/distro/include/rdk-rpi.inc b/conf/distro/include/rdk-rpi.inc
index ba9aeda..024c3a5 100644
— a/conf/distro/include/rdk-rpi.inc
+++ b/conf/distro/include/rdk-rpi.inc
@@ -23,6 +23,8 @@ DISTRO_FEATURES_append = ” ctrlm_voice_sdk”

 # Disable Thunder Security
 DISTRO_FEATURES_append = ” thunder_security_disable”
+# Enables Thunder Security
+DISTRO_FEATURES_remove = ” thunder_security_disable”

 DISTRO_FEATURES_append = ” enable_icrypto_openssl”
 DISTRO_FEATURES_remove = “netflix_cryptanium”
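Review bot: The added DISTRO_FEATURES_remove line sits directly under the unchanged DISTRO_FEATURES_append of the same thunder_security_disable value and its "# Disable Thunder Security" comment, so the file now both appends and removes one feature. BitBake applies _remove after _append, so the feature does end up dropped, but the pair reads as a contradiction and a _remove cannot be undone by a later append in another layer or in local.conf. Delete the append line and its comment instead of adding the remove.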


RFC Support.
Thunder Security can be enabled or disabled using the RFC parameter Device.DeviceInfo.X_RDKCENTRAL-COM_RFC.Feature.ThunderSecurity.Enable.

Set ThunderSecurity to true with the command below.
tr181 -s -t boolean -v true Device.DeviceInfo.X_RDKCENTRAL-COM_RFC.Feature.ThunderSecurity.Enable
Read back the value that was set with the command below.
tr181 Device.DeviceInfo.X_RDKCENTRAL-COM_RFC.Feature.ThunderSecurity.Enable

Note: RPI needs to be rebooted after changing the RFC value.

The WPEFramework logs show "Security ENABLED, incoming requests need to be authorized!!!" and ThunderSecurity value = true.

The security token can be obtained by running the WPEFrameworkSecurityUtility binary.

root@raspberrypi-rdk-mc:/usr/bin# ./WPEFrameworkSecurityUtility
{"token":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.aHR0cDovL2xvY2FsaG9zdA.aFpBz8A603aUJsQmITpNY64eqCcFZu08Sk0GUqz5voo","success":true}

To validate the SecurityAgent plugin, pass the security token in a curl command as shown below.

Curl command:
curl -H "Content-Type: application/json" -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.aHR0cDovL2xvY2FsaG9zdA.aFpBz8A603aUJsQmITpNY64eqCcFZu08Sk0GUqz5voo" -X POST -d '{"jsonrpc": "2.0","id": 1234567890,"method": "SecurityAgent.1.validate","params": {"token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.aHR0cDovL2xvY2FsaG9zdA.aFpBz8A603aUJsQmITpNY64eqCcFZu08Sk0GUqz5voo"}}' http://127.0.0.1:9998/jsonrpc
Response:
{"jsonrpc":"2.0","id":1234567890,"result":{"valid":true}}

Here the security token passed in params was manually changed to a wrong value; the expected result is false.

Curl command:
root@raspberrypi-rdk-mc:~# curl -H "Content-Type: application/json" -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.aHR0cDovL2xvY2FsaG9zdA.aFpBz8A603aUJsQmITpNY64eqCcFZu08Sk0GUqz5voo" -X POST -d '{"jsonrpc": "2.0","id": 1234567890,"method": "SecurityAgent.1.validate","params": {"token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.aHR0cDovL2xvY2FsaG9zdA.aFpBz8A603aUJsQmITpNY64eqCcFZu08Sk0GUqz5voK"}}' http://127.0.0.1:9998/jsonrpc
Response:
{"jsonrpc":"2.0","id":1234567890,"result":{"valid":false}}


setCurrentResolution with Security token.

Curl command:
curl -H "Content-Type: application/json" -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.aHR0cDovL2xvY2FsaG9zdA.aFpBz8A603aUJsQmITpNY64eqCcFZu08Sk0GUqz5voo" -X POST -d '{"jsonrpc": "2.0","id": 42,"method": "org.rdk.DisplaySettings.1.setCurrentResolution","params": {"videoDisplay": "HDMI0","resolution": "1080p","persist": true}}' http://127.0.0.1:9998/jsonrpc
Response:
{"jsonrpc":"2.0","id":42,"result":{"success":true}}

Here the security token in the Authorization header was manually changed to a wrong value; the expected result is "Request needs authorization. Missing or invalid token."

Curl command:

curl -H "Content-Type: application/json" -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.aHR0cDovL2xvY2FsaG9zdA.aFpBz8A603aUJsQmITpNY64eqCcFZu08Sk0GUqz5" -X POST -d '{"jsonrpc": "2.0","id": 42,"method": "org.rdk.DisplaySettings.1.setCurrentResolution","params": {"videoDisplay": "HDMI0","resolution": "1080p","persist": true}}' http://127.0.0.1:9998/jsonrpc

Response:
{"jsonrpc":"2.0","id":42,"error":{"code":-32604,"message":"Request needs authorization. Missing or invalid token."}}
root@raspberrypi-rdk-mc:/usr/bin#
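
What the token used above contains, and why a token with one signature character changed or with the signature cut short cannot pass an HS256 check (the algorithm named in the token's own header). This is an added example, not code from the original page or from Thunder; DEMO_KEY and the function names are assumptions, and the device's signing key is not on the page, so a token is minted here under a constructed key.

```python
import base64
import hashlib
import hmac
import json

# Token printed by WPEFrameworkSecurityUtility on this page.
PAGE_TOKEN = ("eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
              "aHR0cDovL2xvY2FsaG9zdA."
              "aFpBz8A603aUJsQmITpNY64eqCcFZu08Sk0GUqz5voo")
DEMO_KEY = b"constructed-demo-key"  # assumption: not the device's key


def b64url_decode(part):
    # JWT segments drop '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def inspect(token):
    """Decode the three segments without trusting any of them."""
    header, payload, sig = token.split(".")
    return {"header": json.loads(b64url_decode(header)),
            "payload": b64url_decode(payload).decode(),
            "sig_bytes": len(b64url_decode(sig))}


def _mac(head, body, key):
    digest = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return b64url_encode(digest)


def sign(payload, key):
    """Mint an HS256 token shaped like the page's (payload = URL string)."""
    head = b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    body = b64url_encode(payload.encode())
    return f"{head}.{body}.{_mac(head, body, key)}"


def verify(token, key):
    """Recompute the MAC over header.payload; compare in constant time."""
    parts = token.split(".")
    if len(parts) != 3:
        return False  # algorithm is fixed here, never read from the header
    head, body, sig = parts
    return hmac.compare_digest(_mac(head, body, key).encode(), sig.encode())
```

inspect(PAGE_TOKEN) shows that the payload is the plain string http://localhost and the signature is 32 bytes; verify() returns False for a minted token after either of the two alterations tried on this page.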

Check-in list of Security Agent and Thunder Security Integration in RPI

No: 1
Topic: Enable SecurityAgent
Repo: meta-cmf-raspberrypi
Checkin: https://code.rdkcentral.com/r/c/rdk/components/generic/rdk-oe/meta-cmf-raspberrypi/+/78717
Remarks:
PACKAGECONFIG_remove = “controlservice hdmicec remoteactionmapping
–                        securityagent opencdmi datacapture”
+                        opencdmi datacapture”
CL status: Active

No: 2
Topic: ResidentApp changes
Repo: appmanager
Checkin: 68559
Remarks: ResidentApp changes to handle JSON RPC calls to rdkservices using authorization token if the ThunderSecurity RFC is enabled
CL status: Already merged

No: 3
Topic: Enable thunder security
Repo: meta-cmf-raspberrypi
Checkin: https://code.rdkcentral.com/r/c/rdk/components/generic/rdk-oe/meta-cmf-raspberrypi/+/78717
Remarks: DISTRO_FEATURES_remove = ” thunder_security_disable”
CL status: Active

No: 4
Topic: Add ResidentApp url to thunder_acl file
Repo: meta-cmf-video
Checkin: 68002
Remarks: Add apps.rdkcentral.com to /etc/thunder_acl.json
CL status: Already merged