sched/nsh: Remove Hard-coded Default Password #18396
Abhishekmishra2808 wants to merge 4 commits into apache:master from
Conversation
@Abhishekmishra2808 the Documentation and the board should be (each one) separated. Normally we separate the logic implementation from the board support and Documentation.
53b43ad to 0670d28
Thank you @Abhishekmishra2808 :-)
0670d28 to 0214816
Hi @cederom , I used AI tools only to help refine wording and improve clarity in the description, but the implementation, debugging, and testing were done by me.
@acassis I have fixed the changes suggested by you, and CI was failing because password generation was enabled in the defconfig files without setting a password. I have now removed
@Abhishekmishra2808 after the esp32 fix, please update your upstream branch and rebase your branch to it.
cederom
left a comment
Very cool, thank you @Abhishekmishra2808, let's just wait with merge until CI is fixed :-)
@xiaoxiang781216 sources updated could you please take a look? :-)
@Abhishekmishra2808 One question:
@simbit18
CMake:
All 5 builds completed successfully. The mkpasswd host tool compiles and produces the correct 5-field passwd entry format, and empty passwords are correctly rejected at build time.
@Abhishekmishra2808 please update your upstream branch and rebase your branch to upstream
da1f7b4 to d7b5de0
is there something else required from my side to get it merged?
@Abhishekmishra2808 no, it is just a matter of the reviewers checking again and removing the Change Request. @linguini1 and @raiden00pl could you please test on your side too? I tested and it worked fine, and even the generated password is equal to the original if you define it as admin/Administrator, so it is not considered a breaking change, because the original files are compatible. @Abhishekmishra2808 @linguini1 @raiden00pl for the 13.x I think we can change the encryption algo to https://github.com/open-quantum-safe Seems like even our friends are already using it: https://github.com/open-quantum-safe/liboqs
@acassis or @Abhishekmishra2808 could you attach your sim tests to the testing section of this? I unfortunately don't have time to test ATM but the previous testing info seems to have been totally removed.
The ``/etc/passwd`` file is auto-generated at build time when
``CONFIG_BOARD_ETC_ROMFS_PASSWD_ENABLE`` is set. Enable the option and set
credentials via ``make menuconfig``:

* ``CONFIG_BOARD_ETC_ROMFS_PASSWD_ENABLE=y``
* ``CONFIG_BOARD_ETC_ROMFS_PASSWD_USER`` (default: ``admin``)
* ``CONFIG_BOARD_ETC_ROMFS_PASSWD_PASSWORD`` (required, build fails if empty)

  nsh> cat /etc/passwd
  admin:8Tv+Hbmr3pLVb5HHZgd26D:0:0:/
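Review bot: the bullet for ``CONFIG_BOARD_ETC_ROMFS_PASSWD_PASSWORD`` states only "required, build fails if empty", but the build-time validation added in this PR also rejects passwords shorter than 8 characters, and the generated entry is only ever checked when CONFIG_NSH_CONSOLE_LOGIN=y is set as well. Both constraints belong in this section next to the option list; a reader following it as written can build an image whose credentials are never asked for, or hit an unexplained build failure on a 7-character password.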
You need to include:
CONFIG_NSH_CONSOLE_LOGIN=y
otherwise the login will not be required
Addressed this in the latest commit. :-)
@Abhishekmishra2808 I noticed that sim:login is not working. You need to update it to include BOARD_ETC_ROMFS_PASSWD_ENABLE. Also during the build you should detect if CONFIG_BOARD_ETC_ROMFS_PASSWD_PASSWORD == "" and generate a build fault requesting the user to define a password
I found another "error" trying to define the password with:
What I tested and worked:
@Abhishekmishra2808 I suggest you check during the build whether the password is empty "" or shorter than 8 characters, to improve security
3412e4a to 0cccb7e
Hi @Abhishekmishra2808, please rebase first
Add tools/mkpasswd.c, a self-contained C99 host tool that generates a single /etc/passwd entry at build time. The tool is invoked by the board ROMFS build step when CONFIG_BOARD_ETC_ROMFS_PASSWD_ENABLE is set.

The TEA encryption algorithm and custom base64 encoding match the runtime implementations in:

  libs/libc/misc/lib_tea_encrypt.c
  apps/fsutils/passwd/passwd_encrypt.c

so passwords generated at build time are directly usable by the NuttX login subsystem without any runtime re-hashing. The plaintext password is never stored in the firmware image.

Changes:
- tools/mkpasswd.c: new C host tool (pure C99, no external dependencies)
- tools/Makefile.host: add mkpasswd build rule
- tools/.gitignore: exclude compiled mkpasswd binary
- .gitignore: exclude etctmp/ (generated at build time, not to be committed)

Signed-off-by: Abhishek Mishra <mishra.abhishek2808@gmail.com>
…ation

Fixes apache#16822

Introduce CONFIG_BOARD_ETC_ROMFS_PASSWD_ENABLE (and companion options BOARD_ETC_ROMFS_PASSWD_USER/PASSWORD/UID/GID/HOME) in boards/Kconfig to control build-time /etc/passwd generation. Placing the option under boards/ reflects that this is board-level functionality, not scheduler functionality.

When BOARD_ETC_ROMFS_PASSWD_ENABLE=y the ROMFS build step calls tools/mkpasswd to hash the configured plaintext password with TEA and write the result into etctmp/<mountpoint>/passwd before genromfs packs it into the ROMFS image. The build fails if the password is left empty, preventing firmware from shipping without credentials (CWE-798).

Changes:
- boards/Kconfig: new CONFIG_BOARD_ETC_ROMFS_PASSWD_ENABLE option and companion BOARD_ETC_ROMFS_PASSWD_{USER,PASSWORD,UID,GID,HOME} options; depends on ETC_ROMFS
- boards/Board.mk: invoke tools/mkpasswd under BOARD_ETC_ROMFS_PASSWD_ENABLE
- cmake/nuttx_add_romfs.cmake: same guard for CMake builds
- boards/sim/sim/sim/src/{Makefile,CMakeLists.txt,etc/passwd}: remove static passwd file; let the build step generate it instead
- boards/risc-v/esp32c3-legacy/.../Make.defs,etc/passwd: same cleanup

Signed-off-by: Abhishek Mishra <mishra.abhishek2808@gmail.com>
Add a central reference section in Documentation/components/tools/index.rst that describes the build-time /etc/passwd generation mechanism:
- why it is needed (avoids hard-coded default password, CWE-798)
- how it works: tools/mkpasswd hashes the plaintext password with TEA, identical to the runtime algorithm in lib_tea_encrypt.c; the plaintext is never stored in firmware
- the Kconfig options to enable and configure it (CONFIG_BOARD_ETC_ROMFS_PASSWD_ENABLE and companion options)
- the /etc/passwd file format
- step-by-step verification instructions

Update board-level documentation to reference the central section instead of duplicating the explanation, and update all CONFIG_ names to the new BOARD_ETC_ROMFS_PASSWD_* naming:
- Documentation/platforms/sim/sim/boards/sim/index.rst
- Documentation/platforms/renesas/rx65n/boards/rx65n-grrose/index.rst
- Documentation/platforms/risc-v/esp32c3-legacy/boards/esp32c3-legacy-devkit/ROMFS.txt

Signed-off-by: Abhishek Mishra <mishra.abhishek2808@gmail.com>
Enable build-time /etc/passwd generation in sim:login by setting
BOARD_ETC_ROMFS_PASSWD_* defaults in the login defconfig.

Add password validation for build-time generation:
- reject empty and quoted-empty passwords
- enforce minimum length of 8 characters
- preserve special characters when invoking tools/mkpasswd

Apply the same minimum-length validation in the CMake ROMFS path
and in tools/mkpasswd argument validation.

Update Kconfig and documentation to describe the required login
setting and password constraints.

Signed-off-by: Abhishek Mishra <mishra.abhishek2808@gmail.com>
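The validation described in the commit messages above, written out as an added example; this is not the PR's own Makefile, CMake or mkpasswd code. It is a POSIX shell pre-build check that applies the same rules to the raw value of CONFIG_BOARD_ETC_ROMFS_PASSWD_PASSWORD as it appears in a .config line (reject empty and quoted-empty values, require at least 8 characters, keep special characters intact), and a second check that scans a saved defconfig for the plaintext password and the CONFIG_FSUTILS_PASSWD_KEY1-4 values, which is the "make savedefconfig" leak raised in the review discussion. The function names validate_passwd and defconfig_leaks and the sample defconfig are this example's own constructions.

```shell
#!/bin/sh
# Added example, not NuttX project code. Reproduces the build-time password
# rules from the PR and adds a defconfig scan for values that must not be
# committed. CONFIG_ option names are the PR's; function names are ours.

# validate_passwd VALUE
# VALUE is the right-hand side of a CONFIG_BOARD_ETC_ROMFS_PASSWD_PASSWORD=
# line, possibly wrapped in the double quotes Kconfig puts around strings.
# Returns 0 when the password is usable, 1 otherwise.
validate_passwd() {
  pw=$1
  # Strip one pair of surrounding double quotes so that "" counts as empty
  # and "abc" is measured as 3 characters, not 5.
  case $pw in
    \"*\") pw=${pw#\"}; pw=${pw%\"} ;;
  esac
  if [ -z "$pw" ]; then
    echo "error: CONFIG_BOARD_ETC_ROMFS_PASSWD_PASSWORD is empty" >&2
    return 1
  fi
  # ${#pw} is the character count; $pw is always quoted, so characters such
  # as & or $ survive intact instead of being interpreted by the shell.
  if [ "${#pw}" -lt 8 ]; then
    echo "error: password must be at least 8 characters (got ${#pw})" >&2
    return 1
  fi
  return 0
}

# defconfig_leaks FILE
# Returns 0 when FILE carries the plaintext password or the TEA key options,
# i.e. when committing it would leak credentials; returns 1 when it is clean.
defconfig_leaks() {
  grep -Eq '^CONFIG_(BOARD_ETC_ROMFS_PASSWD_PASSWORD|FSUTILS_PASSWD_KEY[1-4])=' "$1"
}

# demo: run both checks against constructed inputs.
demo() {
  tmp=$(mktemp) || return 1
  # Constructed defconfig fragment standing in for a board's saved defconfig.
  printf '%s\n' \
    'CONFIG_BOARD_ETC_ROMFS_PASSWD_ENABLE=y' \
    'CONFIG_BOARD_ETC_ROMFS_PASSWD_USER="admin"' \
    'CONFIG_BOARD_ETC_ROMFS_PASSWD_PASSWORD="Tr0ub4dor&3"' > "$tmp"

  for candidate in '""' '"short7"' '"Tr0ub4dor&3"'; do
    if validate_passwd "$candidate"; then
      echo "accepted: $candidate"
    else
      echo "rejected: $candidate"
    fi
  done

  if defconfig_leaks "$tmp"; then
    echo "refuse to commit $tmp: it carries a password or key material"
  fi
  rm -f "$tmp"
}
```

Run with `sh -c '. ./check_passwd.sh; demo'` (or call `validate_passwd` from a Makefile rule) to see the quoted-empty and 7-character values rejected, the 11-character value accepted, and the constructed defconfig flagged because it still contains the plaintext password line.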
0cccb7e to 9bc112a
hey @simbit18,
  #define DEFAULT_KEY1 0x12345678u
  #define DEFAULT_KEY2 0x9abcdef0u
  #define DEFAULT_KEY3 0x12345678u
  #define DEFAULT_KEY4 0x9abcdef0u
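Review bot: these four DEFAULT_KEY* constants compile the TEA key into the host tool, so an entry produced by mkpasswd only verifies at runtime when the firmware was built with the matching CONFIG_FSUTILS_PASSWD_KEY1-4 defaults; a board that configures its own keys gets an /etc/passwd that can never authenticate, and nothing in the tool reports the mismatch. Take the key from the configured CONFIG_FSUTILS_PASSWD_KEY1-4 values (handed over by the ROMFS build step) instead of these defaults, and emit a build warning when the configuration still carries the well-known default values.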
@Abhishekmishra2808 please use the CONFIG_FSUTILS_PASSWD_KEY1-4 instead.
Also warn the user if these default values are used, so they need to change them.
Also we need to avoid "make savedefconfig" saving these CONFIG_FSUTILS_PASSWD_KEYx, otherwise users can leak their password without being aware of it.
@raiden00pl @simbit18 @xiaoxiang781216 what do you think?
Summary
This PR introduces build-time generation of the /etc/passwd file for the ROMFS image when authentication is enabled. Instead of relying on a static etc/passwd file embedded in the source tree, the passwd entry is now generated during the build using the configuration values:

- CONFIG_ETC_ROMFS_PASSWD_USER
- CONFIG_ETC_ROMFS_PASSWD_PASSWORD
- CONFIG_ETC_ROMFS_PASSWD_UID
- CONFIG_ETC_ROMFS_PASSWD_GID
- CONFIG_ETC_ROMFS_PASSWD_HOME

The generated passwd entry is written into the ROMFS staging directory and included in the firmware image.
Behavior
Authentication disabled
Authentication enabled
/etc/passwd automatically.
Password missing
When CONFIG_ETC_ROMFS_GENPASSWD=y but the password is empty, the build fails with an explicit error. This ensures that credentials are always explicitly configured when authentication is enabled and prevents firmware images from being built with empty passwords.
Security Improvement
Previously
/etc/passwd could be included as a static file in the ROMFS source tree. With this change, the credentials are generated at build time and must be explicitly configured, avoiding implicit or default credentials in firmware images.
Testing
Generated passwd entry
Plaintext password check
Build failure when password is empty