From 04b8d5c3341f4391ab6c5634d0402f565d792105 Mon Sep 17 00:00:00 2001 From: Umberto Baldi Date: Fri, 4 Mar 2022 17:59:18 +0100 Subject: [PATCH 01/20] add flags to allow the override of the keys used to sign and encrypt a binary for the boards that support the secure boot --- cli/arguments/arguments.go | 12 ++ cli/compile/compile.go | 19 ++- commands/compile/compile.go | 49 ++++++- rpc/cc/arduino/cli/commands/v1/compile.pb.go | 135 +++++++++++------- rpc/cc/arduino/cli/commands/v1/compile.proto | 7 + test/test_compile_part_4.py | 104 ++++++++++++++ .../boards.local.txt | 7 + .../platform.local.txt | 12 ++ 8 files changed, 292 insertions(+), 53 deletions(-) create mode 100644 test/testdata/platform_with_secure_boot/boards.local.txt create mode 100644 test/testdata/platform_with_secure_boot/platform.local.txt diff --git a/cli/arguments/arguments.go b/cli/arguments/arguments.go index 92a057986d2..cb165809e58 100644 --- a/cli/arguments/arguments.go +++ b/cli/arguments/arguments.go @@ -37,3 +37,15 @@ func CheckFlagsConflicts(command *cobra.Command, flagNames ...string) { feedback.Errorf(tr("Can't use %s flags at the same time.", "--"+strings.Join(flagNames, " "+tr("and")+" --"))) os.Exit(errorcodes.ErrBadArgument) } + +// CheckFlagsMandatory is a helper function useful to report errors when at least one flag is not used in a group of "required" flags +func CheckFlagsMandatory(command *cobra.Command, flagNames ...string) { + for _, flagName := range flagNames { + if command.Flag(flagName).Changed { + continue + } else { + feedback.Errorf(tr("Please use also %s flag when using %s flags at the same time.", "--"+flagName, "--"+strings.Join(flagNames, " "+tr("and")+" --"))) + os.Exit(errorcodes.ErrBadArgument) + } + } +} diff --git a/cli/compile/compile.go b/cli/compile/compile.go index db7025326ae..496a9b7cb52 100644 --- a/cli/compile/compile.go +++ b/cli/compile/compile.go 
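Review bot: In `CheckFlagsMandatory`, `Changed` is true even when a flag is given an empty value (for example from an unset shell variable), so `--encrypt-key-name ""` satisfies this check. The guard this patch adds to `Compile` in commands/compile/compile.go requires all three values to be non-empty, so in that case the override is skipped without an error and the build would fall back to whatever keys the platform defines. Testing the value as well closes the gap: `if f := command.Flag(flagName); f == nil || !f.Changed || f.Value.String() == "" {` followed by the existing error and exit. That form also avoids a nil dereference when a flag name is misspelled and removes the `continue`/`else` pair.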
@@ -53,6 +53,9 @@ var (
 buildCachePath string // Builds of 'core.a' are saved into this path to be cached and reused.
 buildPath string // Path where to save compiled files.
 buildProperties []string // List of custom build properties separated by commas. Or can be used multiple times for multiple properties.
+ keysDir string // The path of the dir where to search for the custom keys to sign and encrypt a binary. Used only by the platforms that supports it
+ signKeyName string // The name of the custom signing key to use to sign a binary during the compile process. Used only by the platforms that supports it
+ encryptKeyName string // The name of the custom encryption key to use to encrypt a binary during the compile process. Used only by the platforms that supports it
 warnings string // Used to tell gcc which warning level to use.
 verbose bool // Turns on verbose mode.
 quiet bool // Suppresses almost every output.
@@ -84,7 +87,8 @@ func NewCommand() *cobra.Command { " " + os.Args[0] + " compile -b arduino:avr:uno /home/user/Arduino/MySketch\n" + " " + os.Args[0] + ` compile -b arduino:avr:uno --build-property "build.extra_flags=\"-DMY_DEFINE=\"hello world\"\"" /home/user/Arduino/MySketch` + "\n" + " " + os.Args[0] + ` compile -b arduino:avr:uno --build-property "build.extra_flags=-DPIN=2 \"-DMY_DEFINE=\"hello world\"\"" /home/user/Arduino/MySketch` + "\n" + - " " + os.Args[0] + ` compile -b arduino:avr:uno --build-property build.extra_flags=-DPIN=2 --build-property "compiler.cpp.extra_flags=\"-DSSID=\"hello world\"\"" /home/user/Arduino/MySketch` + "\n", + " " + os.Args[0] + ` compile -b arduino:avr:uno --build-property build.extra_flags=-DPIN=2 --build-property "compiler.cpp.extra_flags=\"-DSSID=\"hello world\"\"" /home/user/Arduino/MySketch` + "\n" + + " " + os.Args[0] + ` compile -b arduino:mbed_portenta:envie_m7:security=sien --keys-input-dir /home/user/Arduino/keys --sign-key-name ecsdsa-p256-signing-key.pem --encrypt-key-name ecsdsa-p256-encrypt-key.pem /home/user/Arduino/MySketch` + "\n", Args: cobra.MaximumNArgs(1), Run: runCompileCommand, } 
@@ -100,6 +104,12 @@ func NewCommand() *cobra.Command { tr("List of custom build properties separated by commas. Or can be used multiple times for multiple properties.")) compileCommand.Flags().StringArrayVar(&buildProperties, "build-property", []string{}, tr("Override a build property with a custom value. Can be used multiple times for multiple properties.")) + compileCommand.Flags().StringVar(&keysDir, "keys-input-dir", "", + tr("The path of the dir where to search for the custom keys to sign and encrypt a binary. Used only by the platforms that supports it")) + compileCommand.Flags().StringVar(&signKeyName, "sign-key-name", "", + tr("The name of the custom signing key to use to sign a binary during the compile process. Used only by the platforms that supports it")) + compileCommand.Flags().StringVar(&encryptKeyName, "encrypt-key-name", "", + tr("The name of the custom encryption key to use to encrypt a binary during the compile process. Used only by the platforms that supports it")) compileCommand.Flags().StringVar(&warnings, "warnings", "none", tr(`Optional, can be: %s. Used to tell gcc which warning level to use (-W flag).`, "none, default, more, all")) compileCommand.Flags().BoolVarP(&verbose, "verbose", "v", false, tr("Optional, turns on verbose mode.")) @@ -142,6 +152,10 @@ func runCompileCommand(cmd *cobra.Command, args []string) { sketchPath := arguments.InitSketchPath(path) + if keysDir != "" || signKeyName != "" || encryptKeyName != "" { + arguments.CheckFlagsMandatory(cmd, "keys-input-dir", "sign-key-name", "encrypt-key-name") + } + var overrides map[string]string if sourceOverrides != "" { data, err := paths.New(sourceOverrides).ReadFile() 
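Review bot: The help strings for `--keys-input-dir`, `--sign-key-name` and `--encrypt-key-name` do not say that the three flags are only accepted together, which the check added to `runCompileCommand` in the next hunk enforces. A user learns this only from the error, so I would append a sentence such as `Must be used together with --sign-key-name and --encrypt-key-name.` to each description (naming the other two flags in each case). The phrase "platforms that supports it" should read "platforms that support it" in all three.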
@@ -198,6 +212,9 @@ func runCompileCommand(cmd *cobra.Command, args []string) {
 CreateCompilationDatabaseOnly: compilationDatabaseOnly,
 SourceOverride: overrides,
 Library: library,
+ Keysdir: keysDir,
+ Signkeyname: signKeyName,
+ Encryptkeyname: encryptKeyName,
 }
 compileStdOut := new(bytes.Buffer)
 compileStdErr := new(bytes.Buffer)
diff --git a/commands/compile/compile.go b/commands/compile/compile.go
index 0e99add55bc..79f8878bec5 100644
--- a/commands/compile/compile.go
+++ b/commands/compile/compile.go
@@ -118,13 +118,34 @@ func Compile(ctx context.Context, req *rpc.CompileRequest, outStream, errStream Package: fqbn.Package, PlatformArchitecture: fqbn.PlatformArch, }) - if targetPlatform == nil || pm.GetInstalledPlatformRelease(targetPlatform) == nil { + InstalledPlatformRelease := pm.GetInstalledPlatformRelease(targetPlatform) + if targetPlatform == nil || InstalledPlatformRelease == nil { return nil, &arduino.PlatformNotFoundError{ Platform: fmt.Sprintf("%s:%s", fqbn.Package, fqbn.PlatformArch), Cause: fmt.Errorf(tr("platform not installed")), } } + // At the current time we do not have a way of knowing if a board supports the secure boot or not, + // so, if the flags to override the default keys are used, we try override the corresponding property in the properties.txt nonetheless. + // It's not possible to use the default name for the keys since there could be more tools to sign and encrypt. + // So it's mandatory to use all the tree flags to sign and encrypt the binary + if req.Keysdir != "" && req.Signkeyname != "" && req.Encryptkeyname != "" { + keysDirPath := paths.New(req.Keysdir) + if !keysDirPath.IsDir() { + return nil, &arduino.NotFoundError{Message: tr("The path specified is not a directory: %s", keysDirPath), Cause: err} + } + signKeyPath := keysDirPath.Join(req.GetSignkeyname()) + if !signKeyPath.Exist() { + return nil, &arduino.NotFoundError{Message: tr("The path of the specified signing key do not exist: %s", signKeyPath), Cause: err} + } + encryptKeyPath := keysDirPath.Join(req.GetEncryptkeyname()) + if !encryptKeyPath.Exist() { + return nil, &arduino.NotFoundError{Message: tr("The path of the specified encription key do not exist: %s", encryptKeyPath), Cause: err} + } + ReplaceSecurityKeys(InstalledPlatformRelease.Properties, req.Keysdir, req.Signkeyname, req.Encryptkeyname) + } + builderCtx := &types.Context{} builderCtx.PackageManager = pm builderCtx.FQBN = fqbn 
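Review bot: The key names from the request are joined onto `keysDirPath` and later written into the tool properties without being checked, so a `Signkeyname` or `Encryptkeyname` containing a path separator or `..` resolves to a file outside the keys directory and still passes `Exist()`. The block is also skipped without an error when only one or two of the three fields are set, which a gRPC client can do because the all-or-nothing check lives only in the CLI; the build would then proceed with the platform's own key properties. I would reject a partial set and any key name that is not a plain file name, as sketched below (it needs `path/filepath`), and check for a regular file rather than bare existence. The `Cause: err` in the three returns reuses an `err` assigned earlier in `Compile`, outside this hunk, so it is probably nil or unrelated and could be dropped.

```go
// … unchanged: targetPlatform lookup and PlatformNotFoundError return …
if req.GetKeysdir() != "" || req.GetSignkeyname() != "" || req.GetEncryptkeyname() != "" {
	if req.GetKeysdir() == "" || req.GetSignkeyname() == "" || req.GetEncryptkeyname() == "" {
		return nil, &arduino.NotFoundError{Message: tr("The keys directory, the signing key name and the encryption key name must be set together")}
	}
	for _, name := range []string{req.GetSignkeyname(), req.GetEncryptkeyname()} {
		// A key name must stay inside the keys directory.
		if name != filepath.Base(name) || name == "." || name == ".." {
			return nil, &arduino.NotFoundError{Message: tr("The key name must be a file name without a path: %s", name)}
		}
	}
	// … unchanged: IsDir and Exist checks, ReplaceSecurityKeys call …
}
```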
@@ -296,3 +317,29 @@ func Compile(ctx context.Context, req *rpc.CompileRequest, outStream, errStream return r, nil } + +// ReplaceSecurityKeys function will override the properties representing the security keys specified in the platform.txt file of a platform with the ones provided by the user. +// The keys are stored in the keyDir +// signKeyName is the key used to sign a binary +// encryptKeyName is the key used to encrypt it +func ReplaceSecurityKeys(properties *properties.Map, keysDir, signKeyName, encryptKeyName string) { + toolsProps := properties.SubTree("tools").FirstLevelOf() + for toolName, toolProps := range toolsProps { + // switch o else o select + if toolProps.ContainsKey("keys.path") { + key := "tools." + toolName + ".keys.path" + properties.Set(key, keysDir) + logrus.Tracef("Overriding Property: %s: %s", key, keysDir) + } + if toolProps.ContainsKey("sign.name") { + key := "tools." + toolName + ".sign.name" + properties.Set(key, signKeyName) + logrus.Tracef("Overriding Property: %s: %s", key, signKeyName) + } + if toolProps.ContainsKey("encrypt.name") { + key := "tools." + toolName + ".encrypt.name" + properties.Set(key, encryptKeyName) + logrus.Tracef("Overriding Property: %s: %s", key, encryptKeyName) + } + } +} diff --git a/rpc/cc/arduino/cli/commands/v1/compile.pb.go b/rpc/cc/arduino/cli/commands/v1/compile.pb.go index e283180547a..a785f392474 100644 --- a/rpc/cc/arduino/cli/commands/v1/compile.pb.go +++ b/rpc/cc/arduino/cli/commands/v1/compile.pb.go 
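Review bot: `ReplaceSecurityKeys` writes the overrides straight into the map it is given, and the caller in `Compile` passes `InstalledPlatformRelease.Properties`, so the platform's loaded properties are changed rather than a per-build copy. If that object is shared between requests (for example in a long-running daemon, which this diff does not show), a later compile without key flags would still sign and encrypt with the previous request's keys. Applying the override to a clone, or to the build properties of this compile only, would avoid that. On style, the parameter `properties` shadows the imported `properties` package, the doc comment says `keyDir` where the parameter is `keysDir`, and `// switch o else o select` looks like a leftover note that should be removed.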
@@ -97,6 +97,12 @@ type CompileRequest struct { ExportBinaries *wrapperspb.BoolValue `protobuf:"bytes,23,opt,name=export_binaries,json=exportBinaries,proto3" json:"export_binaries,omitempty"` // List of paths to library root folders Library []string `protobuf:"bytes,24,rep,name=library,proto3" json:"library,omitempty"` + // The dir where to search for the custom signing key name and the encrypt key name + Keysdir string `protobuf:"bytes,25,opt,name=keysdir,proto3" json:"keysdir,omitempty"` + // The name of the custom key to use for signing during the compile process + Signkeyname string `protobuf:"bytes,26,opt,name=signkeyname,proto3" json:"signkeyname,omitempty"` + // The name of the custom key to use for encrypting during the compile process + Encryptkeyname string `protobuf:"bytes,27,opt,name=encryptkeyname,proto3" json:"encryptkeyname,omitempty"` } func (x *CompileRequest) Reset() { @@ -278,6 +284,27 @@ func (x *CompileRequest) GetLibrary() []string { return nil } +func (x *CompileRequest) GetKeysdir() string { + if x != nil { + return x.Keysdir + } + return "" +} + +func (x *CompileRequest) GetSignkeyname() string { + if x != nil { + return x.Signkeyname + } + return "" +} + +func (x *CompileRequest) GetEncryptkeyname() string { + if x != nil { + return x.Encryptkeyname + } + return "" +} + type CompileResponse struct { state protoimpl.MessageState sizeCache protoimpl.SizeCache 
@@ -466,7 +493,7 @@ var file_cc_arduino_cli_commands_v1_compile_proto_rawDesc = []byte{ 0x76, 0x31, 0x2f, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x1a, 0x24, 0x63, 0x63, 0x2f, 0x61, 0x72, 0x64, 0x75, 0x69, 0x6e, 0x6f, 0x2f, 0x63, 0x6c, 0x69, 0x2f, 0x63, 0x6f, 0x6d, 0x6d, 0x61, 0x6e, 0x64, 0x73, 0x2f, 0x76, 0x31, 0x2f, 0x6c, 0x69, 0x62, 0x2e, - 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0x92, 0x07, 0x0a, 0x0e, 0x43, 0x6f, 0x6d, 0x70, 0x69, 0x6c, + 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0xf6, 0x07, 0x0a, 0x0e, 0x43, 0x6f, 0x6d, 0x70, 0x69, 0x6c, 0x65, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x40, 0x0a, 0x08, 0x69, 0x6e, 0x73, 0x74, 0x61, 0x6e, 0x63, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x24, 0x2e, 0x63, 0x63, 0x2e, 0x61, 0x72, 0x64, 0x75, 0x69, 0x6e, 0x6f, 0x2e, 0x63, 0x6c, 0x69, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 
@@ -519,56 +546,62 @@ var file_cc_arduino_cli_commands_v1_compile_proto_rawDesc = []byte{ 0x62, 0x75, 0x66, 0x2e, 0x42, 0x6f, 0x6f, 0x6c, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x52, 0x0e, 0x65, 0x78, 0x70, 0x6f, 0x72, 0x74, 0x42, 0x69, 0x6e, 0x61, 0x72, 0x69, 0x65, 0x73, 0x12, 0x18, 0x0a, 0x07, 0x6c, 0x69, 0x62, 0x72, 0x61, 0x72, 0x79, 0x18, 0x18, 0x20, 0x03, 0x28, 0x09, 0x52, 0x07, - 0x6c, 0x69, 0x62, 0x72, 0x61, 0x72, 0x79, 0x1a, 0x41, 0x0a, 0x13, 0x53, 0x6f, 0x75, 0x72, 0x63, - 0x65, 0x4f, 0x76, 0x65, 0x72, 0x72, 0x69, 0x64, 0x65, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x10, - 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79, - 0x12, 0x14, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, - 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x3a, 0x02, 0x38, 0x01, 0x22, 0x99, 0x04, 0x0a, 0x0f, 0x43, - 0x6f, 0x6d, 0x70, 0x69, 0x6c, 0x65, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x1d, - 0x0a, 0x0a, 0x6f, 0x75, 0x74, 0x5f, 0x73, 0x74, 0x72, 0x65, 0x61, 0x6d, 0x18, 0x01, 0x20, 0x01, - 0x28, 0x0c, 0x52, 0x09, 0x6f, 0x75, 0x74, 0x53, 0x74, 0x72, 0x65, 0x61, 0x6d, 0x12, 0x1d, 0x0a, - 0x0a, 0x65, 0x72, 0x72, 0x5f, 0x73, 0x74, 0x72, 0x65, 0x61, 0x6d, 0x18, 0x02, 0x20, 0x01, 0x28, - 0x0c, 0x52, 0x09, 0x65, 0x72, 0x72, 0x53, 0x74, 0x72, 0x65, 0x61, 0x6d, 0x12, 0x1d, 0x0a, 0x0a, - 0x62, 0x75, 0x69, 0x6c, 0x64, 0x5f, 0x70, 0x61, 0x74, 0x68, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, - 0x52, 0x09, 0x62, 0x75, 0x69, 0x6c, 0x64, 0x50, 0x61, 0x74, 0x68, 0x12, 0x4a, 0x0a, 0x0e, 0x75, - 0x73, 0x65, 0x64, 0x5f, 0x6c, 0x69, 0x62, 0x72, 0x61, 0x72, 0x69, 0x65, 0x73, 0x18, 0x04, 0x20, - 0x03, 0x28, 0x0b, 0x32, 0x23, 0x2e, 0x63, 0x63, 0x2e, 0x61, 0x72, 0x64, 0x75, 0x69, 0x6e, 0x6f, - 0x2e, 0x63, 0x6c, 0x69, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x61, 0x6e, 0x64, 0x73, 0x2e, 0x76, 0x31, - 0x2e, 0x4c, 0x69, 0x62, 0x72, 0x61, 0x72, 0x79, 0x52, 0x0d, 0x75, 0x73, 0x65, 0x64, 0x4c, 0x69, - 0x62, 0x72, 0x61, 0x72, 0x69, 0x65, 0x73, 0x12, 
0x6b, 0x0a, 0x18, 0x65, 0x78, 0x65, 0x63, 0x75, - 0x74, 0x61, 0x62, 0x6c, 0x65, 0x5f, 0x73, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x5f, 0x73, - 0x69, 0x7a, 0x65, 0x18, 0x05, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x31, 0x2e, 0x63, 0x63, 0x2e, 0x61, - 0x72, 0x64, 0x75, 0x69, 0x6e, 0x6f, 0x2e, 0x63, 0x6c, 0x69, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x61, - 0x6e, 0x64, 0x73, 0x2e, 0x76, 0x31, 0x2e, 0x45, 0x78, 0x65, 0x63, 0x75, 0x74, 0x61, 0x62, 0x6c, - 0x65, 0x53, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x53, 0x69, 0x7a, 0x65, 0x52, 0x16, 0x65, 0x78, - 0x65, 0x63, 0x75, 0x74, 0x61, 0x62, 0x6c, 0x65, 0x53, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x73, - 0x53, 0x69, 0x7a, 0x65, 0x12, 0x54, 0x0a, 0x0e, 0x62, 0x6f, 0x61, 0x72, 0x64, 0x5f, 0x70, 0x6c, - 0x61, 0x74, 0x66, 0x6f, 0x72, 0x6d, 0x18, 0x06, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x2d, 0x2e, 0x63, - 0x63, 0x2e, 0x61, 0x72, 0x64, 0x75, 0x69, 0x6e, 0x6f, 0x2e, 0x63, 0x6c, 0x69, 0x2e, 0x63, 0x6f, - 0x6d, 0x6d, 0x61, 0x6e, 0x64, 0x73, 0x2e, 0x76, 0x31, 0x2e, 0x50, 0x6c, 0x61, 0x74, 0x66, 0x6f, - 0x72, 0x6d, 0x52, 0x65, 0x66, 0x65, 0x72, 0x65, 0x6e, 0x63, 0x65, 0x52, 0x0d, 0x62, 0x6f, 0x61, - 0x72, 0x64, 0x50, 0x6c, 0x61, 0x74, 0x66, 0x6f, 0x72, 0x6d, 0x12, 0x54, 0x0a, 0x0e, 0x62, 0x75, - 0x69, 0x6c, 0x64, 0x5f, 0x70, 0x6c, 0x61, 0x74, 0x66, 0x6f, 0x72, 0x6d, 0x18, 0x07, 0x20, 0x01, - 0x28, 0x0b, 0x32, 0x2d, 0x2e, 0x63, 0x63, 0x2e, 0x61, 0x72, 0x64, 0x75, 0x69, 0x6e, 0x6f, 0x2e, - 0x63, 0x6c, 0x69, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x61, 0x6e, 0x64, 0x73, 0x2e, 0x76, 0x31, 0x2e, - 0x50, 0x6c, 0x61, 0x74, 0x66, 0x6f, 0x72, 0x6d, 0x52, 0x65, 0x66, 0x65, 0x72, 0x65, 0x6e, 0x63, - 0x65, 0x52, 0x0d, 0x62, 0x75, 0x69, 0x6c, 0x64, 0x50, 0x6c, 0x61, 0x74, 0x66, 0x6f, 0x72, 0x6d, - 0x12, 0x44, 0x0a, 0x08, 0x70, 0x72, 0x6f, 0x67, 0x72, 0x65, 0x73, 0x73, 0x18, 0x08, 0x20, 0x01, - 0x28, 0x0b, 0x32, 0x28, 0x2e, 0x63, 0x63, 0x2e, 0x61, 0x72, 0x64, 0x75, 0x69, 0x6e, 0x6f, 0x2e, - 0x63, 0x6c, 0x69, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x61, 0x6e, 0x64, 0x73, 0x2e, 0x76, 
0x31, 0x2e, - 0x54, 0x61, 0x73, 0x6b, 0x50, 0x72, 0x6f, 0x67, 0x72, 0x65, 0x73, 0x73, 0x52, 0x08, 0x70, 0x72, - 0x6f, 0x67, 0x72, 0x65, 0x73, 0x73, 0x22, 0x5a, 0x0a, 0x15, 0x45, 0x78, 0x65, 0x63, 0x75, 0x74, - 0x61, 0x62, 0x6c, 0x65, 0x53, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x53, 0x69, 0x7a, 0x65, 0x12, - 0x12, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x6e, - 0x61, 0x6d, 0x65, 0x12, 0x12, 0x0a, 0x04, 0x73, 0x69, 0x7a, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, - 0x03, 0x52, 0x04, 0x73, 0x69, 0x7a, 0x65, 0x12, 0x19, 0x0a, 0x08, 0x6d, 0x61, 0x78, 0x5f, 0x73, - 0x69, 0x7a, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x03, 0x52, 0x07, 0x6d, 0x61, 0x78, 0x53, 0x69, - 0x7a, 0x65, 0x42, 0x48, 0x5a, 0x46, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, - 0x2f, 0x61, 0x72, 0x64, 0x75, 0x69, 0x6e, 0x6f, 0x2f, 0x61, 0x72, 0x64, 0x75, 0x69, 0x6e, 0x6f, - 0x2d, 0x63, 0x6c, 0x69, 0x2f, 0x72, 0x70, 0x63, 0x2f, 0x63, 0x63, 0x2f, 0x61, 0x72, 0x64, 0x75, - 0x69, 0x6e, 0x6f, 0x2f, 0x63, 0x6c, 0x69, 0x2f, 0x63, 0x6f, 0x6d, 0x6d, 0x61, 0x6e, 0x64, 0x73, - 0x2f, 0x76, 0x31, 0x3b, 0x63, 0x6f, 0x6d, 0x6d, 0x61, 0x6e, 0x64, 0x73, 0x62, 0x06, 0x70, 0x72, - 0x6f, 0x74, 0x6f, 0x33, + 0x6c, 0x69, 0x62, 0x72, 0x61, 0x72, 0x79, 0x12, 0x18, 0x0a, 0x07, 0x6b, 0x65, 0x79, 0x73, 0x64, + 0x69, 0x72, 0x18, 0x19, 0x20, 0x01, 0x28, 0x09, 0x52, 0x07, 0x6b, 0x65, 0x79, 0x73, 0x64, 0x69, + 0x72, 0x12, 0x20, 0x0a, 0x0b, 0x73, 0x69, 0x67, 0x6e, 0x6b, 0x65, 0x79, 0x6e, 0x61, 0x6d, 0x65, + 0x18, 0x1a, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0b, 0x73, 0x69, 0x67, 0x6e, 0x6b, 0x65, 0x79, 0x6e, + 0x61, 0x6d, 0x65, 0x12, 0x26, 0x0a, 0x0e, 0x65, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x6b, 0x65, + 0x79, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x1b, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0e, 0x65, 0x6e, 0x63, + 0x72, 0x79, 0x70, 0x74, 0x6b, 0x65, 0x79, 0x6e, 0x61, 0x6d, 0x65, 0x1a, 0x41, 0x0a, 0x13, 0x53, + 0x6f, 0x75, 0x72, 0x63, 0x65, 0x4f, 0x76, 0x65, 0x72, 0x72, 0x69, 0x64, 0x65, 0x45, 0x6e, 0x74, + 
0x72, 0x79, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, + 0x03, 0x6b, 0x65, 0x79, 0x12, 0x14, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, + 0x01, 0x28, 0x09, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x3a, 0x02, 0x38, 0x01, 0x22, 0x99, + 0x04, 0x0a, 0x0f, 0x43, 0x6f, 0x6d, 0x70, 0x69, 0x6c, 0x65, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, + 0x73, 0x65, 0x12, 0x1d, 0x0a, 0x0a, 0x6f, 0x75, 0x74, 0x5f, 0x73, 0x74, 0x72, 0x65, 0x61, 0x6d, + 0x18, 0x01, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x09, 0x6f, 0x75, 0x74, 0x53, 0x74, 0x72, 0x65, 0x61, + 0x6d, 0x12, 0x1d, 0x0a, 0x0a, 0x65, 0x72, 0x72, 0x5f, 0x73, 0x74, 0x72, 0x65, 0x61, 0x6d, 0x18, + 0x02, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x09, 0x65, 0x72, 0x72, 0x53, 0x74, 0x72, 0x65, 0x61, 0x6d, + 0x12, 0x1d, 0x0a, 0x0a, 0x62, 0x75, 0x69, 0x6c, 0x64, 0x5f, 0x70, 0x61, 0x74, 0x68, 0x18, 0x03, + 0x20, 0x01, 0x28, 0x09, 0x52, 0x09, 0x62, 0x75, 0x69, 0x6c, 0x64, 0x50, 0x61, 0x74, 0x68, 0x12, + 0x4a, 0x0a, 0x0e, 0x75, 0x73, 0x65, 0x64, 0x5f, 0x6c, 0x69, 0x62, 0x72, 0x61, 0x72, 0x69, 0x65, + 0x73, 0x18, 0x04, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x23, 0x2e, 0x63, 0x63, 0x2e, 0x61, 0x72, 0x64, + 0x75, 0x69, 0x6e, 0x6f, 0x2e, 0x63, 0x6c, 0x69, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x61, 0x6e, 0x64, + 0x73, 0x2e, 0x76, 0x31, 0x2e, 0x4c, 0x69, 0x62, 0x72, 0x61, 0x72, 0x79, 0x52, 0x0d, 0x75, 0x73, + 0x65, 0x64, 0x4c, 0x69, 0x62, 0x72, 0x61, 0x72, 0x69, 0x65, 0x73, 0x12, 0x6b, 0x0a, 0x18, 0x65, + 0x78, 0x65, 0x63, 0x75, 0x74, 0x61, 0x62, 0x6c, 0x65, 0x5f, 0x73, 0x65, 0x63, 0x74, 0x69, 0x6f, + 0x6e, 0x73, 0x5f, 0x73, 0x69, 0x7a, 0x65, 0x18, 0x05, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x31, 0x2e, + 0x63, 0x63, 0x2e, 0x61, 0x72, 0x64, 0x75, 0x69, 0x6e, 0x6f, 0x2e, 0x63, 0x6c, 0x69, 0x2e, 0x63, + 0x6f, 0x6d, 0x6d, 0x61, 0x6e, 0x64, 0x73, 0x2e, 0x76, 0x31, 0x2e, 0x45, 0x78, 0x65, 0x63, 0x75, + 0x74, 0x61, 0x62, 0x6c, 0x65, 0x53, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x53, 0x69, 0x7a, 0x65, + 0x52, 0x16, 0x65, 0x78, 0x65, 0x63, 
0x75, 0x74, 0x61, 0x62, 0x6c, 0x65, 0x53, 0x65, 0x63, 0x74, + 0x69, 0x6f, 0x6e, 0x73, 0x53, 0x69, 0x7a, 0x65, 0x12, 0x54, 0x0a, 0x0e, 0x62, 0x6f, 0x61, 0x72, + 0x64, 0x5f, 0x70, 0x6c, 0x61, 0x74, 0x66, 0x6f, 0x72, 0x6d, 0x18, 0x06, 0x20, 0x01, 0x28, 0x0b, + 0x32, 0x2d, 0x2e, 0x63, 0x63, 0x2e, 0x61, 0x72, 0x64, 0x75, 0x69, 0x6e, 0x6f, 0x2e, 0x63, 0x6c, + 0x69, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x61, 0x6e, 0x64, 0x73, 0x2e, 0x76, 0x31, 0x2e, 0x50, 0x6c, + 0x61, 0x74, 0x66, 0x6f, 0x72, 0x6d, 0x52, 0x65, 0x66, 0x65, 0x72, 0x65, 0x6e, 0x63, 0x65, 0x52, + 0x0d, 0x62, 0x6f, 0x61, 0x72, 0x64, 0x50, 0x6c, 0x61, 0x74, 0x66, 0x6f, 0x72, 0x6d, 0x12, 0x54, + 0x0a, 0x0e, 0x62, 0x75, 0x69, 0x6c, 0x64, 0x5f, 0x70, 0x6c, 0x61, 0x74, 0x66, 0x6f, 0x72, 0x6d, + 0x18, 0x07, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x2d, 0x2e, 0x63, 0x63, 0x2e, 0x61, 0x72, 0x64, 0x75, + 0x69, 0x6e, 0x6f, 0x2e, 0x63, 0x6c, 0x69, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x61, 0x6e, 0x64, 0x73, + 0x2e, 0x76, 0x31, 0x2e, 0x50, 0x6c, 0x61, 0x74, 0x66, 0x6f, 0x72, 0x6d, 0x52, 0x65, 0x66, 0x65, + 0x72, 0x65, 0x6e, 0x63, 0x65, 0x52, 0x0d, 0x62, 0x75, 0x69, 0x6c, 0x64, 0x50, 0x6c, 0x61, 0x74, + 0x66, 0x6f, 0x72, 0x6d, 0x12, 0x44, 0x0a, 0x08, 0x70, 0x72, 0x6f, 0x67, 0x72, 0x65, 0x73, 0x73, + 0x18, 0x08, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x28, 0x2e, 0x63, 0x63, 0x2e, 0x61, 0x72, 0x64, 0x75, + 0x69, 0x6e, 0x6f, 0x2e, 0x63, 0x6c, 0x69, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x61, 0x6e, 0x64, 0x73, + 0x2e, 0x76, 0x31, 0x2e, 0x54, 0x61, 0x73, 0x6b, 0x50, 0x72, 0x6f, 0x67, 0x72, 0x65, 0x73, 0x73, + 0x52, 0x08, 0x70, 0x72, 0x6f, 0x67, 0x72, 0x65, 0x73, 0x73, 0x22, 0x5a, 0x0a, 0x15, 0x45, 0x78, + 0x65, 0x63, 0x75, 0x74, 0x61, 0x62, 0x6c, 0x65, 0x53, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x53, + 0x69, 0x7a, 0x65, 0x12, 0x12, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, + 0x09, 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x12, 0x0a, 0x04, 0x73, 0x69, 0x7a, 0x65, 0x18, + 0x02, 0x20, 0x01, 0x28, 0x03, 0x52, 0x04, 0x73, 0x69, 0x7a, 0x65, 0x12, 
0x19, 0x0a, 0x08, 0x6d, + 0x61, 0x78, 0x5f, 0x73, 0x69, 0x7a, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x03, 0x52, 0x07, 0x6d, + 0x61, 0x78, 0x53, 0x69, 0x7a, 0x65, 0x42, 0x48, 0x5a, 0x46, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, + 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x61, 0x72, 0x64, 0x75, 0x69, 0x6e, 0x6f, 0x2f, 0x61, 0x72, 0x64, + 0x75, 0x69, 0x6e, 0x6f, 0x2d, 0x63, 0x6c, 0x69, 0x2f, 0x72, 0x70, 0x63, 0x2f, 0x63, 0x63, 0x2f, + 0x61, 0x72, 0x64, 0x75, 0x69, 0x6e, 0x6f, 0x2f, 0x63, 0x6c, 0x69, 0x2f, 0x63, 0x6f, 0x6d, 0x6d, + 0x61, 0x6e, 0x64, 0x73, 0x2f, 0x76, 0x31, 0x3b, 0x63, 0x6f, 0x6d, 0x6d, 0x61, 0x6e, 0x64, 0x73, + 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, } var ( diff --git a/rpc/cc/arduino/cli/commands/v1/compile.proto b/rpc/cc/arduino/cli/commands/v1/compile.proto index 2288675cb4e..f51ba3f9d0b 100644 --- a/rpc/cc/arduino/cli/commands/v1/compile.proto +++ b/rpc/cc/arduino/cli/commands/v1/compile.proto @@ -80,6 +80,13 @@ message CompileRequest { google.protobuf.BoolValue export_binaries = 23; // List of paths to library root folders repeated string library = 24; + // The dir where to search for the custom signing key name and the encrypt key + // name + string keysdir = 25; + // The name of the custom key to use for signing during the compile process + string signkeyname = 26; + // The name of the custom key to use for encrypting during the compile process + string encryptkeyname = 27; } message CompileResponse { diff --git a/test/test_compile_part_4.py b/test/test_compile_part_4.py index d2c16a64869..cab03875102 100644 --- a/test/test_compile_part_4.py +++ b/test/test_compile_part_4.py 
@@ -415,3 +415,107 @@ def test_compile_with_known_platform_not_installed(run_command, data_dir): assert "Error during build: Platform 'arduino:avr' not found: platform not installed" in res.stderr # Verifies command to fix error is shown to user assert "Try running `arduino-cli core install arduino:avr`" in res.stderr + + +def test_compile_with_fake_secure_boot_core(run_command, data_dir): + assert run_command(["update"]) + + assert run_command(["core", "install", "arduino:avr@1.8.3"]) + + sketch_name = "SketchSimple" + sketch_path = Path(data_dir, sketch_name) + fqbn = "arduino:avr:uno" + + assert run_command(["sketch", "new", sketch_path]) + + # Verifies compilation works + assert run_command(["compile", "--clean", "-b", fqbn, sketch_path]) + + # Overrides default platform adding secure_boot support using platform.local.txt + avr_platform_path = Path(data_dir, "packages", "arduino", "hardware", "avr", "1.8.3", "platform.local.txt") + test_platform_name = "platform_with_secure_boot" + shutil.copyfile( + Path(__file__).parent / "testdata" / test_platform_name / "platform.local.txt", + avr_platform_path, + ) + + # Overrides default board adding secure boot support using board.local.txt + avr_board_path = Path(data_dir, "packages", "arduino", "hardware", "avr", "1.8.3", "boards.local.txt") + shutil.copyfile( + Path(__file__).parent / "testdata" / test_platform_name / "boards.local.txt", + avr_board_path, + ) + + # Verifies compilation works with secure boot disabled + res = run_command(["compile", "--clean", "-b", fqbn + ":security=none", sketch_path, "-v"]) + assert res.ok + assert "echo exit" in res.stdout + + # Verifies compilation works with secure boot enabled + res = run_command(["compile", "--clean", "-b", fqbn + ":security=sien", sketch_path, "-v"]) + assert res.ok + assert "Default_Keys/default-signing-key.pem" in res.stdout + assert "Default_Keys/default-encrypt-key.pem" in res.stdout + + # Verifies compilation does not work with secure boot enabled and 
using only one flag + res = run_command( + [ + "compile", + "--clean", + "-b", + fqbn + ":security=sien", + sketch_path, + "--keys-input-dir", + data_dir, + "-v", + ] + ) + assert res.failed + assert "Please use also --sign-key-name flag when using --keys-input-dir" in res.stderr + + # Verifies compilation does not work with secure boot enabled and when a key does not exist + res = run_command( + [ + "compile", + "--clean", + "-b", + fqbn + ":security=sien", + sketch_path, + "--keys-input-dir", + data_dir, + "--sign-key-name", + "non_existing_signing_key.pem", + "--encrypt-key-name", + "non_existing_enctyption_key.pem", + "-v", + ] + ) + assert res.failed + assert "Error during build: The path of the specified signing key do not exist:" in res.stderr + + # Verifies compilation works with secure boot enabled and when overriding the sign key and encryption key used + keys_dir = Path(data_dir, "keys_dir") + keys_dir.mkdir() + sign_key_path = Path(keys_dir, "my-sign-key.pem") + sign_key_path.touch() + encrypt_key_path = Path(keys_dir, "my-encrypt-key.pem") + encrypt_key_path.touch() + res = run_command( + [ + "compile", + "--clean", + "-b", + fqbn + ":security=sien", + sketch_path, + "--keys-input-dir", + keys_dir, + "--sign-key-name", + "my-sign-key.pem", + "--encrypt-key-name", + "my-encrypt-key.pem", + "-v", + ] + ) + assert res.ok + assert "my-sign-key.pem" in res.stdout + assert "my-encrypt-key.pem" in res.stdout diff --git a/test/testdata/platform_with_secure_boot/boards.local.txt b/test/testdata/platform_with_secure_boot/boards.local.txt new file mode 100644 index 00000000000..1ceaf17801e --- /dev/null +++ b/test/testdata/platform_with_secure_boot/boards.local.txt @@ -0,0 +1,7 @@ +menu.security=Security setting + +uno.menu.security.none=None +uno.menu.security.sien=Signature + Encryption + +uno.menu.security.sien.build.postbuild.cmd="{tools.imgtool.cmd}" {tools.imgtool.build.pattern} +uno.menu.security.none.build.postbuild.cmd="{tools.imgtool.cmd}" exit 
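Review bot: The missing-key case passes two non-existent names and asserts only the signing-key message, so the encryption-key check in `Compile` is never reached by this test. A case with an existing signing key and a missing encryption key would cover it, asserting `"The path of the specified encription key do not exist:" in res.stderr` (the message text as it currently stands in compile.go). The partial-flag case likewise covers only `--keys-input-dir` on its own; the other single-flag combinations and a key name containing a directory component are untested.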
diff --git a/test/testdata/platform_with_secure_boot/platform.local.txt b/test/testdata/platform_with_secure_boot/platform.local.txt new file mode 100644 index 00000000000..34648422103 --- /dev/null +++ b/test/testdata/platform_with_secure_boot/platform.local.txt @@ -0,0 +1,12 @@ +## Create output secure image (bin file) +recipe.hooks.objcopy.postobjcopy.1.pattern={build.postbuild.cmd} +# +# IMGTOOL +# + +tools.imgtool.cmd=echo +tools.imgtool.keys.path={runtime.hardware.path}/Default_Keys +tools.imgtool.sign.name=default-signing-key.pem +tools.imgtool.encrypt.name=default-encrypt-key.pem + +tools.imgtool.build.pattern=sign --key "{tools.imgtool.keys.path}/{tools.imgtool.sign.name}" --encrypt "{tools.imgtool.keys.path}/{tools.imgtool.encrypt.name}" "{build.path}/{build.project_name}.bin" "{build.path}/{build.project_name}.bin" --align {build.alignment} --max-align {build.alignment} --version {build.version} --header-size {build.header_size} --pad-header --slot-size {build.slot_size} \ No newline at end of file From 3a8972f00a5ee256b1a246f9dbcc28e781ac40ae Mon Sep 17 00:00:00 2001 From: umbynos Date: Mon, 7 Mar 2022 16:09:51 +0100 Subject: [PATCH 02/20] add integration test for ReplaceSecurityKeys() function --- commands/compile/compile_test.go | 70 ++++++++++++++++++++++++++++++++ 1 file changed, 70 insertions(+) create mode 100644 commands/compile/compile_test.go diff --git a/commands/compile/compile_test.go b/commands/compile/compile_test.go new file mode 100644 index 00000000000..c2a9a1a304b --- /dev/null +++ b/commands/compile/compile_test.go 
@@ -0,0 +1,70 @@ +// This file is part of arduino-cli. +// +// Copyright 2020 ARDUINO SA (http://www.arduino.cc/) +// +// This software is released under the GNU General Public License version 3, +// which covers the main part of arduino-cli. +// The terms of this license can be found at: +// https://www.gnu.org/licenses/gpl-3.0.en.html +// +// You can be released from the requirements of the above licenses by purchasing +// a commercial license. Buying such a license is mandatory if you want to +// modify or otherwise use the software for commercial activities involving the +// Arduino software without disclosing the source code of your own applications. +// To purchase a commercial license, send an email to license@arduino.cc. + +package compile + +import ( + "testing" + + properties "github.com/arduino/go-properties-orderedmap" + "github.com/stretchr/testify/require" +) + +func TestReplaceSecurityKeys(t *testing.T) { + propsWithDefaultKeys := properties.NewFromHashmap(map[string]string{ + "tools.toolname.keys.path": "/default-keys-path", + "tools.toolname.sign.name": "default-signing-key.pem", + "tools.toolname.encrypt.name": "default-encrypt-key.pem", + }) + newKeysPath := "/new-keys-path" + newSignKeyName := "new-signing-key.pem" + newEncryptKeyName := "new-encrypt-key.pem" + goldProps := properties.NewFromHashmap(map[string]string{ + "tools.toolname.keys.path": newKeysPath, + "tools.toolname.sign.name": newSignKeyName, + "tools.toolname.encrypt.name": newEncryptKeyName, + }) + + ReplaceSecurityKeys(propsWithDefaultKeys, newKeysPath, newSignKeyName, newEncryptKeyName) + require.True(t, goldProps.Equals(propsWithDefaultKeys)) +} + +func TestReplaceSecurityKeysEmpty(t *testing.T) { + propsWithNoKeys := properties.NewFromHashmap(map[string]string{}) + goldProps := properties.NewFromHashmap(map[string]string{}) + newKeysPath := "/new-keys-path" + newSignKeyName := "new-signing-key.pem" + newEncryptKeyName := "new-encrypt-key.pem" + + // No error should be returned 
since the properties map is empty + ReplaceSecurityKeys(propsWithNoKeys, newKeysPath, newSignKeyName, newEncryptKeyName) + require.True(t, goldProps.Equals(propsWithNoKeys)) +} + +func TestReplaceSecurityKeysNothingToReplace(t *testing.T) { + propsWithDifferentKeys := properties.NewFromHashmap(map[string]string{ + "tools.openocd.path": "{runtime.tools.openocd.path}", + "tools.openocd.cmd": "bin/openocd", + "tools.openocd.cmd.windows": "bin/openocd.exe", + }) + goldProps := propsWithDifferentKeys.Clone() + newKeysPath := "/new-keys-path" + newSignKeyName := "new-signing-key.pem" + newEncryptKeyName := "new-encrypt-key.pem" + + // No error should be returned since there are no keys in the properties map + ReplaceSecurityKeys(propsWithDifferentKeys, newKeysPath, newSignKeyName, newEncryptKeyName) + require.True(t, goldProps.Equals(propsWithDifferentKeys)) +} From 35294ce80ecc2e37e61967138fe4d4c446c30b79 Mon Sep 17 00:00:00 2001 From: Umberto Baldi Date: Tue, 8 Mar 2022 15:00:15 +0100 Subject: [PATCH 03/20] fix regression introduced: target platform could be nil so using before checking is not a good idea --- commands/compile/compile.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/commands/compile/compile.go b/commands/compile/compile.go index 79f8878bec5..7124da52f4a 100644 --- a/commands/compile/compile.go +++ b/commands/compile/compile.go @@ -118,8 +118,7 @@ func Compile(ctx context.Context, req *rpc.CompileRequest, outStream, errStream Package: fqbn.Package, PlatformArchitecture: fqbn.PlatformArch, }) - InstalledPlatformRelease := pm.GetInstalledPlatformRelease(targetPlatform) - if targetPlatform == nil || InstalledPlatformRelease == nil { + if targetPlatform == nil || pm.GetInstalledPlatformRelease(targetPlatform) == nil { return nil, &arduino.PlatformNotFoundError{ Platform: fmt.Sprintf("%s:%s", fqbn.Package, fqbn.PlatformArch), Cause: fmt.Errorf(tr("platform not installed")), 
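Review bot: The comments `// No error should be returned ...` in `TestReplaceSecurityKeysEmpty` and `TestReplaceSecurityKeysNothingToReplace` do not match the function under test, because `ReplaceSecurityKeys` has no return value. Something like `// The map must be left unchanged because it holds no key properties` describes what the assertion actually checks. All three cases use a single tool; a map with two tools where only one defines `keys.path`, `sign.name` and `encrypt.name` would pin down that unrelated tools are left untouched.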
@@ -143,6 +142,7 @@ func Compile(ctx context.Context, req *rpc.CompileRequest, outStream, errStream if !encryptKeyPath.Exist() { return nil, &arduino.NotFoundError{Message: tr("The path of the specified encription key do not exist: %s", encryptKeyPath), Cause: err} } + InstalledPlatformRelease := pm.GetInstalledPlatformRelease(targetPlatform) ReplaceSecurityKeys(InstalledPlatformRelease.Properties, req.Keysdir, req.Signkeyname, req.Encryptkeyname) } From 50cc3586546f13afb7ca001cb8680384e8678b1b Mon Sep 17 00:00:00 2001 From: Umberto Baldi Date: Wed, 9 Mar 2022 15:09:04 +0100 Subject: [PATCH 04/20] apply suggestions from code review --- cli/compile/compile.go | 22 ++-- commands/compile/compile.go | 25 ++-- rpc/cc/arduino/cli/commands/v1/compile.pb.go | 131 ++++++++++--------- rpc/cc/arduino/cli/commands/v1/compile.proto | 10 +- test/test_compile_part_4.py | 10 +- 5 files changed, 99 insertions(+), 99 deletions(-) diff --git a/cli/compile/compile.go b/cli/compile/compile.go index 496a9b7cb52..8cf72c2472a 100644 --- a/cli/compile/compile.go +++ b/cli/compile/compile.go 
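Review bot: `ReplaceSecurityKeys` is handed `InstalledPlatformRelease.Properties` itself, so the key override is written into the platform release object returned by the package manager rather than into a per-build copy. If that object outlives the request (the long-running daemon is the case to check), a later compile that passes no key options could still sign and encrypt with the previous caller's keys. Consider applying the override to a copy, e.g. `props := InstalledPlatformRelease.Properties.Clone()`, and using that copy for this build only, or add a comment explaining why the in-place change cannot leak into other builds. `Compile` starts and ends outside this hunk, so how the properties reach the builder is not visible here.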
@@ -53,7 +53,7 @@ var (
 buildCachePath string // Builds of 'core.a' are saved into this path to be cached and reused.
 buildPath string // Path where to save compiled files.
 buildProperties []string // List of custom build properties separated by commas. Or can be used multiple times for multiple properties.
- keysDir string // The path of the dir where to search for the custom keys to sign and encrypt a binary. Used only by the platforms that supports it
+ keysPath string // The path of the dir where to search for the custom keys to sign and encrypt a binary. Used only by the platforms that supports it
 signKeyName string // The name of the custom signing key to use to sign a binary during the compile process. Used only by the platforms that supports it
 encryptKeyName string // The name of the custom encryption key to use to encrypt a binary during the compile process. Used only by the platforms that supports it
 warnings string // Used to tell gcc which warning level to use.
@@ -88,7 +88,7 @@ func NewCommand() *cobra.Command { " " + os.Args[0] + ` compile -b arduino:avr:uno --build-property "build.extra_flags=\"-DMY_DEFINE=\"hello world\"\"" /home/user/Arduino/MySketch` + "\n" + " " + os.Args[0] + ` compile -b arduino:avr:uno --build-property "build.extra_flags=-DPIN=2 \"-DMY_DEFINE=\"hello world\"\"" /home/user/Arduino/MySketch` + "\n" + " " + os.Args[0] + ` compile -b arduino:avr:uno --build-property build.extra_flags=-DPIN=2 --build-property "compiler.cpp.extra_flags=\"-DSSID=\"hello world\"\"" /home/user/Arduino/MySketch` + "\n" + - " " + os.Args[0] + ` compile -b arduino:mbed_portenta:envie_m7:security=sien --keys-input-dir /home/user/Arduino/keys --sign-key-name ecsdsa-p256-signing-key.pem --encrypt-key-name ecsdsa-p256-encrypt-key.pem /home/user/Arduino/MySketch` + "\n", + " " + os.Args[0] + ` compile -b arduino:mbed_portenta:envie_m7:security=sien --keys-input-path /home/user/Arduino/keys --sign-key-name ecsdsa-p256-signing-key.pem --encrypt-key-name ecsdsa-p256-encrypt-key.pem /home/user/Arduino/MySketch` + "\n", Args: cobra.MaximumNArgs(1), Run: runCompileCommand, } 
@@ -104,12 +104,12 @@ func NewCommand() *cobra.Command {
 tr("List of custom build properties separated by commas. Or can be used multiple times for multiple properties."))
 compileCommand.Flags().StringArrayVar(&buildProperties, "build-property", []string{},
 tr("Override a build property with a custom value. Can be used multiple times for multiple properties."))
- compileCommand.Flags().StringVar(&keysDir, "keys-input-dir", "",
- tr("The path of the dir where to search for the custom keys to sign and encrypt a binary. Used only by the platforms that supports it"))
+ compileCommand.Flags().StringVar(&keysPath, "keys-input-path", "",
+ tr("The path of the dir to search for the custom keys to sign and encrypt a binary. Used only by the platforms that support it"))
 compileCommand.Flags().StringVar(&signKeyName, "sign-key-name", "",
- tr("The name of the custom signing key to use to sign a binary during the compile process. Used only by the platforms that supports it"))
+ tr("The name of the custom signing key to use to sign a binary during the compile process. Used only by the platforms that support it"))
 compileCommand.Flags().StringVar(&encryptKeyName, "encrypt-key-name", "",
- tr("The name of the custom encryption key to use to encrypt a binary during the compile process. Used only by the platforms that supports it"))
+ tr("The name of the custom encryption key to use to encrypt a binary during the compile process. Used only by the platforms that support it"))
 compileCommand.Flags().StringVar(&warnings, "warnings", "none",
 tr(`Optional, can be: %s. Used to tell gcc which warning level to use (-W flag).`, "none, default, more, all"))
 compileCommand.Flags().BoolVarP(&verbose, "verbose", "v", false, tr("Optional, turns on verbose mode."))
@@ -152,8 +152,8 @@ func runCompileCommand(cmd *cobra.Command, args []string) {
 sketchPath := arguments.InitSketchPath(path)
- if keysDir != "" || signKeyName != "" || encryptKeyName != "" {
- arguments.CheckFlagsMandatory(cmd, "keys-input-dir", "sign-key-name", "encrypt-key-name")
+ if keysPath != "" || signKeyName != "" || encryptKeyName != "" {
+ arguments.CheckFlagsMandatory(cmd, "keys-input-path", "sign-key-name", "encrypt-key-name")
 }
 var overrides map[string]string
@@ -212,9 +212,9 @@ func runCompileCommand(cmd *cobra.Command, args []string) {
 CreateCompilationDatabaseOnly: compilationDatabaseOnly,
 SourceOverride: overrides,
 Library: library,
- Keysdir: keysDir,
- Signkeyname: signKeyName,
- Encryptkeyname: encryptKeyName,
+ KeysPath: keysPath,
+ SignKeyName: signKeyName,
+ EncryptKeyName: encryptKeyName,
 }
 compileStdOut := new(bytes.Buffer)
 compileStdErr := new(bytes.Buffer)
diff --git a/commands/compile/compile.go b/commands/compile/compile.go
index 7124da52f4a..8ee591ae35e 100644
--- a/commands/compile/compile.go
+++ b/commands/compile/compile.go
@@ -126,24 +126,24 @@ func Compile(ctx context.Context, req *rpc.CompileRequest, outStream, errStream
 }
 // At the current time we do not have a way of knowing if a board supports the secure boot or not,
- // so, if the flags to override the default keys are used, we try override the corresponding property in the properties.txt nonetheless.
+ // so, if the flags to override the default keys are used, we try override the corresponding platform property nonetheless.
 // It's not possible to use the default name for the keys since there could be more tools to sign and encrypt.
 // So it's mandatory to use all the tree flags to sign and encrypt the binary
- if req.Keysdir != "" && req.Signkeyname != "" && req.Encryptkeyname != "" {
- keysDirPath := paths.New(req.Keysdir)
+ if req.KeysPath != "" && req.SignKeyName != "" && req.EncryptKeyName != "" {
+ keysDirPath := paths.New(req.KeysPath)
 if !keysDirPath.IsDir() {
 return nil, &arduino.NotFoundError{Message: tr("The path specified is not a directory: %s", keysDirPath), Cause: err}
 }
- signKeyPath := keysDirPath.Join(req.GetSignkeyname())
+ signKeyPath := keysDirPath.Join(req.GetSignKeyName())
 if !signKeyPath.Exist() {
- return nil, &arduino.NotFoundError{Message: tr("The path of the specified signing key do not exist: %s", signKeyPath), Cause: err}
+ return nil, &arduino.NotFoundError{Message: tr("The path of the specified signing key does not exist: %s", signKeyPath), Cause: err}
 }
- encryptKeyPath := keysDirPath.Join(req.GetEncryptkeyname())
+ encryptKeyPath := keysDirPath.Join(req.GetEncryptKeyName())
 if !encryptKeyPath.Exist() {
- return nil, &arduino.NotFoundError{Message: tr("The path of the specified encription key do not exist: %s", encryptKeyPath), Cause: err}
+ return nil, &arduino.NotFoundError{Message: tr("The path of the specified encryption key does not exist: %s", encryptKeyPath), Cause: err}
 }
 InstalledPlatformRelease := pm.GetInstalledPlatformRelease(targetPlatform)
- ReplaceSecurityKeys(InstalledPlatformRelease.Properties, req.Keysdir, req.Signkeyname, req.Encryptkeyname)
+ ReplaceSecurityKeys(InstalledPlatformRelease.Properties, req.KeysPath, req.SignKeyName, req.EncryptKeyName)
 }
 builderCtx := &types.Context{}
@@ -319,17 +319,16 @@ func Compile(ctx context.Context, req *rpc.CompileRequest, outStream, errStream
 }
 // ReplaceSecurityKeys function will override the properties representing the security keys specified in the platform.txt file of a platform with the ones provided by the user.
-// The keys are stored in the keyDir
+// The keys are stored in the keyPath
 // signKeyName is the key used to sign a binary
 // encryptKeyName is the key used to encrypt it
-func ReplaceSecurityKeys(properties *properties.Map, keysDir, signKeyName, encryptKeyName string) {
+func ReplaceSecurityKeys(properties *properties.Map, keysPath, signKeyName, encryptKeyName string) {
 toolsProps := properties.SubTree("tools").FirstLevelOf()
 for toolName, toolProps := range toolsProps {
- // switch o else o select
 if toolProps.ContainsKey("keys.path") {
 key := "tools." + toolName + ".keys.path"
- properties.Set(key, keysDir)
- logrus.Tracef("Overriding Property: %s: %s", key, keysDir)
+ properties.Set(key, keysPath)
+ logrus.Tracef("Overriding Property: %s: %s", key, keysPath)
 }
 if toolProps.ContainsKey("sign.name") {
 key := "tools." + toolName + ".sign.name"
diff --git a/rpc/cc/arduino/cli/commands/v1/compile.pb.go b/rpc/cc/arduino/cli/commands/v1/compile.pb.go
index a785f392474..68b31b18f8c 100644
--- a/rpc/cc/arduino/cli/commands/v1/compile.pb.go
+++ b/rpc/cc/arduino/cli/commands/v1/compile.pb.go
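Review bot: The override runs only when `req.KeysPath`, `req.SignKeyName` and `req.EncryptKeyName` are all non-empty; when a request sets one or two of them the block is skipped without an error, and the build presumably continues with the platform's default keys. The CLI guards this with `CheckFlagsMandatory`, but that helper tests whether a flag was passed, not whether its value is non-empty, and other gRPC clients do not go through it at all. For a secure-boot build a silent fallback to the default keys is worth rejecting: return an invalid-argument error when at least one but not all of the three fields are set. The same condition is carried over under the new field names in the `@@ -129,21 +129,21 @@` hunk of PATCH 05/20. `Compile` begins and ends outside the hunk.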
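Review bot: The doc comment does not match the signature after the rename: it says the keys are stored in `keyPath`, while the parameter is `keysPath`, and it does not say that `properties` is modified in place or that only tools which already define `keys.path`, `sign.name` or `encrypt.name` are touched. I would put it in Go doc form, opening with `// ReplaceSecurityKeys overrides, in place, the keys.path, sign.name and encrypt.name properties of every tool that already defines them.` followed by one line per parameter. The `keyPath` line is still present as context in the `@@ -320,25 +320,25 @@` hunk of PATCH 05/20. The function body continues past the end of this hunk.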
@@ -97,12 +97,13 @@ type CompileRequest struct { ExportBinaries *wrapperspb.BoolValue `protobuf:"bytes,23,opt,name=export_binaries,json=exportBinaries,proto3" json:"export_binaries,omitempty"` // List of paths to library root folders Library []string `protobuf:"bytes,24,rep,name=library,proto3" json:"library,omitempty"` - // The dir where to search for the custom signing key name and the encrypt key name - Keysdir string `protobuf:"bytes,25,opt,name=keysdir,proto3" json:"keysdir,omitempty"` + // The path where to search for the custom signing key name and the encrypt key + // name + KeysPath string `protobuf:"bytes,25,opt,name=keys_path,json=keysPath,proto3" json:"keys_path,omitempty"` // The name of the custom key to use for signing during the compile process - Signkeyname string `protobuf:"bytes,26,opt,name=signkeyname,proto3" json:"signkeyname,omitempty"` + SignKeyName string `protobuf:"bytes,26,opt,name=sign_key_name,json=signKeyName,proto3" json:"sign_key_name,omitempty"` // The name of the custom key to use for encrypting during the compile process - Encryptkeyname string `protobuf:"bytes,27,opt,name=encryptkeyname,proto3" json:"encryptkeyname,omitempty"` + EncryptKeyName string `protobuf:"bytes,27,opt,name=encrypt_key_name,json=encryptKeyName,proto3" json:"encrypt_key_name,omitempty"` } func (x *CompileRequest) Reset() { @@ -284,23 +285,23 @@ func (x *CompileRequest) GetLibrary() []string { return nil } -func (x *CompileRequest) GetKeysdir() string { +func (x *CompileRequest) GetKeysPath() string { if x != nil { - return x.Keysdir + return x.KeysPath } return "" } -func (x *CompileRequest) GetSignkeyname() string { +func (x *CompileRequest) GetSignKeyName() string { if x != nil { - return x.Signkeyname + return x.SignKeyName } return "" } -func (x *CompileRequest) GetEncryptkeyname() string { +func (x *CompileRequest) GetEncryptKeyName() string { if x != nil { - return x.Encryptkeyname + return x.EncryptKeyName } return "" } 
@@ -493,7 +494,7 @@ var file_cc_arduino_cli_commands_v1_compile_proto_rawDesc = []byte{ 0x76, 0x31, 0x2f, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x1a, 0x24, 0x63, 0x63, 0x2f, 0x61, 0x72, 0x64, 0x75, 0x69, 0x6e, 0x6f, 0x2f, 0x63, 0x6c, 0x69, 0x2f, 0x63, 0x6f, 0x6d, 0x6d, 0x61, 0x6e, 0x64, 0x73, 0x2f, 0x76, 0x31, 0x2f, 0x6c, 0x69, 0x62, 0x2e, - 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0xf6, 0x07, 0x0a, 0x0e, 0x43, 0x6f, 0x6d, 0x70, 0x69, 0x6c, + 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0xfd, 0x07, 0x0a, 0x0e, 0x43, 0x6f, 0x6d, 0x70, 0x69, 0x6c, 0x65, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x40, 0x0a, 0x08, 0x69, 0x6e, 0x73, 0x74, 0x61, 0x6e, 0x63, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x24, 0x2e, 0x63, 0x63, 0x2e, 0x61, 0x72, 0x64, 0x75, 0x69, 0x6e, 0x6f, 0x2e, 0x63, 0x6c, 0x69, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 
@@ -546,62 +547,62 @@ var file_cc_arduino_cli_commands_v1_compile_proto_rawDesc = []byte{ 0x62, 0x75, 0x66, 0x2e, 0x42, 0x6f, 0x6f, 0x6c, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x52, 0x0e, 0x65, 0x78, 0x70, 0x6f, 0x72, 0x74, 0x42, 0x69, 0x6e, 0x61, 0x72, 0x69, 0x65, 0x73, 0x12, 0x18, 0x0a, 0x07, 0x6c, 0x69, 0x62, 0x72, 0x61, 0x72, 0x79, 0x18, 0x18, 0x20, 0x03, 0x28, 0x09, 0x52, 0x07, - 0x6c, 0x69, 0x62, 0x72, 0x61, 0x72, 0x79, 0x12, 0x18, 0x0a, 0x07, 0x6b, 0x65, 0x79, 0x73, 0x64, - 0x69, 0x72, 0x18, 0x19, 0x20, 0x01, 0x28, 0x09, 0x52, 0x07, 0x6b, 0x65, 0x79, 0x73, 0x64, 0x69, - 0x72, 0x12, 0x20, 0x0a, 0x0b, 0x73, 0x69, 0x67, 0x6e, 0x6b, 0x65, 0x79, 0x6e, 0x61, 0x6d, 0x65, - 0x18, 0x1a, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0b, 0x73, 0x69, 0x67, 0x6e, 0x6b, 0x65, 0x79, 0x6e, - 0x61, 0x6d, 0x65, 0x12, 0x26, 0x0a, 0x0e, 0x65, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x6b, 0x65, - 0x79, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x1b, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0e, 0x65, 0x6e, 0x63, - 0x72, 0x79, 0x70, 0x74, 0x6b, 0x65, 0x79, 0x6e, 0x61, 0x6d, 0x65, 0x1a, 0x41, 0x0a, 0x13, 0x53, - 0x6f, 0x75, 0x72, 0x63, 0x65, 0x4f, 0x76, 0x65, 0x72, 0x72, 0x69, 0x64, 0x65, 0x45, 0x6e, 0x74, - 0x72, 0x79, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, - 0x03, 0x6b, 0x65, 0x79, 0x12, 0x14, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, - 0x01, 0x28, 0x09, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x3a, 0x02, 0x38, 0x01, 0x22, 0x99, - 0x04, 0x0a, 0x0f, 0x43, 0x6f, 0x6d, 0x70, 0x69, 0x6c, 0x65, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, - 0x73, 0x65, 0x12, 0x1d, 0x0a, 0x0a, 0x6f, 0x75, 0x74, 0x5f, 0x73, 0x74, 0x72, 0x65, 0x61, 0x6d, - 0x18, 0x01, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x09, 0x6f, 0x75, 0x74, 0x53, 0x74, 0x72, 0x65, 0x61, - 0x6d, 0x12, 0x1d, 0x0a, 0x0a, 0x65, 0x72, 0x72, 0x5f, 0x73, 0x74, 0x72, 0x65, 0x61, 0x6d, 0x18, - 0x02, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x09, 0x65, 0x72, 0x72, 0x53, 0x74, 0x72, 0x65, 0x61, 0x6d, - 0x12, 0x1d, 0x0a, 0x0a, 0x62, 0x75, 0x69, 0x6c, 
0x64, 0x5f, 0x70, 0x61, 0x74, 0x68, 0x18, 0x03, - 0x20, 0x01, 0x28, 0x09, 0x52, 0x09, 0x62, 0x75, 0x69, 0x6c, 0x64, 0x50, 0x61, 0x74, 0x68, 0x12, - 0x4a, 0x0a, 0x0e, 0x75, 0x73, 0x65, 0x64, 0x5f, 0x6c, 0x69, 0x62, 0x72, 0x61, 0x72, 0x69, 0x65, - 0x73, 0x18, 0x04, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x23, 0x2e, 0x63, 0x63, 0x2e, 0x61, 0x72, 0x64, + 0x6c, 0x69, 0x62, 0x72, 0x61, 0x72, 0x79, 0x12, 0x1b, 0x0a, 0x09, 0x6b, 0x65, 0x79, 0x73, 0x5f, + 0x70, 0x61, 0x74, 0x68, 0x18, 0x19, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x6b, 0x65, 0x79, 0x73, + 0x50, 0x61, 0x74, 0x68, 0x12, 0x22, 0x0a, 0x0d, 0x73, 0x69, 0x67, 0x6e, 0x5f, 0x6b, 0x65, 0x79, + 0x5f, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x1a, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0b, 0x73, 0x69, 0x67, + 0x6e, 0x4b, 0x65, 0x79, 0x4e, 0x61, 0x6d, 0x65, 0x12, 0x28, 0x0a, 0x10, 0x65, 0x6e, 0x63, 0x72, + 0x79, 0x70, 0x74, 0x5f, 0x6b, 0x65, 0x79, 0x5f, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x1b, 0x20, 0x01, + 0x28, 0x09, 0x52, 0x0e, 0x65, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x4b, 0x65, 0x79, 0x4e, 0x61, + 0x6d, 0x65, 0x1a, 0x41, 0x0a, 0x13, 0x53, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x4f, 0x76, 0x65, 0x72, + 0x72, 0x69, 0x64, 0x65, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, 0x79, + 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, 0x14, 0x0a, 0x05, 0x76, + 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, + 0x65, 0x3a, 0x02, 0x38, 0x01, 0x22, 0x99, 0x04, 0x0a, 0x0f, 0x43, 0x6f, 0x6d, 0x70, 0x69, 0x6c, + 0x65, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x1d, 0x0a, 0x0a, 0x6f, 0x75, 0x74, + 0x5f, 0x73, 0x74, 0x72, 0x65, 0x61, 0x6d, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x09, 0x6f, + 0x75, 0x74, 0x53, 0x74, 0x72, 0x65, 0x61, 0x6d, 0x12, 0x1d, 0x0a, 0x0a, 0x65, 0x72, 0x72, 0x5f, + 0x73, 0x74, 0x72, 0x65, 0x61, 0x6d, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x09, 0x65, 0x72, + 0x72, 0x53, 0x74, 0x72, 0x65, 0x61, 0x6d, 0x12, 0x1d, 0x0a, 0x0a, 0x62, 0x75, 0x69, 
0x6c, 0x64, + 0x5f, 0x70, 0x61, 0x74, 0x68, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x09, 0x62, 0x75, 0x69, + 0x6c, 0x64, 0x50, 0x61, 0x74, 0x68, 0x12, 0x4a, 0x0a, 0x0e, 0x75, 0x73, 0x65, 0x64, 0x5f, 0x6c, + 0x69, 0x62, 0x72, 0x61, 0x72, 0x69, 0x65, 0x73, 0x18, 0x04, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x23, + 0x2e, 0x63, 0x63, 0x2e, 0x61, 0x72, 0x64, 0x75, 0x69, 0x6e, 0x6f, 0x2e, 0x63, 0x6c, 0x69, 0x2e, + 0x63, 0x6f, 0x6d, 0x6d, 0x61, 0x6e, 0x64, 0x73, 0x2e, 0x76, 0x31, 0x2e, 0x4c, 0x69, 0x62, 0x72, + 0x61, 0x72, 0x79, 0x52, 0x0d, 0x75, 0x73, 0x65, 0x64, 0x4c, 0x69, 0x62, 0x72, 0x61, 0x72, 0x69, + 0x65, 0x73, 0x12, 0x6b, 0x0a, 0x18, 0x65, 0x78, 0x65, 0x63, 0x75, 0x74, 0x61, 0x62, 0x6c, 0x65, + 0x5f, 0x73, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x5f, 0x73, 0x69, 0x7a, 0x65, 0x18, 0x05, + 0x20, 0x03, 0x28, 0x0b, 0x32, 0x31, 0x2e, 0x63, 0x63, 0x2e, 0x61, 0x72, 0x64, 0x75, 0x69, 0x6e, + 0x6f, 0x2e, 0x63, 0x6c, 0x69, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x61, 0x6e, 0x64, 0x73, 0x2e, 0x76, + 0x31, 0x2e, 0x45, 0x78, 0x65, 0x63, 0x75, 0x74, 0x61, 0x62, 0x6c, 0x65, 0x53, 0x65, 0x63, 0x74, + 0x69, 0x6f, 0x6e, 0x53, 0x69, 0x7a, 0x65, 0x52, 0x16, 0x65, 0x78, 0x65, 0x63, 0x75, 0x74, 0x61, + 0x62, 0x6c, 0x65, 0x53, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x53, 0x69, 0x7a, 0x65, 0x12, + 0x54, 0x0a, 0x0e, 0x62, 0x6f, 0x61, 0x72, 0x64, 0x5f, 0x70, 0x6c, 0x61, 0x74, 0x66, 0x6f, 0x72, + 0x6d, 0x18, 0x06, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x2d, 0x2e, 0x63, 0x63, 0x2e, 0x61, 0x72, 0x64, 0x75, 0x69, 0x6e, 0x6f, 0x2e, 0x63, 0x6c, 0x69, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x61, 0x6e, 0x64, - 0x73, 0x2e, 0x76, 0x31, 0x2e, 0x4c, 0x69, 0x62, 0x72, 0x61, 0x72, 0x79, 0x52, 0x0d, 0x75, 0x73, - 0x65, 0x64, 0x4c, 0x69, 0x62, 0x72, 0x61, 0x72, 0x69, 0x65, 0x73, 0x12, 0x6b, 0x0a, 0x18, 0x65, - 0x78, 0x65, 0x63, 0x75, 0x74, 0x61, 0x62, 0x6c, 0x65, 0x5f, 0x73, 0x65, 0x63, 0x74, 0x69, 0x6f, - 0x6e, 0x73, 0x5f, 0x73, 0x69, 0x7a, 0x65, 0x18, 0x05, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x31, 0x2e, + 0x73, 0x2e, 0x76, 0x31, 
0x2e, 0x50, 0x6c, 0x61, 0x74, 0x66, 0x6f, 0x72, 0x6d, 0x52, 0x65, 0x66, + 0x65, 0x72, 0x65, 0x6e, 0x63, 0x65, 0x52, 0x0d, 0x62, 0x6f, 0x61, 0x72, 0x64, 0x50, 0x6c, 0x61, + 0x74, 0x66, 0x6f, 0x72, 0x6d, 0x12, 0x54, 0x0a, 0x0e, 0x62, 0x75, 0x69, 0x6c, 0x64, 0x5f, 0x70, + 0x6c, 0x61, 0x74, 0x66, 0x6f, 0x72, 0x6d, 0x18, 0x07, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x2d, 0x2e, 0x63, 0x63, 0x2e, 0x61, 0x72, 0x64, 0x75, 0x69, 0x6e, 0x6f, 0x2e, 0x63, 0x6c, 0x69, 0x2e, 0x63, - 0x6f, 0x6d, 0x6d, 0x61, 0x6e, 0x64, 0x73, 0x2e, 0x76, 0x31, 0x2e, 0x45, 0x78, 0x65, 0x63, 0x75, - 0x74, 0x61, 0x62, 0x6c, 0x65, 0x53, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x53, 0x69, 0x7a, 0x65, - 0x52, 0x16, 0x65, 0x78, 0x65, 0x63, 0x75, 0x74, 0x61, 0x62, 0x6c, 0x65, 0x53, 0x65, 0x63, 0x74, - 0x69, 0x6f, 0x6e, 0x73, 0x53, 0x69, 0x7a, 0x65, 0x12, 0x54, 0x0a, 0x0e, 0x62, 0x6f, 0x61, 0x72, - 0x64, 0x5f, 0x70, 0x6c, 0x61, 0x74, 0x66, 0x6f, 0x72, 0x6d, 0x18, 0x06, 0x20, 0x01, 0x28, 0x0b, - 0x32, 0x2d, 0x2e, 0x63, 0x63, 0x2e, 0x61, 0x72, 0x64, 0x75, 0x69, 0x6e, 0x6f, 0x2e, 0x63, 0x6c, - 0x69, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x61, 0x6e, 0x64, 0x73, 0x2e, 0x76, 0x31, 0x2e, 0x50, 0x6c, - 0x61, 0x74, 0x66, 0x6f, 0x72, 0x6d, 0x52, 0x65, 0x66, 0x65, 0x72, 0x65, 0x6e, 0x63, 0x65, 0x52, - 0x0d, 0x62, 0x6f, 0x61, 0x72, 0x64, 0x50, 0x6c, 0x61, 0x74, 0x66, 0x6f, 0x72, 0x6d, 0x12, 0x54, - 0x0a, 0x0e, 0x62, 0x75, 0x69, 0x6c, 0x64, 0x5f, 0x70, 0x6c, 0x61, 0x74, 0x66, 0x6f, 0x72, 0x6d, - 0x18, 0x07, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x2d, 0x2e, 0x63, 0x63, 0x2e, 0x61, 0x72, 0x64, 0x75, - 0x69, 0x6e, 0x6f, 0x2e, 0x63, 0x6c, 0x69, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x61, 0x6e, 0x64, 0x73, - 0x2e, 0x76, 0x31, 0x2e, 0x50, 0x6c, 0x61, 0x74, 0x66, 0x6f, 0x72, 0x6d, 0x52, 0x65, 0x66, 0x65, - 0x72, 0x65, 0x6e, 0x63, 0x65, 0x52, 0x0d, 0x62, 0x75, 0x69, 0x6c, 0x64, 0x50, 0x6c, 0x61, 0x74, - 0x66, 0x6f, 0x72, 0x6d, 0x12, 0x44, 0x0a, 0x08, 0x70, 0x72, 0x6f, 0x67, 0x72, 0x65, 0x73, 0x73, - 0x18, 0x08, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x28, 0x2e, 0x63, 0x63, 
0x2e, 0x61, 0x72, 0x64, 0x75, - 0x69, 0x6e, 0x6f, 0x2e, 0x63, 0x6c, 0x69, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x61, 0x6e, 0x64, 0x73, - 0x2e, 0x76, 0x31, 0x2e, 0x54, 0x61, 0x73, 0x6b, 0x50, 0x72, 0x6f, 0x67, 0x72, 0x65, 0x73, 0x73, - 0x52, 0x08, 0x70, 0x72, 0x6f, 0x67, 0x72, 0x65, 0x73, 0x73, 0x22, 0x5a, 0x0a, 0x15, 0x45, 0x78, - 0x65, 0x63, 0x75, 0x74, 0x61, 0x62, 0x6c, 0x65, 0x53, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x53, - 0x69, 0x7a, 0x65, 0x12, 0x12, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, - 0x09, 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x12, 0x0a, 0x04, 0x73, 0x69, 0x7a, 0x65, 0x18, - 0x02, 0x20, 0x01, 0x28, 0x03, 0x52, 0x04, 0x73, 0x69, 0x7a, 0x65, 0x12, 0x19, 0x0a, 0x08, 0x6d, - 0x61, 0x78, 0x5f, 0x73, 0x69, 0x7a, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x03, 0x52, 0x07, 0x6d, - 0x61, 0x78, 0x53, 0x69, 0x7a, 0x65, 0x42, 0x48, 0x5a, 0x46, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, - 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x61, 0x72, 0x64, 0x75, 0x69, 0x6e, 0x6f, 0x2f, 0x61, 0x72, 0x64, - 0x75, 0x69, 0x6e, 0x6f, 0x2d, 0x63, 0x6c, 0x69, 0x2f, 0x72, 0x70, 0x63, 0x2f, 0x63, 0x63, 0x2f, - 0x61, 0x72, 0x64, 0x75, 0x69, 0x6e, 0x6f, 0x2f, 0x63, 0x6c, 0x69, 0x2f, 0x63, 0x6f, 0x6d, 0x6d, - 0x61, 0x6e, 0x64, 0x73, 0x2f, 0x76, 0x31, 0x3b, 0x63, 0x6f, 0x6d, 0x6d, 0x61, 0x6e, 0x64, 0x73, - 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, + 0x6f, 0x6d, 0x6d, 0x61, 0x6e, 0x64, 0x73, 0x2e, 0x76, 0x31, 0x2e, 0x50, 0x6c, 0x61, 0x74, 0x66, + 0x6f, 0x72, 0x6d, 0x52, 0x65, 0x66, 0x65, 0x72, 0x65, 0x6e, 0x63, 0x65, 0x52, 0x0d, 0x62, 0x75, + 0x69, 0x6c, 0x64, 0x50, 0x6c, 0x61, 0x74, 0x66, 0x6f, 0x72, 0x6d, 0x12, 0x44, 0x0a, 0x08, 0x70, + 0x72, 0x6f, 0x67, 0x72, 0x65, 0x73, 0x73, 0x18, 0x08, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x28, 0x2e, + 0x63, 0x63, 0x2e, 0x61, 0x72, 0x64, 0x75, 0x69, 0x6e, 0x6f, 0x2e, 0x63, 0x6c, 0x69, 0x2e, 0x63, + 0x6f, 0x6d, 0x6d, 0x61, 0x6e, 0x64, 0x73, 0x2e, 0x76, 0x31, 0x2e, 0x54, 0x61, 0x73, 0x6b, 0x50, + 0x72, 0x6f, 0x67, 0x72, 0x65, 0x73, 0x73, 0x52, 0x08, 
0x70, 0x72, 0x6f, 0x67, 0x72, 0x65, 0x73, + 0x73, 0x22, 0x5a, 0x0a, 0x15, 0x45, 0x78, 0x65, 0x63, 0x75, 0x74, 0x61, 0x62, 0x6c, 0x65, 0x53, + 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x53, 0x69, 0x7a, 0x65, 0x12, 0x12, 0x0a, 0x04, 0x6e, 0x61, + 0x6d, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x12, + 0x0a, 0x04, 0x73, 0x69, 0x7a, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x03, 0x52, 0x04, 0x73, 0x69, + 0x7a, 0x65, 0x12, 0x19, 0x0a, 0x08, 0x6d, 0x61, 0x78, 0x5f, 0x73, 0x69, 0x7a, 0x65, 0x18, 0x03, + 0x20, 0x01, 0x28, 0x03, 0x52, 0x07, 0x6d, 0x61, 0x78, 0x53, 0x69, 0x7a, 0x65, 0x42, 0x48, 0x5a, + 0x46, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x61, 0x72, 0x64, 0x75, + 0x69, 0x6e, 0x6f, 0x2f, 0x61, 0x72, 0x64, 0x75, 0x69, 0x6e, 0x6f, 0x2d, 0x63, 0x6c, 0x69, 0x2f, + 0x72, 0x70, 0x63, 0x2f, 0x63, 0x63, 0x2f, 0x61, 0x72, 0x64, 0x75, 0x69, 0x6e, 0x6f, 0x2f, 0x63, + 0x6c, 0x69, 0x2f, 0x63, 0x6f, 0x6d, 0x6d, 0x61, 0x6e, 0x64, 0x73, 0x2f, 0x76, 0x31, 0x3b, 0x63, + 0x6f, 0x6d, 0x6d, 0x61, 0x6e, 0x64, 0x73, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, } var ( diff --git a/rpc/cc/arduino/cli/commands/v1/compile.proto b/rpc/cc/arduino/cli/commands/v1/compile.proto index f51ba3f9d0b..4d17c0fc4a1 100644 --- a/rpc/cc/arduino/cli/commands/v1/compile.proto +++ b/rpc/cc/arduino/cli/commands/v1/compile.proto 
@@ -80,13 +80,13 @@ message CompileRequest { google.protobuf.BoolValue export_binaries = 23; // List of paths to library root folders repeated string library = 24; - // The dir where to search for the custom signing key name and the encrypt key - // name - string keysdir = 25; + // The path where to search for the custom signing key name and the encrypt + // key name + string keys_path = 25; // The name of the custom key to use for signing during the compile process - string signkeyname = 26; + string sign_key_name = 26; // The name of the custom key to use for encrypting during the compile process - string encryptkeyname = 27; + string encrypt_key_name = 27; } message CompileResponse { diff --git a/test/test_compile_part_4.py b/test/test_compile_part_4.py index cab03875102..646b4523742 100644 --- a/test/test_compile_part_4.py +++ b/test/test_compile_part_4.py @@ -465,13 +465,13 @@ def test_compile_with_fake_secure_boot_core(run_command, data_dir): "-b", fqbn + ":security=sien", sketch_path, - "--keys-input-dir", + "--keys-input-path", data_dir, "-v", ] ) assert res.failed - assert "Please use also --sign-key-name flag when using --keys-input-dir" in res.stderr + assert "Please use also --sign-key-name flag when using --keys-input-path" in res.stderr # Verifies compilation does not work with secure boot enabled and when a key does not exist res = run_command( @@ -481,7 +481,7 @@ def test_compile_with_fake_secure_boot_core(run_command, data_dir): "-b", fqbn + ":security=sien", sketch_path, - "--keys-input-dir", + "--keys-input-path", data_dir, "--sign-key-name", "non_existing_signing_key.pem", 
@@ -491,7 +491,7 @@ def test_compile_with_fake_secure_boot_core(run_command, data_dir): ] ) assert res.failed - assert "Error during build: The path of the specified signing key do not exist:" in res.stderr + assert "Error during build: The path of the specified signing key does not exist:" in res.stderr # Verifies compilation works with secure boot enabled and when overriding the sign key and encryption key used keys_dir = Path(data_dir, "keys_dir") @@ -507,7 +507,7 @@ def test_compile_with_fake_secure_boot_core(run_command, data_dir): "-b", fqbn + ":security=sien", sketch_path, - "--keys-input-dir", + "--keys-input-path", keys_dir, "--sign-key-name", "my-sign-key.pem", From 04a41e777fd9d21bb2d24b28dfb6450004dba457 Mon Sep 17 00:00:00 2001 From: umbynos Date: Thu, 10 Mar 2022 18:02:36 +0100 Subject: [PATCH 05/20] rename of some flags (done to accommodate the proposed changes in platform.txt) --- cli/compile/compile.go | 24 ++-- commands/compile/compile.go | 28 ++-- rpc/cc/arduino/cli/commands/v1/compile.pb.go | 130 +++++++++---------- rpc/cc/arduino/cli/commands/v1/compile.proto | 6 +- test/test_compile_part_4.py | 16 +-- 5 files changed, 102 insertions(+), 102 deletions(-) diff --git a/cli/compile/compile.go b/cli/compile/compile.go index 8cf72c2472a..763c4c59782 100644 --- a/cli/compile/compile.go +++ b/cli/compile/compile.go 
@@ -53,9 +53,9 @@ var (
 buildCachePath string // Builds of 'core.a' are saved into this path to be cached and reused.
 buildPath string // Path where to save compiled files.
 buildProperties []string // List of custom build properties separated by commas. Or can be used multiple times for multiple properties.
- keysPath string // The path of the dir where to search for the custom keys to sign and encrypt a binary. Used only by the platforms that supports it
- signKeyName string // The name of the custom signing key to use to sign a binary during the compile process. Used only by the platforms that supports it
- encryptKeyName string // The name of the custom encryption key to use to encrypt a binary during the compile process. Used only by the platforms that supports it
+ keysKeychain string // The path of the dir where to search for the custom keys to sign and encrypt a binary. Used only by the platforms that supports it
+ signKey string // The name of the custom signing key to use to sign a binary during the compile process. Used only by the platforms that supports it
+ encryptKey string // The name of the custom encryption key to use to encrypt a binary during the compile process. Used only by the platforms that supports it
 warnings string // Used to tell gcc which warning level to use.
 verbose bool // Turns on verbose mode.
 quiet bool // Suppresses almost every output.
@@ -88,7 +88,7 @@ func NewCommand() *cobra.Command { " " + os.Args[0] + ` compile -b arduino:avr:uno --build-property "build.extra_flags=\"-DMY_DEFINE=\"hello world\"\"" /home/user/Arduino/MySketch` + "\n" + " " + os.Args[0] + ` compile -b arduino:avr:uno --build-property "build.extra_flags=-DPIN=2 \"-DMY_DEFINE=\"hello world\"\"" /home/user/Arduino/MySketch` + "\n" + " " + os.Args[0] + ` compile -b arduino:avr:uno --build-property build.extra_flags=-DPIN=2 --build-property "compiler.cpp.extra_flags=\"-DSSID=\"hello world\"\"" /home/user/Arduino/MySketch` + "\n" + - " " + os.Args[0] + ` compile -b arduino:mbed_portenta:envie_m7:security=sien --keys-input-path /home/user/Arduino/keys --sign-key-name ecsdsa-p256-signing-key.pem --encrypt-key-name ecsdsa-p256-encrypt-key.pem /home/user/Arduino/MySketch` + "\n", + " " + os.Args[0] + ` compile -b arduino:mbed_portenta:envie_m7:security=sien --keys-keychain /home/user/Arduino/keys --sign-key ecsdsa-p256-signing-key.pem --encrypt-key ecsdsa-p256-encrypt-key.pem /home/user/Arduino/MySketch` + "\n", Args: cobra.MaximumNArgs(1), Run: runCompileCommand, } 
@@ -104,11 +104,11 @@ func NewCommand() *cobra.Command {
 tr("List of custom build properties separated by commas. Or can be used multiple times for multiple properties."))
 compileCommand.Flags().StringArrayVar(&buildProperties, "build-property", []string{},
 tr("Override a build property with a custom value. Can be used multiple times for multiple properties."))
- compileCommand.Flags().StringVar(&keysPath, "keys-input-path", "",
+ compileCommand.Flags().StringVar(&keysKeychain, "keys-keychain", "",
 tr("The path of the dir to search for the custom keys to sign and encrypt a binary. Used only by the platforms that support it"))
- compileCommand.Flags().StringVar(&signKeyName, "sign-key-name", "",
+ compileCommand.Flags().StringVar(&signKey, "sign-key", "",
 tr("The name of the custom signing key to use to sign a binary during the compile process. Used only by the platforms that support it"))
- compileCommand.Flags().StringVar(&encryptKeyName, "encrypt-key-name", "",
+ compileCommand.Flags().StringVar(&encryptKey, "encrypt-key", "",
 tr("The name of the custom encryption key to use to encrypt a binary during the compile process. Used only by the platforms that support it"))
 compileCommand.Flags().StringVar(&warnings, "warnings", "none",
 tr(`Optional, can be: %s. Used to tell gcc which warning level to use (-W flag).`, "none, default, more, all"))
@@ -152,8 +152,8 @@ func runCompileCommand(cmd *cobra.Command, args []string) {
 sketchPath := arguments.InitSketchPath(path)
- if keysPath != "" || signKeyName != "" || encryptKeyName != "" {
- arguments.CheckFlagsMandatory(cmd, "keys-input-path", "sign-key-name", "encrypt-key-name")
+ if keysKeychain != "" || signKey != "" || encryptKey != "" {
+ arguments.CheckFlagsMandatory(cmd, "keys-keychain", "sign-key", "encrypt-key")
 }
 var overrides map[string]string
@@ -212,9 +212,9 @@ func runCompileCommand(cmd *cobra.Command, args []string) {
 CreateCompilationDatabaseOnly: compilationDatabaseOnly,
 SourceOverride: overrides,
 Library: library,
- KeysPath: keysPath,
- SignKeyName: signKeyName,
- EncryptKeyName: encryptKeyName,
+ KeysKeychain: keysKeychain,
+ SignKey: signKey,
+ EncryptKey: encryptKey,
 }
 compileStdOut := new(bytes.Buffer)
 compileStdErr := new(bytes.Buffer)
diff --git a/commands/compile/compile.go b/commands/compile/compile.go
index 8ee591ae35e..2f0d5b85b9b 100644
--- a/commands/compile/compile.go
+++ b/commands/compile/compile.go
@@ -129,21 +129,21 @@ func Compile(ctx context.Context, req *rpc.CompileRequest, outStream, errStream
 // so, if the flags to override the default keys are used, we try override the corresponding platform property nonetheless.
 // It's not possible to use the default name for the keys since there could be more tools to sign and encrypt.
 // So it's mandatory to use all the tree flags to sign and encrypt the binary
- if req.KeysPath != "" && req.SignKeyName != "" && req.EncryptKeyName != "" {
- keysDirPath := paths.New(req.KeysPath)
+ if req.KeysKeychain != "" && req.SignKey != "" && req.EncryptKey != "" {
+ keysDirPath := paths.New(req.KeysKeychain)
 if !keysDirPath.IsDir() {
 return nil, &arduino.NotFoundError{Message: tr("The path specified is not a directory: %s", keysDirPath), Cause: err}
 }
- signKeyPath := keysDirPath.Join(req.GetSignKeyName())
+ signKeyPath := keysDirPath.Join(req.GetSignKey())
 if !signKeyPath.Exist() {
 return nil, &arduino.NotFoundError{Message: tr("The path of the specified signing key does not exist: %s", signKeyPath), Cause: err}
 }
- encryptKeyPath := keysDirPath.Join(req.GetEncryptKeyName())
+ encryptKeyPath := keysDirPath.Join(req.GetEncryptKey())
 if !encryptKeyPath.Exist() {
 return nil, &arduino.NotFoundError{Message: tr("The path of the specified encryption key does not exist: %s", encryptKeyPath), Cause: err}
 }
 InstalledPlatformRelease := pm.GetInstalledPlatformRelease(targetPlatform)
- ReplaceSecurityKeys(InstalledPlatformRelease.Properties, req.KeysPath, req.SignKeyName, req.EncryptKeyName)
+ ReplaceSecurityKeys(InstalledPlatformRelease.Properties, req.KeysKeychain, req.SignKey, req.EncryptKey)
 }
 builderCtx := &types.Context{}
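Review bot: Each of the three `NotFoundError` values in this block is built with `Cause: err`, but none of the checks here (`IsDir()`, `Exist()`) assigns `err`, so the cause is whatever an earlier statement outside the hunk left in it, most likely nil or an unrelated error. I would drop `Cause` from these literals or fill it from the stat call that backs the check. The key checks are also loose for files that end up signing firmware: `keysDirPath.Join(req.GetSignKey())` accepts a name containing path separators, and `Exist()` appears to be satisfied by a directory as well as a file, so it is worth requiring a plain file name that resolves to a regular file inside the keychain directory. These lines are carried over from the `@@ -126,24 +126,24 @@` hunk of PATCH 04/20, and `Compile` begins and ends outside the hunk.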
@@ -320,25 +320,25 @@ func Compile(ctx context.Context, req *rpc.CompileRequest, outStream, errStream // ReplaceSecurityKeys function will override the properties representing the security keys specified in the platform.txt file of a platform with the ones provided by the user. // The keys are stored in the keyPath -// signKeyName is the key used to sign a binary -// encryptKeyName is the key used to encrypt it -func ReplaceSecurityKeys(properties *properties.Map, keysPath, signKeyName, encryptKeyName string) { +// signKey is the key used to sign a binary +// encryptKey is the key used to encrypt it +func ReplaceSecurityKeys(properties *properties.Map, keysKKeysKeychain, signKey, encryptKey string) { toolsProps := properties.SubTree("tools").FirstLevelOf() for toolName, toolProps := range toolsProps { if toolProps.ContainsKey("keys.path") { key := "tools." + toolName + ".keys.path" - properties.Set(key, keysPath) - logrus.Tracef("Overriding Property: %s: %s", key, keysPath) + properties.Set(key, keysKKeysKeychain) + logrus.Tracef("Overriding Property: %s: %s", key, keysKKeysKeychain) } if toolProps.ContainsKey("sign.name") { key := "tools." + toolName + ".sign.name" - properties.Set(key, signKeyName) - logrus.Tracef("Overriding Property: %s: %s", key, signKeyName) + properties.Set(key, signKey) + logrus.Tracef("Overriding Property: %s: %s", key, signKey) } if toolProps.ContainsKey("encrypt.name") { key := "tools." + toolName + ".encrypt.name" - properties.Set(key, encryptKeyName) - logrus.Tracef("Overriding Property: %s: %s", key, encryptKeyName) + properties.Set(key, encryptKey) + logrus.Tracef("Overriding Property: %s: %s", key, encryptKey) } } } diff --git a/rpc/cc/arduino/cli/commands/v1/compile.pb.go b/rpc/cc/arduino/cli/commands/v1/compile.pb.go index 68b31b18f8c..dad0be067ec 100644 --- a/rpc/cc/arduino/cli/commands/v1/compile.pb.go +++ b/rpc/cc/arduino/cli/commands/v1/compile.pb.go 
@@ -97,13 +97,13 @@ type CompileRequest struct { ExportBinaries *wrapperspb.BoolValue `protobuf:"bytes,23,opt,name=export_binaries,json=exportBinaries,proto3" json:"export_binaries,omitempty"` // List of paths to library root folders Library []string `protobuf:"bytes,24,rep,name=library,proto3" json:"library,omitempty"` - // The path where to search for the custom signing key name and the encrypt key - // name - KeysPath string `protobuf:"bytes,25,opt,name=keys_path,json=keysPath,proto3" json:"keys_path,omitempty"` + // The path where to search for the custom signing key name and the encrypt + // key name + KeysKeychain string `protobuf:"bytes,25,opt,name=keys_keychain,json=keysKeychain,proto3" json:"keys_keychain,omitempty"` // The name of the custom key to use for signing during the compile process - SignKeyName string `protobuf:"bytes,26,opt,name=sign_key_name,json=signKeyName,proto3" json:"sign_key_name,omitempty"` + SignKey string `protobuf:"bytes,26,opt,name=sign_key,json=signKey,proto3" json:"sign_key,omitempty"` // The name of the custom key to use for encrypting during the compile process - EncryptKeyName string `protobuf:"bytes,27,opt,name=encrypt_key_name,json=encryptKeyName,proto3" json:"encrypt_key_name,omitempty"` + EncryptKey string `protobuf:"bytes,27,opt,name=encrypt_key,json=encryptKey,proto3" json:"encrypt_key,omitempty"` } func (x *CompileRequest) Reset() { 
@@ -285,23 +285,23 @@ func (x *CompileRequest) GetLibrary() []string { return nil } -func (x *CompileRequest) GetKeysPath() string { +func (x *CompileRequest) GetKeysKeychain() string { if x != nil { - return x.KeysPath + return x.KeysKeychain } return "" } -func (x *CompileRequest) GetSignKeyName() string { +func (x *CompileRequest) GetSignKey() string { if x != nil { - return x.SignKeyName + return x.SignKey } return "" } -func (x *CompileRequest) GetEncryptKeyName() string { +func (x *CompileRequest) GetEncryptKey() string { if x != nil { - return x.EncryptKeyName + return x.EncryptKey } return "" } @@ -494,7 +494,7 @@ var file_cc_arduino_cli_commands_v1_compile_proto_rawDesc = []byte{ 0x76, 0x31, 0x2f, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x1a, 0x24, 0x63, 0x63, 0x2f, 0x61, 0x72, 0x64, 0x75, 0x69, 0x6e, 0x6f, 0x2f, 0x63, 0x6c, 0x69, 0x2f, 0x63, 0x6f, 0x6d, 0x6d, 0x61, 0x6e, 0x64, 0x73, 0x2f, 0x76, 0x31, 0x2f, 0x6c, 0x69, 0x62, 0x2e, - 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0xfd, 0x07, 0x0a, 0x0e, 0x43, 0x6f, 0x6d, 0x70, 0x69, 0x6c, + 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0xf3, 0x07, 0x0a, 0x0e, 0x43, 0x6f, 0x6d, 0x70, 0x69, 0x6c, 0x65, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x40, 0x0a, 0x08, 0x69, 0x6e, 0x73, 0x74, 0x61, 0x6e, 0x63, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x24, 0x2e, 0x63, 0x63, 0x2e, 0x61, 0x72, 0x64, 0x75, 0x69, 0x6e, 0x6f, 0x2e, 0x63, 0x6c, 0x69, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 
@@ -547,62 +547,62 @@ var file_cc_arduino_cli_commands_v1_compile_proto_rawDesc = []byte{ 0x62, 0x75, 0x66, 0x2e, 0x42, 0x6f, 0x6f, 0x6c, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x52, 0x0e, 0x65, 0x78, 0x70, 0x6f, 0x72, 0x74, 0x42, 0x69, 0x6e, 0x61, 0x72, 0x69, 0x65, 0x73, 0x12, 0x18, 0x0a, 0x07, 0x6c, 0x69, 0x62, 0x72, 0x61, 0x72, 0x79, 0x18, 0x18, 0x20, 0x03, 0x28, 0x09, 0x52, 0x07, - 0x6c, 0x69, 0x62, 0x72, 0x61, 0x72, 0x79, 0x12, 0x1b, 0x0a, 0x09, 0x6b, 0x65, 0x79, 0x73, 0x5f, - 0x70, 0x61, 0x74, 0x68, 0x18, 0x19, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x6b, 0x65, 0x79, 0x73, - 0x50, 0x61, 0x74, 0x68, 0x12, 0x22, 0x0a, 0x0d, 0x73, 0x69, 0x67, 0x6e, 0x5f, 0x6b, 0x65, 0x79, - 0x5f, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x1a, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0b, 0x73, 0x69, 0x67, - 0x6e, 0x4b, 0x65, 0x79, 0x4e, 0x61, 0x6d, 0x65, 0x12, 0x28, 0x0a, 0x10, 0x65, 0x6e, 0x63, 0x72, - 0x79, 0x70, 0x74, 0x5f, 0x6b, 0x65, 0x79, 0x5f, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x1b, 0x20, 0x01, - 0x28, 0x09, 0x52, 0x0e, 0x65, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x4b, 0x65, 0x79, 0x4e, 0x61, - 0x6d, 0x65, 0x1a, 0x41, 0x0a, 0x13, 0x53, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x4f, 0x76, 0x65, 0x72, - 0x72, 0x69, 0x64, 0x65, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, 0x79, - 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, 0x14, 0x0a, 0x05, 0x76, - 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, - 0x65, 0x3a, 0x02, 0x38, 0x01, 0x22, 0x99, 0x04, 0x0a, 0x0f, 0x43, 0x6f, 0x6d, 0x70, 0x69, 0x6c, - 0x65, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x1d, 0x0a, 0x0a, 0x6f, 0x75, 0x74, - 0x5f, 0x73, 0x74, 0x72, 0x65, 0x61, 0x6d, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x09, 0x6f, - 0x75, 0x74, 0x53, 0x74, 0x72, 0x65, 0x61, 0x6d, 0x12, 0x1d, 0x0a, 0x0a, 0x65, 0x72, 0x72, 0x5f, - 0x73, 0x74, 0x72, 0x65, 0x61, 0x6d, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x09, 0x65, 0x72, - 0x72, 0x53, 0x74, 0x72, 0x65, 0x61, 0x6d, 0x12, 
0x1d, 0x0a, 0x0a, 0x62, 0x75, 0x69, 0x6c, 0x64, - 0x5f, 0x70, 0x61, 0x74, 0x68, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x09, 0x62, 0x75, 0x69, - 0x6c, 0x64, 0x50, 0x61, 0x74, 0x68, 0x12, 0x4a, 0x0a, 0x0e, 0x75, 0x73, 0x65, 0x64, 0x5f, 0x6c, - 0x69, 0x62, 0x72, 0x61, 0x72, 0x69, 0x65, 0x73, 0x18, 0x04, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x23, - 0x2e, 0x63, 0x63, 0x2e, 0x61, 0x72, 0x64, 0x75, 0x69, 0x6e, 0x6f, 0x2e, 0x63, 0x6c, 0x69, 0x2e, - 0x63, 0x6f, 0x6d, 0x6d, 0x61, 0x6e, 0x64, 0x73, 0x2e, 0x76, 0x31, 0x2e, 0x4c, 0x69, 0x62, 0x72, - 0x61, 0x72, 0x79, 0x52, 0x0d, 0x75, 0x73, 0x65, 0x64, 0x4c, 0x69, 0x62, 0x72, 0x61, 0x72, 0x69, - 0x65, 0x73, 0x12, 0x6b, 0x0a, 0x18, 0x65, 0x78, 0x65, 0x63, 0x75, 0x74, 0x61, 0x62, 0x6c, 0x65, - 0x5f, 0x73, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x5f, 0x73, 0x69, 0x7a, 0x65, 0x18, 0x05, - 0x20, 0x03, 0x28, 0x0b, 0x32, 0x31, 0x2e, 0x63, 0x63, 0x2e, 0x61, 0x72, 0x64, 0x75, 0x69, 0x6e, + 0x6c, 0x69, 0x62, 0x72, 0x61, 0x72, 0x79, 0x12, 0x23, 0x0a, 0x0d, 0x6b, 0x65, 0x79, 0x73, 0x5f, + 0x6b, 0x65, 0x79, 0x63, 0x68, 0x61, 0x69, 0x6e, 0x18, 0x19, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0c, + 0x6b, 0x65, 0x79, 0x73, 0x4b, 0x65, 0x79, 0x63, 0x68, 0x61, 0x69, 0x6e, 0x12, 0x19, 0x0a, 0x08, + 0x73, 0x69, 0x67, 0x6e, 0x5f, 0x6b, 0x65, 0x79, 0x18, 0x1a, 0x20, 0x01, 0x28, 0x09, 0x52, 0x07, + 0x73, 0x69, 0x67, 0x6e, 0x4b, 0x65, 0x79, 0x12, 0x1f, 0x0a, 0x0b, 0x65, 0x6e, 0x63, 0x72, 0x79, + 0x70, 0x74, 0x5f, 0x6b, 0x65, 0x79, 0x18, 0x1b, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0a, 0x65, 0x6e, + 0x63, 0x72, 0x79, 0x70, 0x74, 0x4b, 0x65, 0x79, 0x1a, 0x41, 0x0a, 0x13, 0x53, 0x6f, 0x75, 0x72, + 0x63, 0x65, 0x4f, 0x76, 0x65, 0x72, 0x72, 0x69, 0x64, 0x65, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, + 0x10, 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, + 0x79, 0x12, 0x14, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, + 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x3a, 0x02, 0x38, 0x01, 0x22, 0x99, 0x04, 
0x0a, 0x0f, + 0x43, 0x6f, 0x6d, 0x70, 0x69, 0x6c, 0x65, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, + 0x1d, 0x0a, 0x0a, 0x6f, 0x75, 0x74, 0x5f, 0x73, 0x74, 0x72, 0x65, 0x61, 0x6d, 0x18, 0x01, 0x20, + 0x01, 0x28, 0x0c, 0x52, 0x09, 0x6f, 0x75, 0x74, 0x53, 0x74, 0x72, 0x65, 0x61, 0x6d, 0x12, 0x1d, + 0x0a, 0x0a, 0x65, 0x72, 0x72, 0x5f, 0x73, 0x74, 0x72, 0x65, 0x61, 0x6d, 0x18, 0x02, 0x20, 0x01, + 0x28, 0x0c, 0x52, 0x09, 0x65, 0x72, 0x72, 0x53, 0x74, 0x72, 0x65, 0x61, 0x6d, 0x12, 0x1d, 0x0a, + 0x0a, 0x62, 0x75, 0x69, 0x6c, 0x64, 0x5f, 0x70, 0x61, 0x74, 0x68, 0x18, 0x03, 0x20, 0x01, 0x28, + 0x09, 0x52, 0x09, 0x62, 0x75, 0x69, 0x6c, 0x64, 0x50, 0x61, 0x74, 0x68, 0x12, 0x4a, 0x0a, 0x0e, + 0x75, 0x73, 0x65, 0x64, 0x5f, 0x6c, 0x69, 0x62, 0x72, 0x61, 0x72, 0x69, 0x65, 0x73, 0x18, 0x04, + 0x20, 0x03, 0x28, 0x0b, 0x32, 0x23, 0x2e, 0x63, 0x63, 0x2e, 0x61, 0x72, 0x64, 0x75, 0x69, 0x6e, 0x6f, 0x2e, 0x63, 0x6c, 0x69, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x61, 0x6e, 0x64, 0x73, 0x2e, 0x76, - 0x31, 0x2e, 0x45, 0x78, 0x65, 0x63, 0x75, 0x74, 0x61, 0x62, 0x6c, 0x65, 0x53, 0x65, 0x63, 0x74, - 0x69, 0x6f, 0x6e, 0x53, 0x69, 0x7a, 0x65, 0x52, 0x16, 0x65, 0x78, 0x65, 0x63, 0x75, 0x74, 0x61, - 0x62, 0x6c, 0x65, 0x53, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x53, 0x69, 0x7a, 0x65, 0x12, - 0x54, 0x0a, 0x0e, 0x62, 0x6f, 0x61, 0x72, 0x64, 0x5f, 0x70, 0x6c, 0x61, 0x74, 0x66, 0x6f, 0x72, - 0x6d, 0x18, 0x06, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x2d, 0x2e, 0x63, 0x63, 0x2e, 0x61, 0x72, 0x64, - 0x75, 0x69, 0x6e, 0x6f, 0x2e, 0x63, 0x6c, 0x69, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x61, 0x6e, 0x64, - 0x73, 0x2e, 0x76, 0x31, 0x2e, 0x50, 0x6c, 0x61, 0x74, 0x66, 0x6f, 0x72, 0x6d, 0x52, 0x65, 0x66, - 0x65, 0x72, 0x65, 0x6e, 0x63, 0x65, 0x52, 0x0d, 0x62, 0x6f, 0x61, 0x72, 0x64, 0x50, 0x6c, 0x61, - 0x74, 0x66, 0x6f, 0x72, 0x6d, 0x12, 0x54, 0x0a, 0x0e, 0x62, 0x75, 0x69, 0x6c, 0x64, 0x5f, 0x70, - 0x6c, 0x61, 0x74, 0x66, 0x6f, 0x72, 0x6d, 0x18, 0x07, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x2d, 0x2e, + 0x31, 0x2e, 0x4c, 0x69, 
0x62, 0x72, 0x61, 0x72, 0x79, 0x52, 0x0d, 0x75, 0x73, 0x65, 0x64, 0x4c, + 0x69, 0x62, 0x72, 0x61, 0x72, 0x69, 0x65, 0x73, 0x12, 0x6b, 0x0a, 0x18, 0x65, 0x78, 0x65, 0x63, + 0x75, 0x74, 0x61, 0x62, 0x6c, 0x65, 0x5f, 0x73, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x5f, + 0x73, 0x69, 0x7a, 0x65, 0x18, 0x05, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x31, 0x2e, 0x63, 0x63, 0x2e, + 0x61, 0x72, 0x64, 0x75, 0x69, 0x6e, 0x6f, 0x2e, 0x63, 0x6c, 0x69, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, + 0x61, 0x6e, 0x64, 0x73, 0x2e, 0x76, 0x31, 0x2e, 0x45, 0x78, 0x65, 0x63, 0x75, 0x74, 0x61, 0x62, + 0x6c, 0x65, 0x53, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x53, 0x69, 0x7a, 0x65, 0x52, 0x16, 0x65, + 0x78, 0x65, 0x63, 0x75, 0x74, 0x61, 0x62, 0x6c, 0x65, 0x53, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, + 0x73, 0x53, 0x69, 0x7a, 0x65, 0x12, 0x54, 0x0a, 0x0e, 0x62, 0x6f, 0x61, 0x72, 0x64, 0x5f, 0x70, + 0x6c, 0x61, 0x74, 0x66, 0x6f, 0x72, 0x6d, 0x18, 0x06, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x2d, 0x2e, 0x63, 0x63, 0x2e, 0x61, 0x72, 0x64, 0x75, 0x69, 0x6e, 0x6f, 0x2e, 0x63, 0x6c, 0x69, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x61, 0x6e, 0x64, 0x73, 0x2e, 0x76, 0x31, 0x2e, 0x50, 0x6c, 0x61, 0x74, 0x66, - 0x6f, 0x72, 0x6d, 0x52, 0x65, 0x66, 0x65, 0x72, 0x65, 0x6e, 0x63, 0x65, 0x52, 0x0d, 0x62, 0x75, - 0x69, 0x6c, 0x64, 0x50, 0x6c, 0x61, 0x74, 0x66, 0x6f, 0x72, 0x6d, 0x12, 0x44, 0x0a, 0x08, 0x70, - 0x72, 0x6f, 0x67, 0x72, 0x65, 0x73, 0x73, 0x18, 0x08, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x28, 0x2e, - 0x63, 0x63, 0x2e, 0x61, 0x72, 0x64, 0x75, 0x69, 0x6e, 0x6f, 0x2e, 0x63, 0x6c, 0x69, 0x2e, 0x63, - 0x6f, 0x6d, 0x6d, 0x61, 0x6e, 0x64, 0x73, 0x2e, 0x76, 0x31, 0x2e, 0x54, 0x61, 0x73, 0x6b, 0x50, - 0x72, 0x6f, 0x67, 0x72, 0x65, 0x73, 0x73, 0x52, 0x08, 0x70, 0x72, 0x6f, 0x67, 0x72, 0x65, 0x73, - 0x73, 0x22, 0x5a, 0x0a, 0x15, 0x45, 0x78, 0x65, 0x63, 0x75, 0x74, 0x61, 0x62, 0x6c, 0x65, 0x53, - 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x53, 0x69, 0x7a, 0x65, 0x12, 0x12, 0x0a, 0x04, 0x6e, 0x61, - 0x6d, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x6e, 
0x61, 0x6d, 0x65, 0x12, 0x12, - 0x0a, 0x04, 0x73, 0x69, 0x7a, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x03, 0x52, 0x04, 0x73, 0x69, - 0x7a, 0x65, 0x12, 0x19, 0x0a, 0x08, 0x6d, 0x61, 0x78, 0x5f, 0x73, 0x69, 0x7a, 0x65, 0x18, 0x03, - 0x20, 0x01, 0x28, 0x03, 0x52, 0x07, 0x6d, 0x61, 0x78, 0x53, 0x69, 0x7a, 0x65, 0x42, 0x48, 0x5a, - 0x46, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x61, 0x72, 0x64, 0x75, - 0x69, 0x6e, 0x6f, 0x2f, 0x61, 0x72, 0x64, 0x75, 0x69, 0x6e, 0x6f, 0x2d, 0x63, 0x6c, 0x69, 0x2f, - 0x72, 0x70, 0x63, 0x2f, 0x63, 0x63, 0x2f, 0x61, 0x72, 0x64, 0x75, 0x69, 0x6e, 0x6f, 0x2f, 0x63, - 0x6c, 0x69, 0x2f, 0x63, 0x6f, 0x6d, 0x6d, 0x61, 0x6e, 0x64, 0x73, 0x2f, 0x76, 0x31, 0x3b, 0x63, - 0x6f, 0x6d, 0x6d, 0x61, 0x6e, 0x64, 0x73, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, + 0x6f, 0x72, 0x6d, 0x52, 0x65, 0x66, 0x65, 0x72, 0x65, 0x6e, 0x63, 0x65, 0x52, 0x0d, 0x62, 0x6f, + 0x61, 0x72, 0x64, 0x50, 0x6c, 0x61, 0x74, 0x66, 0x6f, 0x72, 0x6d, 0x12, 0x54, 0x0a, 0x0e, 0x62, + 0x75, 0x69, 0x6c, 0x64, 0x5f, 0x70, 0x6c, 0x61, 0x74, 0x66, 0x6f, 0x72, 0x6d, 0x18, 0x07, 0x20, + 0x01, 0x28, 0x0b, 0x32, 0x2d, 0x2e, 0x63, 0x63, 0x2e, 0x61, 0x72, 0x64, 0x75, 0x69, 0x6e, 0x6f, + 0x2e, 0x63, 0x6c, 0x69, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x61, 0x6e, 0x64, 0x73, 0x2e, 0x76, 0x31, + 0x2e, 0x50, 0x6c, 0x61, 0x74, 0x66, 0x6f, 0x72, 0x6d, 0x52, 0x65, 0x66, 0x65, 0x72, 0x65, 0x6e, + 0x63, 0x65, 0x52, 0x0d, 0x62, 0x75, 0x69, 0x6c, 0x64, 0x50, 0x6c, 0x61, 0x74, 0x66, 0x6f, 0x72, + 0x6d, 0x12, 0x44, 0x0a, 0x08, 0x70, 0x72, 0x6f, 0x67, 0x72, 0x65, 0x73, 0x73, 0x18, 0x08, 0x20, + 0x01, 0x28, 0x0b, 0x32, 0x28, 0x2e, 0x63, 0x63, 0x2e, 0x61, 0x72, 0x64, 0x75, 0x69, 0x6e, 0x6f, + 0x2e, 0x63, 0x6c, 0x69, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x61, 0x6e, 0x64, 0x73, 0x2e, 0x76, 0x31, + 0x2e, 0x54, 0x61, 0x73, 0x6b, 0x50, 0x72, 0x6f, 0x67, 0x72, 0x65, 0x73, 0x73, 0x52, 0x08, 0x70, + 0x72, 0x6f, 0x67, 0x72, 0x65, 0x73, 0x73, 0x22, 0x5a, 0x0a, 0x15, 0x45, 0x78, 0x65, 0x63, 0x75, + 0x74, 0x61, 
0x62, 0x6c, 0x65, 0x53, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x53, 0x69, 0x7a, 0x65, + 0x12, 0x12, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, + 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x12, 0x0a, 0x04, 0x73, 0x69, 0x7a, 0x65, 0x18, 0x02, 0x20, 0x01, + 0x28, 0x03, 0x52, 0x04, 0x73, 0x69, 0x7a, 0x65, 0x12, 0x19, 0x0a, 0x08, 0x6d, 0x61, 0x78, 0x5f, + 0x73, 0x69, 0x7a, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x03, 0x52, 0x07, 0x6d, 0x61, 0x78, 0x53, + 0x69, 0x7a, 0x65, 0x42, 0x48, 0x5a, 0x46, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, + 0x6d, 0x2f, 0x61, 0x72, 0x64, 0x75, 0x69, 0x6e, 0x6f, 0x2f, 0x61, 0x72, 0x64, 0x75, 0x69, 0x6e, + 0x6f, 0x2d, 0x63, 0x6c, 0x69, 0x2f, 0x72, 0x70, 0x63, 0x2f, 0x63, 0x63, 0x2f, 0x61, 0x72, 0x64, + 0x75, 0x69, 0x6e, 0x6f, 0x2f, 0x63, 0x6c, 0x69, 0x2f, 0x63, 0x6f, 0x6d, 0x6d, 0x61, 0x6e, 0x64, + 0x73, 0x2f, 0x76, 0x31, 0x3b, 0x63, 0x6f, 0x6d, 0x6d, 0x61, 0x6e, 0x64, 0x73, 0x62, 0x06, 0x70, + 0x72, 0x6f, 0x74, 0x6f, 0x33, } var ( diff --git a/rpc/cc/arduino/cli/commands/v1/compile.proto b/rpc/cc/arduino/cli/commands/v1/compile.proto index 4d17c0fc4a1..2164aec36d8 100644 --- a/rpc/cc/arduino/cli/commands/v1/compile.proto +++ b/rpc/cc/arduino/cli/commands/v1/compile.proto @@ -82,11 +82,11 @@ message CompileRequest { repeated string library = 24; // The path where to search for the custom signing key name and the encrypt // key name - string keys_path = 25; + string keys_keychain = 25; // The name of the custom key to use for signing during the compile process - string sign_key_name = 26; + string sign_key = 26; // The name of the custom key to use for encrypting during the compile process - string encrypt_key_name = 27; + string encrypt_key = 27; } message CompileResponse { diff --git a/test/test_compile_part_4.py b/test/test_compile_part_4.py index 646b4523742..93edf5d4c2d 100644 --- a/test/test_compile_part_4.py +++ b/test/test_compile_part_4.py 
@@ -465,13 +465,13 @@ def test_compile_with_fake_secure_boot_core(run_command, data_dir): "-b", fqbn + ":security=sien", sketch_path, - "--keys-input-path", + "--keys-keychain", data_dir, "-v", ] ) assert res.failed - assert "Please use also --sign-key-name flag when using --keys-input-path" in res.stderr + assert "Please use also --sign-key flag when using --keys-keychain" in res.stderr # Verifies compilation does not work with secure boot enabled and when a key does not exist res = run_command( @@ -481,11 +481,11 @@ def test_compile_with_fake_secure_boot_core(run_command, data_dir): "-b", fqbn + ":security=sien", sketch_path, - "--keys-input-path", + "--keys-keychain", data_dir, - "--sign-key-name", + "--sign-key", "non_existing_signing_key.pem", - "--encrypt-key-name", + "--encrypt-key", "non_existing_enctyption_key.pem", "-v", ] @@ -507,11 +507,11 @@ def test_compile_with_fake_secure_boot_core(run_command, data_dir): "-b", fqbn + ":security=sien", sketch_path, - "--keys-input-path", + "--keys-keychain", keys_dir, - "--sign-key-name", + "--sign-key", "my-sign-key.pem", - "--encrypt-key-name", + "--encrypt-key", "my-encrypt-key.pem", "-v", ] From e96fc18cbd93011bda69d7c668bb79ddc5a739bb Mon Sep 17 00:00:00 2001 From: umbynos Date: Thu, 10 Mar 2022 19:03:57 +0100 Subject: [PATCH 06/20] change approach: override keys using `builderCtx.CustomBuildProperties` --- commands/compile/compile.go | 30 +------- commands/compile/compile_test.go | 70 ------------------- .../boards.local.txt | 5 ++ .../platform.local.txt | 6 +- 4 files changed, 9 insertions(+), 102 deletions(-) delete mode 100644 commands/compile/compile_test.go diff --git a/commands/compile/compile.go b/commands/compile/compile.go index 2f0d5b85b9b..d503db96791 100644 --- a/commands/compile/compile.go +++ b/commands/compile/compile.go 
@@ -129,6 +129,7 @@ func Compile(ctx context.Context, req *rpc.CompileRequest, outStream, errStream // so, if the flags to override the default keys are used, we try override the corresponding platform property nonetheless. // It's not possible to use the default name for the keys since there could be more tools to sign and encrypt. // So it's mandatory to use all the tree flags to sign and encrypt the binary + securityKeysOverride := []string{} if req.KeysKeychain != "" && req.SignKey != "" && req.EncryptKey != "" { keysDirPath := paths.New(req.KeysKeychain) if !keysDirPath.IsDir() { @@ -142,8 +143,7 @@ func Compile(ctx context.Context, req *rpc.CompileRequest, outStream, errStream if !encryptKeyPath.Exist() { return nil, &arduino.NotFoundError{Message: tr("The path of the specified encryption key does not exist: %s", encryptKeyPath), Cause: err} } - InstalledPlatformRelease := pm.GetInstalledPlatformRelease(targetPlatform) - ReplaceSecurityKeys(InstalledPlatformRelease.Properties, req.KeysKeychain, req.SignKey, req.EncryptKey) + securityKeysOverride = append(securityKeysOverride, "build.keys.keychain="+req.KeysKeychain, "build.keys.sign_key="+req.GetSignKey(), "build.keys.encrypt_key="+req.EncryptKey) } builderCtx := &types.Context{} @@ -186,6 +186,7 @@ func Compile(ctx context.Context, req *rpc.CompileRequest, outStream, errStream builderCtx.WarningsLevel = req.GetWarnings() builderCtx.CustomBuildProperties = append(req.GetBuildProperties(), "build.warn_data_percentage=75") + builderCtx.CustomBuildProperties = append(req.GetBuildProperties(), securityKeysOverride...) if req.GetBuildCachePath() != "" { builderCtx.BuildCachePath = paths.New(req.GetBuildCachePath()) 
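Review bot: In the first hunk (`@@ -129,6 +129,7`) the override list stays empty whenever any one of `KeysKeychain`, `SignKey` or `EncryptKey` is missing, so a request that sets only one or two of them is built with the platform's default keys and no error is reported. The CLI test expects a "Please use also …" failure for that case, but nothing visible here enforces it for callers that fill `CompileRequest` directly, which is presumably possible over gRPC. I would add an `else if req.KeysKeychain != "" || req.SignKey != "" || req.EncryptKey != ""` branch that returns an error, so a partial key set never falls back silently to keys shipped with the core. The body of the `if` continues outside this hunk.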
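Review bot: In the second hunk (`@@ -142,8 +143,7`) the sign and encrypt key names are forwarded into `build.keys.sign_key` and `build.keys.encrypt_key` after an existence check only, so a name that contains a path separator or `..` resolves outside the keychain directory. Rejecting anything that is not a bare file name, e.g. `if filepath.Base(req.GetSignKey()) != req.GetSignKey()` and the same for the encrypt key (this needs `path/filepath` imported), keeps the lookup inside the directory the user named. The added line also passes `req.KeysKeychain` verbatim; a relative path is validated against this process's working directory and may resolve differently if the signing recipe runs from another one, so passing an absolute form of `keysDirPath` looks safer. The `Join` calls themselves are outside this hunk.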
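Review bot: In the third hunk (`@@ -186,6 +186,7`) the added line appends to `req.GetBuildProperties()` a second time and assigns the result over `builderCtx.CustomBuildProperties`, which discards the `build.warn_data_percentage=75` entry set on the line directly above. Appending to the field keeps both: `builderCtx.CustomBuildProperties = append(builderCtx.CustomBuildProperties, securityKeysOverride...)`. A test that compiles with the three key flags and checks that the warn-data property is still present would catch a regression here.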
@@ -317,28 +318,3 @@ func Compile(ctx context.Context, req *rpc.CompileRequest, outStream, errStream return r, nil } - -// ReplaceSecurityKeys function will override the properties representing the security keys specified in the platform.txt file of a platform with the ones provided by the user. -// The keys are stored in the keyPath -// signKey is the key used to sign a binary -// encryptKey is the key used to encrypt it -func ReplaceSecurityKeys(properties *properties.Map, keysKKeysKeychain, signKey, encryptKey string) { - toolsProps := properties.SubTree("tools").FirstLevelOf() - for toolName, toolProps := range toolsProps { - if toolProps.ContainsKey("keys.path") { - key := "tools." + toolName + ".keys.path" - properties.Set(key, keysKKeysKeychain) - logrus.Tracef("Overriding Property: %s: %s", key, keysKKeysKeychain) - } - if toolProps.ContainsKey("sign.name") { - key := "tools." + toolName + ".sign.name" - properties.Set(key, signKey) - logrus.Tracef("Overriding Property: %s: %s", key, signKey) - } - if toolProps.ContainsKey("encrypt.name") { - key := "tools." + toolName + ".encrypt.name" - properties.Set(key, encryptKey) - logrus.Tracef("Overriding Property: %s: %s", key, encryptKey) - } - } -} diff --git a/commands/compile/compile_test.go b/commands/compile/compile_test.go deleted file mode 100644 index c2a9a1a304b..00000000000 --- a/commands/compile/compile_test.go +++ /dev/null 
@@ -1,70 +0,0 @@ -// This file is part of arduino-cli. -// -// Copyright 2020 ARDUINO SA (http://www.arduino.cc/) -// -// This software is released under the GNU General Public License version 3, -// which covers the main part of arduino-cli. -// The terms of this license can be found at: -// https://www.gnu.org/licenses/gpl-3.0.en.html -// -// You can be released from the requirements of the above licenses by purchasing -// a commercial license. Buying such a license is mandatory if you want to -// modify or otherwise use the software for commercial activities involving the -// Arduino software without disclosing the source code of your own applications. -// To purchase a commercial license, send an email to license@arduino.cc. - -package compile - -import ( - "testing" - - properties "github.com/arduino/go-properties-orderedmap" - "github.com/stretchr/testify/require" -) - -func TestReplaceSecurityKeys(t *testing.T) { - propsWithDefaultKeys := properties.NewFromHashmap(map[string]string{ - "tools.toolname.keys.path": "/default-keys-path", - "tools.toolname.sign.name": "default-signing-key.pem", - "tools.toolname.encrypt.name": "default-encrypt-key.pem", - }) - newKeysPath := "/new-keys-path" - newSignKeyName := "new-signing-key.pem" - newEncryptKeyName := "new-encrypt-key.pem" - goldProps := properties.NewFromHashmap(map[string]string{ - "tools.toolname.keys.path": newKeysPath, - "tools.toolname.sign.name": newSignKeyName, - "tools.toolname.encrypt.name": newEncryptKeyName, - }) - - ReplaceSecurityKeys(propsWithDefaultKeys, newKeysPath, newSignKeyName, newEncryptKeyName) - require.True(t, goldProps.Equals(propsWithDefaultKeys)) -} - -func TestReplaceSecurityKeysEmpty(t *testing.T) { - propsWithNoKeys := properties.NewFromHashmap(map[string]string{}) - goldProps := properties.NewFromHashmap(map[string]string{}) - newKeysPath := "/new-keys-path" - newSignKeyName := "new-signing-key.pem" - newEncryptKeyName := "new-encrypt-key.pem" - - // No error should be returned 
since the properties map is empty - ReplaceSecurityKeys(propsWithNoKeys, newKeysPath, newSignKeyName, newEncryptKeyName) - require.True(t, goldProps.Equals(propsWithNoKeys)) -} - -func TestReplaceSecurityKeysNothingToReplace(t *testing.T) { - propsWithDifferentKeys := properties.NewFromHashmap(map[string]string{ - "tools.openocd.path": "{runtime.tools.openocd.path}", - "tools.openocd.cmd": "bin/openocd", - "tools.openocd.cmd.windows": "bin/openocd.exe", - }) - goldProps := propsWithDifferentKeys.Clone() - newKeysPath := "/new-keys-path" - newSignKeyName := "new-signing-key.pem" - newEncryptKeyName := "new-encrypt-key.pem" - - // No error should be returned since there are no keys in the properties map - ReplaceSecurityKeys(propsWithDifferentKeys, newKeysPath, newSignKeyName, newEncryptKeyName) - require.True(t, goldProps.Equals(propsWithDifferentKeys)) -} diff --git a/test/testdata/platform_with_secure_boot/boards.local.txt b/test/testdata/platform_with_secure_boot/boards.local.txt index 1ceaf17801e..da2417bd54a 100644 --- a/test/testdata/platform_with_secure_boot/boards.local.txt +++ b/test/testdata/platform_with_secure_boot/boards.local.txt @@ -5,3 +5,8 @@ uno.menu.security.sien=Signature + Encryption uno.menu.security.sien.build.postbuild.cmd="{tools.imgtool.cmd}" {tools.imgtool.build.pattern} uno.menu.security.none.build.postbuild.cmd="{tools.imgtool.cmd}" exit + +uno.menu.security.sien.build.keys.type=public_keys +uno.menu.security.sien.build.keys.keychain={runtime.hardware.path}/Default_Keys +uno.menu.security.sien.build.keys.sign_key=default-signing-key.pem +uno.menu.security.sien.build.keys.encrypt_key=default-encrypt-key.pem diff --git a/test/testdata/platform_with_secure_boot/platform.local.txt b/test/testdata/platform_with_secure_boot/platform.local.txt index 34648422103..29e21920e55 100644 --- a/test/testdata/platform_with_secure_boot/platform.local.txt +++ b/test/testdata/platform_with_secure_boot/platform.local.txt 
@@ -5,8 +5,4 @@ recipe.hooks.objcopy.postobjcopy.1.pattern={build.postbuild.cmd} # tools.imgtool.cmd=echo -tools.imgtool.keys.path={runtime.hardware.path}/Default_Keys -tools.imgtool.sign.name=default-signing-key.pem -tools.imgtool.encrypt.name=default-encrypt-key.pem - -tools.imgtool.build.pattern=sign --key "{tools.imgtool.keys.path}/{tools.imgtool.sign.name}" --encrypt "{tools.imgtool.keys.path}/{tools.imgtool.encrypt.name}" "{build.path}/{build.project_name}.bin" "{build.path}/{build.project_name}.bin" --align {build.alignment} --max-align {build.alignment} --version {build.version} --header-size {build.header_size} --pad-header --slot-size {build.slot_size} \ No newline at end of file +tools.imgtool.build.pattern=sign --key "{build.keys.keychain}/{build.keys.sign_key}" --encrypt "{build.keys.keychain}/{build.keys.encrypt_key}" "{build.path}/{build.project_name}.bin" "{build.path}/{build.project_name}.bin" --align {build.alignment} --max-align {build.alignment} --version {build.version} --header-size {build.header_size} --pad-header --slot-size {build.slot_size} \ No newline at end of file From 900c0e180d79baafcb922abf5b2a435b94f02903 Mon Sep 17 00:00:00 2001 From: Umberto Baldi Date: Fri, 11 Mar 2022 17:39:01 +0100 Subject: [PATCH 07/20] add check in the builder regarding the usage of "build.keys.type" properties --- legacy/builder/setup_build_properties.go | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/legacy/builder/setup_build_properties.go b/legacy/builder/setup_build_properties.go index e102baea351..8e521cb1f54 100644 --- a/legacy/builder/setup_build_properties.go +++ b/legacy/builder/setup_build_properties.go @@ -26,6 +26,7 @@ import ( "github.com/arduino/arduino-cli/legacy/builder/types" properties "github.com/arduino/go-properties-orderedmap" timeutils "github.com/arduino/go-timeutils" + "github.com/pkg/errors" ) type SetupBuildProperties struct{} 
@@ -126,6 +127,17 @@ func (s *SetupBuildProperties) Run(ctx *types.Context) error { buildProperties.Merge(ctx.PackageManager.CustomGlobalProperties) + // we check if the properties referring to secure boot have been set correctly. + if buildProperties.ContainsKey("build.keys.type") { + if buildProperties.Get("build.keys.type") == "public_keys" { + if !buildProperties.ContainsKey("build.keys.keychain") || !buildProperties.ContainsKey("build.keys.sign_key") || !buildProperties.ContainsKey("build.keys.encrypt_key") { + return errors.Errorf("%s core does not specify correctly default sign and encryption keys", ctx.BuildCore) + } + } else { + return errors.New("\"build.keys.type\" key only supports \"public_keys\" value for now") + } + } + ctx.BuildProperties = buildProperties return nil From 87a19ea89fab7ba8c49f1fb1fe463f099b4b59f9 Mon Sep 17 00:00:00 2001 From: Umberto Baldi Date: Mon, 14 Mar 2022 18:04:10 +0100 Subject: [PATCH 08/20] add secure boot to the platform specifications --- docs/platform-specification.md | 56 +++++++++++++++++++++++++++++++++- 1 file changed, 55 insertions(+), 1 deletion(-) diff --git a/docs/platform-specification.md b/docs/platform-specification.md index cc71d6810c0..653999206cc 100644 --- a/docs/platform-specification.md +++ b/docs/platform-specification.md 
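Review bot: The `public_keys` branch in hunk `@@ -126,6 +127,17` only tests `ContainsKey` for `build.keys.keychain`, `build.keys.sign_key` and `build.keys.encrypt_key`, so a property that is defined but empty passes the check and the signing recipe would presumably be expanded with an empty path component. Comparing the values instead, e.g. `buildProperties.Get("build.keys.sign_key") == ""` for each of the three, stops the build before the tool is invoked with a key path the core author did not intend. The nested `if`/`else` would also read more easily as two guard clauses that return early. The body of `Run` starts before the hunk and its closing brace is outside it.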
@@ -768,6 +768,60 @@ All the tools launched to compile or upload a sketch will have the following env contain multiple space-delimited entries like `"arduino-cli/0.21.0 ArduinoIDE/2.0.0-rc1"` if this information is available. +### Secure Boot + +Some boards supports the secure boot. Basically the compiled sketch can be signed and encrypted with a [tool](#tools) +before being flashed to the target board. The bootloader of the board is then responsible for starting the compiled +sketch if the matching keys are used. + +To be able to correctly carry out all the operations at the end of the build we can leverage the +[post build hooks](#pre-and-post-build-hooks-since-arduino-ide-165) to sign and encrypt a binary by using +`recipe.hooks.objcopy.postobjcopy.NUMBER.pattern` key in [`platform.txt`](#platformtxt). The security keys used are +defined in the boards file, this way there could be different keys for different boards. + +``` +[...] +## Create output secure image (bin file) +recipe.hooks.objcopy.postobjcopy.1.pattern={build.postbuild.cmd} +# +# IMGTOOL +# + +tools.imgtool.cmd=imgtool +tools.imgtool.build.pattern=sign --key "{build.keys.keychain}/{build.keys.sign_key}" --encrypt "{build.keys.keychain}/{build.keys.encrypt_key}" "{build.path}/{build.project_name}.bin" "{build.path}/{build.project_name}.bin" --align {build.alignment} --max-align {build.alignment} --version {build.version} --header-size {build.header_size} --pad-header --slot-size {build.slot_size} +[...] + +``` + +By having only `tools.TOOL_NAME.cmd` and `tools.TOOL_NAME.build.pattern`, we can customize the behavior with a +[custom board option](#custom-board-options). Then in the [`boards.txt`](#boardstxt) we can define the new option to use +a different `postbuild.cmd`: + +``` +[...] 
+menu.security=Security setting + +envie_m7.menu.security.none=None +envie_m7.menu.security.sien=Signature + Encryption + +envie_m7.menu.security.sien.build.postbuild.cmd="{tools.imgtool.cmd}" {tools.imgtool.build.pattern} +envie_m7.menu.security.none.build.postbuild.cmd="{tools.imgtool.cmd}" exit + +envie_m7.menu.security.sien.build.keys.type=public_keys +envie_m7.menu.security.sien.build.keys.keychain={runtime.hardware.path}/Default_Keys +envie_m7.menu.security.sien.build.keys.sign_key=default-signing-key.pem +envie_m7.menu.security.sien.build.keys.encrypt_key=default-encrypt-key.pem +[...] +``` + +The currently we support the secure boot only with `build.keys.type=public_keys` but in the future other ways can be +added. The security keys can be added with: + +- `keys.keychain` indicates the path of the dir where to search for the custom keys to sign and encrypt a binary. +- `keys.sign_key` indicates the name of the custom signing key to use to sign a binary during the compile process. +- `keys.encrypt_key` indicates the name of the custom encryption key to use to encrypt a binary during the compile + process. + ### Pluggable discovery Discovery tools are a special kind of tool used to find supported boards. A platform must declare one or more Pluggable @@ -1294,7 +1348,7 @@ It can sometimes be useful to provide user selectable configuration options for could be provided in two or more variants with different microcontrollers, or may have different crystal speed based on the board model, and so on... -When using Arduino CLI, the option can be selected via the FQBN. +When using Arduino CLI, the option can be selected via the FQBN, or using the `--board-options` flag In the Arduino IDE the options add extra menu items under the "Tools" menu. From dd05e7d25cb41e83f413af0e775062f3a007ffcd Mon Sep 17 00:00:00 2001 
From: Umberto Baldi <34278123+umbynos@users.noreply.github.com> Date: Tue, 15 Mar 2022 10:46:15 +0100 Subject: [PATCH 09/20] Apply suggestions from code review Co-authored-by: per1234 --- cli/compile/compile.go | 9 ++++----- commands/compile/compile.go | 2 +- 2 files changed, 5 insertions(+), 6 deletions(-) diff --git a/cli/compile/compile.go b/cli/compile/compile.go index 763c4c59782..867f451482b 100644 --- a/cli/compile/compile.go +++ b/cli/compile/compile.go @@ -87,8 +87,7 @@ func NewCommand() *cobra.Command { " " + os.Args[0] + " compile -b arduino:avr:uno /home/user/Arduino/MySketch\n" + " " + os.Args[0] + ` compile -b arduino:avr:uno --build-property "build.extra_flags=\"-DMY_DEFINE=\"hello world\"\"" /home/user/Arduino/MySketch` + "\n" + " " + os.Args[0] + ` compile -b arduino:avr:uno --build-property "build.extra_flags=-DPIN=2 \"-DMY_DEFINE=\"hello world\"\"" /home/user/Arduino/MySketch` + "\n" + - " " + os.Args[0] + ` compile -b arduino:avr:uno --build-property build.extra_flags=-DPIN=2 --build-property "compiler.cpp.extra_flags=\"-DSSID=\"hello world\"\"" /home/user/Arduino/MySketch` + "\n" + - " " + os.Args[0] + ` compile -b arduino:mbed_portenta:envie_m7:security=sien --keys-keychain /home/user/Arduino/keys --sign-key ecsdsa-p256-signing-key.pem --encrypt-key ecsdsa-p256-encrypt-key.pem /home/user/Arduino/MySketch` + "\n", + " " + os.Args[0] + ` compile -b arduino:avr:uno --build-property build.extra_flags=-DPIN=2 --build-property "compiler.cpp.extra_flags=\"-DSSID=\"hello world\"\"" /home/user/Arduino/MySketch` + "\n", Args: cobra.MaximumNArgs(1), Run: runCompileCommand, } 
@@ -105,11 +104,11 @@ func NewCommand() *cobra.Command { compileCommand.Flags().StringArrayVar(&buildProperties, "build-property", []string{}, tr("Override a build property with a custom value. Can be used multiple times for multiple properties.")) compileCommand.Flags().StringVar(&keysKeychain, "keys-keychain", "", - tr("The path of the dir to search for the custom keys to sign and encrypt a binary. Used only by the platforms that support it")) + tr("The path of the dir to search for the custom keys to sign and encrypt a binary. Used only by the platforms that support it.")) compileCommand.Flags().StringVar(&signKey, "sign-key", "", - tr("The name of the custom signing key to use to sign a binary during the compile process. Used only by the platforms that support it")) + tr("The name of the custom signing key to use to sign a binary during the compile process. Used only by the platforms that support it.")) compileCommand.Flags().StringVar(&encryptKey, "encrypt-key", "", - tr("The name of the custom encryption key to use to encrypt a binary during the compile process. Used only by the platforms that support it")) + tr("The name of the custom encryption key to use to encrypt a binary during the compile process. Used only by the platforms that support it.")) compileCommand.Flags().StringVar(&warnings, "warnings", "none", tr(`Optional, can be: %s. Used to tell gcc which warning level to use (-W flag).`, "none, default, more, all")) compileCommand.Flags().BoolVarP(&verbose, "verbose", "v", false, tr("Optional, turns on verbose mode.")) diff --git a/commands/compile/compile.go b/commands/compile/compile.go index d503db96791..3231b62670b 100644 --- a/commands/compile/compile.go +++ b/commands/compile/compile.go 
@@ -128,7 +128,7 @@ func Compile(ctx context.Context, req *rpc.CompileRequest, outStream, errStream // At the current time we do not have a way of knowing if a board supports the secure boot or not, // so, if the flags to override the default keys are used, we try override the corresponding platform property nonetheless. // It's not possible to use the default name for the keys since there could be more tools to sign and encrypt. - // So it's mandatory to use all the tree flags to sign and encrypt the binary + // So it's mandatory to use all three flags to sign and encrypt the binary securityKeysOverride := []string{} if req.KeysKeychain != "" && req.SignKey != "" && req.EncryptKey != "" { keysDirPath := paths.New(req.KeysKeychain) From 583dd9c64a51d6aa2e250bee26cb94c612fecc49 Mon Sep 17 00:00:00 2001 From: Umberto Baldi Date: Wed, 16 Mar 2022 12:03:43 +0100 Subject: [PATCH 10/20] modify the check on in the builder regarding the usage of "build.keys" properties: The "build.keys.type" is no longer mandatory, and the default is "public_keys" We also check if the secureboot keys are all defined or none of them is. --- legacy/builder/setup_build_properties.go | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/legacy/builder/setup_build_properties.go b/legacy/builder/setup_build_properties.go index 8e521cb1f54..8488f137010 100644 --- a/legacy/builder/setup_build_properties.go +++ b/legacy/builder/setup_build_properties.go 
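Review bot: The corrected comment says all three flags are mandatory, but the `if req.KeysKeychain != "" && req.SignKey != "" && req.EncryptKey != ""` guard right below it only skips the override when one is missing; nothing in this hunk returns an error. A caller that reaches Compile without the CLI's flag check (presumably a gRPC client) and sets only one or two of the fields would get a binary signed and encrypted with the platform's default keys, with no diagnostic. I would compute `anyKey := req.KeysKeychain != "" || req.SignKey != "" || req.EncryptKey != ""` and return an argument error when `anyKey` is true but the three-way condition is false. Compile's body starts and ends outside this hunk, so a check elsewhere in the function cannot be ruled out.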
@@ -127,15 +127,15 @@ func (s *SetupBuildProperties) Run(ctx *types.Context) error { buildProperties.Merge(ctx.PackageManager.CustomGlobalProperties) - // we check if the properties referring to secure boot have been set correctly. - if buildProperties.ContainsKey("build.keys.type") { - if buildProperties.Get("build.keys.type") == "public_keys" { - if !buildProperties.ContainsKey("build.keys.keychain") || !buildProperties.ContainsKey("build.keys.sign_key") || !buildProperties.ContainsKey("build.keys.encrypt_key") { - return errors.Errorf("%s core does not specify correctly default sign and encryption keys", ctx.BuildCore) - } - } else { - return errors.New("\"build.keys.type\" key only supports \"public_keys\" value for now") - } + if !buildProperties.ContainsKey("build.keys.type") { + buildProperties.Set("build.keys.type", "public_keys") // The default is "pubblic_keys" for now + } + keychainProp := buildProperties.ContainsKey("build.keys.keychain") + signProp := buildProperties.ContainsKey("build.keys.sign_key") + encryptProp := buildProperties.ContainsKey("build.keys.encrypt_key") + // we verify that all the properties for the secure boot keys are defined or nono of them is defined. + if !(keychainProp || signProp || encryptProp) && (keychainProp && signProp && encryptProp) { + return errors.Errorf("%s core does not specify correctly default sign and encryption keys", ctx.BuildCore) } ctx.BuildProperties = buildProperties From 33e4c0d64b610f342f5175bdeaba16193c204239 Mon Sep 17 00:00:00 2001 From: Umberto Baldi Date: Wed, 16 Mar 2022 14:31:24 +0100 Subject: [PATCH 11/20] remove check on the flags specifying the keys, it's the tool responsibility to check if they are valid --- commands/compile/compile.go | 12 ------------ test/test_compile_part_4.py | 20 -------------------- 2 files changed, 32 deletions(-) diff --git a/commands/compile/compile.go b/commands/compile/compile.go index 3231b62670b..84fddd78470 100644 --- a/commands/compile/compile.go 
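Review bot: The new guard `!(keychainProp || signProp || encryptProp) && (keychainProp && signProp && encryptProp)` is false for every combination of the three booleans, so the error below it is unreachable and a platform that defines only one or two of the `build.keys.*` properties is accepted. The condition that matches the comment is `(keychainProp || signProp || encryptProp) && !(keychainProp && signProp && encryptProp)`; the inverted form is still present as context in the PATCH 14/20 hunk of this file and is only flipped in PATCH 20/20. No test in the visible part of the series covers a partially defined key set; a case that defines only `build.keys.keychain` and expects the build to fail would pin the behaviour. The added comments also carry typos (`pubblic_keys`, `nono`). Run's body starts and ends outside the hunk.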
+++ b/commands/compile/compile.go @@ -131,18 +131,6 @@ func Compile(ctx context.Context, req *rpc.CompileRequest, outStream, errStream // So it's mandatory to use all three flags to sign and encrypt the binary securityKeysOverride := []string{} if req.KeysKeychain != "" && req.SignKey != "" && req.EncryptKey != "" { - keysDirPath := paths.New(req.KeysKeychain) - if !keysDirPath.IsDir() { - return nil, &arduino.NotFoundError{Message: tr("The path specified is not a directory: %s", keysDirPath), Cause: err} - } - signKeyPath := keysDirPath.Join(req.GetSignKey()) - if !signKeyPath.Exist() { - return nil, &arduino.NotFoundError{Message: tr("The path of the specified signing key does not exist: %s", signKeyPath), Cause: err} - } - encryptKeyPath := keysDirPath.Join(req.GetEncryptKey()) - if !encryptKeyPath.Exist() { - return nil, &arduino.NotFoundError{Message: tr("The path of the specified encryption key does not exist: %s", encryptKeyPath), Cause: err} - } securityKeysOverride = append(securityKeysOverride, "build.keys.keychain="+req.KeysKeychain, "build.keys.sign_key="+req.GetSignKey(), "build.keys.encrypt_key="+req.EncryptKey) } diff --git a/test/test_compile_part_4.py b/test/test_compile_part_4.py index 93edf5d4c2d..881ca65b82a 100644 --- a/test/test_compile_part_4.py +++ b/test/test_compile_part_4.py 
@@ -473,26 +473,6 @@ def test_compile_with_fake_secure_boot_core(run_command, data_dir): assert res.failed assert "Please use also --sign-key flag when using --keys-keychain" in res.stderr - # Verifies compilation does not work with secure boot enabled and when a key does not exist - res = run_command( - [ - "compile", - "--clean", - "-b", - fqbn + ":security=sien", - sketch_path, - "--keys-keychain", - data_dir, - "--sign-key", - "non_existing_signing_key.pem", - "--encrypt-key", - "non_existing_enctyption_key.pem", - "-v", - ] - ) - assert res.failed - assert "Error during build: The path of the specified signing key does not exist:" in res.stderr - # Verifies compilation works with secure boot enabled and when overriding the sign key and encryption key used keys_dir = Path(data_dir, "keys_dir") keys_dir.mkdir() From 6262cfa7cc49e717232442fac4a7ca9f349206e8 Mon Sep 17 00:00:00 2001 From: Umberto Baldi Date: Wed, 16 Mar 2022 15:48:45 +0100 Subject: [PATCH 12/20] move content to a guides section --- docs/guides/secure-boot.md | 54 ++++++++++++++++++++++++++++++++++ docs/platform-specification.md | 54 ---------------------------------- 2 files changed, 54 insertions(+), 54 deletions(-) create mode 100644 docs/guides/secure-boot.md diff --git a/docs/guides/secure-boot.md b/docs/guides/secure-boot.md new file mode 100644 index 00000000000..019d6d72647 --- /dev/null +++ b/docs/guides/secure-boot.md 
@@ -0,0 +1,54 @@ +### Secure Boot + +Some boards supports the secure boot. Basically the compiled sketch can be signed and encrypted with a +[tool](../platform-specification.md#tools) before being flashed to the target board. The bootloader of the board is then +responsible for starting the compiled sketch if the matching keys are used. + +To be able to correctly carry out all the operations at the end of the build we can leverage the +[post build hooks](../platform-specification.md#pre-and-post-build-hooks-since-arduino-ide-165) to sign and encrypt a +binary by using `recipe.hooks.objcopy.postobjcopy.NUMBER.pattern` key in +[`platform.txt`](../platform-specification.md#platformtxt). The security keys used are defined in the boards file, this +way there could be different keys for different boards. + +``` +[...] +## Create output secure image (bin file) +recipe.hooks.objcopy.postobjcopy.1.pattern={build.postbuild.cmd} +# +# IMGTOOL +# + +tools.imgtool.cmd=imgtool +tools.imgtool.build.pattern=sign --key "{build.keys.keychain}/{build.keys.sign_key}" --encrypt "{build.keys.keychain}/{build.keys.encrypt_key}" "{build.path}/{build.project_name}.bin" "{build.path}/{build.project_name}.bin" --align {build.alignment} --max-align {build.alignment} --version {build.version} --header-size {build.header_size} --pad-header --slot-size {build.slot_size} +[...] + +``` + +By having only `tools.TOOL_NAME.cmd` and `tools.TOOL_NAME.build.pattern`, we can customize the behavior with a +[custom board option](../platform-specification.md#custom-board-options). Then in the +[`boards.txt`](../platform-specification.md#boardstxt) we can define the new option to use a different `postbuild.cmd`: + +``` +[...] 
+menu.security=Security setting + +envie_m7.menu.security.none=None +envie_m7.menu.security.sien=Signature + Encryption + +envie_m7.menu.security.sien.build.postbuild.cmd="{tools.imgtool.cmd}" {tools.imgtool.build.pattern} +envie_m7.menu.security.none.build.postbuild.cmd="{tools.imgtool.cmd}" exit + +envie_m7.menu.security.sien.build.keys.type=public_keys +envie_m7.menu.security.sien.build.keys.keychain={runtime.hardware.path}/Default_Keys +envie_m7.menu.security.sien.build.keys.sign_key=default-signing-key.pem +envie_m7.menu.security.sien.build.keys.encrypt_key=default-encrypt-key.pem +[...] +``` + +Currently we support the secure boot only with `build.keys.type=public_keys` but in the future other ways can be added. +The security keys can be added with: + +- `keys.keychain` indicates the path of the dir where to search for the custom keys to sign and encrypt a binary. +- `keys.sign_key` indicates the name of the custom signing key to use to sign a binary during the compile process. +- `keys.encrypt_key` indicates the name of the custom encryption key to use to encrypt a binary during the compile + process. diff --git a/docs/platform-specification.md b/docs/platform-specification.md index 653999206cc..4c8e2f643ba 100644 --- a/docs/platform-specification.md +++ b/docs/platform-specification.md 
@@ -768,60 +768,6 @@ All the tools launched to compile or upload a sketch will have the following env contain multiple space-delimited entries like `"arduino-cli/0.21.0 ArduinoIDE/2.0.0-rc1"` if this information is available. -### Secure Boot - -Some boards supports the secure boot. Basically the compiled sketch can be signed and encrypted with a [tool](#tools) -before being flashed to the target board. The bootloader of the board is then responsible for starting the compiled -sketch if the matching keys are used. - -To be able to correctly carry out all the operations at the end of the build we can leverage the -[post build hooks](#pre-and-post-build-hooks-since-arduino-ide-165) to sign and encrypt a binary by using -`recipe.hooks.objcopy.postobjcopy.NUMBER.pattern` key in [`platform.txt`](#platformtxt). The security keys used are -defined in the boards file, this way there could be different keys for different boards. - -``` -[...] -## Create output secure image (bin file) -recipe.hooks.objcopy.postobjcopy.1.pattern={build.postbuild.cmd} -# -# IMGTOOL -# - -tools.imgtool.cmd=imgtool -tools.imgtool.build.pattern=sign --key "{build.keys.keychain}/{build.keys.sign_key}" --encrypt "{build.keys.keychain}/{build.keys.encrypt_key}" "{build.path}/{build.project_name}.bin" "{build.path}/{build.project_name}.bin" --align {build.alignment} --max-align {build.alignment} --version {build.version} --header-size {build.header_size} --pad-header --slot-size {build.slot_size} -[...] - -``` - -By having only `tools.TOOL_NAME.cmd` and `tools.TOOL_NAME.build.pattern`, we can customize the behavior with a -[custom board option](#custom-board-options). Then in the [`boards.txt`](#boardstxt) we can define the new option to use -a different `postbuild.cmd`: - -``` -[...] 
-menu.security=Security setting - -envie_m7.menu.security.none=None -envie_m7.menu.security.sien=Signature + Encryption - -envie_m7.menu.security.sien.build.postbuild.cmd="{tools.imgtool.cmd}" {tools.imgtool.build.pattern} -envie_m7.menu.security.none.build.postbuild.cmd="{tools.imgtool.cmd}" exit - -envie_m7.menu.security.sien.build.keys.type=public_keys -envie_m7.menu.security.sien.build.keys.keychain={runtime.hardware.path}/Default_Keys -envie_m7.menu.security.sien.build.keys.sign_key=default-signing-key.pem -envie_m7.menu.security.sien.build.keys.encrypt_key=default-encrypt-key.pem -[...] -``` - -The currently we support the secure boot only with `build.keys.type=public_keys` but in the future other ways can be -added. The security keys can be added with: - -- `keys.keychain` indicates the path of the dir where to search for the custom keys to sign and encrypt a binary. -- `keys.sign_key` indicates the name of the custom signing key to use to sign a binary during the compile process. -- `keys.encrypt_key` indicates the name of the custom encryption key to use to encrypt a binary during the compile - process. - ### Pluggable discovery Discovery tools are a special kind of tool used to find supported boards. A platform must declare one or more Pluggable From 2ed700259289eda2f4bdeb56ff6b5055066b00e3 Mon Sep 17 00:00:00 2001 From: Umberto Baldi Date: Wed, 16 Mar 2022 16:07:30 +0100 Subject: [PATCH 13/20] add specifications regarding `build.keys` properties --- docs/platform-specification.md | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/docs/platform-specification.md b/docs/platform-specification.md index 4c8e2f643ba..cc32999fd75 100644 --- a/docs/platform-specification.md +++ b/docs/platform-specification.md 
@@ -155,6 +155,16 @@ the name of the architecture is set as well. There are some other **{build.xxx}** properties available, that are explained in the boards.txt section of this guide. +Some of them allows to specify trusted security credentials (sign and encryption keys) that can be used for the secure +boot: + +- `build.keys.keychain`: for the directory containing the keys +- `build.keys.sign_key`: for the signing key +- `build.keys.encrypt_key`: for the encryption key + +These properties can be overwritten respectively with `--keys-keychain`, `--sign-key`, `--encrypt-key` +[compile](commands/arduino-cli_compile.md) flags in the Arduino CLI. + #### Recipes to compile source code We said that the Arduino development software determines a list of files to compile. Each file can be source code From 06f4bebb020516ba53ef96f90e3e25accb9a9925 Mon Sep 17 00:00:00 2001 From: Umberto Baldi <34278123+umbynos@users.noreply.github.com> Date: Thu, 17 Mar 2022 10:56:08 +0100 Subject: [PATCH 14/20] Apply suggestions from code review Co-authored-by: per1234 --- docs/guides/secure-boot.md | 25 ++++++++++--------- docs/platform-specification.md | 4 +-- legacy/builder/setup_build_properties.go | 5 +--- .../boards.local.txt | 1 - 4 files changed, 16 insertions(+), 19 deletions(-) diff --git a/docs/guides/secure-boot.md b/docs/guides/secure-boot.md index 019d6d72647..994d9b091fe 100644 --- a/docs/guides/secure-boot.md +++ b/docs/guides/secure-boot.md 
@@ -1,23 +1,26 @@ ### Secure Boot -Some boards supports the secure boot. Basically the compiled sketch can be signed and encrypted with a -[tool](../platform-specification.md#tools) before being flashed to the target board. The bootloader of the board is then -responsible for starting the compiled sketch if the matching keys are used. +A "secure boot" capability may be offered by Arduino boards platforms. + +The compiled sketch is signed and encrypted by a [tool](../platform-specification.md#tools) before being flashed to the +target board. The bootloader of the board is then responsible for starting the compiled sketch only if the matching keys +are used. To be able to correctly carry out all the operations at the end of the build we can leverage the [post build hooks](../platform-specification.md#pre-and-post-build-hooks-since-arduino-ide-165) to sign and encrypt a binary by using `recipe.hooks.objcopy.postobjcopy.NUMBER.pattern` key in -[`platform.txt`](../platform-specification.md#platformtxt). The security keys used are defined in the boards file, this -way there could be different keys for different boards. +[`platform.txt`](../platform-specification.md#platformtxt). The security keys used are defined in the +[`boards.txt`](../platform-specification.md#boardstxt) file, this way there could be different keys for different +boards. ``` [...] -## Create output secure image (bin file) +## Create secure image (bin file) recipe.hooks.objcopy.postobjcopy.1.pattern={build.postbuild.cmd} + # # IMGTOOL # - tools.imgtool.cmd=imgtool tools.imgtool.build.pattern=sign --key "{build.keys.keychain}/{build.keys.sign_key}" --encrypt "{build.keys.keychain}/{build.keys.encrypt_key}" "{build.path}/{build.project_name}.bin" "{build.path}/{build.project_name}.bin" --align {build.alignment} --max-align {build.alignment} --version {build.version} --header-size {build.header_size} --pad-header --slot-size {build.slot_size} [...] 
@@ -38,17 +41,15 @@ envie_m7.menu.security.sien=Signature + Encryption envie_m7.menu.security.sien.build.postbuild.cmd="{tools.imgtool.cmd}" {tools.imgtool.build.pattern} envie_m7.menu.security.none.build.postbuild.cmd="{tools.imgtool.cmd}" exit -envie_m7.menu.security.sien.build.keys.type=public_keys envie_m7.menu.security.sien.build.keys.keychain={runtime.hardware.path}/Default_Keys envie_m7.menu.security.sien.build.keys.sign_key=default-signing-key.pem envie_m7.menu.security.sien.build.keys.encrypt_key=default-encrypt-key.pem [...] ``` -Currently we support the secure boot only with `build.keys.type=public_keys` but in the future other ways can be added. The security keys can be added with: -- `keys.keychain` indicates the path of the dir where to search for the custom keys to sign and encrypt a binary. -- `keys.sign_key` indicates the name of the custom signing key to use to sign a binary during the compile process. -- `keys.encrypt_key` indicates the name of the custom encryption key to use to encrypt a binary during the compile +- `build.keys.keychain` indicates the path of the dir where to search for the custom keys to sign and encrypt a binary. +- `build.keys.sign_key` indicates the name of the custom signing key to use to sign a binary during the compile process. +- `build.keys.encrypt_key` indicates the name of the custom encryption key to use to encrypt a binary during the compile process. diff --git a/docs/platform-specification.md b/docs/platform-specification.md index cc32999fd75..1c9fe429af0 100644 --- a/docs/platform-specification.md +++ b/docs/platform-specification.md 
@@ -155,8 +155,8 @@ the name of the architecture is set as well. There are some other **{build.xxx}** properties available, that are explained in the boards.txt section of this guide. -Some of them allows to specify trusted security credentials (sign and encryption keys) that can be used for the secure -boot: +Some of them allow specifying trusted security credentials (signing and encryption keys) that can be used by a +["secure boot" system](guides/secure-boot.md): - `build.keys.keychain`: for the directory containing the keys - `build.keys.sign_key`: for the signing key diff --git a/legacy/builder/setup_build_properties.go b/legacy/builder/setup_build_properties.go index 8488f137010..259a95ca28e 100644 --- a/legacy/builder/setup_build_properties.go +++ b/legacy/builder/setup_build_properties.go @@ -127,13 +127,10 @@ func (s *SetupBuildProperties) Run(ctx *types.Context) error { buildProperties.Merge(ctx.PackageManager.CustomGlobalProperties) - if !buildProperties.ContainsKey("build.keys.type") { - buildProperties.Set("build.keys.type", "public_keys") // The default is "pubblic_keys" for now - } keychainProp := buildProperties.ContainsKey("build.keys.keychain") signProp := buildProperties.ContainsKey("build.keys.sign_key") encryptProp := buildProperties.ContainsKey("build.keys.encrypt_key") - // we verify that all the properties for the secure boot keys are defined or nono of them is defined. + // we verify that all the properties for the secure boot keys are defined or none of them is defined. if !(keychainProp || signProp || encryptProp) && (keychainProp && signProp && encryptProp) { return errors.Errorf("%s core does not specify correctly default sign and encryption keys", ctx.BuildCore) } diff --git a/test/testdata/platform_with_secure_boot/boards.local.txt b/test/testdata/platform_with_secure_boot/boards.local.txt index da2417bd54a..dbff007c4ec 100644 --- a/test/testdata/platform_with_secure_boot/boards.local.txt 
+++ b/test/testdata/platform_with_secure_boot/boards.local.txt @@ -6,7 +6,6 @@ uno.menu.security.sien=Signature + Encryption uno.menu.security.sien.build.postbuild.cmd="{tools.imgtool.cmd}" {tools.imgtool.build.pattern} uno.menu.security.none.build.postbuild.cmd="{tools.imgtool.cmd}" exit -uno.menu.security.sien.build.keys.type=public_keys uno.menu.security.sien.build.keys.keychain={runtime.hardware.path}/Default_Keys uno.menu.security.sien.build.keys.sign_key=default-signing-key.pem uno.menu.security.sien.build.keys.encrypt_key=default-encrypt-key.pem From c18bbca33dc273f0847c3b8b3a424bffc1570ea3 Mon Sep 17 00:00:00 2001 From: Umberto Baldi Date: Thu, 17 Mar 2022 11:26:50 +0100 Subject: [PATCH 15/20] add link to external resource to provide a quick explanation of the reason for an Arduino boards platform developer to add a "secure boot" capability --- docs/guides/secure-boot.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/docs/guides/secure-boot.md b/docs/guides/secure-boot.md index 994d9b091fe..1eb9de56408 100644 --- a/docs/guides/secure-boot.md +++ b/docs/guides/secure-boot.md @@ -1,6 +1,7 @@ ### Secure Boot -A "secure boot" capability may be offered by Arduino boards platforms. +A ["secure boot"](https://www.keyfactor.com/blog/what-is-secure-boot-its-where-iot-security-starts/) capability may be +offered by Arduino boards platforms. The compiled sketch is signed and encrypted by a [tool](../platform-specification.md#tools) before being flashed to the target board. The bootloader of the board is then responsible for starting the compiled sketch only if the matching keys From 35105095a88f33491eaf0ade1f776af736102893 Mon Sep 17 00:00:00 2001 
From: Umberto Baldi Date: Thu, 17 Mar 2022 14:44:15 +0100 Subject: [PATCH 16/20] change `tools.imgtool.build.pattern` to `tools.imgtool.flags` The property had the same form as the special `tools.TOOL_NAME.ACTION.pattern` properties However, there is not a `build` action, the form of the property gives the impression that it is one that has special treatment by the build system. It looks like the convention is `*.flags` --- docs/guides/secure-boot.md | 6 +++--- test/testdata/platform_with_secure_boot/boards.local.txt | 2 +- test/testdata/platform_with_secure_boot/platform.local.txt | 2 +- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/docs/guides/secure-boot.md b/docs/guides/secure-boot.md index 1eb9de56408..baf4e2a7b43 100644 --- a/docs/guides/secure-boot.md +++ b/docs/guides/secure-boot.md 
@@ -23,12 +23,12 @@ recipe.hooks.objcopy.postobjcopy.1.pattern={build.postbuild.cmd} # IMGTOOL # tools.imgtool.cmd=imgtool -tools.imgtool.build.pattern=sign --key "{build.keys.keychain}/{build.keys.sign_key}" --encrypt "{build.keys.keychain}/{build.keys.encrypt_key}" "{build.path}/{build.project_name}.bin" "{build.path}/{build.project_name}.bin" --align {build.alignment} --max-align {build.alignment} --version {build.version} --header-size {build.header_size} --pad-header --slot-size {build.slot_size} +tools.imgtool.flags=sign --key "{build.keys.keychain}/{build.keys.sign_key}" --encrypt "{build.keys.keychain}/{build.keys.encrypt_key}" "{build.path}/{build.project_name}.bin" "{build.path}/{build.project_name}.bin" --align {build.alignment} --max-align {build.alignment} --version {build.version} --header-size {build.header_size} --pad-header --slot-size {build.slot_size} [...] ``` -By having only `tools.TOOL_NAME.cmd` and `tools.TOOL_NAME.build.pattern`, we can customize the behavior with a +By having only `tools.TOOL_NAME.cmd` and `tools.TOOL_NAME.falgs`, we can customize the behavior with a [custom board option](../platform-specification.md#custom-board-options). Then in the [`boards.txt`](../platform-specification.md#boardstxt) we can define the new option to use a different `postbuild.cmd`: @@ -39,7 +39,7 @@ menu.security=Security setting envie_m7.menu.security.none=None envie_m7.menu.security.sien=Signature + Encryption -envie_m7.menu.security.sien.build.postbuild.cmd="{tools.imgtool.cmd}" {tools.imgtool.build.pattern} +envie_m7.menu.security.sien.build.postbuild.cmd="{tools.imgtool.cmd}" {tools.imgtool.flags} envie_m7.menu.security.none.build.postbuild.cmd="{tools.imgtool.cmd}" exit envie_m7.menu.security.sien.build.keys.keychain={runtime.hardware.path}/Default_Keys diff --git a/test/testdata/platform_with_secure_boot/boards.local.txt b/test/testdata/platform_with_secure_boot/boards.local.txt index dbff007c4ec..e1d30e681b6 100644 
--- a/test/testdata/platform_with_secure_boot/boards.local.txt +++ b/test/testdata/platform_with_secure_boot/boards.local.txt @@ -3,7 +3,7 @@ menu.security=Security setting uno.menu.security.none=None uno.menu.security.sien=Signature + Encryption -uno.menu.security.sien.build.postbuild.cmd="{tools.imgtool.cmd}" {tools.imgtool.build.pattern} +uno.menu.security.sien.build.postbuild.cmd="{tools.imgtool.cmd}" {tools.imgtool.flags} uno.menu.security.none.build.postbuild.cmd="{tools.imgtool.cmd}" exit uno.menu.security.sien.build.keys.keychain={runtime.hardware.path}/Default_Keys diff --git a/test/testdata/platform_with_secure_boot/platform.local.txt b/test/testdata/platform_with_secure_boot/platform.local.txt index 29e21920e55..320de131bf0 100644 --- a/test/testdata/platform_with_secure_boot/platform.local.txt +++ b/test/testdata/platform_with_secure_boot/platform.local.txt @@ -5,4 +5,4 @@ recipe.hooks.objcopy.postobjcopy.1.pattern={build.postbuild.cmd} # tools.imgtool.cmd=echo -tools.imgtool.build.pattern=sign --key "{build.keys.keychain}/{build.keys.sign_key}" --encrypt "{build.keys.keychain}/{build.keys.encrypt_key}" "{build.path}/{build.project_name}.bin" "{build.path}/{build.project_name}.bin" --align {build.alignment} --max-align {build.alignment} --version {build.version} --header-size {build.header_size} --pad-header --slot-size {build.slot_size} \ No newline at end of file +tools.imgtool.flags=sign --key "{build.keys.keychain}/{build.keys.sign_key}" --encrypt "{build.keys.keychain}/{build.keys.encrypt_key}" "{build.path}/{build.project_name}.bin" "{build.path}/{build.project_name}.bin" --align {build.alignment} --max-align {build.alignment} --version {build.version} --header-size {build.header_size} --pad-header --slot-size {build.slot_size} \ No newline at end of file From 1d2e03eec4f1ae40c7b40eef1ca38fab0b7190f3 Mon Sep 17 00:00:00 2001 
From: Umberto Baldi Date: Thu, 17 Mar 2022 15:13:33 +0100 Subject: [PATCH 17/20] add small section explaining why is recommended to use these prop names --- docs/guides/secure-boot.md | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/docs/guides/secure-boot.md b/docs/guides/secure-boot.md index baf4e2a7b43..8118ad89ad6 100644 --- a/docs/guides/secure-boot.md +++ b/docs/guides/secure-boot.md @@ -54,3 +54,13 @@ The security keys can be added with: - `build.keys.sign_key` indicates the name of the custom signing key to use to sign a binary during the compile process. - `build.keys.encrypt_key` indicates the name of the custom encryption key to use to encrypt a binary during the compile process. + +It's suggested to use the property names mentioned before, because they can be overridden respectively with +`--keys-keychain`, `--sign-key` and ``--encrypt-key` Arduino CLI [compile flags](../commands/arduino-cli_compile.md). + +For example, by using the following command, the sketch is compiled and the resulting binary is signed and encrypted +with the specified keys located in `/home/user/Arduino/keys` directory: + +``` +arduino-cli compile -b arduino:mbed_portenta:envie_m7:security=sien --keys-keychain /home/user/Arduino/keys --sign-key ecsdsa-p256-signing-key.pem --encrypt-key ecsdsa-p256-encrypt-key.pem /home/user/Arduino/MySketch +``` From 47c39174e5a8fb21c65e68ea582e65d6cec46188 Mon Sep 17 00:00:00 2001 From: Umberto Baldi <34278123+umbynos@users.noreply.github.com> Date: Fri, 18 Mar 2022 09:45:38 +0100 Subject: [PATCH 18/20] Apply suggestions from code review Co-authored-by: per1234 --- docs/guides/secure-boot.md | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/docs/guides/secure-boot.md b/docs/guides/secure-boot.md index 8118ad89ad6..4ccd56f9d1f 100644 --- a/docs/guides/secure-boot.md +++ b/docs/guides/secure-boot.md 
@@ -1,4 +1,4 @@ -### Secure Boot +# Secure Boot A ["secure boot"](https://www.keyfactor.com/blog/what-is-secure-boot-its-where-iot-security-starts/) capability may be offered by Arduino boards platforms. @@ -28,9 +28,10 @@ tools.imgtool.flags=sign --key "{build.keys.keychain}/{build.keys.sign_key}" --e ``` -By having only `tools.TOOL_NAME.cmd` and `tools.TOOL_NAME.falgs`, we can customize the behavior with a +By having only `tools.TOOL_NAME.cmd` and `tools.TOOL_NAME.flags`, we can customize the behavior with a [custom board option](../platform-specification.md#custom-board-options). Then in the -[`boards.txt`](../platform-specification.md#boardstxt) we can define the new option to use a different `postbuild.cmd`: +[`boards.txt`](../platform-specification.md#boardstxt) we can define the new option to use a different +`build.postbuild.cmd`: ``` [...] @@ -56,7 +57,7 @@ The security keys can be added with: process. It's suggested to use the property names mentioned before, because they can be overridden respectively with -`--keys-keychain`, `--sign-key` and ``--encrypt-key` Arduino CLI [compile flags](../commands/arduino-cli_compile.md). +`--keys-keychain`, `--sign-key` and `--encrypt-key` Arduino CLI [compile flags](../commands/arduino-cli_compile.md). For example, by using the following command, the sketch is compiled and the resulting binary is signed and encrypted with the specified keys located in `/home/user/Arduino/keys` directory: From d480ae503b21388a3cf58e6d55d86d34e8e93d5b Mon Sep 17 00:00:00 2001 From: umbynos Date: Wed, 23 Mar 2022 17:48:19 +0100 Subject: [PATCH 19/20] Correct error message --- cli/arguments/arguments.go | 2 +- test/test_compile_part_4.py | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/cli/arguments/arguments.go b/cli/arguments/arguments.go index cb165809e58..1b9dfe92b3c 100644 --- a/cli/arguments/arguments.go +++ b/cli/arguments/arguments.go 
@@ -44,7 +44,7 @@ func CheckFlagsMandatory(command *cobra.Command, flagNames ...string) { if command.Flag(flagName).Changed { continue } else { - feedback.Errorf(tr("Please use also %s flag when using %s flags at the same time.", "--"+flagName, "--"+strings.Join(flagNames, " "+tr("and")+" --"))) + feedback.Errorf(tr("Flag %[1]s is mandatory when used in conjunction with flag %[2]s.", "--"+flagName, "--"+strings.Join(flagNames, " "+tr("and")+" --"))) os.Exit(errorcodes.ErrBadArgument) } } diff --git a/test/test_compile_part_4.py b/test/test_compile_part_4.py index 881ca65b82a..bdc85d8cb9e 100644 --- a/test/test_compile_part_4.py +++ b/test/test_compile_part_4.py @@ -471,7 +471,7 @@ def test_compile_with_fake_secure_boot_core(run_command, data_dir): ] ) assert res.failed - assert "Please use also --sign-key flag when using --keys-keychain" in res.stderr + assert "Flag --sign-key is mandatory when used in conjunction with flag --keys-keychain" in res.stderr # Verifies compilation works with secure boot enabled and when overriding the sign key and encryption key used keys_dir = Path(data_dir, "keys_dir") From c40e6cbc5113301611604329c539556a41191487 Mon Sep 17 00:00:00 2001 From: Umberto Baldi <34278123+umbynos@users.noreply.github.com> Date: Thu, 24 Mar 2022 10:10:47 +0100 Subject: [PATCH 20/20] Apply suggestions from code review Co-authored-by: per1234 --- docs/platform-specification.md | 4 ++++ legacy/builder/setup_build_properties.go | 4 ++-- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/docs/platform-specification.md b/docs/platform-specification.md index 1c9fe429af0..b097dc4cfe6 100644 --- a/docs/platform-specification.md +++ b/docs/platform-specification.md 
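Review bot: In the new message the second placeholder is still filled from the whole `flagNames` list, so the missing flag is named on both sides of "in conjunction with" (for the three key flags, presumably `Flag --sign-key is mandatory when used in conjunction with flag --keys-keychain and --sign-key and --encrypt-key.`). Joining only the names other than `flagName` for `%[2]s`, and using the plural "flags", would make the message say what the user has to add. The `continue` followed by `else` is also redundant and reads more simply as `if !command.Flag(flagName).Changed {` with the error inside. The function's signature and loop header are outside this hunk.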
@@ -155,6 +155,8 @@ the name of the architecture is set as well. There are some other **{build.xxx}** properties available, that are explained in the boards.txt section of this guide. +#### Security credential properties + Some of them allow specifying trusted security credentials (signing and encryption keys) that can be used by a ["secure boot" system](guides/secure-boot.md): @@ -162,6 +164,8 @@ Some of them allow specifying trusted security credentials (signing and encrypti - `build.keys.sign_key`: for the signing key - `build.keys.encrypt_key`: for the encryption key +If any of these properties are defined, the others are required. + These properties can be overwritten respectively with `--keys-keychain`, `--sign-key`, `--encrypt-key` [compile](commands/arduino-cli_compile.md) flags in the Arduino CLI. diff --git a/legacy/builder/setup_build_properties.go b/legacy/builder/setup_build_properties.go index 259a95ca28e..309a371752a 100644 --- a/legacy/builder/setup_build_properties.go +++ b/legacy/builder/setup_build_properties.go @@ -131,8 +131,8 @@ func (s *SetupBuildProperties) Run(ctx *types.Context) error { signProp := buildProperties.ContainsKey("build.keys.sign_key") encryptProp := buildProperties.ContainsKey("build.keys.encrypt_key") // we verify that all the properties for the secure boot keys are defined or none of them is defined. - if !(keychainProp || signProp || encryptProp) && (keychainProp && signProp && encryptProp) { - return errors.Errorf("%s core does not specify correctly default sign and encryption keys", ctx.BuildCore) + if (keychainProp || signProp || encryptProp) && !(keychainProp && signProp && encryptProp) { + return errors.Errorf("%s platform does not specify correctly default sign and encryption keys", targetPlatform.Platform) } ctx.BuildProperties = buildProperties
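Review bot: `ContainsKey` only establishes that the three properties are present, so even with the corrected condition in the setup_build_properties.go hunk a platform that defines `build.keys.sign_key=` with an empty value passes, and a recipe such as the documented `--key "{build.keys.keychain}/{build.keys.sign_key}"` would then expand to the keychain directory itself. If empty values can occur in these property maps (not visible here), testing the value instead, e.g. `signProp := buildProperties.Get("build.keys.sign_key") != ""` and likewise for the other two, would make the all-or-none rule cover that case. The error text would read better as `%s platform does not correctly specify the default signing and encryption keys`. Run's body starts outside the hunk, so where `targetPlatform` comes from cannot be checked from here.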