How do I implement security for the CLI?

We are using Nordic SDK version 15.2, and have successfully implemented many functions using the CLI API but are stuck on how to secure the CLI. We have a USB and RTT CLI set up that we only want to be available to authorized developers at our company. Additionally, we have a BLE CLI set up for which we want all of the commands to be available only to our authorized app developers, and a subset of those commands to be made available for third party app developers. 

My questions are 

1) Is there SDK support for setting up this type of security for the CLI?

2) If not, can I please receive some guidance on how to wrap or extend the source code to implement this type of tiered security for the CLI?

  • Hi,

    So far we are not supporting this kind of security. However, it's a great idea, and I will think about it a bit more.

    There is quite an easy solution to provide a basic security level. You can implement 2 commands like cli_lock and cli_unlock, where you set a global variable, for example cli_lock_passwd, with some password. As long as cli_lock_passwd does not have the expected value, NRF_CLI will not execute any command other than cli_unlock. It is possible to implement the Tab function so that it does not prompt any command other than cli_unlock.

    All you need to do is add a global variable and modify 2 functions: cli_execute and cli_tab_handle.

    The problem with this solution is that as long as the variable cli_lock_passwd is not securely stored, some "hacker" can easily read/modify RAM and this variable. Or he can read Flash to find out the expected password.

  • Hi Jakub,

    Thanks for the quick reply. The solution you suggested was my naive instinct, but as you point out it's not exactly secure. Keep in mind that at least for this chip, we do have the CryptoCell 310 hardware feature which allows for various cryptography protocols including SHA-256 and SRP. This is by no means my domain of expertise; however, I'm delving into how Linux-based OS's generally implement password security to see if I can imitate it.

    This is the type of feature we generally take for granted in modern computing, and it's interesting to me personally to dig into how it's actually implemented. But it would be equally as awesome if Nordic implemented something similar to Linux security for the CLI in a future release of the SDK, as I'm sure there is a wide demand for it.

    Appreciate the help and happy to collaborate on this further.
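
The cli_lock / cli_unlock gate suggested in the answer, extended to the tiers asked for in the question, as an added example that is not part of the thread and is not Nordic SDK code. It is stand-alone C; the tier names, command table, secrets and function names other than cli_lock and cli_unlock are assumptions, and the two gate functions mark where checks inside cli_execute and cli_tab_handle would go.

```c
#include <stddef.h>
#include <string.h>

/* Tiers from the question: locked, third-party subset, full developer set. */
typedef enum { TIER_LOCKED, TIER_THIRD_PARTY, TIER_DEVELOPER } cli_tier_t;
typedef struct { const char *name; cli_tier_t min_tier; } cli_cmd_t;

/* Constructed table; "status" and "flash_dump" are hypothetical commands. */
static const cli_cmd_t cmds[] = {
    { "cli_unlock", TIER_LOCKED },      { "cli_lock",   TIER_THIRD_PARTY },
    { "status",     TIER_THIRD_PARTY }, { "flash_dump", TIER_DEVELOPER },
};
#define CMD_COUNT (sizeof cmds / sizeof cmds[0])

/* Placeholder secrets, indexed by tier. Constants like these sit in flash,
 * which is the storage weakness the answer warns about. */
static const char *const tier_secret[] = { NULL, "third-party-placeholder", "developer-placeholder" };
static cli_tier_t current_tier = TIER_LOCKED;

/* Compare without an early exit so timing does not reveal the matched prefix. */
static int ct_equal(const char *in, const char *secret) {
    size_t li = strlen(in), ls = strlen(secret);
    unsigned char diff = (unsigned char)(li != ls);
    for (size_t i = 0; i < ls; i++)
        diff |= (unsigned char)(in[i < li ? i : li] ^ secret[i]);
    return diff == 0;
}

/* cli_unlock handler: grant the matching tier; a wrong password relocks. */
cli_tier_t cli_unlock(const char *passwd) {
    cli_tier_t granted = TIER_LOCKED;
    for (int t = TIER_THIRD_PARTY; t <= TIER_DEVELOPER; t++)
        if (ct_equal(passwd, tier_secret[t])) granted = (cli_tier_t)t;
    return current_tier = granted;
}
void cli_lock(void) { current_tier = TIER_LOCKED; }

/* Gate for the execute path: unknown names and higher-tier commands are refused. */
int cli_cmd_allowed(const char *name) {
    for (size_t i = 0; i < CMD_COUNT; i++)
        if (strcmp(cmds[i].name, name) == 0) return cmds[i].min_tier <= current_tier;
    return 0;
}

/* Filter for the tab path: collect only names visible at the current tier. */
size_t cli_tab_candidates(const char *prefix, const char **out, size_t max) {
    size_t n = 0, plen = strlen(prefix);
    for (size_t i = 0; i < CMD_COUNT && n < max; i++)
        if (!strncmp(cmds[i].name, prefix, plen) && cmds[i].min_tier <= current_tier)
            out[n++] = cmds[i].name;
    return n;
}
```

Filtering tab completion with the same tier check keeps a locked session from enumerating command names it cannot run.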
