How do I implement security for the CLI?

RE: How do I implement security for the CLI?

ibeckermayer — Tue, 15 Jan 2019 23:14:59 GMT

Hi Jakub,

Thanks for the quick reply. The solution you suggested was my naive instinct, but as you point out it's not exactly secure. Keep in mind that at least for this chip, we do have the CryptoCell 310 hardware feature which allows for various cryptography protocols including SHA-256 and SRP. This is by no means my domain of expertise, however I'm delving in to how Linux-based OS's generally implement password security to see if I can imitate it.

This is the type of feature we generally take for granted in modern computing, and it's interesting to me personally to dig in to how it's actually implemented. But it would be equally as awesome if Nordic implemented something similar to Linux security for the CLI in a future release of the SDK, as I'm sure there is a wide demand for it.

Appreciate the help and happy to collaborate on this further.

RE: How do I implement security for the CLI?

Jakub Rzeszutko — Tue, 15 Jan 2019 07:49:27 GMT

Hi,

So far we are not supporting this kind of security. However it's great idea, I will think about it a bit more.

There is quite easy solution to provide basic security level. You can implement 2 commands like: cli_lock, cli_unlock where you will set a global variable for example: cli_lock_passwd with some password. As long as cli_lock_passwd will not have expected value NRF_CLI will not execute any other command than cli_unlock. It is possible to implement Tab function to not prompt any other command but cli_unlock.

All you need to do is to add a global variable and modify 2 functions: cli_execute and cli_tab_handle.

Problem with this solution is that as long as variable cli_lock_passwd is not securly stored some "hacker" can easly read/modify RAM and this variable. Or he can read Flash to find out expected password.