switch SSH keys to ed25519, encrypt with hardware serial instead of DongleId

- Generate new ed25519 keypair (replaces old RSA keys) - Encrypt with device serial from /proc/cmdline (always available, no manager needed) - Update decrypt/encrypt tools and provision.sh to use serial - Remove dependency on DongleId param for SSH key provisioning Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-15 01:32:51 +00:00
parent 21f71cbc37
commit f46339c949
6 changed files with 31 additions and 19 deletions
--- a/system/clearpilot/dev/encrypt.sh
+++ b/system/clearpilot/dev/encrypt.sh
@@ -1,17 +1,19 @@
 #!/bin/bash

-dongle_id=$(cat /data/params/d/DongleId)
-if [[ ! $dongle_id == 90bb71* ]]; then
+# Uses hardware serial as identity check and encryption key
+serial=$(sed 's/.*androidboot.serialno=\([^ ]*\).*/\1/' /proc/cmdline)
+if [[ $serial != 3889765b ]]; then
+    echo "Wrong device (serial=$serial)"
    exit 1
 fi

 # Encrypt SSH keys if source files exist using the custom encrypt tool
-if [ -f /data/openpilot/system/clearpilot/dev/id_rsa.pub ]; then
-   bash /data/openpilot/system/clearpilot/tools/encrypt /data/openpilot/system/clearpilot/dev/id_rsa.pub /data/openpilot/system/clearpilot/dev/id_rsa.pub.cpt
+if [ -f /data/openpilot/system/clearpilot/dev/id_ed25519.pub ]; then
+   bash /data/openpilot/system/clearpilot/tools/encrypt /data/openpilot/system/clearpilot/dev/id_ed25519.pub /data/openpilot/system/clearpilot/dev/id_ed25519.pub.cpt
 fi

-if [ -f /data/openpilot/system/clearpilot/dev/id_rsa ]; then
-   bash /data/openpilot/system/clearpilot/tools/encrypt /data/openpilot/system/clearpilot/dev/id_rsa /data/openpilot/system/clearpilot/dev/id_rsa.cpt
+if [ -f /data/openpilot/system/clearpilot/dev/id_ed25519 ]; then
+   bash /data/openpilot/system/clearpilot/tools/encrypt /data/openpilot/system/clearpilot/dev/id_ed25519 /data/openpilot/system/clearpilot/dev/id_ed25519.cpt
 fi

 if [ -f /data/openpilot/system/clearpilot/dev/reverse_ssh ]; then
--- a/system/clearpilot/dev/id_ed25519.cpt
+++ b/system/clearpilot/dev/id_ed25519.cpt
--- a/system/clearpilot/dev/id_ed25519.pub.cpt
+++ b/system/clearpilot/dev/id_ed25519.pub.cpt
@@ -0,0 +1,2 @@
+•í-À‘-j¦ñqã	A†3ä"|}ôÚÁñžš.\ñ`þQ¥¶ßA^´Ð×~LìbýÊ	ÞÔm!Òzï[®<>Wí(¯«rýfo¼À˜¦Miê[&ÄoúÏV=<3D>ˆQ<CB86>"2<>A“i8ÐpÀ"Á!þ1“æ–G:š4ïá<-Ý
+#
--- a/system/clearpilot/provision.sh
+++ b/system/clearpilot/provision.sh
@@ -44,16 +44,18 @@ echo 'export PATH="$HOME/.local/bin:$PATH"' >> ~/.bashrc && source ~/.bashrc
 echo "Packages installed"

 # Decrypt and install SSH identity keys (for git auth)
-dongle_id=$(cat /data/params/d/DongleId 2>/dev/null)
+# Uses hardware serial from /proc/cmdline as device identity and decryption key
+serial=$(sed 's/.*androidboot.serialno=\([^ ]*\).*/\1/' /proc/cmdline)
 ssh_dir="/data/ssh/.ssh"
-if [[ $dongle_id == 90bb71* ]] && [[ ! -f "$ssh_dir/id_rsa" || ! -f "$ssh_dir/id_rsa.pub" ]]; then
-    echo "Decrypting SSH identity keys..."
-    bash /data/openpilot/system/clearpilot/tools/decrypt /data/openpilot/system/clearpilot/dev/id_rsa.cpt /data/openpilot/system/clearpilot/dev/id_rsa
-    bash /data/openpilot/system/clearpilot/tools/decrypt /data/openpilot/system/clearpilot/dev/id_rsa.pub.cpt /data/openpilot/system/clearpilot/dev/id_rsa.pub
+if [[ $serial == 3889765b ]] && [[ ! -f "$ssh_dir/id_ed25519" || ! -f "$ssh_dir/id_ed25519.pub" ]]; then
+    echo "Decrypting SSH identity keys (serial=$serial)..."
+    bash /data/openpilot/system/clearpilot/tools/decrypt /data/openpilot/system/clearpilot/dev/id_ed25519.cpt /data/openpilot/system/clearpilot/dev/id_ed25519
+    bash /data/openpilot/system/clearpilot/tools/decrypt /data/openpilot/system/clearpilot/dev/id_ed25519.pub.cpt /data/openpilot/system/clearpilot/dev/id_ed25519.pub
    mkdir -p "$ssh_dir"
-    cp /data/openpilot/system/clearpilot/dev/id_rsa /data/openpilot/system/clearpilot/dev/id_rsa.pub "$ssh_dir"
+    cp /data/openpilot/system/clearpilot/dev/id_ed25519 /data/openpilot/system/clearpilot/dev/id_ed25519.pub "$ssh_dir/"
    chmod 700 "$ssh_dir"
-    chmod 600 "$ssh_dir/id_rsa" "$ssh_dir/id_rsa.pub"
+    chmod 600 "$ssh_dir/id_ed25519"
+    chmod 644 "$ssh_dir/id_ed25519.pub"
    echo "SSH identity keys installed to $ssh_dir"
 fi

--- a/system/clearpilot/tools/decrypt
+++ b/system/clearpilot/tools/decrypt
@@ -10,8 +10,11 @@ fi
 src="$1"
 dest="$2"

-# Read DongleId for decryption key
-dongle_id=/data/params/d/DongleId
+# Use hardware serial as decryption key
+serial=$(sed 's/.*androidboot.serialno=\([^ ]*\).*/\1/' /proc/cmdline)
+keyfile=$(mktemp)
+echo -n "$serial" > "$keyfile"

 # Decrypt the file
-cat "$src" | ccrypt -d -k "$dongle_id" > "$dest"
+cat "$src" | ccrypt -d -k "$keyfile" > "$dest"
+rm -f "$keyfile"
--- a/system/clearpilot/tools/encrypt
+++ b/system/clearpilot/tools/encrypt
@@ -10,8 +10,11 @@ fi
 src="$1"
 dest="$2"

-# Read DongleId for encryption key
-dongle_id=/data/params/d/DongleId
+# Use hardware serial as encryption key
+serial=$(sed 's/.*androidboot.serialno=\([^ ]*\).*/\1/' /proc/cmdline)
+keyfile=$(mktemp)
+echo -n "$serial" > "$keyfile"

 # Encrypt the file
-cat "$src" | ccrypt -e -k "$dongle_id" > "$dest"
+cat "$src" | ccrypt -e -k "$keyfile" > "$dest"
+rm -f "$keyfile"