From f46339c94966fb4654e054a263d8abaa36a20ef0 Mon Sep 17 00:00:00 2001
From: Brian Hanson
Date: Wed, 15 Apr 2026 01:32:51 +0000
Subject: [PATCH] switch SSH keys to ed25519, encrypt with hardware serial instead of DongleId

- Generate new ed25519 keypair (replaces old RSA keys)
- Encrypt with device serial from /proc/cmdline (always available, no manager needed)
- Update decrypt/encrypt tools and provision.sh to use serial
- Remove dependency on DongleId param for SSH key provisioning
Co-Authored-By: Claude Opus 4.6 (1M context)
---
 system/clearpilot/dev/encrypt.sh | 14 ++++++++------
 system/clearpilot/dev/id_ed25519.cpt | Bin 0 -> 443 bytes
 system/clearpilot/dev/id_ed25519.pub.cpt | 2 ++
 system/clearpilot/provision.sh | 16 +++++++++-------
 system/clearpilot/tools/decrypt | 9 ++++++---
 system/clearpilot/tools/encrypt | 9 ++++++---
 6 files changed, 31 insertions(+), 19 deletions(-)
 create mode 100644 system/clearpilot/dev/id_ed25519.cpt
 create mode 100644 system/clearpilot/dev/id_ed25519.pub.cpt

diff --git a/system/clearpilot/dev/encrypt.sh b/system/clearpilot/dev/encrypt.sh
index 970de21..c391125 100755
--- a/system/clearpilot/dev/encrypt.sh
+++ b/system/clearpilot/dev/encrypt.sh
@@ -1,17 +1,19 @@
 #!/bin/bash
-dongle_id=$(cat /data/params/d/DongleId)
-if [[ ! $dongle_id == 90bb71* ]]; then
+# Uses hardware serial as identity check and encryption key
+serial=$(sed 's/.*androidboot.serialno=\([^ ]*\).*/\1/' /proc/cmdline)
+if [[ $serial != 3889765b ]]; then
+ echo "Wrong device (serial=$serial)"
 exit 1
 fi
 # Encrypt SSH keys if source files exist using the custom encrypt tool
-if [ -f /data/openpilot/system/clearpilot/dev/id_rsa.pub ]; then
- bash /data/openpilot/system/clearpilot/tools/encrypt /data/openpilot/system/clearpilot/dev/id_rsa.pub /data/openpilot/system/clearpilot/dev/id_rsa.pub.cpt
+if [ -f /data/openpilot/system/clearpilot/dev/id_ed25519.pub ]; then
+ bash /data/openpilot/system/clearpilot/tools/encrypt /data/openpilot/system/clearpilot/dev/id_ed25519.pub /data/openpilot/system/clearpilot/dev/id_ed25519.pub.cpt
 fi
-if [ -f /data/openpilot/system/clearpilot/dev/id_rsa ]; then
- bash /data/openpilot/system/clearpilot/tools/encrypt /data/openpilot/system/clearpilot/dev/id_rsa /data/openpilot/system/clearpilot/dev/id_rsa.cpt
+if [ -f /data/openpilot/system/clearpilot/dev/id_ed25519 ]; then
+ bash /data/openpilot/system/clearpilot/tools/encrypt /data/openpilot/system/clearpilot/dev/id_ed25519 /data/openpilot/system/clearpilot/dev/id_ed25519.cpt
 fi
 if [ -f /data/openpilot/system/clearpilot/dev/reverse_ssh ]; then
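Review bot: The literal `3889765b` compared in `if [[ $serial != 3889765b ]]` is the same value that tools/encrypt and tools/decrypt write to the ccrypt key file, so the key protecting id_ed25519.cpt is committed next to the ciphertext (the provision.sh hunk repeats the literal, and the added `echo` lines print it). Read access to the repository is then enough to recover the private key, which makes the serial usable as a device check but not as a secret. I would keep the serial comparison for identity only and have the tools read the ccrypt key from a file that is never committed, documenting that above the check: `# serial is a device identity check only; the ccrypt key is read from a file kept outside the repository`. The ed25519 pair added in this commit should presumably be regenerated once the key handling changes.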
diff --git a/system/clearpilot/dev/id_ed25519.cpt b/system/clearpilot/dev/id_ed25519.cpt new file mode 100644 index 0000000000000000000000000000000000000000..ea4672b028434ef773409ecb7877e28df339fa2b GIT binary patch literal 443 zcmV;s0Yv^=r0yd!v)tu{^xwxn&0KYHL+whQW5`uPyt68zb`o4&zKE8Se7xXS_0h{FFq+1aV(rbwDPl(C@fuNqR-Pyr8 zjR!+*J9HrFb?o07zDz*tyA>Wp8R=;4Be#W$4;I6&bg|5?Q;&#@QZKeRB?YrQarTR78?203bJ8ONOX6qBpNN8@Q$Z*w^Z zgN9)z77%4#10-p1YKwL)0aRs5+MYL+s*P|NWVWD9Dp+fCm~)+Ofs`=D> ~/.bashrc && source ~/.bashrc echo "Packages installed" # Decrypt and install SSH identity keys (for git auth) -dongle_id=$(cat /data/params/d/DongleId 2>/dev/null) +# Uses hardware serial from /proc/cmdline as device identity and decryption key +serial=$(sed 's/.*androidboot.serialno=\([^ ]*\).*/\1/' /proc/cmdline) ssh_dir="/data/ssh/.ssh" -if [[ $dongle_id == 90bb71* ]] && [[ ! -f "$ssh_dir/id_rsa" || ! -f "$ssh_dir/id_rsa.pub" ]]; then - echo "Decrypting SSH identity keys..." - bash /data/openpilot/system/clearpilot/tools/decrypt /data/openpilot/system/clearpilot/dev/id_rsa.cpt /data/openpilot/system/clearpilot/dev/id_rsa - bash /data/openpilot/system/clearpilot/tools/decrypt /data/openpilot/system/clearpilot/dev/id_rsa.pub.cpt /data/openpilot/system/clearpilot/dev/id_rsa.pub +if [[ $serial == 3889765b ]] && [[ ! -f "$ssh_dir/id_ed25519" || ! -f "$ssh_dir/id_ed25519.pub" ]]; then + echo "Decrypting SSH identity keys (serial=$serial)..." 
+ bash /data/openpilot/system/clearpilot/tools/decrypt /data/openpilot/system/clearpilot/dev/id_ed25519.cpt /data/openpilot/system/clearpilot/dev/id_ed25519
+ bash /data/openpilot/system/clearpilot/tools/decrypt /data/openpilot/system/clearpilot/dev/id_ed25519.pub.cpt /data/openpilot/system/clearpilot/dev/id_ed25519.pub
 mkdir -p "$ssh_dir"
- cp /data/openpilot/system/clearpilot/dev/id_rsa /data/openpilot/system/clearpilot/dev/id_rsa.pub "$ssh_dir"
+ cp /data/openpilot/system/clearpilot/dev/id_ed25519 /data/openpilot/system/clearpilot/dev/id_ed25519.pub "$ssh_dir/"
 chmod 700 "$ssh_dir"
- chmod 600 "$ssh_dir/id_rsa" "$ssh_dir/id_rsa.pub"
+ chmod 600 "$ssh_dir/id_ed25519"
+ chmod 644 "$ssh_dir/id_ed25519.pub"
 echo "SSH identity keys installed to $ssh_dir"
 fi
diff --git a/system/clearpilot/tools/decrypt b/system/clearpilot/tools/decrypt
index a736b82..836cb95 100755
--- a/system/clearpilot/tools/decrypt
+++ b/system/clearpilot/tools/decrypt
@@ -10,8 +10,11 @@ fi
 src="$1"
 dest="$2"
-# Read DongleId for decryption key
-dongle_id=/data/params/d/DongleId
+# Use hardware serial as decryption key
+serial=$(sed 's/.*androidboot.serialno=\([^ ]*\).*/\1/' /proc/cmdline)
+keyfile=$(mktemp)
+echo -n "$serial" > "$keyfile"
 # Decrypt the file
-cat "$src" | ccrypt -d -k "$dongle_id" > "$dest"
+cat "$src" | ccrypt -d -k "$keyfile" > "$dest"
+rm -f "$keyfile"
diff --git a/system/clearpilot/tools/encrypt b/system/clearpilot/tools/encrypt
index 9496892..49b112e 100755
--- a/system/clearpilot/tools/encrypt
+++ b/system/clearpilot/tools/encrypt
@@ -10,8 +10,11 @@ fi
 src="$1"
 dest="$2"
-# Read DongleId for encryption key
-dongle_id=/data/params/d/DongleId
+# Use hardware serial as encryption key
+serial=$(sed 's/.*androidboot.serialno=\([^ ]*\).*/\1/' /proc/cmdline)
+keyfile=$(mktemp)
+echo -n "$serial" > "$keyfile"
 # Encrypt the file
-cat "$src" | ccrypt -e -k "$dongle_id" > "$dest"
+cat "$src" | ccrypt -e -k "$keyfile" > "$dest"
+rm -f "$keyfile"
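Review bot: In tools/decrypt, the redirect in `cat "$src" | ccrypt -d -k "$keyfile" > "$dest"` creates the plaintext with the caller's umask, so the decrypted id_ed25519 that provision.sh leaves under system/clearpilot/dev/ can end up group- or world-readable; provision.sh only runs `chmod 600` on the copy in `$ssh_dir`. Restricting the mode at creation closes that: `( umask 077; ccrypt -d -k "$keyfile" < "$src" > "$dest" )`. Because `rm -f "$keyfile"` is now the last command, the script also returns rm's status rather than ccrypt's, so I would save it with `rc=$?` right after the ccrypt line and finish with `exit "$rc"`; tools/encrypt ends the same way. The top of the script is outside this hunk.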
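Review bot: In tools/encrypt, the added `serial=$(sed ...)` line yields the whole kernel command line when `androidboot.serialno=` is absent, because sed prints unmatched input unchanged, and the tool would then encrypt with that string as the key without any error. tools/decrypt, provision.sh and dev/encrypt.sh use the same extraction line, although the latter two compare the result with a literal afterwards. Printing only on a match and rejecting an empty result avoids it: `serial=$(sed -n 's/.*androidboot.serialno=\([^ ]*\).*/\1/p' /proc/cmdline)` followed by `[ -n "$serial" ] || { echo "no serial in /proc/cmdline" >&2; exit 1; }`. The argument check above `src="$1"` is outside this hunk.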