brianhansonxyz/clearpilot
1
0
Fork 0
Code Issues Pull Requests Actions 4 Packages Projects Releases Wiki Activity

switch SSH keys to ed25519, encrypt with hardware serial instead of DongleId
Some checks failed
prebuilt / build prebuilt (push) Has been cancelled
Details
badges / create badges (push) Has been cancelled
Details

Browse Source 
- Generate new ed25519 keypair (replaces old RSA keys)
- Encrypt with device serial from /proc/cmdline (always available, no manager needed)
- Update decrypt/encrypt tools and provision.sh to use serial
- Remove dependency on DongleId param for SSH key provisioning

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
Brian Hanson
2026-04-15 01:32:51 +00:00
parent 21f71cbc37
commit f46339c949
6 changed files with 31 additions and 19 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
system/clearpilot/dev/encrypt.sh
View File

@@ -1,17 +1,19 @@
#!/bin/bash #!/bin/bash
dongle_id=$(cat /data/params/d/DongleId) # Uses hardware serial as identity check and encryption key
if [[ ! $dongle_id == 90bb71* ]]; then serial=$(sed 's/.*androidboot.serialno=\([^ ]*\).*/\1/' /proc/cmdline)
if [[ $serial != 3889765b ]]; then
echo "Wrong device (serial=$serial)"
exit 1 exit 1
fi fi
# Encrypt SSH keys if source files exist using the custom encrypt tool # Encrypt SSH keys if source files exist using the custom encrypt tool
if [ -f /data/openpilot/system/clearpilot/dev/id_rsa.pub ]; then if [ -f /data/openpilot/system/clearpilot/dev/id_ed25519.pub ]; then
bash /data/openpilot/system/clearpilot/tools/encrypt /data/openpilot/system/clearpilot/dev/id_rsa.pub /data/openpilot/system/clearpilot/dev/id_rsa.pub.cpt bash /data/openpilot/system/clearpilot/tools/encrypt /data/openpilot/system/clearpilot/dev/id_ed25519.pub /data/openpilot/system/clearpilot/dev/id_ed25519.pub.cpt
fi fi
if [ -f /data/openpilot/system/clearpilot/dev/id_rsa ]; then if [ -f /data/openpilot/system/clearpilot/dev/id_ed25519 ]; then
bash /data/openpilot/system/clearpilot/tools/encrypt /data/openpilot/system/clearpilot/dev/id_rsa /data/openpilot/system/clearpilot/dev/id_rsa.cpt bash /data/openpilot/system/clearpilot/tools/encrypt /data/openpilot/system/clearpilot/dev/id_ed25519 /data/openpilot/system/clearpilot/dev/id_ed25519.cpt
fi fi
if [ -f /data/openpilot/system/clearpilot/dev/reverse_ssh ]; then if [ -f /data/openpilot/system/clearpilot/dev/reverse_ssh ]; then

BIN
system/clearpilot/dev/id_ed25519.cpt Normal file
View File

Binary file not shown.

2
system/clearpilot/dev/id_ed25519.pub.cpt Normal file
View File

@@ -0,0 +1,2 @@
•í-À‘-j¦ñqã A†3ä"|}ôÚÁñžš.\ñ`þQ¥¶ßA^´­Ð×~LìbýÊ ÞÔm!Òzï[®<>Wí(¯«rýfo¼ À˜¦Miê[&ÄoúÏV=<3D>ˆQ<CB86>"2<>A“i 8ÐpÀ­"Á!þ1­“æG:š4ïá<-Ý
#

16
system/clearpilot/provision.sh
View File

@@ -44,16 +44,18 @@ echo 'export PATH="$HOME/.local/bin:$PATH"' >> ~/.bashrc && source ~/.bashrc
echo "Packages installed" echo "Packages installed"
# Decrypt and install SSH identity keys (for git auth) # Decrypt and install SSH identity keys (for git auth)
dongle_id=$(cat /data/params/d/DongleId 2>/dev/null) # Uses hardware serial from /proc/cmdline as device identity and decryption key
serial=$(sed 's/.*androidboot.serialno=\([^ ]*\).*/\1/' /proc/cmdline)
ssh_dir="/data/ssh/.ssh" ssh_dir="/data/ssh/.ssh"
if [[ $dongle_id == 90bb71* ]] && [[ ! -f "$ssh_dir/id_rsa" || ! -f "$ssh_dir/id_rsa.pub" ]]; then if [[ $serial == 3889765b ]] && [[ ! -f "$ssh_dir/id_ed25519" || ! -f "$ssh_dir/id_ed25519.pub" ]]; then
echo "Decrypting SSH identity keys..." echo "Decrypting SSH identity keys (serial=$serial)..."
bash /data/openpilot/system/clearpilot/tools/decrypt /data/openpilot/system/clearpilot/dev/id_rsa.cpt /data/openpilot/system/clearpilot/dev/id_rsa bash /data/openpilot/system/clearpilot/tools/decrypt /data/openpilot/system/clearpilot/dev/id_ed25519.cpt /data/openpilot/system/clearpilot/dev/id_ed25519
bash /data/openpilot/system/clearpilot/tools/decrypt /data/openpilot/system/clearpilot/dev/id_rsa.pub.cpt /data/openpilot/system/clearpilot/dev/id_rsa.pub bash /data/openpilot/system/clearpilot/tools/decrypt /data/openpilot/system/clearpilot/dev/id_ed25519.pub.cpt /data/openpilot/system/clearpilot/dev/id_ed25519.pub
mkdir -p "$ssh_dir" mkdir -p "$ssh_dir"
cp /data/openpilot/system/clearpilot/dev/id_rsa /data/openpilot/system/clearpilot/dev/id_rsa.pub "$ssh_dir" cp /data/openpilot/system/clearpilot/dev/id_ed25519 /data/openpilot/system/clearpilot/dev/id_ed25519.pub "$ssh_dir/"
chmod 700 "$ssh_dir" chmod 700 "$ssh_dir"
chmod 600 "$ssh_dir/id_rsa" "$ssh_dir/id_rsa.pub" chmod 600 "$ssh_dir/id_ed25519"
chmod 644 "$ssh_dir/id_ed25519.pub"
echo "SSH identity keys installed to $ssh_dir" echo "SSH identity keys installed to $ssh_dir"
fi fi

9
system/clearpilot/tools/decrypt
View File

@@ -10,8 +10,11 @@ fi
src="$1" src="$1"
dest="$2" dest="$2"
# Read DongleId for decryption key # Use hardware serial as decryption key
dongle_id=/data/params/d/DongleId serial=$(sed 's/.*androidboot.serialno=\([^ ]*\).*/\1/' /proc/cmdline)
keyfile=$(mktemp)
echo -n "$serial" > "$keyfile"
# Decrypt the file # Decrypt the file
cat "$src" | ccrypt -d -k "$dongle_id" > "$dest" cat "$src" | ccrypt -d -k "$keyfile" > "$dest"
rm -f "$keyfile"

9
system/clearpilot/tools/encrypt
View File

@@ -10,8 +10,11 @@ fi
src="$1" src="$1"
dest="$2" dest="$2"
# Read DongleId for encryption key # Use hardware serial as encryption key
dongle_id=/data/params/d/DongleId serial=$(sed 's/.*androidboot.serialno=\([^ ]*\).*/\1/' /proc/cmdline)
keyfile=$(mktemp)
echo -n "$serial" > "$keyfile"
# Encrypt the file # Encrypt the file
cat "$src" | ccrypt -e -k "$dongle_id" > "$dest" cat "$src" | ccrypt -e -k "$keyfile" > "$dest"
rm -f "$keyfile"