Refer to the Thunder Security page for the basics of the ThunderSecurity module and the SecurityAgent plugin, their purpose and functionality. This page covers integration and validation of these modules in the RPI CMF stack.


Code change to enable the SecurityAgent plugin.

meta-layer path:
meta-cmf-raspberrypi/recipes-extended/rdkservices/rdkservices_git.bbappend.

diff --git a/recipes-extended/rdkservices/rdkservices_git.bbappend b/recipes-extended/rdkservices/rdkservices_git.bbappend
index 1ff7634..33a8145 100644
--- a/recipes-extended/rdkservices/rdkservices_git.bbappend
+++ b/recipes-extended/rdkservices/rdkservices_git.bbappend
@@ -20,7 +20,7 @@ CXXFLAGS += "-DENABLE_THERMAL_PROTECTION"
 CXXFLAGS += "-DPLATFORM_BROADCOM_REF"

 PACKAGECONFIG_remove = "controlservice hdmicec remoteactionmapping \
-                        securityagent opencdmi datacapture"
+                        opencdmi datacapture"
 # displayinfo is temporarily not supported for RPi until fixes are being in main branch
 PACKAGECONFIG_remove = "displayinfo"
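
Review bot: dropping securityagent from the PACKAGECONFIG_remove list is unconditional, so a build that still sets thunder_security_disable in its distro or machine configuration would now ship the SecurityAgent plugin while the feature flag asks for security to be off. Consider tying the two together, for example keeping securityagent in the remove list only when thunder_security_disable is present in DISTRO_FEATURES (bb.utils.contains), and add a comment above the line saying why the plugin is now built.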


Code changes to enable ThunderSecurity: the thunder_security_disable distro feature is commented out in the following three files.

meta-cmf-raspberrypi/conf/distro/include/rdk-rpi.inc:25:#DISTRO_FEATURES_append = " thunder_security_disable"
meta-cmf-raspberrypi/conf/machine/raspberrypi-rdk-ipmc.conf:26:#DISTRO_FEATURES_append = " thunder_security_disable"
meta-cmf-video-reference/conf/distro/include/reference.inc:27:#DISTRO_FEATURES_append = " thunder_security_disable"

Corresponding three patch files.

Patch 1:

diff --git a/conf/distro/include/rdk-rpi.inc b/conf/distro/include/rdk-rpi.inc
index ba9aeda..d7568d1 100644
--- a/conf/distro/include/rdk-rpi.inc
+++ b/conf/distro/include/rdk-rpi.inc
@@ -22,7 +22,7 @@ DISTRO_FEATURES_append = " ctrlm"
 DISTRO_FEATURES_append = " ctrlm_voice_sdk"

 # Disable Thunder Security
-DISTRO_FEATURES_append = " thunder_security_disable"
+#DISTRO_FEATURES_append = " thunder_security_disable"

 DISTRO_FEATURES_append = " enable_icrypto_openssl"
 DISTRO_FEATURES_remove = "netflix_cryptanium"
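
Review bot: the "# Disable Thunder Security" comment now sits above a commented-out line, which reads as if security were still disabled in this file. Delete the DISTRO_FEATURES_append line outright (version control keeps the history), or reword the comment to say that Thunder security is enabled and that uncommenting the line disables it.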


Patch 2:

diff --git a/conf/machine/raspberrypi-rdk-ipmc.conf b/conf/machine/raspberrypi-rdk-ipmc.conf
index 0e2bc6c..489c21c 100644
--- a/conf/machine/raspberrypi-rdk-ipmc.conf
+++ b/conf/machine/raspberrypi-rdk-ipmc.conf
@@ -23,7 +23,7 @@ DISTRO_FEATURES_append = " build_rne"
 DISTRO_FEATURES_append = " systemd-disable-getty"

 # Disable Thunder Security
-DISTRO_FEATURES_append = " thunder_security_disable"
+#DISTRO_FEATURES_append = " thunder_security_disable"

 # this can be removed if cc is open sourced
 CLOSEDCAPTION = ""
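
Review bot: this machine configuration carries its own copy of the thunder_security_disable toggle, the same DISTRO_FEATURES_append line that rdk-rpi.inc has, so the setting has to be changed in step in more than one file. Since it is a distro feature, keep it in the distro include only and remove the line together with its "# Disable Thunder Security" comment from the machine .conf instead of commenting it out.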


Patch 3:
diff --git a/conf/distro/include/reference.inc b/conf/distro/include/reference.inc
index 9ca7fb7..3c6dda8 100644
--- a/conf/distro/include/reference.inc
+++ b/conf/distro/include/reference.inc
@@ -24,7 +24,7 @@ DISTRO_FEATURES_append = " opencdm"
 DISTRO_FEATURES_append = " clearkey"
 DISTRO_FEATURES_append = " refapp"
 DISTRO_FEATURES_append = " aamp"
-DISTRO_FEATURES_append = " thunder_security_disable"
+#DISTRO_FEATURES_append = " thunder_security_disable"
 DISTRO_FEATURES_remove = " rdkbrowser2"
 DISTRO_FEATURES_append = " enable_icrypto_openssl"
 DISTRO_FEATURES_append = " rdkshell"
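
Review bot: the commented-out thunder_security_disable line in reference.inc has no comment explaining the toggle, unlike the "# Disable Thunder Security" marker in the two RPi files, and this include lives in meta-cmf-video-reference rather than the RPi layer, so the change reaches every build that pulls in reference.inc. Remove the line instead of leaving it commented out, and state in the commit message that security is being enabled for all users of the reference distro, not only RPi.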

After building the code with the above changes, flash the MediaClient image to the RPI board.


RFC Support.
Thunder Security can be enabled or disabled using the RFC parameter Device.DeviceInfo.X_RDKCENTRAL-COM_RFC.Feature.ThunderSecurity.Enable.

Set ThunderSecurity to true with the command below.
tr181 -s -t boolean -v true Device.DeviceInfo.X_RDKCENTRAL-COM_RFC.Feature.ThunderSecurity.Enable
Read back the value that was set with the command below.
tr181 Device.DeviceInfo.X_RDKCENTRAL-COM_RFC.Feature.ThunderSecurity.Enable

Note: the RPI needs to be rebooted after changing the RFC value.


In the WPEFramework logs we can see "Security ENABLED, incoming requests need to be authorized!!!" and ThunderSecurity value = true.

A security token can be obtained by running the WPEFrameworkSecurityUtility binary.

root@raspberrypi-rdk-mc:/usr/bin# ./WPEFrameworkSecurityUtility
{"token":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.aHR0cDovL2xvY2FsaG9zdA.aFpBz8A603aUJsQmITpNY64eqCcFZu08Sk0GUqz5voo","success":true}

To validate the SecurityAgent plugin, pass the security token in a curl command as below.

curl command :
curl -H "Content-Type: application/json" -H "Authorization: Bearer  eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.aHR0cDovL2xvY2FsaG9zdA.aFpBz8A603aUJsQmITpNY64eqCcFZu08Sk0GUqz5voo" -X POST   -d '{"jsonrpc": "2.0","id": 1234567890,"method": "SecurityAgent.1.validate","params": {"token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.aHR0cDovL2xvY2FsaG9zdA.aFpBz8A603aUJsQmITpNY64eqCcFZu08Sk0GUqz5voo"}}' http://127.0.0.1:9998/jsonrpc
Response :
{"jsonrpc":"2.0","id":1234567890,"result":{"valid":true}}

Here the security token passed in params was manually changed to an incorrect value (the Authorization header still carries the valid token); the expected result is false.

Curl command :
root@raspberrypi-rdk-mc:~# curl -H "Content-Type: application/json" -H "Authorization: Bearer  eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.aHR0cDovL2xvY2FsaG9zdA.aFpBz8A603aUJsQmITpNY64eqCcFZu08Sk0GUqz5voo" -X POST   -d '{"jsonrpc": "2.0","id": 1234567890,"method": "SecurityAgent.1.validate","params": {"token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.aHR0cDovL2xvY2FsaG9zdA.aFpBz8A603aUJsQmITpNY64eqCcFZu08Sk0GUqz5voK"}}' http://127.0.0.1:9998/jsonrpc
Response :
{"jsonrpc":"2.0","id":1234567890,"result":{"valid":false}}


Calling setCurrentResolution with the security token.

Curl command:
curl -H "Content-Type: application/json"  -H "Authorization: Bearer  eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.aHR0cDovL2xvY2FsaG9zdA.aFpBz8A603aUJsQmITpNY64eqCcFZu08Sk0GUqz5voo" -X POST   -d '{"jsonrpc": "2.0","id": 42,"method": "org.rdk.DisplaySettings.1.setCurrentResolution","params": {"videoDisplay": "HDMI0","resolution": "1080p","persist": true}}' http://127.0.0.1:9998/jsonrpc
Response:
{"jsonrpc":"2.0","id":42,"result":{"success":true}}

Here the security token in the Authorization header was manually changed to an incorrect value; the expected result is the error "Request needs authorization. Missing or invalid token."

Curl command:

curl -H "Content-Type: application/json"  -H "Authorization: Bearer  eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.aHR0cDovL2xvY2FsaG9zdA.aFpBz8A603aUJsQmITpNY64eqCcFZu08Sk0GUqz5" -X POST   -d '{"jsonrpc": "2.0","id": 42,"method": "org.rdk.DisplaySettings.1.setCurrentResolution","params": {"videoDisplay": "HDMI0","resolution": "1080p","persist": true}}' http://127.0.0.1:9998/jsonrpc

Response:
{"jsonrpc":"2.0","id":42,"error":{"code":-32604,"message":"Request needs authorization. Missing or invalid token."}}
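
The manual checks above can be scripted so they are repeatable after each build or RFC change. This is an added example, not part of the original page or of RDK code: the helper names, the UTIL and ENDPOINT variables and the script name are assumptions, while the endpoint, methods and response shapes are the ones shown above.

```shell
#!/bin/sh
# Added example (not RDK project code); helper and variable names are hypothetical.
# Endpoint, methods and response shapes are the ones shown on this page.
ENDPOINT="${ENDPOINT:-http://127.0.0.1:9998/jsonrpc}"
UTIL="${UTIL:-/usr/bin/WPEFrameworkSecurityUtility}"

# Extract the "token" value from the utility's JSON output.
extract_token() {
    printf '%s\n' "$1" | sed -n 's/.*"token"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# Map a compact JSON-RPC response to: unauthorized | valid | invalid | ok | unknown.
classify() {
    case "$1" in
        *'"error"'*'"code":-32604'*) echo unauthorized ;;
        *'"valid":true'*)            echo valid ;;
        *'"valid":false'*)           echo invalid ;;
        *'"success":true'*)          echo ok ;;
        *)                           echo unknown ;;
    esac
}

# POST a JSON-RPC body ($2) using bearer token ($1).
rpc() {
    curl -s -H "Content-Type: application/json" \
         -H "Authorization: Bearer $1" -X POST -d "$2" "$ENDPOINT"
}

# Compare an outcome ($2) with the expected one ($3) for a named check ($1).
expect() {
    if [ "$2" = "$3" ]; then echo "PASS $1"; else echo "FAIL $1: got $2, want $3"; return 1; fi
}

# The positive validate check plus both negative checks from this page.
run_checks() {
    token=$(extract_token "$("$UTIL")")
    [ -n "$token" ] || { echo "FAIL: no token from $UTIL"; return 1; }
    bad="${token%???}"    # truncated signature, as in the last negative test above
    v='{"jsonrpc":"2.0","id":1,"method":"SecurityAgent.1.validate","params":{"token":"%s"}}'
    s='{"jsonrpc":"2.0","id":42,"method":"org.rdk.DisplaySettings.1.setCurrentResolution","params":{"videoDisplay":"HDMI0","resolution":"1080p","persist":true}}'
    rc=0
    expect "valid token accepted"   "$(classify "$(rpc "$token" "$(printf "$v" "$token")")")" valid        || rc=1
    expect "altered token rejected" "$(classify "$(rpc "$token" "$(printf "$v" "$bad")")")"   invalid      || rc=1
    expect "bad bearer refused"     "$(classify "$(rpc "$bad" "$s")")"                        unauthorized || rc=1
    return $rc
}

# Only touch the device when asked to: sh thunder_sec_check.sh --run
if [ "${1:-}" = "--run" ]; then run_checks; fi
```

A FAIL on the third check means a request with an invalid bearer token was not refused, which indicates that enforcement is not active on the image under test.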
