Refer to the Thunder Security page for the basics of the ThunderSecurity module and the SecurityAgent plugin, including their purpose and functionality. This page covers the integration and validation of these modules in the RPI CMF stack.


Code change to enable SecurityAgent plugin.

Meta-layer path:
meta-cmf-raspberrypi/recipes-extended/rdkservices/rdkservices_git.bbappend

diff --git a/recipes-extended/rdkservices/rdkservices_git.bbappend b/recipes-extended/rdkservices/rdkservices_git.bbappend
index 1ff7634..33a8145 100644
--- a/recipes-extended/rdkservices/rdkservices_git.bbappend
+++ b/recipes-extended/rdkservices/rdkservices_git.bbappend
@@ -20,7 +20,7 @@ CXXFLAGS += "-DENABLE_THERMAL_PROTECTION"
 CXXFLAGS += "-DPLATFORM_BROADCOM_REF"

 PACKAGECONFIG_remove = "controlservice hdmicec remoteactionmapping \
-                        securityagent opencdmi datacapture"
+                        opencdmi datacapture"
 # displayinfo is temporarily not supported for RPi until fixes are being in main branch
 PACKAGECONFIG_remove = "displayinfo"
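
Review bot: In the first PACKAGECONFIG_remove list, securityagent is dropped without any explanation, while the displayinfo removal directly below carries a comment giving its reason. Add a one-line comment stating that the SecurityAgent plugin is now built for RPi, and consider tying the removal to the same distro feature that switches Thunder Security (thunder_security_disable in rdk-rpi.inc) so the plugin and the feature flag cannot drift apart.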


Code change to enable ThunderSecurity.

Meta-layer path:
meta-cmf-raspberrypi/conf/distro/include/rdk-rpi.inc

Corresponding patch:

diff --git a/conf/distro/include/rdk-rpi.inc b/conf/distro/include/rdk-rpi.inc
index ba9aeda..024c3a5 100644
--- a/conf/distro/include/rdk-rpi.inc
+++ b/conf/distro/include/rdk-rpi.inc
@@ -23,6 +23,8 @@ DISTRO_FEATURES_append = " ctrlm_voice_sdk"

 # Disable Thunder Security
 DISTRO_FEATURES_append = " thunder_security_disable"
+# Enables Thunder Security
+DISTRO_FEATURES_remove = " thunder_security_disable"

 DISTRO_FEATURES_append = " enable_icrypto_openssl"
 DISTRO_FEATURES_remove = "netflix_cryptanium"
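
Review bot: The added DISTRO_FEATURES_remove sits directly under DISTRO_FEATURES_append = " thunder_security_disable" and its "# Disable Thunder Security" comment, so the file now appends and removes the same feature in consecutive lines. Delete the append line and its stale comment instead of adding a remove: BitBake applies _remove after all appends, so as written no other layer or local.conf can re-enable thunder_security_disable with an append. The leading space inside the _remove value is also unnecessary.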


RFC Support.
Thunder Security can be enabled or disabled using the RFC parameter Device.DeviceInfo.X_RDKCENTRAL-COM_RFC.Feature.ThunderSecurity.Enable.

Set ThunderSecurity to true with the command below.
tr181 -s -t boolean -v true Device.DeviceInfo.X_RDKCENTRAL-COM_RFC.Feature.ThunderSecurity.Enable
Read back the value that was set with the command below.
tr181 Device.DeviceInfo.X_RDKCENTRAL-COM_RFC.Feature.ThunderSecurity.Enable

Note: The RPI must be rebooted after changing the RFC value.


The WPEFramework logs show the message "Security ENABLED, incoming requests need to be authorized!!!" and ThunderSecurity value = true.

A security token can be obtained by running the WPEFrameworkSecurityUtility binary.

root@raspberrypi-rdk-mc:/usr/bin# ./WPEFrameworkSecurityUtility
{"token":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.aHR0cDovL2xvY2FsaG9zdA.aFpBz8A603aUJsQmITpNY64eqCcFZu08Sk0GUqz5voo","success":true}

To validate the SecurityAgent plugin, pass the security token in a curl command as shown below.

Curl command:
curl -H "Content-Type: application/json" -H "Authorization: Bearer  eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.aHR0cDovL2xvY2FsaG9zdA.aFpBz8A603aUJsQmITpNY64eqCcFZu08Sk0GUqz5voo" -X POST   -d '{"jsonrpc": "2.0","id": 1234567890,"method": "SecurityAgent.1.validate","params": {"token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.aHR0cDovL2xvY2FsaG9zdA.aFpBz8A603aUJsQmITpNY64eqCcFZu08Sk0GUqz5voo"}}' http://127.0.0.1:9998/jsonrpc
Response:
{"jsonrpc":"2.0","id":1234567890,"result":{"valid":true}}

Here the security token passed in params was manually changed to an incorrect value; the expected result is false.

Curl command:
root@raspberrypi-rdk-mc:~# curl -H "Content-Type: application/json" -H "Authorization: Bearer  eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.aHR0cDovL2xvY2FsaG9zdA.aFpBz8A603aUJsQmITpNY64eqCcFZu08Sk0GUqz5voo" -X POST   -d '{"jsonrpc": "2.0","id": 1234567890,"method": "SecurityAgent.1.validate","params": {"token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.aHR0cDovL2xvY2FsaG9zdA.aFpBz8A603aUJsQmITpNY64eqCcFZu08Sk0GUqz5voK"}}' http://127.0.0.1:9998/jsonrpc
Response:
{"jsonrpc":"2.0","id":1234567890,"result":{"valid":false}}


setCurrentResolution with Security token.

Curl command:
curl -H "Content-Type: application/json"  -H "Authorization: Bearer  eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.aHR0cDovL2xvY2FsaG9zdA.aFpBz8A603aUJsQmITpNY64eqCcFZu08Sk0GUqz5voo" -X POST   -d '{"jsonrpc": "2.0","id": 42,"method": "org.rdk.DisplaySettings.1.setCurrentResolution","params": {"videoDisplay": "HDMI0","resolution": "1080p","persist": true}}' http://127.0.0.1:9998/jsonrpc
Response:
{"jsonrpc":"2.0","id":42,"result":{"success":true}}

Here the security token was manually changed to an incorrect value; the expected result is "Request needs authorization. Missing or invalid token."

Curl command:

curl -H "Content-Type: application/json"  -H "Authorization: Bearer  eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.aHR0cDovL2xvY2FsaG9zdA.aFpBz8A603aUJsQmITpNY64eqCcFZu08Sk0GUqz5" -X POST   -d '{"jsonrpc": "2.0","id": 42,"method": "org.rdk.DisplaySettings.1.setCurrentResolution","params": {"videoDisplay": "HDMI0","resolution": "1080p","persist": true}}' http://127.0.0.1:9998/jsonrpc

Response:
{"jsonrpc":"2.0","id":42,"error":{"code":-32604,"message":"Request needs authorization. Missing or invalid token."}}
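
The manual checks above can be scripted so they are repeatable after every image build. The script below is an added example, not part of the original page or the RDK code base; it reuses the endpoint, utility and methods shown above, its function names are hypothetical, and the case with no Authorization header is an assumption based on the error text "Missing or invalid token".

```shell
#!/bin/sh
# Added example, not from the page; function names are hypothetical.
ENDPOINT="http://127.0.0.1:9998/jsonrpc"   # endpoint used on the page

# Pull the token string out of the WPEFrameworkSecurityUtility JSON output.
extract_token() {
    printf '%s' "$1" | sed -n 's/.*"token":"\([^"]*\)".*/\1/p'
}
# Change the first signature character. The last character of a 32-byte
# signature carries padding bits, so a change there can decode to the same bytes.
tamper_token() {
    sig=${1##*.}; rest=${sig#?}; first=${sig%"$rest"}
    [ "$first" = "A" ] && new=B || new=A
    printf '%s.%s%s' "${1%.*}" "$new" "$rest"
}

# Reduce a JSON-RPC response to one word.
classify_response() {
    case "$1" in
        *'"error":{"code":-32604'*)    echo unauthorized ;;
        *'"result":{"valid":true}'*)   echo valid ;;
        *'"result":{"valid":false}'*)  echo invalid ;;
        *'"result":{"success":true}'*) echo success ;;
        *)                             echo other ;;
    esac
}
# rpc <bearer-or-empty> <json-body>; an empty bearer sends no Authorization header.
rpc() {
    if [ -n "$1" ]; then set -- -H "Authorization: Bearer $1" -d "$2"; else set -- -d "$2"; fi
    curl -s -H "Content-Type: application/json" -X POST "$@" "$ENDPOINT"
}
# expect <label> <expected-word> <response>
expect() {
    got=$(classify_response "$3")
    if [ "$got" = "$2" ]; then echo "PASS $1"; else echo "FAIL $1 (got $got)"; return 1; fi
}

# Assumption: a request with no Authorization header is refused like a bad token.
run_checks() {
    tok=$(extract_token "$(WPEFrameworkSecurityUtility)"); bad=$(tamper_token "$tok"); rc=0
    val='{"jsonrpc":"2.0","id":1,"method":"SecurityAgent.1.validate","params":{"token":"%s"}}'
    res='{"jsonrpc":"2.0","id":42,"method":"org.rdk.DisplaySettings.1.setCurrentResolution","params":{"videoDisplay":"HDMI0","resolution":"1080p","persist":true}}'
    expect "validate accepts issued token" valid "$(rpc "$tok" "$(printf "$val" "$tok")")" || rc=1
    expect "validate rejects tampered token" invalid "$(rpc "$tok" "$(printf "$val" "$bad")")" || rc=1
    expect "tampered bearer is refused" unauthorized "$(rpc "$bad" "$res")" || rc=1
    expect "missing bearer is refused" unauthorized "$(rpc "" "$res")" || rc=1
    return $rc
}
if [ "${1:-}" = "run" ]; then run_checks; fi   # on the device: sh <script> run
```

A "got success" failure on either of the last two checks means the call was executed without a valid token, which indicates that Thunder Security is not actually enforced on the image.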
