Closed fujitatomoya closed 6 months ago
@clalancette @ruffsl any thoughts?
Not really an answer to your request but a workaround.
I tend to use a blanked "root" or "admin" enclave for debugging purposes and give it access to all topics/services.
And use that enclave for utilities like ros2 <verb>.
@mikaelarguedas thanks!
And use that enclave for utilities like ros2 <verb>.
this is the question here, can we use enclaves with ros2 <verb>? i do not see any docs around official pages.
@mikaelarguedas @fujitatomoya A friendly ping to follow up on this issue. @mikaelarguedas Need more information about
this is the question here, can we use enclaves with ros2 <verb>? i do not see any docs around official pages.
i guess i misunderstood https://github.com/ros2/sros2/issues/293#issuecomment-2060517077. what it means is that we have an empty security enclave for debugging purposes and expose topics/services to anyone (no security at all). at the production phase, we can start the application with secured enclaves to authenticate and protect the access.
that can be something of a work-around, but it does not really make sense if the enclaves are integrated in the application.
i think the correct way is, ros2 xxx commands should be issued with secured enclaves, and those enclaves are stored in the secured storage.
hmmm weird it's not in the docs anymore :thinking:
You can override enclaves through the environment variable ROS_SECURITY_ENCLAVE_OVERRIDE
If we take your example:
You have a talker running with security enabled
ros2cli is supposed to be unable to see the node graph.
If security is disabled in that environment the expected outcome is an empty graph:
```
root@22bc38f42b77:/# ros2 node list
root@22bc38f42b77:/#
```
If security is enabled and enforced the ros2 cli should fail with an error:
```
root@22bc38f42b77:/# ros2 daemon stop
root@22bc38f42b77:/# export ROS_SECURITY_KEYSTORE=~/sros2_demo/demo_keystore
root@22bc38f42b77:/# export ROS_SECURITY_ENABLE=true
root@22bc38f42b77:/# export ROS_SECURITY_STRATEGY=Enforce
root@22bc38f42b77:/# ros2 node list
[INFO] [1714897227.047192038] [rcl]: Found security directory: /root/sros2_demo/demo_keystore/enclaves
/opt/ros/jazzy/lib/python3.12/site-packages/rclpy/node.py:187: RuntimeWarning: Failed to fini rosout publisher: rcl node implementation is invalid, at ./src/rcl/node.c:390
self.__node = _rclpy.Node(
error creating node: couldn't find all security files!, at ./src/participant.cpp:360, at ./src/rcl/node.c:252
```
If you override the enclave:
```
root@22bc38f42b77:/# export ROS_SECURITY_ENCLAVE_OVERRIDE=/talker_listener/listener # Path relative to the keystore
root@22bc38f42b77:/# ros2 node list
/talker
root@22bc38f42b77:/# ros2 topic list
/chatter
/parameter_events
/rosout
root@22bc38f42b77:/# ros2 topic echo /chatter
[INFO] [1714897092.882384995] [rcl]: Found security directory: /root/sros2_demo/demo_keystore/enclaves/talker_listener/listener
data: 'Hello World: 257'
---
data: 'Hello World: 258'
---
```
And so my initial comment was to suggest having a "debugging" enclave that has very wide permissions, that is available only to people with rights to perform maintenance / debugging access, and use that "debugging" enclave for your debugging tools.
I added an example to the tutorial in this overall fixup PR https://github.com/ros2/sros2/pull/295 @fujitatomoya LMKWYT
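The "couldn't find all security files!" failure and the working override shown above can be checked before running any ros2 command. The following is an added example, not part of the thread or of sros2: `check_enclave` and `use_enclave` are hypothetical helper names, and the required file list is an assumption based on what an sros2-generated enclave directory contains.

```shell
#!/usr/bin/env bash
# Added example, not from the thread: pre-flight check for a CLI/debug enclave.
# Assumption: the enclave directory is <keystore>/enclaves/<enclave path>, as in
# the "Found security directory" log line, and must hold the files listed here.
REQUIRED_FILES="cert.pem key.pem identity_ca.cert.pem permissions_ca.cert.pem governance.p7s permissions.p7s"

# check_enclave KEYSTORE ENCLAVE (hypothetical helper)
# Returns 0 if usable, 1 if files are missing, 2 if key.pem is accessible to
# group/others, 3 if the enclave path does not start with "/".
check_enclave() {
    local keystore enclave dir f missing mode
    keystore=$1; enclave=$2; missing=0
    case $enclave in
        /*) ;;
        *) echo "enclave path must start with /: $enclave" >&2; return 3 ;;
    esac
    dir="$keystore/enclaves$enclave"
    for f in $REQUIRED_FILES; do
        if [ ! -e "$dir/$f" ]; then
            echo "missing: $dir/$f" >&2
            missing=1
        fi
    done
    [ "$missing" -eq 0 ] || return 1
    # A wide-permission enclave is only as restricted as its private key file.
    mode=$(stat -L -c '%a' "$dir/key.pem" 2>/dev/null || stat -L -f '%Lp' "$dir/key.pem")
    case $mode in
        *00) ;;
        *) echo "key.pem has mode $mode, expected owner-only" >&2; return 2 ;;
    esac
    return 0
}

# use_enclave KEYSTORE ENCLAVE (hypothetical helper)
# Exports the variables shown in the thread only when the check passes.
use_enclave() {
    check_enclave "$1" "$2" || return $?
    export ROS_SECURITY_KEYSTORE="$1"
    export ROS_SECURITY_ENABLE=true
    export ROS_SECURITY_STRATEGY=Enforce
    export ROS_SECURITY_ENCLAVE_OVERRIDE="$2"
}
```

Source the file in the shell used for debugging and call `use_enclave ~/sros2_demo/demo_keystore /talker_listener/listener`; a non-zero return leaves the environment untouched.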
@mikaelarguedas thanks for the PR! i will definitely take a look and try.
@clalancette @mikaelarguedas PR is already merged, but found some problems. please see more details for https://github.com/ros2/sros2/pull/295#pullrequestreview-2041703763.
This is more like a question. As far as i check, i could not find any documentation.
Feature request
Feature description
with security enabled talker and listener, aligned with https://docs.ros.org/en/rolling/Tutorials/Advanced/Security/Security-Main.html, ros2cli is supposed to be unable to see the node graph. but especially during debugging, it would be nice to see the node graph and all commands even with security enabled endpoints.
e.g