feat(connd): wifi profile encryption

Cargo.toml

@@ -96,6 +96,7 @@ camino = "1.1.6"
 cc = "1.2.16"
 chacha20poly1305 = "0.10.1"
 chrono = "0.4.40"
+ciborium = "0.2.2"
 clap = { version = "4.5", features = ["derive", "env"] }
 clap-num = "1.2.0"
 clap-stdin = { version = "0.6.0", default-features = false }
@@ -110,6 +111,7 @@ derive_more = { version = "2.1.0", default-features = false, features = [
 	"from",
 ] }
 ed25519-dalek = { version = "2.1.1", default-features = false, features = ["std"] }
+escargot = "0.5.15"
 eyre = "0.6.12"
 flume = "0.11.1"
 ftdi-embedded-hal = { version = "0.22.0", features = ["libftd2xx", "libftd2xx-static"] }
@@ -167,6 +169,7 @@ tracing-journald = "0.3.0"
 tracing-opentelemetry = { version = "0.28", default-features = false }
 tracing-subscriber = { version = "0.3", features = ["env-filter"] }
 url = "2.5.4"
+uuid = "1.18.1"
 wiremock = "0.6.4"
 zbus = { version = "4.4.0", default-features = false, features = ["tokio"] }
 zbus_systemd = "0.25600.0"

orb-connd/Cargo.toml

@@ -17,8 +17,11 @@ base64.workspace = true
 bon.workspace = true
 chacha20poly1305.workspace = true
 chrono.workspace = true
+ciborium.workspace = true
+clap = { workspace = true, features = ["derive"] }
 color-eyre.workspace = true
 dashmap.workspace = true
+uuid = { workspace = true, features = ["v4"] }
 derive_more = { workspace = true, default-features = false, features = ["display"] }
 dogstatsd = "0.11"
 flume.workspace = true
@@ -32,6 +35,7 @@ orb-connd-dbus.workspace = true
 orb-info = { workspace = true, features = ["orb-os-release", "async"] }
 orb-secure-storage-ca = { workspace = true, default-features = false, features = [
 	"backend-in-memory",
+	"backend-optee",
 ] }
 orb-telemetry.workspace = true
 p256.workspace = true
@@ -50,15 +54,20 @@ tokio-util = { workspace = true, features = ["codec"] }
 tracing-subscriber.workspace = true
 tracing.workspace = true
 zbus.workspace = true
+uzers = "0.12.0"
 
 [dev-dependencies]
 async-tempfile.workspace = true
+escargot.workspace = true
 test-utils.workspace = true
 nix = { workspace = true, features = ["socket"] }
 test-with.workspace = true
 mockall.workspace = true
 tokio-stream = { workspace = true, features = ["fs"] }
 
+[package.metadata.orb]
+unsupported_targets = ["aarch64-apple-darwin", "x86_64-apple-darwin"]
+
 [package.metadata.deb]
 maintainer-scripts = "debian/"
 assets = [

orb-connd/src/main_daemon.rs → orb-connd/src/connectivity_daemon.rs

@@ -1,5 +1,7 @@
 use crate::modem_manager::ModemManager;
 use crate::network_manager::NetworkManager;
+use crate::profile_store::ProfileStore;
+use crate::secure_storage::SecureStorage;
 use crate::service::ConndService;
 use crate::statsd::StatsdClient;
 use crate::{telemetry, OrbCapabilities, Tasks};
@@ -9,7 +11,7 @@ use std::time::Duration;
 use std::{path::Path, sync::Arc};
 use tokio::{task, time};
 use tracing::error;
-use tracing::{info, warn};
+use tracing::info;
 
 #[bon::builder(finish_fn = run)]
 pub async fn program(
@@ -21,6 +23,7 @@ pub async fn program(
     statsd_client: impl StatsdClient,
     modem_manager: impl ModemManager,
     connect_timeout: Duration,
+    secure_storage: SecureStorage,
 ) -> Result<Tasks> {
     let sysfs = sysfs.as_ref().to_path_buf();
     let modem_manager: Arc<dyn ModemManager> = Arc::new(modem_manager);
@@ -32,27 +35,18 @@ pub async fn program(
         os_release.orb_os_platform_type, os_release.release_type, cap
     );
 
+    let profile_store = ProfileStore::new(secure_storage);
+
     let connd = ConndService::new(
         session_bus.clone(),
         network_manager.clone(),
         os_release.release_type,
         cap,
         connect_timeout,
-    );
-
-    connd.setup_default_profiles().await?;
-
-    if let Err(e) = connd.import_wpa_conf(&usr_persistent).await {
-        warn!("failed to import legacy wpa config {e}");
-    }
-
-    if let Err(e) = connd.ensure_networking_enabled().await {
-        warn!("failed to ensure networking is enabled {e}");
-    }
-
-    if let Err(e) = connd.ensure_nm_state_below_max_size(usr_persistent).await {
-        warn!("failed to ensure nm state below max size: {e}");
-    }
+        &usr_persistent,
+        profile_store,
+    )
+    .await?;
 
     let mut tasks = vec![connd.spawn()];
 

orb-connd/src/lib.rs

@@ -1,27 +1,18 @@
-use color_eyre::{
-    eyre::{self, Context, OptionExt},
-    Result,
-};
+use color_eyre::Result;
 use derive_more::Display;
-use num_derive::{FromPrimitive, ToPrimitive};
-use num_traits::FromPrimitive as _;
-use orb_secure_storage_ca::in_memory::InMemoryBackend;
-use std::env::VarError;
 use std::path::Path;
-use std::str::FromStr;
 use tokio::{fs, task::JoinHandle};
 
-pub mod key_material;
-pub mod main_daemon;
+pub mod connectivity_daemon;
 pub mod modem_manager;
 pub mod network_manager;
+pub mod profile_store;
+pub mod secure_storage;
 pub mod service;
 pub mod statsd;
 pub mod telemetry;
 pub mod wpa_ctrl;
 
-mod profile_store;
-mod secure_storage;
 mod utils;
 
 pub(crate) type Tasks = Vec<JoinHandle<Result<()>>>;
@@ -42,48 +33,3 @@ impl OrbCapabilities {
         }
     }
 }
-
-pub const ENV_FORK_MARKER: &str = "ORB_CONND_FORK_MARKER";
-
-// TODO: Instead of toplevel enum, use inventory crate to register entry points and an
-// init() hook at entry point of program.
-/// The complete set of worker entrypoints that could be executed instead of the regular `main`.
-#[derive(Debug, FromPrimitive, ToPrimitive)]
-#[repr(u8)]
-pub enum EntryPoint {
-    SecureStorage = 1,
-}
-
-impl EntryPoint {
-    pub fn run(self) -> Result<()> {
-        let rt = tokio::runtime::Builder::new_current_thread().build()?;
-        // TODO(@vmenge): Have a way to control whether we use in-memory or actual
-        // optee via runtime configuration (for testing and portability)
-        let mut in_memory_ctx =
-            orb_secure_storage_ca::in_memory::InMemoryContext::default();
-        rt.block_on(match self {
-            EntryPoint::SecureStorage => {
-                crate::secure_storage::subprocess::entry::<InMemoryBackend>(
-                    tokio::io::join(tokio::io::stdin(), tokio::io::stdout()),
-                    &mut in_memory_ctx,
-                )
-            }
-        })
-    }
-}
-
-impl FromStr for EntryPoint {
-    type Err = eyre::Report;
-
-    fn from_str(s: &str) -> Result<Self, Self::Err> {
-        Self::from_u8(u8::from_str(s).wrap_err("not a u8")?).ok_or_eyre("unknown id")
-    }
-}
-
-pub fn maybe_fork() -> Result<()> {
-    match std::env::var(ENV_FORK_MARKER) {
-        Err(VarError::NotUnicode(_)) => panic!("expected unicode env var value"),
-        Err(VarError::NotPresent) => Ok(()),
-        Ok(s) => EntryPoint::from_str(&s).expect("unknown entrypoint").run(),
-    }
-}