Add nat20cli command line tool for nat20device. #104
Add a kernel module that provides libnat20 functionality to linux kernel modules. Also add a configuration to build a minimal linux image with buildroot and run it on qemu, and a workflow to test build nat20lib.ko.
This module creates a new character device class intended to implement the nat20 service protocol implementing DICE based device state attestation and an embedded CA.
The nat20crypto module implements the libnat20 crypto interface in terms of linux kernel crypto primitives. The module implements
- deterministic ECDSA with curves P256 and P384.
- Bytewise SHA-2 224/256/384/512
- HMAC
- HKDF

ED25519 is currently not supported.
…/linux_example_nat20device
…urm/linux_example_nat20crypto
Pull request overview
Adds a new nat20cli Linux userspace command-line tool that drives the nat20 DICE service through /dev/nat200, together with a parallel nat20test integration test suite and CI plumbing to run both in QEMU. The CLI exposes promote/cdi-cert/eca-cert/eca-ee-cert/eca-ee-sign operations and ships with a helper test script that uses OpenSSL to validate the produced chain; the integration test exhaustively verifies all key-type/format permutations across promote levels using libnat20 + OpenSSL primitives in test_helpers.c/h.
Changes:
- New nat20cli tool (option parsing, request construction, response handling, hex helpers) plus shell test script and OpenSSL DICE OID config.
- New nat20test integration test binary with COSE/X.509/signature verification helpers and a full multi-level promote chain test.
- Buildroot packages (nat20cli, nat20test), defconfig wiring, envsetup additions, and a CI workflow extension that builds the rootfs and runs both suites under QEMU.
Reviewed changes
Copilot reviewed 20 out of 20 changed files in this pull request and generated 8 comments.
| File | Description |
|---|---|
| examples/linux/nat20cli/src/main.c | New CLI program implementing all request types and hex parsing. |
| examples/linux/nat20cli/nat20cli_test.sh | E2E test invoking the CLI and OpenSSL chain/signature verification. |
| examples/linux/nat20cli/nat20cli_qemu_init.sh | PID 1 init wrapper to run the CLI test in QEMU. |
| examples/linux/nat20cli/openssl_dice.cnf | Registers DICE OID names for openssl x509 -text. |
| examples/linux/nat20cli/CMakeLists.txt | CMake build for the CLI binary and scripts. |
| examples/linux/nat20test/test/nat20_integration_test.c | Parameterised integration test driving the DICE service. |
| examples/linux/nat20test/test/test_helpers.{c,h} | OpenSSL/COSE/X.509 verification utilities used by the test. |
| examples/linux/nat20test/nat20test.sh / nat20_qemu_init.sh | Test runner and QEMU init wrappers. |
| examples/linux/nat20test/CMakeLists.txt | CMake build for the integration test. |
| examples/linux/br_external/package/nat20cli/{Config.in,nat20cli.mk} | Buildroot package definition for the CLI. |
| examples/linux/br_external/package/nat20test/{Config.in,nat20test.mk} | Buildroot package definition for the integration test. |
| examples/linux/br_external/Config.in / configs/qemu_br_defconfig | Hooks new packages into the build. |
| examples/linux/br_external/utils/envsetup.sh | Adds SRCDIR overrides and a run_cli_test helper. |
| .github/workflows/linux-kmod-build.yml | Builds CLI/test packages and runs both QEMU test suites in CI. |
| .github/license-check/license-config.json | Adds openssl_dice.cnf to exempted-formats list. |
| if (strcmp(str, "sign") == 0) { | ||
| N20_OPEN_DICE_KEY_USAGE_SET_DIGITAL_SIGNATURE(key_usage); | ||
| } else if (strcmp(str, "cert-sign") == 0) { | ||
| N20_OPEN_DICE_KEY_USAGE_SET_KEY_CERT_SIGN(key_usage); | ||
| } |
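Review bot: The if/else-if chain on str shown here ends after the "cert-sign" branch with no final else, so a misspelled or unsupported usage string leaves key_usage untouched and the caller gets no indication that the argument was ignored. The resulting key has fewer usage bits than requested, which fails closed, but the operator may only notice when a later operation does not behave as expected. Consider adding an else branch that reports the unrecognized value and returns an error to the option parser.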
It is always safe to create an unusable key.
…nux_example_nat20cli
timhirsh left a comment
Approving GH Actions changes 👍
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
…nux_example_nat20cli
| } | ||
|
|
||
| slice->buffer = (uint8_t *)hex_str; | ||
| int bytes_written = hex_string_to_bytes_in_place((char *)slice->buffer); |
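Review bot: slice->buffer is pointed at hex_str and hex_string_to_bytes_in_place() then overwrites that same storage, so the slice borrows memory it does not own and the original hex text is no longer available for a later diagnostic. Decoding into a separately allocated buffer sized from the input length would make ownership explicit and remove the uint8_t * to char * round-trip cast. bytes_written is a signed int, so if the helper reports failure through it, check the value before it is stored as the slice size.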
This was found by Claude and it probably works OK, but this in-place mutation occurs on optarg from the parse_command_options() function. It seems to work with our compiler, so I'm unclear how important this is.
I changed this so that the binary blobs are stored into allocated buffers instead of reusing the argv buffer.
| return cli_error_libnat20; | ||
| } | ||
|
|
||
| printf("Compressed input: "); |
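Review bot: printf("Compressed input: ") emits a diagnostic label on stdout unconditionally. If the tool's results are also written to stdout, a script that pipes them onward will receive this text mixed in with the data. Send diagnostics to stderr or gate them behind a verbose option.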
Not a problem, but you have a lot of informational print statements throughout the code and I just wanted to verify that you meant to keep all of these in.
This is behind a flag now.
| exit(EXIT_FAILURE); | ||
| } | ||
|
|
||
| uint8_t response_buffer[1024]; |
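Review bot: response_buffer is a fixed 1024-byte stack array with the size written as a bare literal. Give the size a named constant, pass sizeof(response_buffer) to whatever fills it, and treat a response that does not fit as an explicit error rather than relying on 1024 being large enough for every certificate the device can return.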
I want to verify that 1024 bytes is sufficient. Is this only going to run on our sample implementation, or might it run in different scenarios? In PR 105 from yesterday, your response buffers were a mixture of 1024 and 2048 sizes (depending on the scenario), but most of the certificate responses were 2048.
…nux_example_nat20cli
…nux_example_nat20cli
The base branch was changed.
This commandline tool provides a primitive interface to communicate with
a nat20 device.