netifd-morse/dpp-key-recovery: (APP-3496, PR #879) clean up DPP qrcode paths

- only attempt to generate qrcode if dpp_key.pem exists - reduce number of code paths: - only generate private key in dpp-key-recovery - only generate qrcode when morse interface is brought up and we definitely have a MAC address (this lets us remove a bunch of mac address fallback code which is not useful) - some refactoring/simplification to reduce amount of code This means that this script doesn't change this key later in the bringup, and the logic is simpler. It also means we don't _regenerate_ if we've failed to put it in persistent storage (i.e. the persistent storage write failed). Approved-by: Evan Benn Approved-by: Milad Mohtashamirad
2025-12-09 19:42:26 -06:00 · 2024-10-11 03:10:48 +00:00 · 2024-10-11 03:10:48 +00:00 · 5f4347ee5b
commit 5f4347ee5b
parent 9cc09a8fdf
3 changed files with 27 additions and 119 deletions
--- a/netifd-morse/lib/netifd/wireless/morse.sh
+++ b/netifd-morse/lib/netifd/wireless/morse.sh
@ -146,11 +146,11 @@ build_morse_mod_params(){
 }


-# If thinlmac optimisation is unset, the original settings are not restored unless the device is rebooted. 
-# This is because the user could have forced different settings (e.g. via rc.local, or by setting ipv6_disabled=0 
-# in UCI on the network device itself), and we do not want to unexpectedly interfere with these when this option 
-# is unset. Note also that it's difficult to disable IPv6 via UCI in the normal way because it needs to be done 
-# on the L3 device, and this device is not fixed for a particular wifi-iface (i.e. it might be a bridge) so there's 
+# If thinlmac optimisation is unset, the original settings are not restored unless the device is rebooted.
+# This is because the user could have forced different settings (e.g. via rc.local, or by setting ipv6_disabled=0
+# in UCI on the network device itself), and we do not want to unexpectedly interfere with these when this option
+# is unset. Note also that it's difficult to disable IPv6 via UCI in the normal way because it needs to be done
+# on the L3 device, and this device is not fixed for a particular wifi-iface (i.e. it might be a bridge) so there's
 # no clean way to push the wifi-device option into the right network device.
 apply_thin_lmac_optimization() {
 	# Disable noise from IPv6 incidental traffic
@ -297,10 +297,10 @@ get_mesh11sd_config() {
 	json_select ..
 }

-get_matter_config() { 
+get_matter_config() {
 	config_load matter
 	var=
-	
+
 	json_select config

 	config_get var config enable
--- a/utils/dpp-key-recovery/files/etc/init.d/dpp-key-recovery
+++ b/utils/dpp-key-recovery/files/etc/init.d/dpp-key-recovery
@ -2,69 +2,14 @@
 #
 # Copyright (C) 2021-2023 Morse Micro Pty Ltd. All rights reserved.
 #
-. /lib/netifd/morse/morse_utils.sh

+# It's important this happens before netifd sets up any
+# morse interfaces, because the actual svg creation happens
+# when there and /etc/dpp_key.pem must already exist.
 START=11

-# update_dpp_private_key compares the recovered dpp_key (if exist) with the one
-# in /etc/dpp_key.pem and will overwrite it if they are different. 
-update_dpp_private_key()
-{
-	local tmp_key_path=$1
-	local etc_key_path=$2
-
-	# /tmp/key exist , /etc/key DOESN'T exist
-	if [ -f "$tmp_key_path" ] && [ ! -f "$etc_key_path" ]; then
-		#copy /tmp/key to /etc/key; return
-		cp $tmp_key_path $etc_key_path
-		return
-	fi
-
-
-	# /tmp/key DOESN'T exist , /etc/key DOESN'T exist
-	if [ ! -f "$tmp_key_path" ] && [ ! -f "$etc_key_path" ]; then
-		#generate a key and save it to /etc/key; return
-		openssl ecparam -genkey -name prime256v1 -noout -out $etc_key_path
-		return
-	fi
-
-
-	# /tmp/key DOESN'T exist , /etc/key exist
-	if [ ! -f "$tmp_key_path" ] && [ -f "$etc_key_path" ]; then
-		return
-	fi
-
-	# /tmp/key exist , /etc/key exist
-	if [ -f "$tmp_key_path" ] && [ -f "$etc_key_path" ]; then
-		#are they different?		
-		local md5sum_tmp_key=$(md5sum $tmp_key_path | awk '{ print $1 }')
-		local md5sum_etc_key=$(md5sum $etc_key_path | awk '{ print $1 }')
-		if [ ! "$md5sum_tmp_key" = "$md5sum_etc_key" ]; then
-			#yes
-			#copy /tmp/key to /etc/key; return
-			cp $tmp_key_path $etc_key_path
-			return
-		else
-			#no
-			return
-		fi
-	fi
-
-}
-
 boot() {
-    /morse/scripts/recover_dpp_key.sh /tmp/dpp_key.pem
-    update_dpp_private_key /tmp/dpp_key.pem /etc/dpp_key.pem
-
-	local halow_mac="$(morse_get_chip_macaddr)"
-	if [ -z "$halow_mac" ]; then
-		local ETH0_MAC_SUFFIX="$(cat /sys/class/net/eth0/address | cut -d: -f4-)"
-		halow_mac="0C:BF:74:$ETH0_MAC_SUFFIX"
-	fi
-
-	if [ -n "$halow_mac" ]; then
-		update_dpp_qrcode /etc/dpp_key.pem "$halow_mac"
-	else
-		logger "Unable to get macaddr of the halow interface. Skipping QR code string generation"
+	if [ ! -e /etc/dpp_key.pem ]; then
+		/morse/scripts/recover_dpp_key.sh /etc/dpp_key.pem
 	fi
 }
--- a/utils/dpp-key-recovery/files/morse/scripts/recover_dpp_key.sh
+++ b/utils/dpp-key-recovery/files/morse/scripts/recover_dpp_key.sh
@ -3,65 +3,28 @@
 # Copyright (C) 2023 MorseMicro
 #

-
 dpp_key_tmp_file=$1

-get_key_from_persistent_storage()
-{
-    local ubenv_key=
-    [ -f "/sbin/persistent_vars_storage.sh" ] && ubenv_key=$(/sbin/persistent_vars_storage.sh READ dpp_priv_key)
-    echo "$ubenv_key"
-}
+ubenv_key=$(persistent_vars_storage.sh READ dpp_priv_key)

-create_persistent_private_key()
-{
-    logger "Generating a new private key and saving it to the persistent storage."    
-    local priv_key=$(openssl ecparam -genkey -name prime256v1 -noout -outform DER | hexdump -e '16/1 "%02x " "\n"'| xxd -r -p | base64 -w 0)
-    
-    /sbin/persistent_vars_storage.sh WRITE dpp_priv_key "$priv_key"
-    
-    echo "$priv_key"
-}
+# logger is not available at START=11, which is when this is
+# used by /etc/init.d/dpp-key-recovery

-save_private_key_file()
-{
-    echo "-----BEGIN EC PRIVATE KEY-----" > $2
-    echo "$1"                            >> $2
-    echo "-----END EC PRIVATE KEY-----"  >> $2
-}
-
-
-#1-check if the /sbin/persistent_vars_storage.sh scripts exist.
-[ ! -f "/sbin/persistent_vars_storage.sh" ] && exit 0
-
-
-#2-get the private key from uboot_env
-ubenv_key=$(get_key_from_persistent_storage)
-
-#3-is private key empty?
 if [ -z "$ubenv_key" ]; then
-    #23-yes: we don't have dpp private key.
-    logger "DPP private key isn't found in u-boot-env."    
-    ubenv_key=$(create_persistent_private_key)
+    echo "dpp-key-recovery: DPP private key isn't found in persistent storage." > /dev/kmsg
 fi

-#create /tmp/dpp_key.pem with the result.
-save_private_key_file $ubenv_key $dpp_key_tmp_file
-
-#is the private key valid?
-if openssl ec -in $dpp_key_tmp_file -check 1>/dev/null 2>/dev/null ; then 
-    #yes: done.
-    exit 0
-else 
-    #no
-    logger "persistent storage contains an incorrect DPP private key." 
-    ubenv_key=$(create_persistent_private_key) 
-    save_private_key_file $ubenv_key $dpp_key_tmp_file
-    exit 0
+if ! openssl ec -in $dpp_key_tmp_file -check 1>/dev/null 2>/dev/null; then
+    echo "dpp-key-recovery: persistent storage contains an incorrect DPP private key." > /dev/kmsg
+    ubenv_key=
 fi

+if [ -z "$ubenv_key" ]; then
+    echo "dpp-key-recovery: generating a new private key and saving it to the persistent storage." > /dev/kmsg
+    ubenv_key=$(openssl ecparam -genkey -name prime256v1 -noout -outform DER | base64 -w0)
+    /sbin/persistent_vars_storage.sh WRITE dpp_priv_key "$ubenv_key"
+fi

-
-
-
-
+echo "-----BEGIN EC PRIVATE KEY-----" > "$dpp_key_tmp_file"
+echo "$ubenv_key"                     >> "$dpp_key_tmp_file"
+echo "-----END EC PRIVATE KEY-----"  >> "$dpp_key_tmp_file"