Add nat20cli command line tool for nat20device. #104
This reverts commit b159fbb.
Pull request overview
Adds a new nat20cli Linux userspace command-line tool that drives the nat20 DICE service through /dev/nat200, together with a parallel nat20test integration test suite and CI plumbing to run both in QEMU. The CLI exposes promote/cdi-cert/eca-cert/eca-ee-cert/eca-ee-sign operations and ships with a helper test script that uses OpenSSL to validate the produced chain; the integration test exhaustively verifies all key-type/format permutations across promote levels using libnat20 + OpenSSL primitives in test_helpers.c/h.
Changes:
- New `nat20cli` tool (option parsing, request construction, response handling, hex helpers) plus shell test script and OpenSSL DICE OID config.
- New `nat20test` integration test binary with COSE/X.509/signature verification helpers and a full multi-level promote chain test.
- Buildroot packages (`nat20cli`, `nat20test`), defconfig wiring, envsetup additions, and a CI workflow extension that builds the rootfs and runs both suites under QEMU.
Reviewed changes
Copilot reviewed 20 out of 20 changed files in this pull request and generated 8 comments.
| File | Description |
|---|---|
| examples/linux/nat20cli/src/main.c | New CLI program implementing all request types and hex parsing. |
| examples/linux/nat20cli/nat20cli_test.sh | E2E test invoking the CLI and OpenSSL chain/signature verification. |
| examples/linux/nat20cli/nat20cli_qemu_init.sh | PID 1 init wrapper to run the CLI test in QEMU. |
| examples/linux/nat20cli/openssl_dice.cnf | Registers DICE OID names for openssl x509 -text. |
| examples/linux/nat20cli/CMakeLists.txt | CMake build for the CLI binary and scripts. |
| examples/linux/nat20test/test/nat20_integration_test.c | Parameterised integration test driving the DICE service. |
| examples/linux/nat20test/test/test_helpers.{c,h} | OpenSSL/COSE/X.509 verification utilities used by the test. |
| examples/linux/nat20test/nat20test.sh / nat20_qemu_init.sh | Test runner and QEMU init wrappers. |
| examples/linux/nat20test/CMakeLists.txt | CMake build for the integration test. |
| examples/linux/br_external/package/nat20cli/{Config.in,nat20cli.mk} | Buildroot package definition for the CLI. |
| examples/linux/br_external/package/nat20test/{Config.in,nat20test.mk} | Buildroot package definition for the integration test. |
| examples/linux/br_external/Config.in / configs/qemu_br_defconfig | Hooks new packages into the build. |
| examples/linux/br_external/utils/envsetup.sh | Adds SRCDIR overrides and a run_cli_test helper. |
| .github/workflows/linux-kmod-build.yml | Builds CLI/test packages and runs both QEMU test suites in CI. |
| .github/license-check/license-config.json | Adds openssl_dice.cnf to exempted-formats list. |
|
|
||
| int parse_output_format(char const *str) { | ||
| if (strcmp(str, "x509") == 0) return n20_certificate_format_x509_e; | ||
| #ifdef N20_WITH_COSE |
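Review bot: parse_output_format() only shows the "x509" branch and the #ifdef N20_WITH_COSE guard here; make sure the path for an unrecognised string, and for "cose" in a build without N20_WITH_COSE, returns an explicit error value rather than falling through to a valid enum, because the usage text advertises `<x509|cose>` unconditionally.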
| size_t pos = 0; | ||
| if ((len & 1) != 0) { | ||
| // Odd length, assume leading zero | ||
| *out_pos++ = nibble2bits(hex[0]); |
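Review bot: the odd-length branch silently prepends a zero nibble, which turns a truncated or mistyped hex argument into a valid but different byte string; consider rejecting odd lengths with an error (or at least stating the leading-zero assumption in the usage text), and make sure nibble2bits() reports a non-hex character instead of mapping it to some value.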
| " --certificate-format -f <x509|cose>\n" | ||
| " The format of the certificate to be issued.\n" | ||
| "\n" | ||
| "Options (cdi-cert):" |
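Review bot: the "Options (cdi-cert):" heading has no trailing \n, unlike "Options (*-cert commands):\n" in the same usage text, so the next option line will be printed on the same row; add the newline.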
| if (strcmp(str, "sign") == 0) { | ||
| N20_OPEN_DICE_KEY_USAGE_SET_DIGITAL_SIGNATURE(key_usage); | ||
| } else if (strcmp(str, "cert-sign") == 0) { | ||
| N20_OPEN_DICE_KEY_USAGE_SET_KEY_CERT_SIGN(key_usage); | ||
| } |
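Review bot: the if / else-if chain has no final else, so a key-usage string that is neither "sign" nor "cert-sign" leaves key_usage untouched and the request proceeds with whatever default it held; add an else branch that reports the unknown value and returns an error.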
| " The output file to write the resulting certificate or " | ||
| "signature to.\n" | ||
| "\n" | ||
| "Options (*-cert commands):\n" |
timhirsh
left a comment
Approving GH Actions changes 👍
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
| } | ||
|
|
||
| slice->buffer = (uint8_t *)hex_str; | ||
| int bytes_written = hex_string_to_bytes_in_place((char *)slice->buffer); |
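Review bot: decoding in place over the string that arrived as optarg is defined behaviour (the C standard guarantees argv strings are modifiable), but the (uint8_t *) / (char *) cast pair discards whatever const qualification hex_str carried, and slice->buffer ends up aliasing memory owned by argv; a cleaner option is to allocate a buffer of len / 2 + 1 bytes, decode into it, and record the decoded length from the return value, which also removes the need for either cast.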
This was found by Claude and it probably works OK, but this in-place mutation occurs on optarg from the parse_command_options() function. It seems to work with our compiler, so I'm unclear how important this is.
| return cli_error_libnat20; | ||
| } | ||
|
|
||
| printf("Compressed input: "); |
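Review bot: printf("Compressed input: ") writes informational text to stdout; even with the result going to the --output file, diagnostics on stdout mix with anything a caller captures, so route them to stderr or gate them behind a verbose flag to keep stdout clean for scripts such as nat20cli_test.sh.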
Not a problem, but you have a lot of informational print statements throughout the code and I just wanted to verify that you meant to keep all of these in.
| exit(EXIT_FAILURE); | ||
| } | ||
|
|
||
| uint8_t response_buffer[1024]; |
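Review bot: response_buffer is a fixed 1024-byte stack array; wherever it is handed to the device read, pass sizeof(response_buffer) rather than a literal, and treat a response that fills the buffer exactly as a possible truncation (fail, or retry with a larger buffer) instead of parsing it. Given that the sibling code mentioned in review used 2048 for certificate responses, 1024 is likely too small for certificate output.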
I want to verify that 1024 bytes is sufficient. Is this only going to run on our sample implementation, or might it run in different scenarios? In PR 105 from yesterday, your response buffers were a mixture of 1024 and 2048 sizes (depending on the scenario), but most of the certificate responses were 2048.
This command-line tool provides a primitive interface to communicate with
a nat20 device.