diff --git a/docs/en/SUMMARY.md b/docs/en/SUMMARY.md index 7574e4601e..e47d02cdca 100644 --- a/docs/en/SUMMARY.md +++ b/docs/en/SUMMARY.md @@ -758,6 +758,7 @@ - [Streaming Messages](mavlink/streaming_messages.md) - [Receiving Messages](mavlink/receiving_messages.md) - [Custom MAVLink Messages](mavlink/custom_messages.md) + - [Message Signing](mavlink/message_signing.md) - [Protocols/Microservices](mavlink/protocols.md) - [Standard Modes Protocol](mavlink/standard_modes.md) - [uXRCE-DDS (PX4-ROS 2/DDS Bridge)](middleware/uxrce_dds.md) diff --git a/docs/en/mavlink/index.md b/docs/en/mavlink/index.md index 887bee66f5..e8d9f31c75 100644 --- a/docs/en/mavlink/index.md +++ b/docs/en/mavlink/index.md @@ -11,6 +11,7 @@ It also links instructions for how you can add PX4 support for: - [Streaming MAVLink messages](../mavlink/streaming_messages.md) - [Handling incoming MAVLink messages (and writing to a uORB topic)](../mavlink/receiving_messages.md) - [Custom MAVLink Messages](../mavlink/custom_messages.md) +- [Message Signing](../mavlink/message_signing.md) - [Protocols/Microservices](../mavlink/protocols.md) ::: info diff --git a/docs/en/mavlink/message_signing.md b/docs/en/mavlink/message_signing.md new file mode 100644 index 0000000000..62e4b17975 --- /dev/null +++ b/docs/en/mavlink/message_signing.md @@ -0,0 +1,126 @@ +# MAVLink Message Signing + +[MAVLink 2 message signing](https://mavlink.io/en/guide/message_signing.html) allows PX4 to cryptographically verify that incoming MAVLink messages originate from a trusted source (authentication). + +::: info +This mechanism does not _encrypt_ the message payload. +::: + +## Overview + +When signing is enabled, PX4 appends a 13-byte [signature](https://mavlink.io/en/guide/message_signing.html#signature) to every outgoing MAVLink 2 message. + +Incoming messages are checked against the shared secret key, and unsigned or incorrectly signed messages are rejected (with [exceptions for safety-critical messages](#unsigned-message-allowlist)). + +The signing implementation is built into the MAVLink module and is always available — no special build flags are required. +It is enabled and disabled at runtime through the [MAV_SIGN_CFG](../advanced_config/parameter_reference.md#MAV_SIGN_CFG) parameter. + +## Enable/Disable Signing + +The [MAV_SIGN_CFG](../advanced_config/parameter_reference.md#MAV_SIGN_CFG) parameter controls whether signing is active: + +| Value | Mode | Description | +| ----- | ------------------ | ------------------------------------------------------------------------------------------------------ | +| 0 | Disabled (default) | No signing. All messages are accepted regardless of signature. | +| 1 | Non-USB | Signing is enabled on all links **except** USB serial connections. USB links accept unsigned messages. | +| 2 | Always | Signing is enforced on all links, including USB. | + +::: warning +Setting `MAV_SIGN_CFG` alone does not enable signing — a secret key must also be present (see [Key Provisioning](#key-provisioning) below). +If no key has been set (or the key is all zeros with a zero timestamp), all messages are accepted regardless of this parameter. +::: + +To **disable** signing, set `MAV_SIGN_CFG` to zero. + +## Key Provisioning + +The signing key is set by sending the MAVLink [SETUP_SIGNING](https://mavlink.io/en/messages/common.html#SETUP_SIGNING) message (ID 256) to PX4. +This message contains: + +- A 32-byte secret key +- A 64-bit initial timestamp + +::: warning +For security, PX4 only accepts `SETUP_SIGNING` messages received on a **USB** connection. +The message is silently ignored on all other link types (telemetry radios, network, and so on). +This ensures that an attacker cannot remotely change the signing key. +::: + +## Key Storage + +The secret key and timestamp are stored on the SD card at: + +```txt +/mavlink/mavlink-signing-key.bin +``` + +The file is a 40-byte binary file: + +| Offset | Size | Content | +| ------ | -------- | ------------------------------------- | +| 0 | 32 bytes | Secret key | +| 32 | 8 bytes | Timestamp (`uint64_t`, little-endian) | + +The file is created with mode `0600` (owner read/write only), and the containing `/mavlink/` directory is created with mode `0700` (owner only). + +On startup, PX4 reads the key from this file. +If the file exists and contains a non-zero key or timestamp, signing is initialized automatically. + +::: info +The timestamp in the file is set when `SETUP_SIGNING` is received. +A graceful shutdown also writes the current timestamp back, but in practice most vehicles are powered off by pulling the battery, so the on-disk timestamp will typically remain at the value from the last key provisioning. +::: + +::: info +Storage of the key on the SD card means that signing can be disabled by removing the card. +Note that this requires physical access to the vehicle, and therefore provides the same level of security as allowing signing to be modified via the USB channel. +::: + +## How It Works + +### Initialization + +1. The MAVLink module calls `MavlinkSignControl::start()` during startup. +2. The `/mavlink/` directory is created if it doesn't exist. +3. The `mavlink-signing-key.bin` file is opened (or created empty). +4. If a valid key is found (non-zero key or timestamp), signing is marked as initialized. +5. The `accept_unsigned` callback is registered with the MAVLink library. + +### Outgoing Messages + +When signing is initialized, the `MAVLINK_SIGNING_FLAG_SIGN_OUTGOING` flag is set, which causes the MAVLink library to automatically append a [SHA-256 based signature](https://mavlink.io/en/guide/message_signing.html#signature) to every outgoing MAVLink 2 message. + +### Incoming Messages + +For each incoming message, the MAVLink library checks whether a valid signature is present. +If the message is unsigned or has an invalid signature, the library calls the `accept_unsigned` callback, which decides whether to accept or reject the message based on: + +1. **Signing not initialized** — If no key has been loaded, all messages are accepted. +2. **Allowlisted message** — Certain [safety-critical messages](#unsigned-message-allowlist) are always accepted. +3. **Sign mode** — The `MAV_SIGN_CFG` parameter determines behavior: + - Mode 0 (disabled): All unsigned messages are accepted. + - Mode 1 (non-USB): Unsigned messages are accepted only on USB links. + - Mode 2 (always): Unsigned messages are rejected on all links. + +## Unsigned Message Allowlist + +The following messages are **always** accepted unsigned, regardless of the signing mode. +These are safety-critical messages that may originate from systems that don't support signing: + +| Message | ID | Reason | +| ----------------------------------------------------------------------- | --- | -------------------------------------------------------- | +| [RADIO_STATUS](https://mavlink.io/en/messages/common.html#RADIO_STATUS) | 109 | Radio link status from SiK radios and other radio modems | +| [ADSB_VEHICLE](https://mavlink.io/en/messages/common.html#ADSB_VEHICLE) | 246 | ADS-B traffic information for collision avoidance | +| [COLLISION](https://mavlink.io/en/messages/common.html#COLLISION) | 247 | Collision threat warnings | + +## Security Considerations + +- **Physical access required for key setup**: The `SETUP_SIGNING` message is only accepted over USB, so an attacker must have physical access to the vehicle to provision or change the key. +- **Key not exposed via parameters**: The secret key is stored in a separate file on the SD card, not as a MAVLink parameter, so it cannot be read back through the parameter protocol. +- **SD card access**: Anyone with physical access to the SD card can read or modify the `mavlink-signing-key.bin` file, or just remove the card. + Ensure physical security of the vehicle if signing is used as a security control. +- **Replay protection**: The MAVLink signing protocol includes a timestamp that prevents replay attacks. + The on-disk timestamp is updated when a new key is provisioned via `SETUP_SIGNING`. + A graceful shutdown also persists the current timestamp, but since most vehicles are powered off by pulling the battery, the timestamp will typically reset to the value from the last key provisioning on reboot. +- **No encryption**: Message signing provides authentication and integrity, but messages are still sent in plaintext. + An eavesdropper can read message contents but cannot forge or modify them without the key. diff --git a/docs/en/mavlink/protocols.md b/docs/en/mavlink/protocols.md index 9dac078fb9..5105df2344 100644 --- a/docs/en/mavlink/protocols.md +++ b/docs/en/mavlink/protocols.md @@ -30,6 +30,7 @@ These services are known to be supported in some form: - [Landing Target Protocol](https://mavlink.io/en/services/landing_target.html) - [Manual Control (Joystick) Protocol](https://mavlink.io/en/services/manual_control.html) - [MAVLink Id Assignment (sysid, compid)](https://mavlink.io/en/services/mavlink_id_assignment.html) +- [Message Signing](../mavlink/message_signing.md) ([MAVLink spec](https://mavlink.io/en/guide/message_signing.html)) - [Mission Protocol](https://mavlink.io/en/services/mission.html) - [Offboard Control Protocol](https://mavlink.io/en/services/offboard_control.html) - [Remote ID](../peripherals/remote_id.md) ([Open Drone ID Protocol](https://mavlink.io/en/services/opendroneid.html)) diff --git a/src/modules/mavlink/CMakeLists.txt b/src/modules/mavlink/CMakeLists.txt index 4701863c07..79cd271c28 100644 --- a/src/modules/mavlink/CMakeLists.txt +++ b/src/modules/mavlink/CMakeLists.txt @@ -120,6 +120,7 @@ px4_add_module( mavlink_stream.cpp mavlink_timesync.cpp mavlink_ulog.cpp + mavlink_sign_control.cpp MavlinkStatustextHandler.cpp open_drone_id_translations.cpp tune_publisher.cpp diff --git a/src/modules/mavlink/mavlink_main.cpp b/src/modules/mavlink/mavlink_main.cpp index 57ceab1467..d1f4686f29 100644 --- a/src/modules/mavlink/mavlink_main.cpp +++ b/src/modules/mavlink/mavlink_main.cpp @@ -1,6 +1,6 @@ /**************************************************************************** * - * Copyright (c) 2012-2023 PX4 Development Team. All rights reserved. + * Copyright (c) 2012-2026 PX4 Development Team. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -95,6 +95,17 @@ void mavlink_end_uart_send(mavlink_channel_t chan, int length) { mavlink_module_ mavlink_status_t *mavlink_get_channel_status(uint8_t channel) { return mavlink_module_instances[channel]->get_status(); } mavlink_message_t *mavlink_get_channel_buffer(uint8_t channel) { return mavlink_module_instances[channel]->get_buffer(); } +static bool accept_unsigned_callback(const mavlink_status_t *status, uint32_t message_id) +{ + Mavlink *m = Mavlink::get_instance_for_status(status); + + if (m != nullptr) { + return m -> accept_unsigned(m->sign_mode(), m -> is_usb_uart(), message_id); + } + + return false; +} + static void usage(); hrt_abstime Mavlink::_first_start_time = {0}; @@ -314,6 +325,20 @@ Mavlink::get_instance_for_device(const char *device_name) return nullptr; } +Mavlink * +Mavlink::get_instance_for_status(const mavlink_status_t *status) +{ + LockGuard lg{mavlink_module_mutex}; + + for (Mavlink *inst : mavlink_module_instances) { + if (status == mavlink_get_channel_status(inst->get_instance_id())) { + return inst; + } + } + + return nullptr; +} + #ifdef MAVLINK_UDP Mavlink * Mavlink::get_instance_for_network_port(unsigned long port) @@ -1029,6 +1054,12 @@ Mavlink::handle_message(const mavlink_message_t *msg) * NOTE: this is called from the receiver thread */ + if (is_usb_uart()) { + if (_sign_control.check_for_signing(msg)) { + return; + } + } + if (get_forwarding_on()) { /* forward any messages to other mavlink instances */ Mavlink::forward_message(msg, this); @@ -1930,6 +1961,8 @@ Mavlink::task_main(int argc, char *argv[]) } } + _sign_control.start(_instance_id, get_status(), &accept_unsigned_callback); + int ch; _baudrate = 57600; _datarate = 0; diff --git a/src/modules/mavlink/mavlink_main.h b/src/modules/mavlink/mavlink_main.h index cdf079f9db..3e13715d64 100644 --- a/src/modules/mavlink/mavlink_main.h +++ b/src/modules/mavlink/mavlink_main.h @@ -1,6 +1,6 @@ /**************************************************************************** * - * Copyright (c) 2012-2023 PX4 Development Team. All rights reserved. + * Copyright (c) 2012-2026 PX4 Development Team. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -83,6 +83,7 @@ #include "mavlink_events.h" #include "mavlink_messages.h" #include "mavlink_receiver.h" +#include "mavlink_sign_control.h" #include "mavlink_shell.h" #include "mavlink_ulog.h" @@ -120,6 +121,7 @@ public: { _task_should_exit.store(true); _receiver.request_stop(); + _sign_control.write_key_and_timestamp(); } void display_status(); @@ -134,6 +136,7 @@ public: mavlink_message_t *get_buffer() { return &_mavlink_buffer; } mavlink_status_t *get_status() { return &_mavlink_status; } + static Mavlink *get_instance_for_status(const mavlink_status_t *status); void setProtocolVersion(uint8_t version); uint8_t getProtocolVersion() const { return _protocol_version; }; @@ -142,8 +145,8 @@ public: static int get_status_all_instances(bool show_streams_status); static bool serial_instance_exists(const char *device_name, Mavlink *self); - static bool component_was_seen(int system_id, int component_id, Mavlink &self); static void forward_message(const mavlink_message_t *msg, Mavlink *self); + static bool component_was_seen(int system_id, int component_id, Mavlink &self); bool check_events() const { return _should_check_events.load(); } void check_events_enable() { _should_check_events.store(true); } @@ -467,6 +470,7 @@ public: bool ftp_enabled() const { return _ftp_on; } bool hash_check_enabled() const { return _param_mav_hash_chk_en.get(); } + int32_t sign_mode() const { return _param_mav_sign_cfg.get(); } bool forward_heartbeats_enabled() const { return _param_mav_hb_forw_en.get(); } bool failure_injection_enabled() const { return _param_sys_failure_injection_enabled.get(); } @@ -490,9 +494,14 @@ public: bool radio_status_critical() const { return _radio_status_critical; } + bool accept_unsigned(int32_t sign_mode, bool is_usb_uart, uint32_t message_id) { return _sign_control.accept_unsigned(sign_mode, is_usb_uart, message_id); } + + private: MavlinkReceiver _receiver; + MavlinkSignControl _sign_control{}; + int _instance_id{-1}; int _task_id{-1}; @@ -632,6 +641,7 @@ private: (ParamBool) _param_mav_usehilgps, (ParamBool) _param_mav_fwdextsp, (ParamBool) _param_mav_hash_chk_en, + (ParamInt) _param_mav_sign_cfg, (ParamBool) _param_mav_hb_forw_en, (ParamInt) _param_mav_radio_timeout, (ParamInt) _param_sys_hitl, diff --git a/src/modules/mavlink/mavlink_params.c b/src/modules/mavlink/mavlink_params.c index f616bd01d6..5386c4f080 100644 --- a/src/modules/mavlink/mavlink_params.c +++ b/src/modules/mavlink/mavlink_params.c @@ -49,6 +49,15 @@ PARAM_DEFINE_INT32(MAV_SYS_ID, 1); */ PARAM_DEFINE_INT32(MAV_COMP_ID, 1); +/** + * MAVLink protocol signing + * @group MAVLink + * @value 0 Message signing disabled + * @value 1 Signing enabled except on USB + * @value 2 Signing always enabled + */ +PARAM_DEFINE_INT32(MAV_SIGN_CFG, 0); + /** * MAVLink protocol version * @group MAVLink diff --git a/src/modules/mavlink/mavlink_sign_control.cpp b/src/modules/mavlink/mavlink_sign_control.cpp new file mode 100644 index 0000000000..c4ace8a7ac --- /dev/null +++ b/src/modules/mavlink/mavlink_sign_control.cpp @@ -0,0 +1,199 @@ +/**************************************************************************** + * + * Copyright (c) 2026 PX4 Development Team. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * 3. Neither the name PX4 nor the names of its contributors may be + * used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, + * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS + * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED + * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN + * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. + * + ****************************************************************************/ + +/** + * @file mavlink_sign_control.cpp + * Mavlink messages signing control helpers implementation. + * + * @author Yulian oifa + */ + +#include "mavlink_sign_control.h" +#include + +static mavlink_signing_streams_t global_mavlink_signing_streams = {}; + +static const uint32_t unsigned_messages[] = { + MAVLINK_MSG_ID_RADIO_STATUS, + MAVLINK_MSG_ID_ADSB_VEHICLE, + MAVLINK_MSG_ID_COLLISION +}; + +MavlinkSignControl::MavlinkSignControl() +{ +} + +MavlinkSignControl::~MavlinkSignControl() +{ +} + +void MavlinkSignControl::start(int _instance_id, mavlink_status_t *_mavlink_status, + mavlink_accept_unsigned_t accept_unsigned_callback) +{ + _mavlink_signing.link_id = _instance_id; + _mavlink_signing.flags = MAVLINK_SIGNING_FLAG_SIGN_OUTGOING; + _mavlink_signing.accept_unsigned_callback = accept_unsigned_callback; + _is_signing_initialized = false; + + int mkdir_ret = mkdir(MAVLINK_FOLDER_PATH, S_IRWXU); + + if (mkdir_ret != 0 && errno != EEXIST) { + PX4_ERR("failed creating module storage dir: %s (%i)", MAVLINK_FOLDER_PATH, errno); + + } else { + int _fd = ::open(MAVLINK_SECRET_FILE, O_CREAT | O_RDONLY, PX4_O_MODE_600); + + if (_fd == -1) { + if (errno != ENOENT) { + PX4_ERR("failed creating mavlink secret key file: %s (%i)", MAVLINK_SECRET_FILE, errno); + } + + } else { + //if we dont have enough bytes we simply ignore it , because it may be not set yet + ssize_t bytes_read = ::read(_fd, _mavlink_signing.secret_key, MAVLINK_SECRET_KEY_LENGTH); + + if (bytes_read == MAVLINK_SECRET_KEY_LENGTH) { + bytes_read = ::read(_fd, &_mavlink_signing.timestamp, MAVLINK_SECRET_KEY_TIMESTAMP_LENGTH); + + if (bytes_read == MAVLINK_SECRET_KEY_TIMESTAMP_LENGTH) { + if (_mavlink_signing.timestamp != 0 || !is_array_all_zeros(_mavlink_signing.secret_key, MAVLINK_SECRET_KEY_LENGTH)) { + _is_signing_initialized = true; + } + } + } + + close(_fd); + } + } + + //lets reset it to nulls if it was not read properly + if (!_is_signing_initialized) { + for (size_t i = 0; i < MAVLINK_SECRET_KEY_LENGTH; ++i) { + _mavlink_signing.secret_key[i] = 0; + } + + _mavlink_signing.timestamp = 0; + } + + // copy pointer of the signing to status struct + _mavlink_status -> signing = &_mavlink_signing; + _mavlink_status -> signing_streams = &global_mavlink_signing_streams; +} + +bool MavlinkSignControl::check_for_signing(const mavlink_message_t *msg) +{ + if (msg->msgid != MAVLINK_MSG_ID_SETUP_SIGNING) { + return false; + } + + mavlink_setup_signing_t setup_signing; + mavlink_msg_setup_signing_decode(msg, &setup_signing); + + //setup signing provides new key , lets update it + //we update it only in case everything was stored properly + memcpy(_mavlink_signing.secret_key, setup_signing.secret_key, MAVLINK_SECRET_KEY_LENGTH); + _mavlink_signing.timestamp = setup_signing.initial_timestamp; + + if (setup_signing.initial_timestamp != 0 || !is_array_all_zeros(setup_signing.secret_key, MAVLINK_SECRET_KEY_LENGTH)) { + _is_signing_initialized = true; + + } else { + _is_signing_initialized = false; + } + + write_key_and_timestamp(); + + return true; +} + +void MavlinkSignControl::write_key_and_timestamp() +{ + int _fd = ::open(MAVLINK_SECRET_FILE, O_CREAT | O_WRONLY | O_TRUNC, PX4_O_MODE_600); + + if (_fd == -1) { + if (errno != ENOENT) { + PX4_ERR("failed opening mavlink secret key file for writing: %s (%i)", MAVLINK_SECRET_FILE, errno); + } + + } else { + ssize_t bytes_write = ::write(_fd, _mavlink_signing.secret_key, MAVLINK_SECRET_KEY_LENGTH); + + if (bytes_write == MAVLINK_SECRET_KEY_LENGTH) { + bytes_write = ::write(_fd, &_mavlink_signing.timestamp, MAVLINK_SECRET_KEY_TIMESTAMP_LENGTH); + } + + close(_fd); + } +} + +bool MavlinkSignControl::accept_unsigned(int32_t sign_mode, bool is_usb_uart, uint32_t message_id) +{ + // if signing is not initilized properly or has all zeroes we will allow any message + if (!_is_signing_initialized) { + return true; + } + + // Always accept a few select messages even if unsigned + for (unsigned i = 0; i < sizeof(unsigned_messages) / sizeof(unsigned_messages[0]); i++) { + if (unsigned_messages[i] == message_id) { + return true; + } + } + + switch (sign_mode) { + // If signing is not required always return true + case MavlinkSignControl::PROTO_SIGN_OPTIONAL: + return true; + + // Accept USB links if enabled + case MavlinkSignControl::PROTO_SIGN_NON_USB: + return is_usb_uart; + + case MavlinkSignControl::PROTO_SIGN_ALWAYS: + + // fallthrough + default: + return false; + } +} + +bool MavlinkSignControl::is_array_all_zeros(uint8_t arr[], size_t size) +{ + for (size_t i = 0; i < size; ++i) { + if (arr[i] != 0) { + return false; + } + } + + return true; +} diff --git a/src/modules/mavlink/mavlink_sign_control.h b/src/modules/mavlink/mavlink_sign_control.h new file mode 100644 index 0000000000..9c4c631797 --- /dev/null +++ b/src/modules/mavlink/mavlink_sign_control.h @@ -0,0 +1,99 @@ +/**************************************************************************** + * + * Copyright (c) 2026 PX4 Development Team. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * 3. Neither the name PX4 nor the names of its contributors may be + * used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, + * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS + * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED + * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN + * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. + * + ****************************************************************************/ + +/** + * @file mavlink_sign_control.h + * Mavlink messages signing control helpers. + * + * @author Yulian oifa + */ + +#ifndef MAVLINK_SIGN_CONTROL_H_ +#define MAVLINK_SIGN_CONTROL_H_ + +#define MAVLINK_SD_ROOT_PATH CONFIG_BOARD_ROOT_PATH "/" +#define MAVLINK_FOLDER_PATH MAVLINK_SD_ROOT_PATH"/mavlink" +#define MAVLINK_SECRET_FILE MAVLINK_FOLDER_PATH"/mavlink-signing-key.bin" + +#define MAVLINK_SECRET_KEY_TIMESTAMP_LENGTH 8 ///< size of timestamp in bytes +#define MAVLINK_SECRET_KEY_LENGTH 32 ///< size of key in bytes + +#include "mavlink_receiver.h" + +class Mavlink; + +class MavlinkSignControl +{ + +public: + MavlinkSignControl(); + ~MavlinkSignControl(); + + enum PROTO_SIGN { + PROTO_SIGN_OPTIONAL = 0, + PROTO_SIGN_NON_USB, + PROTO_SIGN_ALWAYS + }; + + /** + * Initialize signing and read configuration from file + */ + void start(int _instance_id, mavlink_status_t *_mavlink_status, mavlink_accept_unsigned_t accept_unsigned_callback); + + /** + * Checks whether the message is SETUP_SIGNING, and if yes , updates local key + */ + bool check_for_signing(const mavlink_message_t *msg); + + /** + * stores the key and timestamp from memory to file + */ + void write_key_and_timestamp(); + + /** + * Checks whether should accept unsigned message for specific sign mode + */ + bool accept_unsigned(int32_t sign_mode, bool is_usb_uart, uint32_t message_id); + + static bool is_array_all_zeros(uint8_t arr[], size_t size); +private: + mavlink_signing_t _mavlink_signing {}; + + /** + * Checks whether the key has been initialized + */ + bool _is_signing_initialized; +}; + + +#endif /* MAVLINK_SIGN_CONTROL_H_ */