OpenWrt One / project update
Bjørn Mork
bjorn at mork.no
Wed Apr 10 00:16:10 PDT 2024
Michael Richardson <mcr at sandelman.ca> writes:
> Bjørn Mork <bjorn at mork.no> wrote:
>
> > I assume the private key must be protected on the device. What are the
> > hardware requirements?
>
> There are no hard and fast rules. It certainly would be best if it's in some
> enclave. But, my take is that something is better than nothing
I agree that this sounds useful in any case.
But a key which can actually certify that you're talking to that
specific device is so much better. I believe it should be seriously
considered if you're going to do this.
Maintaining a PKI and adding more device specific data will have a
cost. Doing it "properly" might not be significantly more expensive. At
least not if you can use functionality already there in the SoC (or other
chips). Of which I know absolutely nothing, except that today's SoCs come
with more functional blocks than I can count on my fingers.
> In the RFC8995 onboarding situation, it would be used directly during
> bootstrap, but then probably replaced with an LDevID with a more accessible
> private key.
Thanks for the pointer. This section is pretty close to answering my
"IDevID howto for dummies" request:
https://datatracker.ietf.org/doc/html/rfc8995#name-initial-device-identifier
(and a sidenote: I'm really impressed that you got the IETF to standardize

    "BRSKI", pronounced like "brewski", is a colloquial term for beer in
    Canada and parts of the Midwestern United States

Great work! :-)
Bjørn
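Added example (not part of this thread, and not OpenWrt or Bjørn's code): a minimal Go sketch of what "a key which can actually certify that you're talking to that specific device" means in X.509 terms, following the IDevID shape from IEEE 802.1AR that RFC 8995 builds on. A manufacturer CA certifies a per-unit public key with the hardware serial in the subject; the device proves possession of the private key by signing a registrar-chosen nonce; the registrar checks the chain, the serial and the signature. The CA name, model name, serials and nonce are hypothetical or constructed, the device key is generated in software here as a stand-in for whatever secure element or SoC key block real hardware would use, and the later LDevID enrollment step of RFC 8995 is not shown.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// sign issues a certificate built from tmpl for pub, signed by signer under
// parent (parent == tmpl for a self-signed CA), and returns it parsed.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// CA is a minimal manufacturer CA. Names are hypothetical, not a real vendor PKI.
type CA struct {
	Key  *ecdsa.PrivateKey
	Cert *x509.Certificate
}

func NewCA(name string) (*CA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(20 * 365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	cert, err := sign(tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return &CA{Key: key, Cert: cert}, nil
}

// GenerateDeviceKey stands in for key generation inside the device's secure
// element: the private key is created there and never leaves.
func GenerateDeviceKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// Issue certifies one unit's public key; only the public half crosses this
// boundary. The hardware serial goes into the subject serialNumber attribute,
// as IEEE 802.1AR DevIDs do, so the certificate names one specific unit
// rather than "some unit of this model".
func (c *CA) Issue(hwSerial string, n int64, pub *ecdsa.PublicKey) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(n), Subject: pkix.Name{CommonName: "OpenWrt One", SerialNumber: hwSerial},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(20 * 365 * 24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	return sign(tmpl, c.Cert, pub, c.Key)
}

// Prove runs on the device: it signs a registrar-chosen nonce with the DevID
// key, the proof of possession that ties this session to this unit.
func Prove(devKey *ecdsa.PrivateKey, nonce []byte) ([]byte, error) {
	h := sha256.Sum256(nonce)
	return ecdsa.SignASN1(rand.Reader, devKey, h[:])
}

// VerifyDevID runs on the registrar: chain to the trusted manufacturer CA,
// expected serial in the subject, valid signature over the nonce. A valid
// chain alone only proves "some device from this vendor".
func VerifyDevID(trusted, cert *x509.Certificate, wantSerial string, nonce, sig []byte) error {
	roots := x509.NewCertPool()
	roots.AddCert(trusted)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return err
	}
	if cert.Subject.SerialNumber != wantSerial {
		return errors.New("certificate names a different unit")
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return errors.New("unexpected key type")
	}
	h := sha256.Sum256(nonce)
	if !ecdsa.VerifyASN1(pub, h[:], sig) {
		return errors.New("proof of possession failed")
	}
	return nil
}

func main() {
	vendor, _ := NewCA("Example Vendor IDevID CA") // hypothetical CA
	devKey, _ := GenerateDeviceKey()
	idevid, _ := vendor.Issue("OW1-000001", 1001, &devKey.PublicKey) // constructed serial
	nonce := []byte("registrar nonce (constructed)")
	sig, _ := Prove(devKey, nonce)
	fmt.Println("verify:", VerifyDevID(vendor.Cert, idevid, "OW1-000001", nonce, sig)) // <nil>
}
```

The point of the nonce is the difference between "this certificate is genuine" and "the peer holds the key the certificate names": without it, anyone who has copied a certificate can present it. If the private key is extractable from flash, the same copying applies to the key, which is why the thread's question about enclave or SoC support matters more than the PKI itself.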