Initial implementation of IEEE 802.15.4 security

[fabian18]

Contribution description

This PR aims to integrate initial IEEE 802.15.4 security support for RIOT.
The implementation waives to use a proper key store to mitigate complexity. Instead it always uses the key that has been set via
NETOPT_ENCRYPTION_KEY. So in terms of specification, the key is always implicitly known (IEEE802154_SCF_KEYMODE_IMPLICIT).
This is what I have been using as a reference.

Testing procedure

You can test the implementation with examples/gnrc_networking, if you add USEMODULE += ieee802154_security and try ping6. It is supposed to work with any 802.15.4 radio. If you have an at86rf2xx with SPI, you can additionally add USEMODULE += at86rf2xx_aes_spi, if you want to utilize the transceiver´s hardware crypto module.
I tested the implementation on two nucleo-f767zi with an at86rf233.

Issues/PRs references

Could be related to #14950

[benpicco]

Awesome, thank you!
Want to split out 5c2a1eb as a separate PR?
While technically an API change, we should be able to merge that quick.

I'll look into the other things soon.

[jia200x]

I think code-wise makes a lot of sense. My only concern is the dependency from sys/ieee802154 to netdev, specially since we are currently migrating to the Radio HAL.
But I think integrating it to netdev would work for applications that still rely on that.

Also, do you think it could make sense to (optionally) expand the radio_ops of the Radio HAL to expose the primitives to use the internal crypto accelerator?
I think in the long run would be nice to have a separated crypto structure, but in the short run we could live with this in the radio descriptor.

what do you think?

[fabian18]

Want to split out 5c2a1eb as a separate PR?

Did this real quick

[fabian18]

Also, do you think it could make sense to (optionally) expand the radio_ops of the Radio HAL to expose the primitives to use the internal crypto accelerator?

That´s the hard question. I could try to add these and see what comes out. Or do you want to add the CAP´s ?

[jia200x]

I could try to add these and see what comes out.

That could be nice!

[jia200x]

btw, I think this could work already out of the box using netdev_ieee802154_submac! Since it depends on netdev_ieee802154.

That means, CC2420 and nrf802154 can be used with full CSMA-CA and retransmissions + security

[benpicco]

Also, do you think it could make sense to (optionally) expand the radio_ops of the Radio HAL to expose the primitives to use the internal crypto accelerator?

That´s the hard question. I could try to add these and see what comes out. Or do you want to add the CAP´s ?

I mean ideally we would have a general crypto API that is either backed by a hardware or a software implementation depending on the platform. But that is for another endeavor.

I like your idea that the radio driver can 'catch' those netops, so if the radio can handle crypto itself we already get this abstraction for free.

[fabian18]

btw, I think this could work already out of the box using netdev_ieee802154_submac! Since it depends on netdev_ieee802154.

So as a first step, I should move my ieee802154_sec_context_t from netdev_ieee802154_t to netdev_ieee802154_submac_t?

[jia200x]

So as a first step, I should move my ieee802154_sec_context_t from netdev_ieee802154_t to netdev_ieee802154_submac_t?

It shouldn't be necessary, since netdev_ieee802154_submac_t already depends on netdev_ieee802154_t and most IEEE 802.15.4 drivers depends on netdev_ieee802154_t (but not netdev_ieee802154_submac_t). At the moment we remove netdev from the IEEE 802.15.4 drivers we can decide where to allocate that context (I would say the SubMAC is an option)

[benpicco]

Sorry for the long radio silence, I tried to do some interoperability testing, but wasn't very successful on that end.

• for Linux I followed this guide using the nl802154_llsec branch of wpan-tools and made sure to enable the IEEE802154_NL802154_EXPERIMENTAL option in the kernel config. I would however only get a netlink: 'iwpan': attribute type 1 has an invalid length. when trying to configure the encryption key 😞

• for Zephyr I flashed samples/net/sockets/echo_server with the NET_L2_IEEE802154_SECURITY option enabled onto a nrf52840dk_nrf52840. I also set CONFIG_NET_L2_IEEE802154_SECURITY_CRYPTO_DEV_NAME to CRYPTO_TC and enabled TinyCrypt since the driver for the nRF build-in crypto hardware was not supporting asyc operations which apparently the MAC layer needs.
  With that I got no run-time errors, but still no encrypted traffic 😕

Anyway so with a samr21-xpro this is sending encrypted packets just fine.
I tried on an openmote-b with netdev_ieee802154_submac and cc2538_rf but that would not get me any encrypted traffic. It wouldn't decode the packets from samr21-xpro either.

avr-rss2 also has an at862xx radio, but the memory mapped variant that's not supported by the aes_spi driver just yet - it would still encrypt and decrypt packets.

The at86rf233 radio attached to an esp32 also worked fine with encryption.

I also noticed nodes can still receive unencrypted frames - that'll be convenient if we want to do some Diffie-Hellman key exchange and have per-node keys 😀

[benpicco]

Please squash & rebase before addressing the review comments.

[benpicco]

A so this is only hooked up to the at86rf2xx driver so far, but it could be hooked up the the sub-MAC and then catch all drivers that implement the radio HAL? (That would be for a later PR)

I'm happy with starting at a basic but solid foundation so we can get results, and make it more practical going forward, so a hard-coded key for all nodes and just supporting a single driver is fine.

But those encrypt and decrypt routines are a bit scary - manipulating buffers with long lists of offsets… if there is a bug in there I wouldn't want to search it.
Those mathematical variable names need explanations, otherwise they are just cryptic.

[maribu]

Before I again forget to submit my review, here is at least the chunk I looked at so far.

[benpicco]

tests/ieee802154_security will need a Makefile.ci

[benpicco]

@miri64 have your comments been addressed?

[benpicco]

Suggested change

	uint32_t frame_counter = byteorder_ntohl(
	byteorder_ltobl((le_uint32_t){aux->fc}));
	uint32_t frame_counter = byteorder_ltohl((le_uint32_t){aux->fc});

should also work now.

[benpicco]

Suggested change

	ahr->fc = byteorder_btoll(byteorder_htonl(ctx->frame_counter)).u32;
	ahr->fc = byteorder_htoll(ctx->frame_counter).u32;

feel free to squash directly

My comments were addressed

re-ACK to re-trigger CI

[maribu]

🎉 Good to have this in :-)

[fabian18]

Hurray 🎊. Thank you @benpicco and @miri64

[jia200x]

congratz! One stop closer to the full MAC layer :)