Setup signing when autopilot has unknown secret key
benbarkay opened this issue · 1 comment
benbarkay commented
Situation:
- The autopilot has been configured with a secret key.
- That secret key is now unknown/forgotten.
Problem:
The autopilot drops unsigned or incorrectly signed SETUP_SIGNING messages, thus making it impossible to recover from a lost secret key via MAVLink communication.
Questions:
- Is that a scenario that should be handled by MAVLink? Or is it expected that the autopilot device may have a reset-secret-key button or some other such recovery mechanism?
- If it is a problem that MAVLink should provide a standard solution for, do we have such a solution? If so, what is it?
hamishwillee commented
Hi Ben,
Great question.
- PX4 does not handle the SETUP_SIGNING message yet.
- ArduPilot accepts any message on Channel 0, which is assumed to be secure (maps to USB). So the model there is explicitly that you can reset the message over a secure channel (if you have physical access to the device). That is reasonable - we're trying to stop interception on the public channel, not drone-nappers :-)
- This case is not explicitly defined in the documentation; however, the general implication is that:
  - The key must be shared securely, and in particular not over open/radio channels.
  - It is up to the autopilot/manufacturer to determine what mechanism they consider secure.
  - Whatever is used to set the key in the first place should also work for replacing the key. There is no presumption that once you've set the key you need a more secure method to replace it.
To explicitly answer your question, I think that MAVLink does define the solution: use a secure channel and replace over a (the same) secure channel. Anything more reasonably should be outside of spec - though I think we should recommend USB for this.
I'll create a PR for the docs.
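The recovery model described in the reply above, as an added example (not MAVLink, ArduPilot or PX4 code): a signing-enabled autopilot drops unsigned or wrongly signed SETUP_SIGNING frames arriving on a radio link, accepts anything on the trusted channel 0 (the USB channel in the ArduPilot model), and so can have a forgotten key replaced by someone with physical access. The signature computation follows the MAVLink 2 rule (first 6 bytes of SHA-256 over secret key, frame bytes, link id and 48-bit timestamp); the frame layout, the channel numbering, the `Autopilot` class and all keys and timestamps are constructed for the example and are not the real wire format.

```python
"""Added example: key recovery over a trusted channel when the signing key is unknown.
Not MAVLink/ArduPilot/PX4 code; frame layout and channel numbers are simplified assumptions."""
import hashlib
import hmac
import struct
from typing import Optional

KEY_LEN = 32
SECURE_CHANNEL = 0          # assumption from the reply: channel 0 = USB, treated as trusted
RADIO_CHANNEL = 1           # constructed: any other link is the "public" channel
MSG_ID_HEARTBEAT = 0        # real MAVLink message ids
MSG_ID_SETUP_SIGNING = 256


def signature(secret_key: bytes, frame: bytes, link_id: int, timestamp: int) -> bytes:
    """MAVLink 2 signature: first 6 bytes of SHA-256 over
    secret_key || frame bytes || link_id (1 byte) || timestamp (48-bit little-endian)."""
    h = hashlib.sha256()
    h.update(secret_key)
    h.update(frame)
    h.update(bytes([link_id]))
    h.update(timestamp.to_bytes(6, "little"))
    return h.digest()[:6]


def make_frame(msg_id: int, payload: bytes) -> bytes:
    """Simplified frame: 3-byte little-endian message id + payload.
    A real MAVLink 2 frame also carries STX, length, flags, seq, sysid/compid and a CRC."""
    return msg_id.to_bytes(3, "little") + payload


def setup_signing_payload(new_key: bytes, target_system: int = 1, target_component: int = 1) -> bytes:
    """SETUP_SIGNING payload in size-sorted wire order (assumption, check the dialect XML):
    initial_timestamp (uint64), secret_key (uint8[32]), target_system, target_component."""
    assert len(new_key) == KEY_LEN
    return struct.pack("<Q", 0) + new_key + bytes([target_system, target_component])


class Autopilot:
    """Constructed model of the receiving side's signing policy."""

    def __init__(self, secret_key: Optional[bytes]):
        self.secret_key = secret_key   # None means signing is disabled
        self.last_timestamp = {}       # per-link highest accepted timestamp (replay floor)

    def receive(self, channel: int, frame: bytes, sig=None) -> str:
        """sig is (link_id, timestamp, 6-byte tag) or None. Returns 'accepted' or a drop reason."""
        if channel != SECURE_CHANNEL and self.secret_key is not None:
            if sig is None:
                return "dropped: unsigned"
            link_id, ts, tag = sig
            expected = signature(self.secret_key, frame, link_id, ts)
            if not hmac.compare_digest(tag, expected):
                return "dropped: bad signature"
            if ts <= self.last_timestamp.get(link_id, -1):
                return "dropped: replayed timestamp"
            self.last_timestamp[link_id] = ts
        msg_id = int.from_bytes(frame[:3], "little")
        if msg_id == MSG_ID_SETUP_SIGNING:
            new_key = frame[3 + 8:3 + 8 + KEY_LEN]
            # An all-zero key disables signing; anything else becomes the new key.
            self.secret_key = None if new_key == bytes(KEY_LEN) else new_key
        return "accepted"


def recovery_scenario() -> dict:
    """Walk through the situation in the issue: forgotten key, failed radio attempts, USB reset."""
    forgotten = b"\x11" * KEY_LEN                              # constructed: set earlier, now unknown
    guess = b"\x22" * KEY_LEN                                  # constructed: operator's wrong guess
    new_key = hashlib.sha256(b"constructed replacement key").digest()
    ap = Autopilot(forgotten)
    setup = make_frame(MSG_ID_SETUP_SIGNING, setup_signing_payload(new_key))
    hb = make_frame(MSG_ID_HEARTBEAT, b"\x00" * 9)
    link, ts = 1, 1_000

    r = {}
    r["radio_unsigned"] = ap.receive(RADIO_CHANNEL, setup)
    r["radio_wrong_key"] = ap.receive(RADIO_CHANNEL, setup, (link, ts, signature(guess, setup, link, ts)))
    # Physical access: plug in USB and send the same SETUP_SIGNING unsigned on the trusted channel.
    r["usb_unsigned"] = ap.receive(SECURE_CHANNEL, setup)
    # The replacement key now verifies over radio; replaying the same frame is rejected.
    tag = signature(new_key, hb, link, ts + 1)
    r["radio_new_key"] = ap.receive(RADIO_CHANNEL, hb, (link, ts + 1, tag))
    r["radio_replay"] = ap.receive(RADIO_CHANNEL, hb, (link, ts + 1, tag))
    return r


if __name__ == "__main__":
    for step, outcome in recovery_scenario().items():
        print(f"{step:16s} -> {outcome}")
```

The point the reply makes is visible in the ordering: both radio attempts fail regardless of how the SETUP_SIGNING is signed, the unsigned message on channel 0 succeeds, and from then on the new key is what the radio link verifies against. The replay check is included because a signing scheme that accepts any correctly signed frame, with no timestamp floor, would let a captured SETUP_SIGNING be resent later.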