mirror of
https://github.com/BetterCorp/BetterFrame.git
synced 2026-05-26 17:56:34 +00:00
436d2d730c
New module kiosk/src/at_rest.rs. Derives an AES-256-GCM key via HKDF from a Pi-bound value: 1. /proc/device-tree/serial-number (Pi 5 firmware exposes it) 2. /proc/cpuinfo Serial line (older kernels) 3. /etc/machine-id (non-Pi dev fallback) File format: "BFE1" magic || 12-byte random nonce || ciphertext+tag. Atomic write via tempfile + rename so a crash mid-write can't leave a half-encrypted file. Wired into kiosk/src/server.rs at every file I/O touching sensitive state: - kiosk.key (bearer token to BF server) - local.key (LAN-side API auth key) - bundle.json (cached bundle with RTSP credentials in URL form) Migration: read paths tolerate legacy plaintext (kiosks upgraded from a pre-at_rest build) AND re-store as ciphertext on the first read. One- shot upgrade — subsequent boots skip the migration write. Threat model defended: SD card extraction. Attacker who pulls the card can't decrypt without also having the same physical Pi (CPU serial is hardware-bound). Doesn't defeat an attacker who has both — at that point they ARE the kiosk. Bar is raised from "trivially extract every camera password" to "must steal the device intact." Not defended: TPM-style attestation, remote attestation, sealed boot. Pi 5 has no TPM and we don't ship a secure-boot config. Tests in-module: round-trip short bytes, round-trip JSON, legacy plaintext passthrough.
56 lines
1.6 KiB
TOML
56 lines
1.6 KiB
TOML
[package]
|
|
name = "betterframe-kiosk"
|
|
version = "0.1.0"
|
|
edition = "2024"
|
|
description = "BetterFrame kiosk — multi-camera display with GTK4 + GStreamer"
|
|
license = "AGPL-3.0-only OR Commercial"
|
|
|
|
[dependencies]
|
|
# GTK4 for windowing/layout. v4_14 = Debian Trixie / Pi OS Trixie stock
|
|
# libgtk-4 — pi-gen defaults to trixie, so build chain + image are aligned.
|
|
gtk4 = { version = "0.9", features = ["v4_14"] }
|
|
|
|
# GStreamer for RTSP decode
|
|
gstreamer = "0.23"
|
|
gstreamer-video = "0.23"
|
|
gst-plugin-gtk4 = "0.13"
|
|
|
|
# HTTP client for server API
|
|
reqwest = { version = "0.12", features = ["json", "blocking"] }
|
|
|
|
# JSON
|
|
serde = { version = "1", features = ["derive"] }
|
|
serde_json = "1"
|
|
|
|
# Async runtime
|
|
tokio = { version = "1", features = ["rt-multi-thread", "macros", "time", "fs"] }
|
|
|
|
# Misc
|
|
dirs = "6"
|
|
tracing = "0.1"
|
|
tracing-subscriber = { version = "0.3", features = ["env-filter"] }
|
|
hostname = "0.4"
|
|
tokio-tungstenite = { version = "0.24", features = ["native-tls"] }
|
|
futures-util = "0.3"
|
|
url = "2"
|
|
webkit6 = "0.4"
|
|
gpiod = "0.3"
|
|
|
|
# OTA firmware update: sha256 + Ed25519 signature verify
|
|
sha2 = "0.10"
|
|
ed25519-dalek = { version = "2", features = ["pem"] }
|
|
base64 = "0.22"
|
|
urlencoding = "2"
|
|
|
|
# Hardware-bound at-rest encryption of state files (kiosk_key + bundle cache
|
|
# contain camera RTSP credentials in URL form). Keys derived via HKDF from
|
|
# the Pi CPU serial — pulling the SD doesn't yield plaintext without also
|
|
# having the same physical board.
|
|
aes-gcm = "0.10"
|
|
hkdf = "0.12"
|
|
|
|
# Local HTTP server on kiosk (LAN GET-only layout switch + admin proxy)
|
|
axum = "0.7"
|
|
tower = "0.5"
|
|
hex = "0.4"
|
|
rand = "0.8"
|