BetterCorp/BetterFrame
1
0
Fork 0
mirror of https://github.com/BetterCorp/BetterFrame.git synced 2026-05-26 19:06:34 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 10
BetterFrame/kiosk/Cargo.toml
Mitchell R 436d2d730c
feat(harden): hardware-bound at-rest encryption of kiosk state files 
New module kiosk/src/at_rest.rs. Derives an AES-256-GCM key via HKDF
from a Pi-bound value:
  1. /proc/device-tree/serial-number  (Pi 5 firmware exposes it)
  2. /proc/cpuinfo Serial line          (older kernels)
  3. /etc/machine-id                    (non-Pi dev fallback)

File format: "BFE1" magic || 12-byte random nonce || ciphertext+tag.
Atomic write via tempfile + rename so a crash mid-write can't leave a
half-encrypted file.

Wired into kiosk/src/server.rs at every file I/O touching sensitive
state:
  - kiosk.key      (bearer token to BF server)
  - local.key      (LAN-side API auth key)
  - bundle.json    (cached bundle with RTSP credentials in URL form)

Migration: read paths tolerate legacy plaintext (kiosks upgraded from a
pre-at_rest build) AND re-store as ciphertext on the first read. One-
shot upgrade — subsequent boots skip the migration write.

Threat model defended: SD card extraction. Attacker who pulls the card
can't decrypt without also having the same physical Pi (CPU serial is
hardware-bound). Doesn't defeat an attacker who has both — at that
point they ARE the kiosk. Bar is raised from "trivially extract every
camera password" to "must steal the device intact."

Not defended: TPM-style attestation, remote attestation, sealed boot.
Pi 5 has no TPM and we don't ship a secure-boot config.

Tests in-module: round-trip short bytes, round-trip JSON, legacy
plaintext passthrough.
2026-05-21 11:34:29 +02:00

56 lines
1.6 KiB
TOML
Raw Blame History

[package]
name = "betterframe-kiosk"
version = "0.1.0"
edition = "2024"
description = "BetterFrame kiosk — multi-camera display with GTK4 + GStreamer"
license = "AGPL-3.0-only OR Commercial"
[dependencies]
# GTK4 for windowing/layout. v4_14 = Debian Trixie / Pi OS Trixie stock
# libgtk-4 — pi-gen defaults to trixie, so build chain + image are aligned.
gtk4 = { version = "0.9", features = ["v4_14"] }
# GStreamer for RTSP decode
gstreamer = "0.23"
gstreamer-video = "0.23"
gst-plugin-gtk4 = "0.13"
# HTTP client for server API
reqwest = { version = "0.12", features = ["json", "blocking"] }
# JSON
serde = { version = "1", features = ["derive"] }
serde_json = "1"
# Async runtime
tokio = { version = "1", features = ["rt-multi-thread", "macros", "time", "fs"] }
# Misc
dirs = "6"
tracing = "0.1"
tracing-subscriber = { version = "0.3", features = ["env-filter"] }
hostname = "0.4"
tokio-tungstenite = { version = "0.24", features = ["native-tls"] }
futures-util = "0.3"
url = "2"
webkit6 = "0.4"
gpiod = "0.3"
# OTA firmware update: sha256 + Ed25519 signature verify
sha2 = "0.10"
ed25519-dalek = { version = "2", features = ["pem"] }
base64 = "0.22"
urlencoding = "2"
# Hardware-bound at-rest encryption of state files (kiosk_key + bundle cache
# contain camera RTSP credentials in URL form). Keys derived via HKDF from
# the Pi CPU serial — pulling the SD doesn't yield plaintext without also
# having the same physical board.
aes-gcm = "0.10"
hkdf = "0.12"
# Local HTTP server on kiosk (LAN GET-only layout switch + admin proxy)
axum = "0.7"
tower = "0.5"
hex = "0.4"
rand = "0.8"
Reference in a new issue View git blame Copy permalink