March 2025 - gerrit-log - lists.osmocom.org

[S] Change in pysim[master]: ara_m: add command to lock write access to the ARA-M rules.

by dexter

dexter has posted comments on this change by dexter. ( https://gerrit.osmocom.org/c/pysim/+/39780?usp=email ) Change subject: ara_m: add command to lock write access to the ARA-M rules. ...................................................................... Patch Set 1: (1 comment) File docs/shell.rst: https://gerrit.osmocom.org/c/pysim/+/39780/comment/748c44a9_3ad4fdf9?usp=em… : PS1, Line 1011: Newer versions (50f092037a) of the ara-m applet (Bertrand Martel) allow to lock maybe we shoud tag a release and name the version here? But before we can do that we must first get https://gerrit.osmocom.org/c/aram-applet/+/39781 through. -- To view, visit https://gerrit.osmocom.org/c/pysim/+/39780?usp=email To unsubscribe, or for help writing mail filters, visit https://gerrit.osmocom.org/settings?usp=email Gerrit-MessageType: comment Gerrit-Project: pysim Gerrit-Branch: master Gerrit-Change-Id: I71581a0c9f146f9a0921093d9b53b053b4a8946c Gerrit-Change-Number: 39780 Gerrit-PatchSet: 1 Gerrit-Owner: dexter <pmaier(a)sysmocom.de> Gerrit-Reviewer: Jenkins Builder Gerrit-Comment-Date: Thu, 13 Mar 2025 09:54:30 +0000 Gerrit-HasComments: Yes Gerrit-Has-Labels: No

3 months, 4 weeks

1
0
0 0

[S] Change in aram-applet[master]: README.md document recently added lock/unlock feature

by dexter

dexter has uploaded this change for review. ( https://gerrit.osmocom.org/c/aram-applet/+/39781?usp=email ) Change subject: README.md document recently added lock/unlock feature ...................................................................... README.md document recently added lock/unlock feature The ara-m applet now has a method to lock the store data command. This prevents unauthorized changes to the access rules. Related: SYS#7245 Change-Id: I5a8db9c823a207842aa894485820d610d311c2e0 --- M README.md 1 file changed, 14 insertions(+), 0 deletions(-) git pull ssh://gerrit.osmocom.org:29418/aram-applet refs/changes/81/39781/1 diff --git a/README.md b/README.md index e6fb5f3..816a5d5 100644 --- a/README.md +++ b/README.md @@ -46,10 +46,12 @@ - [x] delete REF-DO - [ ] delete REF-AR-DO - [x] update refresh tag +- [x] lock/unlock store data (protect against unauthorized access rule changes) ### Note * store data can be accessed via install for personalization or via raw apdu STORE DATA +* when store data is locked, then store data can only be accessed via install for personalization * get data length is coded on **2 bytes** max * get specific is **not** compatible with get next * rules are not stored as data object but as plain apdu AR-DO @@ -127,6 +129,18 @@ gp -acr-delete -app D2760001180002FF49502589C0019B18 -acr-hash 1FA8CC6CE448894C7011E23BCF56DB9BD9097432 ``` +#### lock + +```bash +gp --key-enc $KIC --key-mac $KID --key-dek $KIK --secure-apdu 80e620000f000009a00000015141434c00000000 --secure-apdu 80E2900001A1 +``` + +#### unlock + +```bash +gp --key-enc $KIC --key-mac $KID --key-dek $KIK --secure-apdu 80e620000f000009a00000015141434c00000000 --secure-apdu 80E2900001A2 +``` + ### Raw APDU #### list rules -- To view, visit https://gerrit.osmocom.org/c/aram-applet/+/39781?usp=email To unsubscribe, or for help writing mail filters, visit https://gerrit.osmocom.org/settings?usp=email Gerrit-MessageType: newchange Gerrit-Project: aram-applet Gerrit-Branch: master Gerrit-Change-Id: I5a8db9c823a207842aa894485820d610d311c2e0 Gerrit-Change-Number: 39781 Gerrit-PatchSet: 1 Gerrit-Owner: dexter <pmaier(a)sysmocom.de>

3 months, 4 weeks

1
0
0 0

[M] Change in libosmo-abis[master]: trau: new function osmo_trau2rtp_ufe()

by falconia

Attention is currently required from: fixeria, laforge, pespin. falconia has posted comments on this change by falconia. ( https://gerrit.osmocom.org/c/libosmo-abis/+/39731?usp=email ) Change subject: trau: new function osmo_trau2rtp_ufe() ...................................................................... Patch Set 3: (6 comments) File src/trau/trau_rtp_conv.c: https://gerrit.osmocom.org/c/libosmo-abis/+/39731/comment/6a3ce467_8ca4cfa5… : PS2, Line 249: * \param[in] emit_twts002 self-explanatory > Same, not self-explanatory. Resolved in https://gerrit.osmocom.org/c/libosmo-abis/+/39731/comment/70624bbd_9a2f4402/ https://gerrit.osmocom.org/c/libosmo-abis/+/39731/comment/76427d24_2399df94… : PS2, Line 260: return -EINVAL; > ufe is left uninitialized here. Resolved in https://gerrit.osmocom.org/c/libosmo-abis/+/39731/comment/27668a3c_341e3e03/ https://gerrit.osmocom.org/c/libosmo-abis/+/39731/comment/79964b5b_52570e92… : PS2, Line 263: return -ENOSPC; > ufe is left uninitialized here. Resolved in https://gerrit.osmocom.org/c/libosmo-abis/+/39731/comment/27668a3c_341e3e03/ https://gerrit.osmocom.org/c/libosmo-abis/+/39731/comment/8d205de4_d46e5e2b… : PS2, Line 282: return 0; > ufe is left uninitialized here. Resolved in https://gerrit.osmocom.org/c/libosmo-abis/+/39731/comment/27668a3c_341e3e03/ https://gerrit.osmocom.org/c/libosmo-abis/+/39731/comment/e0b85775_06dd7f62… : PS2, Line 299: return 1; > ufe is left uninitialized here. Resolved in https://gerrit.osmocom.org/c/libosmo-abis/+/39731/comment/27668a3c_341e3e03/ https://gerrit.osmocom.org/c/libosmo-abis/+/39731/comment/5bd84693_5f4a66bf… : PS2, Line 311: return GSM_HR_BYTES_RTP_RFC5993; > ufe is left uninitialized here. Resolved in https://gerrit.osmocom.org/c/libosmo-abis/+/39731/comment/27668a3c_341e3e03/ -- To view, visit https://gerrit.osmocom.org/c/libosmo-abis/+/39731?usp=email To unsubscribe, or for help writing mail filters, visit https://gerrit.osmocom.org/settings?usp=email Gerrit-MessageType: comment Gerrit-Project: libosmo-abis Gerrit-Branch: master Gerrit-Change-Id: I7a90eca296b17b1211e5c2125fb1496cd362e1c9 Gerrit-Change-Number: 39731 Gerrit-PatchSet: 3 Gerrit-Owner: falconia <falcon(a)freecalypso.org> Gerrit-Reviewer: Jenkins Builder Gerrit-Reviewer: fixeria <vyanitskiy(a)sysmocom.de> Gerrit-Reviewer: laforge <laforge(a)osmocom.org> Gerrit-Reviewer: pespin <pespin(a)sysmocom.de> Gerrit-Attention: laforge <laforge(a)osmocom.org> Gerrit-Attention: pespin <pespin(a)sysmocom.de> Gerrit-Attention: fixeria <vyanitskiy(a)sysmocom.de> Gerrit-Comment-Date: Wed, 12 Mar 2025 20:24:52 +0000 Gerrit-HasComments: Yes Gerrit-Has-Labels: No Comment-In-Reply-To: pespin <pespin(a)sysmocom.de>

3 months, 4 weeks

1
0
0 0

[M] Change in libosmo-abis[master]: trau: new function osmo_trau2rtp_ufe()

by pespin

Attention is currently required from: falconia, fixeria, laforge. pespin has posted comments on this change by falconia. ( https://gerrit.osmocom.org/c/libosmo-abis/+/39731?usp=email ) Change subject: trau: new function osmo_trau2rtp_ufe() ...................................................................... Patch Set 3: Code-Review+1 (2 comments) File src/trau/trau_rtp_conv.c: https://gerrit.osmocom.org/c/libosmo-abis/+/39731/comment/52c8a59b_69e3b127… : PS2, Line 137: * \param[in] emit_twts001 self-explanatory > > It may be self explanatory to you, but no to others. […] Done https://gerrit.osmocom.org/c/libosmo-abis/+/39731/comment/13363978_8e0407ae… : PS2, Line 359: > I disagree: I intentionally designed the new `osmo_trau2rtp_ufe()` API to set `*ufe` to true if a UF […] Done -- To view, visit https://gerrit.osmocom.org/c/libosmo-abis/+/39731?usp=email To unsubscribe, or for help writing mail filters, visit https://gerrit.osmocom.org/settings?usp=email Gerrit-MessageType: comment Gerrit-Project: libosmo-abis Gerrit-Branch: master Gerrit-Change-Id: I7a90eca296b17b1211e5c2125fb1496cd362e1c9 Gerrit-Change-Number: 39731 Gerrit-PatchSet: 3 Gerrit-Owner: falconia <falcon(a)freecalypso.org> Gerrit-Reviewer: Jenkins Builder Gerrit-Reviewer: fixeria <vyanitskiy(a)sysmocom.de> Gerrit-Reviewer: laforge <laforge(a)osmocom.org> Gerrit-Reviewer: pespin <pespin(a)sysmocom.de> Gerrit-Attention: falconia <falcon(a)freecalypso.org> Gerrit-Attention: laforge <laforge(a)osmocom.org> Gerrit-Attention: fixeria <vyanitskiy(a)sysmocom.de> Gerrit-Comment-Date: Wed, 12 Mar 2025 20:14:26 +0000 Gerrit-HasComments: Yes Gerrit-Has-Labels: Yes Comment-In-Reply-To: falconia <falcon(a)freecalypso.org> Comment-In-Reply-To: pespin <pespin(a)sysmocom.de>

3 months, 4 weeks

1
0
0 0

[M] Change in libosmo-abis[master]: trau: new function osmo_trau2rtp_ufe()

by falconia

Attention is currently required from: fixeria, laforge, pespin. Hello Jenkins Builder, fixeria, laforge, I'd like you to reexamine a change. Please visit https://gerrit.osmocom.org/c/libosmo-abis/+/39731?usp=email to look at the new patch set (#3). The following approvals got outdated and were removed: Verified+1 by Jenkins Builder Change subject: trau: new function osmo_trau2rtp_ufe() ...................................................................... trau: new function osmo_trau2rtp_ufe() TRAU frame formats for newer codecs (HR, EFR, AMR) include a UFE (uplink frame error) indicator bit in the DL direction. TRAUs are expected to set this bit to active error state (0 for HR/EFR/AMR or 1 for D144 E-TRAU) if frame synchronization is lost in the UL direction, or if received TRAU-UL frames have bad CRC or invalid control bits - errors that indicate corruption on terrestrial circuits or faults in the CCU, rather than radio Rx errors. In Osmocom implementation, TRAU frame CRC and control bit patterns are checked during conversion to RTP, as part of the work done by osmo_trau2rtp() - but there is no separate return indication from that function that distinguishes these errors from ordinary BFIs due to radio errors or FACCH stealing etc. Solution: add a new API function that indicates UFE conditions separately. Related: OS#6614 Change-Id: I7a90eca296b17b1211e5c2125fb1496cd362e1c9 --- M include/osmocom/trau/trau_rtp.h M src/trau/trau_rtp_conv.c 2 files changed, 90 insertions(+), 33 deletions(-) git pull ssh://gerrit.osmocom.org:29418/libosmo-abis refs/changes/31/39731/3 -- To view, visit https://gerrit.osmocom.org/c/libosmo-abis/+/39731?usp=email To unsubscribe, or for help writing mail filters, visit https://gerrit.osmocom.org/settings?usp=email Gerrit-MessageType: newpatchset Gerrit-Project: libosmo-abis Gerrit-Branch: master Gerrit-Change-Id: I7a90eca296b17b1211e5c2125fb1496cd362e1c9 Gerrit-Change-Number: 39731 Gerrit-PatchSet: 3 Gerrit-Owner: falconia <falcon(a)freecalypso.org> Gerrit-Reviewer: Jenkins Builder Gerrit-Reviewer: fixeria <vyanitskiy(a)sysmocom.de> Gerrit-Reviewer: laforge <laforge(a)osmocom.org> Gerrit-CC: pespin <pespin(a)sysmocom.de> Gerrit-Attention: laforge <laforge(a)osmocom.org> Gerrit-Attention: pespin <pespin(a)sysmocom.de> Gerrit-Attention: fixeria <vyanitskiy(a)sysmocom.de>

3 months, 4 weeks

1
0
0 0

[M] Change in libosmo-abis[master]: trau: new function osmo_trau2rtp_ufe()

by falconia

Attention is currently required from: fixeria, laforge, pespin. falconia has posted comments on this change by falconia. ( https://gerrit.osmocom.org/c/libosmo-abis/+/39731?usp=email ) Change subject: trau: new function osmo_trau2rtp_ufe() ...................................................................... Patch Set 2: (2 comments) File src/trau/trau_rtp_conv.c: https://gerrit.osmocom.org/c/libosmo-abis/+/39731/comment/86fdaeab_d1091b40… : PS2, Line 137: * \param[in] emit_twts001 self-explanatory > It may be self explanatory to you, but no to others. > Please add something like: "Generate RTP in TW-TS-001 format" or whatever the name of the spec it is. OK, fine. In the next spin of this patch, I'll change the doxygen comment for `emit_twts001` to "Generate RTP in TW-TS-001 format", and the one for `emit_twts002` to "Generate RTP in TW-TS-002 format". > Also some reference to where that spec may be found may be useful. I don't agree that internal Doxygen comments for static functions internal to trau2rtp implementation are the right place for such verbose documentation. The comment block for `osmo_trau2rtp()` public API seems like the more sensible place. Please read the comments that are already there, including description of RFC vs TW-TS output format selection, and then tell me if you think that description should be extended. https://gerrit.osmocom.org/c/libosmo-abis/+/39731/comment/3f9fc05d_5fe855db… : PS2, Line 359: > Let's better initialize ufe always if present, to avoid uninitialized memory. I disagree: I intentionally designed the new `osmo_trau2rtp_ufe()` API to set `*ufe` to true if a UFE condition is detected, but **not** set it to false otherwise. This aspect of the API is clearly documented in the header comment for the new API function. Rationale: CRC errors (HR and EFR) or invalid control bit pattern (HR only) are only one type of UFE condition, but it is the UFE condition that is most naturally caught simultaneously with conversion to RTP, as opposed to a separate check function. There are other sources of UFE condition: errors in the frame sync pattern, or the frame type code in C1..C5 bits (decoded in `osmo_trau_frame_decode_16k()` or `osmo_trau_frame_decode_8k()` rather than here) suddenly being received as neither the original expected frame type nor a different valid type that could be a plausible result of a Channel Mode Modify operation. My vision is that an application such as `tw-e1abis-mgw` will need to maintain a `bool ufe` flag in its TRAU state structure, it will be initialized (by the app) to false at the beginning of Rx frame processing, and `osmo_trau2rtp_ufe()` is just one step out of several that can change it from false to true. -- To view, visit https://gerrit.osmocom.org/c/libosmo-abis/+/39731?usp=email To unsubscribe, or for help writing mail filters, visit https://gerrit.osmocom.org/settings?usp=email Gerrit-MessageType: comment Gerrit-Project: libosmo-abis Gerrit-Branch: master Gerrit-Change-Id: I7a90eca296b17b1211e5c2125fb1496cd362e1c9 Gerrit-Change-Number: 39731 Gerrit-PatchSet: 2 Gerrit-Owner: falconia <falcon(a)freecalypso.org> Gerrit-Reviewer: Jenkins Builder Gerrit-Reviewer: fixeria <vyanitskiy(a)sysmocom.de> Gerrit-Reviewer: laforge <laforge(a)osmocom.org> Gerrit-CC: pespin <pespin(a)sysmocom.de> Gerrit-Attention: laforge <laforge(a)osmocom.org> Gerrit-Attention: pespin <pespin(a)sysmocom.de> Gerrit-Attention: fixeria <vyanitskiy(a)sysmocom.de> Gerrit-Comment-Date: Wed, 12 Mar 2025 19:31:50 +0000 Gerrit-HasComments: Yes Gerrit-Has-Labels: No Comment-In-Reply-To: pespin <pespin(a)sysmocom.de>

3 months, 4 weeks

1
0
0 0

[S] Change in osmo-pcap[master]: pcap-server: Introduce VTY cmd file-write-queue-max-length

by pespin

pespin has posted comments on this change by pespin. ( https://gerrit.osmocom.org/c/osmo-pcap/+/39774?usp=email ) Change subject: pcap-server: Introduce VTY cmd file-write-queue-max-length ...................................................................... Patch Set 2: (1 comment) File src/osmo_pcap_wr_file.c: https://gerrit.osmocom.org/c/osmo-pcap/+/39774/comment/d795e657_b14b62f0?us… : PS1, Line 100: osmo_pcap_wr_file_write_queue_max_length > Maybe add _set for consistency with osmo_pcap_wr_file_set_flush_completed_cb above? […] Ack, forgot about it. -- To view, visit https://gerrit.osmocom.org/c/osmo-pcap/+/39774?usp=email To unsubscribe, or for help writing mail filters, visit https://gerrit.osmocom.org/settings?usp=email Gerrit-MessageType: comment Gerrit-Project: osmo-pcap Gerrit-Branch: master Gerrit-Change-Id: I137f13481c03f82d11a2d38ba4fd5691a55535ce Gerrit-Change-Number: 39774 Gerrit-PatchSet: 2 Gerrit-Owner: pespin <pespin(a)sysmocom.de> Gerrit-Reviewer: Jenkins Builder Gerrit-Reviewer: laforge <laforge(a)osmocom.org> Gerrit-Reviewer: osmith <osmith(a)sysmocom.de> Gerrit-Reviewer: pespin <pespin(a)sysmocom.de> Gerrit-Comment-Date: Wed, 12 Mar 2025 18:42:30 +0000 Gerrit-HasComments: Yes Gerrit-Has-Labels: No Comment-In-Reply-To: osmith <osmith(a)sysmocom.de>

3 months, 4 weeks

1
0
0 0

[S] Change in docker-playground[master]: update redmine to latest 5.1.7 (security update)

by fixeria

Attention is currently required from: laforge. fixeria has posted comments on this change by laforge. ( https://gerrit.osmocom.org/c/docker-playground/+/39779?usp=email ) Change subject: update redmine to latest 5.1.7 (security update) ...................................................................... Patch Set 1: Code-Review+1 -- To view, visit https://gerrit.osmocom.org/c/docker-playground/+/39779?usp=email To unsubscribe, or for help writing mail filters, visit https://gerrit.osmocom.org/settings?usp=email Gerrit-MessageType: comment Gerrit-Project: docker-playground Gerrit-Branch: master Gerrit-Change-Id: Ia628674900376623626d8ad5f2a97324ed8780a1 Gerrit-Change-Number: 39779 Gerrit-PatchSet: 1 Gerrit-Owner: laforge <laforge(a)osmocom.org> Gerrit-Reviewer: Jenkins Builder Gerrit-Reviewer: fixeria <vyanitskiy(a)sysmocom.de> Gerrit-Attention: laforge <laforge(a)osmocom.org> Gerrit-Comment-Date: Wed, 12 Mar 2025 18:26:26 +0000 Gerrit-HasComments: No Gerrit-Has-Labels: Yes

3 months, 4 weeks

1
0
0 0

[S] Change in pysim[master]: ara_m: add command to lock write access to the ARA-M rules.

by dexter

dexter has uploaded this change for review. ( https://gerrit.osmocom.org/c/pysim/+/39780?usp=email ) Change subject: ara_m: add command to lock write access to the ARA-M rules. ...................................................................... ara_m: add command to lock write access to the ARA-M rules. Recent versions of the ARA-M applet from Bertrand Martel can lock the write access to ARA-M rules. Let's add a command for that and some documentation. Related: SYS#7245 Change-Id: I71581a0c9f146f9a0921093d9b53b053b4a8946c --- M docs/shell.rst M pySim/ara_m.py 2 files changed, 19 insertions(+), 0 deletions(-) git pull ssh://gerrit.osmocom.org:29418/pysim refs/changes/80/39780/1 diff --git a/docs/shell.rst b/docs/shell.rst index 564f162..9c8eb9b 100644 --- a/docs/shell.rst +++ b/docs/shell.rst @@ -1006,6 +1006,21 @@ intended must be manually inserted again using :ref:`aram_store_ref_ar_do` +aram_lock +~~~~~~~~~ +Newer versions (50f092037a) of the ara-m applet (Bertrand Martel) allow to lock +the access to the STORE DATA command. This renders all access rules stored within +the ARA-M applet effectively read-only. The lock can only be removed via a secure +channel to the security domain and is therefore suitable to prevent unauthorized +changes to ARA-M rules. + +Removal of the lock: +:: + + pySIM-shell (SCP02[01]:00:MF/ADF.ISD)> install_for_personalization A00000015141434C00 + pySIM-shell (SCP02[01]:00:MF/ADF.ISD)> apdu --expect-sw 9000 80E2900001A2 + + GlobalPlatform commands ----------------------- diff --git a/pySim/ara_m.py b/pySim/ara_m.py index 7a0f93f..f06acee 100644 --- a/pySim/ara_m.py +++ b/pySim/ara_m.py @@ -389,6 +389,10 @@ if res_do: self._cmd.poutput_json(res_do.to_dict()) + def do_aram_lock(self, opts): + """Lock STORE DATA command to prevent unauthorized changes (use with caution!)""" + self._cmd.lchan.scc.send_apdu_checksw('80e2900001A1', '9000') + # SEAC v1.1 Section 4.1.2.2 + 5.1.2.2 sw_aram = { -- To view, visit https://gerrit.osmocom.org/c/pysim/+/39780?usp=email To unsubscribe, or for help writing mail filters, visit https://gerrit.osmocom.org/settings?usp=email Gerrit-MessageType: newchange Gerrit-Project: pysim Gerrit-Branch: master Gerrit-Change-Id: I71581a0c9f146f9a0921093d9b53b053b4a8946c Gerrit-Change-Number: 39780 Gerrit-PatchSet: 1 Gerrit-Owner: dexter <pmaier(a)sysmocom.de>

3 months, 4 weeks

1
0
0 0

[S] Change in osmo-pcu[master]: csn1: Use enum to select enc/dec direction

by fixeria

Attention is currently required from: pespin. fixeria has posted comments on this change by pespin. ( https://gerrit.osmocom.org/c/osmo-pcu/+/39778?usp=email ) Change subject: csn1: Use enum to select enc/dec direction ...................................................................... Patch Set 1: Code-Review+1 (1 comment) Patchset: PS1: Looks good to me. We need to relax the linter a bit, though. -- To view, visit https://gerrit.osmocom.org/c/osmo-pcu/+/39778?usp=email To unsubscribe, or for help writing mail filters, visit https://gerrit.osmocom.org/settings?usp=email Gerrit-MessageType: comment Gerrit-Project: osmo-pcu Gerrit-Branch: master Gerrit-Change-Id: I845bcab61e354436bff1c3a0f2b6f49de9705716 Gerrit-Change-Number: 39778 Gerrit-PatchSet: 1 Gerrit-Owner: pespin <pespin(a)sysmocom.de> Gerrit-Reviewer: Jenkins Builder Gerrit-Reviewer: fixeria <vyanitskiy(a)sysmocom.de> Gerrit-Attention: pespin <pespin(a)sysmocom.de> Gerrit-Comment-Date: Wed, 12 Mar 2025 16:37:24 +0000 Gerrit-HasComments: Yes Gerrit-Has-Labels: Yes

3 months, 4 weeks

1
0
0 0

2025

2024

2023

2022

gerrit-log March 2025