2020-12-01: Depthcharge Release 0.2.0 ("Clatter and Hiss") ---------------------------------------------------------------------------- Summary: * Introduced configuration checker API and depthcharge-audit-config * Command-line argument and API "breaking" changes: * ARM is longer the default architecture, "Generic" is * Migrated uboot.py submodule to a uboot subpackage * Change to opt-in semantics for payload deploy+execute, device crash/reboot * Payload base and offset improvements Versions: Python module (`depthcharge`): 0.2.0 Companion Firmware: 0.1.0 Details: **Introduced configuration checker API and depthcharge-audit-config** The depthcharge.checker API is designed to to facilitate configuration auditing, where the goal is to consistently and quickly identify common security pitfalls or known vulnerabilities, so time spent on security review efforts can be focused elsewhere (e.g., in newly developed code). The depthcharge.checker.ConfigChecker class defines the overarching framework and implements the common auditing and reporting functionality. The depthcharge.checker.UBootConfigChecker and .UBootHeaderChecker classes implement support for parsing .config and platform configuration header files, respectively. The audit() methods of these "checkers" produce depthcharge.checker.Report objects, which are sets of depthcharge.checker.SecurityRisk objects that describe the potential risks and provide a high-level, general recommendations. The Report class supports a few export formats, including html, csv, and Markdown. The depthcharge-audit-config script exposes this new API functionality via the command-line. **ARM is longer the default architecture, "Generic" is.** In the interest of being more user friendly, Depthcharge now defaults to an ARM-ish "Generic" architecture, which is still 32-bit and little endian. By making no assumptions about registers and instruction set, we can exclude operations that would otherwise cause a target device to spin out of control. The goal here is try to balance provide some reasonable amount of functionality, while being resilient to platform-specific quirks that would otherwise cause grief fro a newcomer to Depthcharge. In order to use ARM-specific functionality, one must now do one of the following: * API: Create a Depthcharge context using `arch='arm'` * Scripts: pass an `--arch arm` argument See `arch/generic.py` for the other Generic architectures available. However, note that 64-bit and big-endian platforms have not yet undergone testing. **Migration uboot.py submodule to a uboot subpackage** The migration of the uboot.py submodule to a uboot subpackage was performed in order to allow new additions to be introduced in a more organized manner. The uboot.py submodule has been converted to a subpackage organized as follows: * depthcharge.uboot.board: Platform and "board" configuration data * depthcharge.uboot.cmd_table: Console command handler table inspection * depthcharge.uboot.env: Environment (variable) functionality * depthcharge.uboot.jump_table: Exported jump table definitions This breaks the (unstable) v0.1.x API. Below is a summary of the v0.1.x items that have been removed, along with their corresponding replacements in the (also unstable) v0.2.x API. depthcharge.uboot.board: v0.1.x: depthcharge.uboot.bdinfo_dict() Replaced by: v0.2.x: depthcharge.uboot.board.bdinfo_dict() depthcharge.uboot.cmd_table: v0.1.x: depthcharge.uboot.cmdtbl_entry_to_bytes() Replaced by: v0.2.x: depthcharge.uboot.cmd_table.entry_to_bytes() depthcharge.uboot.env: v0.1.x: depthcharge.uboot.raw_environment_regex() depthcharge.uboot.raw_env_var_regex() depthcharge.uboot.expand_environment() depthcharge.uboot.expand_variable() depthcharge.uboot.parse_raw_environment() depthcharge.uboot.load_raw_environment() depthcharge.uboot.save_raw_environment() depthcharge.uboot.create_raw_environment() depthcharge.uboot.parse_environment() depthcharge.uboot.load_environment() depthcharge.uboot.save_environment() Replaced by: v0.2.x: depthcharge.uboot.env.raw_regex() depthcharge.uboot.env.raw_var_regex() depthcharge.uboot.env.expand() depthcharge.uboot.env.expand_variable() depthcharge.uboot.env.parse_raw() depthcharge.uboot.env.load_raw() depthcharge.uboot.env.save_raw() depthcharge.uboot.env.create_raw() depthcharge.uboot.env.load() depthcharge.uboot.env.save() depthcharge.uboot.jump_table: v0.1.x: depthcharge.uboot.jump_table_exports() depthcharge.uboot.find_jump_table() Replaced by: v0.2.x: depthcharge.uboot.jump_table.exports() depthcharge.uboot.jump_table.find() **Opt-in Operation Semantics** Previously, Depthcharge would attempt to automatically explore a device as much as possible when the depthcharge.Depthcharge context object is created (which is what is happening when the depthcharge-inspect is used). However, when beginning work on a bringing up MIPS support, it became clear that the (expected) failures resulting from previously untested U-Boot versions (including those heavily modified by a platform vendor) would be very unintuitive to new users of the Depthcharge toolkit. In order to better to provide a better user experience (i.e. a less annoying and kludgy-feeling toolkit), as well as making adding new architecture support less of a hassle, the platform inspection now behaves according to opt-in semantics, rather than opt-out semantics. In the depthcharge.Depthcharge constructor, there are now `allow_deploy` and `skip_deploy` options, whose semantics are detailed in the corresponding API documentation. On the command-line, these correspond to -A, --allow-deploy and -S, --skip-deploy arguments. Similarly, the opt-out of operations requiring a device crash or reboot in scripts was found to be unfriendly and has been similarly been changed to have opt-in semantics. The relevant API function keyword argument has always been allow_reboot; the change was only needed in scripts' command-line options, which now match: -R, --allow-reboot **Payload base address and offset improvements** The code used to configure the address at which Depthcharge should deploy payloads has been updated to address some deficiencies and better match the promises made in the API docs. 2020-07-22: Depthcharge 0.1.1.post1 ---------------------------------------------------------------------------- Post-release update to temporarily work around setup.py issue (#14) affecting RTD builds until proper fix is merged in a later release. Versions: Python module (`depthcharge`): 0.1.1.post1 Companion Firmware: 0.1.0 2020-07-22: Depthcharge Release 0.1.1 ("Burn No Bridges") ---------------------------------------------------------------------------- Documentation and packaging fixes - no functional changes. Versions: Python module (`depthcharge`): 0.1.1 Companion Firmware: 0.1.0 2020-07-21: Depthcharge Release 0.1.0 ("Against the Grain") ---------------------------------------------------------------------------- Initial public release of Depthcharge. Versions: Python module (`depthcharge`): 0.1.0 Companion Firmware: 0.1.0 Current limitations: - Supports ARM (32-bit) only. Additional architecture support can be introduced via python/depthcharge/arch.py. - The Companion Firmware currently acts only as an I2C peripheral. This can certainly be expanded upon to also act as a SPI peripheral. - GoExecutor is the only Executor implementation. Boot commands could also be leveraged as such, provided that payloads are wrapped in appropriate image formats, preferably automatically by Depthcharge.