Hatchery support

Add app directories to the path and change menu to use the provided metadata.

ELF apps are listed, but people can also include them with apps. I think they should be published in the hatchery together with an init.py containing something like:

import os
os.exec("/apps/myapp/mybinary.elf")

It lists all ELF files found in /elf

ELF apps are no longer listed. They should be published in the hatchery together with an init.py containing something like:

We really don't want people to distribute blobs via the hatchery ...

Why not? How else would they distribute their creations?

ping @q3k

We'll disable .elf files in epicardium right now. Then we will create a config option which allows them to be executed. This script should list them.

We will also implement a blacklist in micropython to prevent the config from being access directly though pyhton. we will also blacklist card10.bin and the menu files.

added 1 commit

• 8c0200dd - Making the code style checker happy

Compare with previous version

Hatchery now has support for .elf files . . https://github.com/badgeteam/Hatchery/commit/39b20d4e3c40d1eca10e3408d4cb6be16a645f9b

I share the concern that distributing binary blobs is questionable on a hacker event, and that a transparent source->bin way would be preferable, but given the time constraints, this is probably the most user friendly way to get more code on more card10's

I think we should not make central distribution of l0dables available until we have a proper solution here. @q3k said he can get something up quickly but he was busy the last few days ...

If I can help @q3k in any way to make it more easily usable, please let me know :)

I would still like scripts in the root directory to show up as well. For hacking some quick scripts this is way more comfortable.

changed this line in version 3 of the diff

Please add all files in the root directory ending in .py or .elf (except menu.py).

added 1 commit

• eca5177f - Add listing of ELF files

Compare with previous version

Sorry, it looks like this Merge Request has some code quality issues!

The pipeline lint has failed - look at its failure output to understand what sort of diffs we'd like you to apply.

You can also use tools/code-style.sh to fix files that have issues.

Good luck! I will update this comment when I detect you have applied your fixes.

changed the description

Maybe you should blacklist python from writing to any .elf file, that would solve the virus problem for now. Also prevent writing to the firmware update file from python, unless you want people to fuck around with that...

I don't think we should try to build a fake sense of security into this. If some script wants to be malicious it has all the possibilities it wants. We can't protect against that anyway.

The main rationale behind the whole elf story for me was, that I want to at least give people certainty about the source-code of the binary blob; If we just allow uploading random blobs, there is no guarantee about what sources it was built from and thus you don't have the option to look at the sources and evaluate for yourself whether that looks legit.

If we only allow uploading source-files which are then built (and optionally signed) by some CI-server, you at least know how the C-code looks which the l0dable was built from.

mentioned in merge request !143 (merged)

Based of your work, we've implemented https://git.card10.badge.events.ccc.de/card10/firmware/merge_requests/143

For now we will work on some opt-in feature for elfs, until we have working infrastructure.

closed