►
From YouTube: ROS 2 Security Working Group June 8, 2021
Description
Discussion on adding PKCS11 support to ROS 2
A
Okay,
so
the
meeting
is
being
recorded.
I
want
to
begin
just
by
asking
if
I
could
get
anybody
a
second,
the
meeting
minutes
from
our
last
our
last
meeting.
It's
dropped
on
linkedin.
If
anybody
has
any
concerns
that
was
a
meeting
from
last
month
may
11th
any
comments
on
that.
A
Okay
I'll
go
ahead
and
get
this
published
then,
and
then,
after
that,
I'm
going
to
hand
it
over
to
eicher
and
cali
to
give
us
an
update
on
where
you're
at
with
pkcs.
B
Okay,
so
last
week
we
were
discussing
kalyan
and
my
my
team.
B
We
made
some
progress
in
the
part
of
what
we
have
to
do
from
the
middleware
part
of
the
problem,
but
obviously
there
is
also
the
problem
about
how
to
address
this
on
rost2,
and
I
think
we
found
a
quite
a
simple
solution
that
may
be
worth
mentioning
here.
So
let
me
just.
B
Share
my
screen
in
a
moment
so,
as
you
know,
kanye
and
his
team,
they
want
to
use
a
pikachu
11
in
the
security
module
of
dds
which,
by
the
way
is
already
accounted
for
in
the
in
the
standard.
But
there
is
this
problem
about
how
azure
stu
can
support.
B
Okay,
so
you
cannot
raise
this
up
an
issue
about
the
environments
without
the
file
system
and
such,
but
that
seems
to
be
stored
for
quite
a
long
time
and
in
fact
it's
pretty
obvious
that
it
requires
requires
quite
a
lot
of
changes.
B
So
what
we
are
proposing
here
is
a
simpler
solution
that
could
be
implemented
in
quite
a
shorter
time
and
without
large
changes,
and
the
idea
is
keeping
the
current
concept
of
enclaves
but
making
extras
aware
of
the
file
extension
somehow
so,
for
example,
for
a
private
key
file.
If
there
is
a
kickout
pen
file,
make
it
as
always
and
just
set
the
tts
property
to
the
file
path.
B
But,
however,
if
there
is
a
key.p11
file
set
the
dds
property
to
the
content
of
the
file,
so
I
assume
that
that
file
will
con,
contain
the
pica
cs,
ui
and
just
set
the
content
of
the
file
to
the
security
property.
B
Obviously
the
middleware
has
to
be
it
has
to
support
a
pikachu
s11
uis,
but
that's
also
out
of
the
scope
of
of
errors,
and
that's
that
that's
just
another
another
issue.
But
we
think
that
this
is
pretty
simple
and
that
may
give
extras
the
support
for
pikachu
11
us
in
just
to
communicate
them
to
the
to
the
middle.
B
D
Yeah
not
not
much,
I
think,
in
the
discussion.
We
also
discussed
a
little
bit
like
what.
What
do
we
want
to
include
in
the
in
the
scope
of
this
approach
and-
and
I
think
at
least
for
our
use
case-
it's
quite
okay-
to
call
it
rather
bare
minimum,
meaning
that
we
just
want
to
protect
the
private
key
on
the
crypto
backend
and
consume
that
over
the
over
t,
p
kcs11
interface.
D
So
basically
that
would
then
mean
that
we
just
need
to
have
key
creation
requests
and
and
signing
requests
going
through
that
channel
and
what
would
be
out
of
scope
is
basically,
then
all
the
certificates
and
and
those
basically
public
artifacts,
so
all
the
ca
files
and
certificate
pen
files,
but
yeah.
I
think
that's
just
some
insight
of
our
discussion.
I
I
don't
think
that
include
or
well
actually
yeah
it
also
it's
relevant
for
esros.
B
Yeah,
even
in
that
case,
I
guess
that
if
we,
if
we
at
the
end,
if
we
go
this
in
this
path,
even
adding
the
rest
of
the
elements
like
the
certificates
and
such
to
this
mechanism-
wouldn't
be-
I
mean
it's.
So
it's
easy
to
do
and
we
can
have
that
already
in
place
in
in
this
rows,
regardless
of
the
middleware
supporting
it
or
not.
D
Yeah
then
we
had
another
discussion
about
the
actual
encryption
plug-in
and
agreed
that
this
would
be
quite
much
more
complicated
at
this
phase
to
implement.
So
we
are
basically
just
concentrating
on
the
authentication,
plug-in
and
and
what
that
includes,
in
the
graphic
perspective,.
C
So
so,
if
I
can
recap,
the
the
deal
here
is
using
the
file
extension
for
pk11
sros
could
delimit
whether
you
know
we're
dealing
with
a
pen
file
or
pk11.
C
If
it's
pk11,
we
would
deserialize
the
file
into
a
pk,
11
uri,
and
then
we
pass
the
uri
string
to
the
security
plug-in.
C
B
That's
that's
that's
something
that
the
middleware
has
to
do
following
the
security
as
a
standard.
Once
the
you
once
it
knows,
the
uri.
C
E
D
Yeah,
okay,
you
were
referring
to
p
key.
I
heard
the
p11
yeah,
that's
right,
so
basically,
the
private
key
material
or
the
secret
material
is
only
in
the
crypto
backend,
and
this
is
just
a
pointer
for
it,
and
middleware
will
take
care
of
how
to
use
the
pointer.
C
So
yeah
you
don't
have
you
don't
have
to
you?
Don't
have
to
solve
the
problem
now,
but
hypothetically,
if,
if
a
user
was
using
a
a
tpm,
where
would
they
configure
would
be
the
appropriate
location
in
their
in
their
application
code
or
some
kind
of
config
file
that
their
application
then
reads
is
that
if
they
didn't
pass
the
tpm
uri
to
sros
and
then
sros
should
pass
that
to
the
dds.
C
So
so,
if
if
a
user
was
using
a
tpm,
where
would
that
be
configured
if
there
was
no
file
system
right.
C
Like
s,
we
have
like
these
environment
variables
that
we
pick
up
on
to
figure
out
where
to
locate
the
credentials,
but
if
a
user
was
like
had
some
embedded
system
project,
where
is
that
normally?
Is
that
set
within
the
compiled
into
the
program.
D
That's
a
good
question
like
I:
I
haven't
worked
in
environments
without
a
file
system,
so
can't
really
answer
to
that,
but
but
basically,
if
environment
wire
apples
are
okay
for
those,
although
isn't
that
also,
and
just
a
matter
of
file
in
at
least
in
linux
systems,
so
I
don't
know
how
but
yeah
but
yeah.
Basically
the
configuration
is
rather
simple.
It's
just
a
string,
so
so
I
guess
no
matter
what
they
where
they
store
it.
D
This
is
probably
another
another
question
to
tackle,
and
this
is
not
something
that
concerns
our
use
case,
but
definitely
I'm
happy
to
kind
of
look
into
that
as
well.
If
we
want
to.
A
Yes,
you
think
about
it,
but
yeah
to
add
on
that
rough,
and
I
think
when
we
talked
about
it
last
time,
we
actually
separated
out
the
two
problems,
one
of
them
for
using
pks
and
one
of
them
for
doing
this
with
a
on
a
device
that
doesn't
have
a
file
system
and
we
weren't
going
after
the
the
device
without
a
file
system
problem.
Yet.
C
C
One
one
last
question
the
pk11
string
or
this
uri.
C
I
know
the
dds
spec,
I
think,
allows
you
to
pass
in
the
string
serialization
of
a
pin
file
or
the
path
to
the
pen
file
in
the
case
of
where
is,
is
the
dds
spec
already
support
pk11
uris,
or
is
that
something
we
have
to
go
and
ask
the
vendors
to
extend.
B
E
A
E
I
had
the
similar
question
just
to
be
sure
to
clarify
on
that
point,
so
it
would
not
be
supported
by
the
standards
if
estros
2
would
be
passing
you,
the
file
path
of
either
the
pen
file
or
the
p11
file
and
the
and
the
middleware
would
just
like
take
whatever
is
in
there
and
resolve
it.
B
No,
no
in
that
case
that
wouldn't
be
the
standard
way
of
doing
it.
So
I
I,
if
I
understood
correctly,
you
are
saying
for
us
to
send
the
in
this
case
the
key
dot,
p11
file
path
and
then
the
middleware
resolving
that
right.
E
E
B
Based
on
site
extension,
not
completely
because
you
still
have
to
to
let's
say
serialize
or
somehow
that
that
information,
if
you
are
going
to
pass
the
the
serialized
key
directly,
you
have
to
set
the
correct
the
correct
format
to
that.
To
that
string,
I
believe
that's
the
a
data
uri
and
that
would
be
so
data
column
and
then
the
serialization
in
the
case
of
pikachus
11.
That
would
be
because
you
see
that
in
column
and
then
the
object
and
for
the
file
path.
B
E
Yeah,
that
makes
sense.
Okay,
and
I
guess
one
other
like
practical
question
on
that
front.
How
do
we,
how
do
you
envision
estrus
to
sorting
out
like
we
would
be
looking
for
like
a
site
starting
with
key,
and
then
we
have
like
a
priority
list
like
I
guess
in
practice,
in
deployed
system,
you
would
never
have
a
pen
file
and
a
p11
file,
but
like
how
do
how
do
we
expect
the
system
to
behave
if
you
have
both
like
should
like
the
p11,
be
the
one
taking
priority
or.
B
C
We
could
just
error
out
instead
of
doing
some
indeterminate
behavior
to
say,
yeah,
hey,
you
got
two
files,
we
don't
know.
A
D
I
think
it
goes
down
a
little
bit
to
the
middleware,
because
I
think
this
uri
would
go
quite
directly
to
the
middleware
api
eventually,
but
this
is
quite
standard
format.
This
big
ss11
uri.
So
I
guess
we
can
quite
easily
mitigate
the
risk
if,
if
there
is
any
just
buy
with
some
regular
expression
to
validate
the
syntax.
A
A
D
A
C
You
know
that
would
probably
that'd
be
it
rather
than
having
the
generation
figure
out
whether
it
needs
to
write
a
pim
file
or
a
pk11
file.
We
just
convert
the
pen
file
later
in
the
installation
step
on
where
you
want
to
deploy
it
in
a
tpm
module
or
some
other
system.
A
D
A
A
Like
the
sros
2
utilities,
then
would
pull
out
the
the
certificate
associated
with
the
key
and
drop
the
certificate
on
to
the
file
system
and
then
drop
the
p11
pointer
as
well
right
and
I'm
sure
you
could
do
it
all
by
hand.
But
I'm
thinking
that
you'll
quickly
want
to
automate
it
with
the
you
know.
D
C
D
So
so,
as
I
said,
the
certificate
doesn't
need
to
be
there
in
the
tpm.
I
I
think
it's
still
up
to
up
to
us
to
decide
whether
we
want
to
go
which
way
we
want
to
go.
But
but
if
it's,
if
it's
not
in
the
tpm,
then
basically
yeah.
D
Yeah
exactly
exactly
so,
they
either
need
to
fetch
that
overpick
ss11
or
they
just
get
it
from
the
file
system,
and
I
think,
for
sake
of
simplicity,
I
would
even
suggest
that
we
keep
that
as
it
is
today
the
public
certificates
because
they
are
public.
I
I
don't
see
much
reason
to
you
know
protect
the
hardcore.
A
So
so
you
have
the
certificate
and
then
you
have
the
certificate
authority
and
I
think
it
and
both
of
them
obviously
have
the
private
side
it's
right,
so
so
the
private
side,
key
of
the
certificate
authority,
also,
if
I'm
not
mistaken,
that
will
need
to
be
in
the
tpm.
So
you
can
ask
the
tpm
to
sign.
A
D
Yeah
yeah
and
this
this
is
kind
of
like
a
different
flow,
because,
at
least
in
our
use
case,
only
the
the
participant
certificate
will
reside
on
the
throne
side
and
then
the
cas
will
be
in
the
cloud
and
yeah
yeah.
We
are
planning.
A
Today,
it's
actually
easier
to
leave
the
certificates
in
the
tpm
and
just
give
them.
You
know
the
same
thing:
pkcs
you'll
figure
that
out
in
the
implementation,
though
I
don't
want
to
tell
you
how
to
how
to
do
it.
I
just
I
think
that
you
may
find
that
it's
just
as
easy
to
do.
C
D
Like
the
whole
yeah,
both
ways
are
definitely
possible,
but
but
basically
generating
csrs
and
and
otca
sort
of
logic
are
not.
You
know,
part
of
p11
specifications,
so
it's
much
higher
level.
So
anyway,
whatever
ca
solution
will
be
used,
can
consume
big
ss11
to
do
the
crypto
operations,
but
but
bill
has
or
needs
some
higher
level
software
to
let
it
be
open,
ssl
or
whatever,
to
to
actually
sign
the
csrs
and
whatnot
but
yeah.
D
C
So
I
think
I
was
working
on
sros
one.
I
was
looking
at
other
key
management
tools
and
I'm
trying
I'm
trying
to
look
at
what
it
was,
but
there's
a
rather
large
open
source
project
for
key
management.
Stuff,
like
everything
from
you
know,
your
your
classic
certificate
authority
chain
management
to
stuff
more
advanced.
Like
token
generation.
C
I
always
thought
it
would
be
kind
of,
if,
like
maybe
sros,
just
kind
of
hooked
into
something
else
where,
if
you
wanted
to
really
like
do
this
on
industrial
scales,
that
esross
would
sort
of
be
a
client
in
that
relationship
in
requesting
certificates
or
submitting
certificate
requests,
and
you
can
either
host
that
locally.
C
If
you're
just
doing
this
one-off
thing
with
a
small
platform,
but
you
could
also
point
it
at
your
corporate
hosting
of
the
tool
so
yeah
that
that
might
be
one
way
of
of
managing
this
certificate
allocation,
revocation
at
scale.
D
D
C
I
I
had
an
earlier
project
called
keyment,
which
a
lot
of
the
stuff
we're
using
now
kind
of
drives,
but
the
the
idea
with
ikea.
It
was
like
similar
to
event
where
you
had
a
workspace
for
your
key
material,
and
you
had
like
a
you,
had
a
source
file
without
all
the
configurations.
That
would
be
where
you
encode
the
permissions,
the
structures
for
your
certificate
authorities
and
who
you
want
what
to
sign.
C
Then
you
would
have
your
build
where
you
would
generate
all
the
certificate
requests,
signing
requests
and
intermittent
key
material
so
that
the
private
keys
would
be
generated,
but
the
certificates
wouldn't
be
signed
and
then
you'd
have
like
your
install
folder,
which
would
have
all
the
final
resulting
files,
but
having
that
level
of
like
different
directories
for
intermittent
stages
of
your
key
store
was
kind
of
helpful.
Because
then
you
could,
you
know,
pull
in
any
other
external
tool
that
can
work
with
the
file
system
to
manage
your
key
material.
A
A
Think
we're
on
a
great
path.
I
think
probably
the
next
step
is,
if
you
guys
are
up
for
it
to
actually
propose
some.
You
know,
design
updates,
yeah,
just
simpler
is
better,
I
think
so.
The
idea
of
just
simply
having
and
recognizing
a
p11
file-
that's
a
uri,
I
think
is
is
really
is,
is
really
straightforward.
It's
a
clean
solution.
A
You
know
how
how
you
actually
implement
it
and
how
we
tool
sros
2,
can
be
a
separate
discussion
right
because
I
think
there's
a
bunch
of
different
use
cases
that
can
derive
from
this
one
of
them
being
keeping
the
key
in
the
key
store.
I
think
another
one
is
imagine
if
your
ca
was
on
a
physical
device,
you
plug
it
into
the
robot
to
have
it
generate.
You
know
its
own
keys
and
then
you
pull
it
off.
So
essentially,
you
use
some
physical
to
have
a
robot
join
a
swarm
like
all
that
becomes
enabled.
A
I
think
with
with
this.
So
so
I
think
the
next
step
again
is
to
update
designs,
if
you,
if
you
guys,
agree
in
it.
So
if
you're
up
for
that,
you
know
just
ping
us.
I
think
on
on
chat
as
you
get
stuff
and
and
we'll
just
continue,
commenting
on
it
asynchronously
there.
D
A
So
the
only
thing,
the
only
question
that
I
have
for
you
is
it
seems
like
all
these
updates
can
be
made
in
the
middleware
itself.
Is
there
anything
that
we
should.
E
D
Yeah
so
yeah,
I
think
the
requirement
is
pretty
much
says
that,
as
you
said,
because
11
uris
needs
to
be
supported
and
obviously
those
crypto
operations
that
we
require,
which
was,
I
think,
just
rsa,
was
it
pss
signing
scheme
and
yeah
key
creation,
but
but
it's
very
basic
concept
and
I
I
cannot
think
of
any
any
vendor
middleware.
That
would
not
support
this.
D
So
we
kind
of
discussed
what
would
be
the
reference
implementation
and
there
is
this
open
source
project
called
openhsm
and
or
software.
I'm
sorry,
soft
hsn,
which
is
basically
a
software
mock-up
of
a
hardware
security
module
and
it
has
big
it
works
as
a
big
s11
back-end.
So
if
we
get
it
working
with
this,
it
should
pretty
much
work
with
any
any
commercially
available
solution
as
well.
B
So
maybe
just
if,
if
ezros
finally
does
support
this,
the
only
thing
that
I
can
think
of
is
for
the
middleware
vendors
to
be
aware
of
it,
so
that
they
at
least
they
can
sanitize
their
the
properties
in
the
security
properties.
B
Being
a
word
that
now
not
only
file
your
eyes
would
be
available,
but
also
because
you're,
single
and
your
eyes
so
that
at
least
they
can,
if
they
are
not
supporting
this,
at
least
they
can,
you
know,
fall
back
or
or
exit
there,
gracefully.
Somehow,
I'm
not
trying
to
open
a
path
that
will
it's
not
a
path.
A
So
they
knew
we're
running
a
long
bit
long,
but
only
throw
it
out
there
is.
We
have
a
ta
there's
a
tsc
meeting
scheduled
for
next
week
next
thursday.
I
wonder
if
it
might
be
worthwhile
to
for
either
of
you
or
both
of
you
to
actually
present
just
at
a
high
level.
What's
going
on
and
that
becomes
you
know,
a
notification
that
you
know,
there's
there's
a.
B
B
D
A
E
A
Yeah,
the
tsc
meeting
is
thursday,
the
17th
it's
11
30
eastern
time,
so
it's
a
half
an
hour
before
this
meeting
as
far
as
time
of
day,
depending
on
your
time
zone.
It's
so
I
can
just.
I
can
add
that
onto
the
agenda.
A
If
you'd,
like
you
know,
if
brian
has
time
on
the
agenda,
then
he
can
just
present
on
the
plan.
Then.
A
Maybe
I'm
wrong,
but
I
think
it's
fair
just
to
let
the
community
know
that
we're
going
to
be
supporting
this.
I
think
it's
a
really
neat
feature
and
also,
if
you
have
any
concerns
about
any
other
compatibility
issues,
that's
the
place
to
air
that.
E
I
guess
one
concern
I
have
is
not
every
like
vendor
dds
vendor
is
on
the
psc
and
and
like
it.
I'm
not
sure
that
is
the
one
way
to
communicate,
changes
that
are
expected
to
be
supported
by
various
middlewares,
not
that
it
should
not
be
presented
to
the
tfc,
but,
like
I
believe
there
is
a
team
on
github
or
something
or
like
a
group
on
this
course
with
people
from
various
dds
vendor
companies
and
like.
E
I
think
this
should
be
tagged
on
whatever
design
is
suggested
and
and
then
like
put
in
a
actually
full-fledged
discord
post
instead
of
for
the
community
to
have
to
go
through
the
tsc
meeting.
Notes
to
be
able
to
find
out
that
this
is
happening.
A
Okay,
yeah
great
point
so,
and
maybe
I'm
rushing
this
a
little
bit.
Maybe
you
want
to
flush
it
out
a
little
bit
more,
so
I'll
just
leave
that
out
there.
If,
if
at
some
point
you
want
to
present
this
to
the
tsc,
but
otherwise
you
know
we
flush
it
out
on
on
discourse
or
I
think
there
is
a
just
a
little
bit
of
it
yeah
socialization
of
it.
I
just
leave
it
at
that.
A
Community,
okay,
so
I'll
leave
it
at
that.
If,
if
you're
interested
in
you
know
getting
on
the
tsc
agenda,
we
can
do
that,
but
I
think,
like
mikhail
pointed
out,
there's
probably
other
places
where
we
need
to
socialize
it
as
well,
and
part
of
that
will
probably
be
if
you
put
out
a
design
doc
update,
making
sure
that
gets
visibility
as
well.
So
but
again,
I
think
it's
really
really
neat
feature
there.
D
A
So
I'm
gonna
I'll
actually
defer
to
mikhail,
because
I
know
you
did
this
recent
most
recently
with
the
updates
for
for
for
the
enclave
changes.
E
I
don't
remember
exactly
what's
in
there,
but
my
guess
is
that
there
is
one
explaining
how
key
like
security
material
is
retrieved,
and
so
I
think,
a
pull
request
modifying
that
one
to
just
add
the
option
for
pkcs
and
explaining
how
it's
gonna
work
would
be
the
good
place
to
start
and
then,
like
just
drop.
A
note
like
on
the
matrix
chart-
or
I
think
like
most
of
us
may
be
watching
that
repo.
So
we
will
then
like
iterate
on
it
and
and
then
it's
gonna
be
open
robotics.
E
That
will
like
do
the
final
like
approval
or
merging,
but
I
guess
the
security
working
group
would
be
the
like.
The
people
literating
on
it.
Okay,.
A
So
so
I
think
great
discussion
again.
I
just
want
to
move
on
to
the
real.
Briefly
to
the
last
item
I
had
on
the
agenda,
there's
a
I
opened
up
a
pull
request
for
the
raws
to
documentation,
I'll
drop
the
link
in
there.
If
you
get
a
chance
to
review
that
I'd
really
appreciate
it.
This
takes
the
documentation
for
using
security,
that's
in
the
sros
2
repo
and
adds
it
to
the
the
the
raws
tutorials.
A
I
just
want
to
get
more
visibility
about
security,
and
then
I
created
a
tutorial
section
for
security
that
that
takes
again
some
of
the
content
from
srs2,
but
I
also
added
a
more
detail
about
the
rost2
keystore
and
that
should
explain
as
well
about
enclaves
and
a
little
bit
about
validating
signatures
on
things
in
the
key
store
and
the
point
there
was
that's
where
I
see
potentially
some
problems
arising.
A
So
I
wanted
folks
to
understand
how
to
troubleshoot
and
validate
the
the
certificates,
and
then
I
also
added
a
section
on
network
traffic.
That's
just
me
because
to
me
the
truth
is
in
the
packets,
so
I
wanted
just
a
real
quick
like
this
is
how
you
can
see
that
the
packets
are
encrypted
and
stuff
like
that,
so
some
other
minor
changes
and
whatnot.
A
So
if
you
get
a
chance
to
review
it,
it's
a
rather
large
documentation,
update
larger
than
I
wanted,
but
I
really
wanted
to
kind
of
keep
all
that
stuff
together.
So
comments.
Welcome
on
that
when
you
get
a
chance.
E
That
is
super
cool.
How
how
do
you
see
it
in
the
future?
Like
would
the
estrus
2
repo
point
to
the
documentation-
and
we
just
like-
saw
everything
there?
Yes,
yeah.
A
I
I
I
I
would
prefer
that
just
in
my
experience
I
always
start
on
the
stuff.
That's
on
yeah
the
ros
documentation
site.
So.
A
So
they're
versioned
nicely
now
that
you
can
add
it
into
rolling
and
yeah.
So
so
we
can
keep
everything
in
sync
and
not
have
to
worry
about
maintaining
the
different
versions
and
whatnot.
So.
A
Okay,
so
hopefully
I've
been
faithful
to
the
content.
There
is
one
to
do
under
there,
where
there's
the
example
about
using
security
across
two
machines,
which
right
now
uses
copying
files.
You
know
copying
the
entire
key
store.
I
would
rather
just
copy
the
cas
over
and
then
recreate
the
enclave
on
the
other
machine,
so
that
tutorial
should
be
kind
of
updated.
I
think
to
reflect
that,
but
I
just
didn't
want
to
make
that
change
at
this
point.
A
So
so
please,
when
you
get
a
chance
to
take
a
look
at
that.
Does
anybody
have
anything
else
that
you
want
to
cover
today.
A
All
right,
so
silence
is
golden.
So
with
that
I'll
go
ahead
and
call
it
a
wrap
and
again
I'll
update
the
meeting
minutes,
put
out
a
pull
request
and
drop
a
link
on
chat
on
matrix
for
where
you'll
see
the
notes
for
this
meeting.
A
And
it's
been
good
and
we'll
see
you
next.