sys/shell: new module shell_lock

[HendrikVE]

Contribution description

This PR adds a locking mechanism to the shell, implemented by the new shell_lock module. It's not meant as a super secure system protection, it should rather be thought of as a small simple protection for demo environment purposes. For example, I recently raised a PR (#12012) for stdio over Blueooth. I might want to show a demo and control my project via bluetooth and I don't want other people to be able to connect to my device and use the shell. Using this new module you have to type in a password first. The mentioned bluetooth service only allows a single connection per device, that is an assumption that needs to be maintained, because there is only a single shell instance per device. A second user would get access to the previous unlocked shell by another user otherwise. Furthermore it's not the responsibility of this module to provide a secure channel. This needs to be done by the used communication channel, e.g. nimble in the mentioned case.
All of this doesn't mean it couldn't extended to be more secure for other purposes though.

The module shell_lock_auto_locking extends the lock mechanism by auto locking the "session" after a given timeout, which might be also interesting. Otherwise the user has to lock the shell manually by calling the added lock-command within the shell.

Testing procedure

Simply run the default application on a board. A test configuration is set in the Makefile.

[fjmolinas]

What PR is this waiting for @HendrikVE ?

[HendrikVE]

Basically, it is/was waiting for the shell refactoring PRs. Its primary use case is given once #12012 is merged. Technically I could probably do a rebase by now. I will try to do that on the weekend, but I'm not sure about merging this before the use case from #12012 is given?

[HendrikVE]

Rebased and squashed! No dependency on any other PR left.

[miri64]

How is this related to #6893 and #12191?

[miri64]

(or asking differently can #12191 be closed as this PR supersedes this one?)

[HendrikVE]

#6893 is a whole security layer with different user permissions, so it's quite different from what I did.

This PR is basically the idea of #12191, but without any crypto. I guess it can be closed. If we want crypto some day, we could add it to this module.

[benpicco]

Needs a rebase, but I think this can still be useful.

[HendrikVE]

Rebased to master and cleaned the PR a little. The module now uses the SHELL_COMMAND macro to put its command into shell_commands_xfa.

[benpicco]

I've added some commits to fix locking with the telnet server.
While this is certainly not secure, it is a cleaner workaround to the GNRC TCP issue (not generating -ECONNABORTED) than #17897.

[benpicco]

If you are doing that you might as well

Suggested change

	extern void shell_lock_checkpoint(char *line_buf, int len);
	extern bool shell_lock_is_locked(void);
	#if IS_USED(MODULE_SHELL_LOCK)
	extern void shell_lock_checkpoint(char *line_buf, int len);
	extern bool shell_lock_is_locked(void);
	#else
	static inline void shell_lock_checkpoint(char *line_buf, int len)
	{
	(void)line_buf;
	(void)len;
	}
	static inline bool shell_lock_is_locked(void)
	{
	return false;
	}
	#endif

and avoid cluttering the code further down with if (IS_USED(…)) blocks

[HendrikVE]

Mh I don't see the benefit of doing this. At the moment it is in line with MODULE_SHELL_HOOKS and MODULE_SHELL_COMMANDS. Since these are just forward declarations we don't need empty definitions in case the module is not used at all.

[maribu]

This needs a rebase now, sorry.

[HendrikVE]

Thanks for the review!