add how to use ros2cli with security enclaves. (#4900) (#4907)
Signed-off-by: Tomoya Fujita <Tomoya.Fujita@sony.com>
(cherry picked from commit 65868a5)

Co-authored-by: Tomoya Fujita <Tomoya.Fujita@sony.com>
mergify[bot] and fujitatomoya authored Dec 17, 2024
1 parent ce912f6 commit e5f3d9c
Showing 1 changed file with 59 additions and 1 deletion.
60 changes: 59 additions & 1 deletion source/Tutorials/Advanced/Security/Introducing-ros2-security.rst
Expand Up @@ -241,7 +241,65 @@ Note: You can switch between the C++ (demo_nodes_cpp) and Python (demo_nodes_py)

These nodes are able to communicate because we have created the appropriate keys and certificates for them.

Leave both nodes running as you answer the questions below.
Leave both nodes running as you use ``ros2cli`` and answer the questions below.


6\. Use ``ros2cli`` with security
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

To use ``ros2cli`` to iterate with ROS 2 secured network, you need to provide it with override enclave by ``ROS_SECURITY_ENCLAVE_OVERRIDE`` environmental variable.
Open an another terminal and set up the following environmental variables.

.. tabs::

.. group-tab:: Linux

.. code-block:: bash
export ROS_SECURITY_KEYSTORE=~/sros2_demo/demo_keystore
export ROS_SECURITY_ENABLE=true
export ROS_SECURITY_STRATEGY=Enforce
export ROS_SECURITY_ENCLAVE_OVERRIDE=/talker_listener/listener
.. group-tab:: MacOS

.. code-block:: bash
export ROS_SECURITY_KEYSTORE=~/sros2_demo/demo_keystore
export ROS_SECURITY_ENABLE=true
export ROS_SECURITY_STRATEGY=Enforce
export ROS_SECURITY_ENCLAVE_OVERRIDE=/talker_listener/listener
.. group-tab:: Windows

.. code-block:: bat
set ROS_SECURITY_KEYSTORE=%cd%/demo_keystore
set ROS_SECURITY_ENABLE=true
set ROS_SECURITY_STRATEGY=Enforce
set ROS_SECURITY_ENCLAVE_OVERRIDE=/talker_listener/listener
Now you can use ``ros2cli`` to communicate with ROS 2 secured network.

.. code-block:: bash
ros2 node list --no-daemon --spin-time 3
[INFO] [1733862009.410918416] [rcl]: Found security directory: /root/ros2_ws/colcon_ws/demo_keystore/enclaves/talker_listener/talker
/listener
/talker
.. code-block:: bash
ros2 topic list --no-daemon --spin-time 3
[INFO] [1733861998.562163611] [rcl]: Found security directory: /root/ros2_ws/colcon_ws/demo_keystore/enclaves/talker_listener/talker
/chatter
/parameter_events
/rosout
.. note::

Avoid using ros2 daemon because it may not have security enclaves, and enough time duration should be given for the discovery in ROS 2 secured network.


Take the Quiz!
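Review bot: the sample output in the two ``ros2 node list`` / ``ros2 topic list`` blocks contradicts the environment set up just above it: the CLI is configured with ``ROS_SECURITY_ENCLAVE_OVERRIDE=/talker_listener/listener``, yet the logged line reads ``Found security directory: /root/ros2_ws/colcon_ws/demo_keystore/enclaves/talker_listener/talker``, and that keystore path does not match the ``~/sros2_demo/demo_keystore`` exported on Linux/macOS either. Please recapture the output from a session that uses the documented variables, or fix the variables, so a reader can tell whether their setup actually loaded the intended enclave. Two wording fixes in the introductory paragraph: ``iterate with ROS 2 secured network`` should read ``interact with the secured ROS 2 network``, and ``Open an another terminal`` should be ``Open another terminal``; ``provide it with override enclave by`` would read better as ``tell it which enclave to use via the``. The note at the end could state the mechanism rather than a possibility: the daemon is a separate long-running process that keeps the environment it was started with, so it will not see the override and the keystore set in this terminal, which is why ``--no-daemon`` is passed and why ``--spin-time`` must be long enough for secure discovery to complete. Finally, since the CLI is reusing the listener's enclave, it inherits exactly the listener's permissions; it may be worth a sentence saying so, and pointing out that a dedicated enclave for tooling is the least-privilege option when the tutorial moves beyond the demo.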
