secubox-openwrt/package/secubox/secubox-master-link
CyberMind-FR 8015d790e0 feat(cloner): Add SecuBox Station Cloner/Deployer
Host-side orchestrator (secubox-clone-station.sh):
- Dual USB serial control with MOKATOOL integration
- ASU API firmware building for clone images
- TFTP serving with auto-generated U-Boot commands
- Full workflow: detect → pull → flash → verify

On-device CLI (secubox-cloner):
- Build ext4 images for same device type
- TFTP server management via dnsmasq
- Clone token generation with auto-approve
- Integration with master-link mesh onboarding

First-boot provisioning (50-secubox-clone-provision):
- Partition resize to full disk (parted + resize2fs)
- Master discovery via mDNS/network scan
- Automatic mesh join with pre-approved tokens

Master-link enhancements:
- ml_clone_token_generate() for 24h auto-approve tokens
- ml_token_is_auto_approve() for token type detection
- Auto-approve logic in join request handler

SecuBox CLI additions:
- secubox clone (build, serve, token, status, list, export)
- secubox master-link (status, peers, token, join, approve)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-08 06:52:59 +01:00
files      feat(cloner): Add SecuBox Station Cloner/Deployer             2026-02-08 06:52:59 +01:00
Makefile   feat(master-link): Add secure mesh onboarding packages        2026-02-03 06:15:47 +01:00
README.md  docs(master-link): Add README for both master-link packages  2026-02-03 07:16:22 +01:00

SecuBox Master-Link

Secure mesh onboarding for SecuBox appliances. A master node generates one-time join tokens, serves the secubox IPK bundle, and approves new peers via blockchain-backed trust. Supports gigogne (nested) hierarchy where approved nodes can become sub-masters.

Overview

  MASTER (depth 0)
  ├── Peer A (depth 1)
  ├── Sub-Master B (depth 1)
  │   ├── Peer C (depth 2)
  │   └── Peer D (depth 2)
  └── Peer E (depth 1)

Installation

opkg install secubox-master-link luci-app-master-link

Configuration

# /etc/config/master-link

config master-link 'main'
    option enabled '1'
    option role 'master'          # master | peer | sub-master
    option upstream ''            # upstream master IP (peers/sub-masters)
    option depth '0'              # gigogne depth (0 = root master)
    option max_depth '3'          # max nesting depth
    option token_ttl '3600'       # token validity in seconds
    option auto_approve '0'       # auto-approve join requests
    option ipk_path '/www/secubox-feed/secubox-master-link_*.ipk'

Join Protocol

  1. Master generates token — one-time HMAC-SHA256 token with TTL
  2. New node opens landing page — http://<master>:7331/master-link/?token=...
  3. New node downloads IPK — token-validated download via /api/master-link/ipk
  4. New node sends join request — fingerprint + address submitted to master
  5. Master approves — TOFU key exchange, blockchain block recorded, peer added to mesh
  6. Optional: promote to sub-master — approved peer can onboard its own peers
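The token properties relied on in steps 1 and 3 (HMAC-SHA256, time-limited, one-time use) and the auto-approve clone tokens from the commit message, modelled as an added example; this is not the project's own code, and the token layout, the "clone" kind and the TokenStore class are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets
import time

# Constructed model of the master-link token lifecycle (not the project's wire format):
#   <id>.<expiry>.<kind>.<hex HMAC-SHA256 over "id.expiry.kind">
# The MAC binds expiry and kind, so a node cannot extend its own TTL or upgrade a
# plain join token into an auto-approve one.
class TokenStore:
    def __init__(self, secret: bytes, token_ttl: int = 3600):
        self.secret = secret            # master-only HMAC key
        self.token_ttl = token_ttl      # mirrors option token_ttl
        self.issued = {}                # id -> expiry (pending tokens on the master)
        self.consumed = set()           # ids already redeemed (one-time use)

    def _sign(self, body: str) -> str:
        return hmac.new(self.secret, body.encode(), hashlib.sha256).hexdigest()

    def generate(self, kind: str = "join", ttl=None, now=None) -> str:
        now = time.time() if now is None else now
        ttl = self.token_ttl if ttl is None else ttl
        tid = secrets.token_hex(8)      # random id: the secret part the joiner presents
        expiry = int(now) + ttl
        body = f"{tid}.{expiry}.{kind}"
        self.issued[tid] = expiry
        return f"{body}.{self._sign(body)}"

    def validate(self, token: str, now=None):
        """Return (ok, kind_or_reason). MAC first, then TTL, then one-time use."""
        now = time.time() if now is None else now
        try:
            tid, expiry, kind, mac = token.split(".")
        except ValueError:
            return False, "malformed"
        body = f"{tid}.{expiry}.{kind}"
        if not hmac.compare_digest(mac, self._sign(body)):
            return False, "bad_mac"     # rejected before any state is consulted
        if tid not in self.issued:
            return False, "unknown"     # never issued here, or already cleaned up
        if now > int(expiry):
            return False, "expired"
        if tid in self.consumed:
            return False, "already_used"
        self.consumed.add(tid)          # redeem: a replayed token now fails
        return True, kind

def is_auto_approve(token: str) -> bool:
    """Auto-approve tokens are distinguished by their signed kind field."""
    parts = token.split(".")
    return len(parts) == 4 and parts[2] == "clone"
```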

CGI Endpoints

All served on port 7331 under /api/master-link/.

Endpoint   Method  Auth          Description
/token     POST    Local only    Generate join token
/join      POST    Token         Submit join request
/approve   POST    Local only    Approve/reject peer
/status    GET     Public/Local  Mesh status
/ipk       POST    Token         Download secubox IPK

RPCD API

ubus call luci.master_link status '{}'
ubus call luci.master_link peers '{}'
ubus call luci.master_link tree '{}'
ubus call luci.master_link token_generate '{}'
ubus call luci.master_link approve '{"fingerprint":"...","action":"approve"}'
ubus call luci.master_link approve '{"fingerprint":"...","action":"reject","reason":"..."}'
ubus call luci.master_link approve '{"fingerprint":"...","action":"promote"}'
ubus call luci.master_link token_cleanup '{}'

Blockchain Block Types

Type             Description
join_request     New node requesting to join
peer_approved    Master approved peer
peer_rejected    Master rejected peer
peer_promoted    Peer promoted to sub-master
token_generated  Audit: token was created

Security

  • Tokens: HMAC-SHA256, one-time use, time-limited (default 1h)
  • TOFU: First join establishes trust via fingerprint exchange
  • Depth limiting: max_depth prevents unbounded nesting
  • Chain integrity: All actions recorded as blockchain blocks
  • Audit trail: Token lifecycle and peer events queryable via chain

Dependencies

  • secubox-p2p — mesh networking and blockchain
  • openssl-util — HMAC token generation
  • curl — peer notification

License

Apache-2.0