Creating a VxWorks-7 System With Secure User Login
Table of Contents
- 1. Introduction
- 2. Prerequisites
- 3. Related Wind River Documentation
- 4. Create and Build the VxWorks Source Build (VSB) Project
- 5. Create and Build the VxWorks Image Project (VIP)
- 6. Boot VxWorks on the Target
- 7. Create an Initial User
- 8. Login to the Target and Create a Second User
- 9. OPTIONAL: Plug a Potential Security Hole
- 10. OPTIONAL: Establish Individual User Privileges
VxWorks is a Real Time Operating System built by Wind River that supports secure user login to the VxWorks target.
This blog describes how to configure VxWorks 7 with secure user login support. Once configured, the target will require a username and
password to be supplied before access to the VxWorks kernel shell is permitted.
These instructions assume that you are using:
Wind River VxWorks 7, SR0620 installed on a Windows workstation
3 Related Wind River Documentation
For more information on these topics, refer to:
VxWorks 7 Security Programmer’s Guide
4 Create and Build the VxWorks Source Build (VSB) Project
Open a DOS shell, configure the build environment and then configure and build the project.
cd <WIND_HOME> // your installation directory wrenv -p vxworks-7 cd <YOUR_WORKSPACE> // your workspace vxprj vsb create users_vsb -bsp vxsim_windows -smp -force -S cd users_vsb // your VSB directory vxprj vsb add USER_MANAGEMENT // add the user management layer to the VSB vxprj vsb add USER_MANAGEMENT_POLICY vxprj vsb add USER_MANAGEMENT_USER_PRIVILEGES make -j 32 // build the VSB
5 Create and Build the VxWorks Image Project (VIP)
Create the VxWorks image project (VIP) as follows.
cd .. vxprj create -smp vxsim_windows users_vip -profile PROFILE_DEVELOPMENT -vsb users_vsb cd users_vip vxprj vip bundle add BUNDLE_STANDALONE_SHELL vxprj vip component add INCLUDE_USER_DATABASE vxprj vip component add INCLUDE_SHELL_SECURITY vxprj vip component add INCLUDE_LOGIN_POLICY vxprj parameter set UDB_STORAGE_PATH "\"host:vxUserDB.txt"\" vxprj parameter set UDB_PROMPT_INITIAL_USER TRUE vxprj parameter set meta_UDB_HASH_KEY "\"\x48\x61"\" vxprj build
Make sure you rename meta_UDB_HASH_KEY as UDB_HASH_KEY, and use your own unique security hash key. A key length of 256 bytes
is recommended. This hash key secures the contents of the user database text file.
6 Boot VxWorks on the Target
cd default vxsim
Once the target has booted, you will see the kernel shell appear.
7 Create an Initial User
Your first task will be to create an initial username and password. You will be asked to enter the password twice.
** Creation of initial user ** Initial user's login:
VxWorks will then ask you to login using the initial username and password you just defined.
The target is now configured to require those login details before kernel shell access is permitted on the target.
8 Login to the Target and Create a Second User
Login to the target using the initial username and password you defined above.
From the kernel shell, create a second login to the target and then logout.
[vxWorks *]# C -> userAdd "harmonicss", "harmonicss" value = 0 = 0x0 -> logout login:
The VxWorks target now supports two separate user logins. You can now use either login to access the kernel shell at boot time.
In this example, the encrypted user database file is located in the VIP default directory (users_vip\default\vxUserDB.txt)
and VxWorks accesses this file to validate login attempts on this target.
VxWorks allows you to manage users by defining user groups, monitoring login times, setting permitted login times, and updating
and deleting user accounts. For more details about VxWorks user account management, refer to the VxWorks Security Programmer’s Guide.
9 OPTIONAL: Plug a Potential Security Hole
If you delete the user database file vxUserDB.txt, then at boot time VxWorks will revert to the state of requesting the setting up of a new
initial user. This is a potential security hole that you will need to resolve if you are building a highly secure VxWorks system that
includes the standard VxWorks kernel shell (many secure systems do not). One strategy would be to store this file locally on the target in an
encrypted file system partition that system users cannot easily access.
10 OPTIONAL: Establish Individual User Privileges
VxWorks gives you the option to tightly control the kernel shell activities permitted for each user. This is called adding
user privileges. To achieve this, add the following additional VIP settings:
cd .. vxprj vip component add INCLUDE_USER_PRIVILEGES vxprj vip parameter set PRIVILEGE_MANIFEST_PATH "\"host:\privilege_manifest\prvlgManifest.txt"\"
Locate and open the privilege manifest text file. Review the instructions at the top of the file and modify the contents of
the file to set the privileges for your users. Then rebuild the VIP and reboot the target.
The default privilege setting gives no permissions to any users. Once you have enabled user privileges in the VIP, unless you modify the
privilege manifest file, the kernel shell will always report a privilege error. Even though your users can login, they will not be
permitted to do anything from the kernel shell.