ROS 2 Humble security, a tour of the new and improved features

We’re excited about the recent release of ROS 2 Humble Hawksbill, a Long Term Support (LTS) distro, supported for the next five years. ROS 2 releases come out on every even-numbered year together with the LTS release of Ubuntu, this time with Ubuntu 22.04 (Jammy Jellyfish). 

Earlier this week, we shared a step-by-step guide to install ROS 2 Humble in Ubuntu 20.04 or 18.04 using LXD containers, that will allow you to easily install it on your current Ubuntu station. So, take a few minutes to check that out as well!

Let’s dive into the new developments available to you when you start using Humble. And if this is the first time you hear about ROS, here is a good place to start.

What is new in ROS 2 Humble?

Humble comes with a host of new code and tutorials. For instance, ‘launch’ incorporated the pytest plugin ‘launch_pytest’. And when using ‘launch_ros’ you can now provide ROS-specific node arguments directly, without a leading ‘–ros-args’ flag. ROS 2 Humble also offers new frontend support for composable nodes. Just as exciting are content-filtered topics that allow a more sophisticated subscription to topics. Finally, the ros2cli saw an expansion, with a new  ‘–launch-prefix’ argument. This feature allows passing a prefix to all executables in a launch file, useful in many debugging situations. These are just a few examples of the amazing work the ROS community has done to reach this milestone.

But particularly interesting to us are security enhancing developments, as they continuously  increase trust in ROS 2, with each release the most secure one yet. This time, we are seeing yet new enhancements to the security features of ROS with the addition of Certificate Revocation Lists (CRL) to the SROS2 toolbox. Let’s take a closer look at ROS 2 Humble security features.

What are CRLs, and what can they do for your robot?

For those of you who are new to security in ROS 2, a reminder that ROS 2 includes tools that help create and load the needed artefacts to enable DDS-security. The SROS2 package in particular provides the tools and instructions to enable these features. This is a great place to start using these tools on your robot.

Specifically, SROS2 introduced the concept of a security “enclave”, defined as a process or group of processes that will share the same identity and access control rules. As in public key infrastructure, the Certificate Authority (CA) acts as a trust anchor, validating the identities and permissions of participants. Again, there is great documentation available to satisfy your technical curiosity of all the elements in ROS 2 security, such as these tutorials.

But let us come back to CRL. In short, a Certificate Revocation List (CRL) is a list of digital certificates that have been revoked by the issuing CA before their expiration date. A CRL works essentially as a blocklist of certificates that are no longer trusted. 

As of Humble, it is possible to include a CRL with an SROS2 security enclave. 

Certificate revocation is an essential component of the certificate process to establish and maintain trust. For example, a certificate can be revoked if its integrity is at risk. This could result from a key being compromised or lost due to modification of privileges, misuse, or termination.

Try ROS 2 Humble security today 

Try this new feature for yourself now! This tutorial follows the usual talker/listener example and will show you exactly how to set up a Certificate Revocation List on your robot today.

As always, we would love to hear about your ROS project! Reach out to us.