Releases: worldcoin/orb-software
orb-attest/v0.2.10-c0c6f49
feat(attest): SE050 key migration selection at startup (#1226)

On startup, check whether `worldcoin-se050-provision.service` is active (via systemd D-Bus) to decide which key set to use. If migrated keys are present, wait for the backend to become reachable, then attempt a token round-trip with the migrated key. If the backend does not yet have the key registered, submit an NXP-attested proof and poll for up to 60 s until the backend accepts the migrated key. Expose the result as `new_keys_active` on the `AuthTokenManager1` D-Bus interface for listeners.

Added feature flag to skip migration phase from current release until issues are resolved.

```
2026-06-16T20:01:37.160597Z INFO orb_attest: worldcoin-se050-provision.service not active, using legacy keys
2026-06-16T20:01:37.174423Z INFO orb_attest: iris-code pubkey symlink: /usr/persistent/se/keystore/active_iris_code_pubkey.bin -> sss_70000002_0002_0040.bin
```

With feature flag on test orb with migrated keys:

```
2026-06-16T20:35:50.174936Z INFO orb_attest: backend already accepts migrated keys
2026-06-16T20:35:50.200215Z INFO orb_attest: iris-code pubkey symlink: /usr/persistent/se/keystore/active_iris_code_pubkey.bin -> sss_60000002_0002_0040.bin
```
orb-attest/v0.2.10-2e41303
chore(dogd): add how long it took socket to show up (#1265) help us see how much of an issue this is across multiple services
orb-attest/v0.2.10-tmp.3
Full Changelog: orb-attest/v0.2.10-2e41303...orb-attest/v0.2.10-tmp.3
orb-attest/v0.2.10-6420083
feat(dogd): handle backpressure (#1261)

## changes

introduces backpressure handling to avoid issue seen when burst emitting full queue of metrics

[image: screenshot attached to the PR]

limits metrics to 25/50ms (500/s). this should avoid the errno 11 seen in the image above, most likely caused by multiple clients overwhelming the socket/agent.

## drawbacks

if we add any metrics where the _emitting itself_ (not the value of the metric) is time sensitive, this could cause issues if we have a hot loop. worst case scenario we deviate a bit on distribution of some metric time buckets up to 5s. if this becomes an issue we might prefer to drop sending these metrics
orb-mcu-util/v0.7.3-e95507f
feat: mcu-util signup cmd (#1255) It mimics the actions performed by orb-core during a signup. Required for the temperature testing.
orb-mcu-util/v0.7.3-tmp.0
chore(hil): install lsof on HILs (#1256)
orb-connd/v0.1.1-beta.2
fix(connd): allow CAN (#1247) Grant `CAP_NET_RAW` for orb-connd in order to power-cycle the LTE modem through orb-mcu-util
orb-ui/v0.0.3-tmp.2
feat(zenorb): configurable session open retry (#1244) will help provide greater resilience when trying to establish initial connection through zenoh
orb-update-verifier/v0.3.0-beta.6
feat(hardening): per-service least-privilege users (#1198)
# Motivation
All Worldcoin Orb services previously ran as the worldcoin user, which has root-equivalent privileges on the system. This PR replaces that model with dedicated, least-privilege system accounts for each service. Each account receives only the Linux capabilities, filesystem access, and supplementary groups required for its specific function — nothing more.

Four services are hardened in this PR. Other services will be addressed in a separate workstream.
# Services hardened
## orb-attest
Changes:
- Runs as dedicated orb-attest user/group
- Added to worldcoin-dbus group for session bus socket access (/tmp/worldcoin_bus_socket)
- Ambient + bounding capability set reduced to CAP_NET_RAW only (required by orb-mcu-util for raw CAN-FD socket to reboot security MCU)
- Device access restricted: only `/dev/i2c-*` and char-tee
- Address families restricted to `AF_INET AF_INET6 AF_UNIX AF_CAN`
## orb-backend-status
Changes:
- Runs as dedicated orb-backend-status user/group
- Added to worldcoin-dbus group for session bus socket access
- Zero capabilities (AmbientCapabilities=, CapabilityBoundingSet=) — this service needs none
- PrivateDevices=yes (no device access required)
- Address families restricted to `AF_INET AF_INET6 AF_UNIX`
## orb-connd
Changes:
- Runs as dedicated orb-connd user/group
- Added to netdev group: wpa_cli accesses the wpa_supplicant control socket at /var/run/wpa_supplicant/wlan0 (udev: GROUP=netdev MODE=0660)
- Added to tee group: on Diamond, orb-connd spawns itself as the orb-ss-connd-nmprofiles subprocess for OP-TEE secure storage. The subprocess inherits supplementary groups across fork()+exec(), so the parent must hold the tee group membership.
- PrivateDevices=no, DeviceAllow=char-tee rw for Diamond OP-TEE path
- PrivateTmp=no — session D-Bus socket lives at /tmp/worldcoin_bus_socket; a private tmpfs would hide it
## orb-update-verifier
Changes:
- Previously ran as root; now runs as dedicated orb-update-verifier user/group
- Added to tty group for orb-mcu-util UART access (/dev/ttyTHS*)
- Ambient + bounding capabilities scoped to exactly what's needed:
  - CAP_NET_RAW — CAN-FD SOCK_RAW socket for orb-mcu-util
  - CAP_LINUX_IMMUTABLE — clear FS_IMMUTABLE_FL on EFI variable files
  - CAP_FOWNER — efivarfs FS_IOC_SETFLAGS ioctl requires passing the inode ownership check; since EFI vars are owned by root and we are not root, CAP_FOWNER is required alongside CAP_LINUX_IMMUTABLE
  - CAP_DAC_OVERRIDE — write to PMC sysfs nodes (/sys/devices/platform/*/c360000.pmc/rootfs_retry_count_*) currently owned by root. TODO: replace with a udev rule setting GROUP=orb-slot on those nodes.
- ProtectKernelTunables=no — service must write to /sys/firmware/efi/efivars/ and PMC sysfs; these would be blocked by the strict /sys read-only bind mount
- ReadWritePaths carved out for EFI vars and both known PMC sysfs paths
- Address families restricted to AF_UNIX AF_CAN
# Testing
- Tested each service and its functionality
- Tested a mock signup
- Tested OTA from the hardened PR version to something else
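As an added illustration (not the project's own unit file), the orb-update-verifier settings listed above map onto systemd unit directives as follows; the `ExecStart` path and the concrete PMC sysfs directory are placeholders, since the release notes only give the glob pattern:

```ini
# Illustrative sketch of the orb-update-verifier hardening described above.
# NOT the project's unit file; ExecStart and the PMC path are assumptions.
[Unit]
Description=orb-update-verifier (least-privilege sketch)

[Service]
# Dedicated account instead of root
User=orb-update-verifier
Group=orb-update-verifier
# tty: UART access for orb-mcu-util (/dev/ttyTHS*)
SupplementaryGroups=tty

# Bounding and ambient sets hold exactly the four capabilities listed,
# so the process can never regain anything outside this set
CapabilityBoundingSet=CAP_NET_RAW CAP_LINUX_IMMUTABLE CAP_FOWNER CAP_DAC_OVERRIDE
AmbientCapabilities=CAP_NET_RAW CAP_LINUX_IMMUTABLE CAP_FOWNER CAP_DAC_OVERRIDE

# Only CAN-FD raw sockets and local D-Bus/Unix sockets are needed
RestrictAddressFamilies=AF_UNIX AF_CAN

# The service must write EFI variables and PMC sysfs nodes; the strict
# read-only /sys bind mount from ProtectKernelTunables=yes would block that
ProtectKernelTunables=no
ReadWritePaths=/sys/firmware/efi/efivars
# Placeholder: the notes quote /sys/devices/platform/*/c360000.pmc/
# rootfs_retry_count_*; ReadWritePaths= takes literal paths, not globs
ReadWritePaths=/sys/devices/platform/PLACEHOLDER/c360000.pmc

ExecStart=/usr/bin/orb-update-verifier

[Install]
WantedBy=multi-user.target
```

`systemd-analyze security orb-update-verifier.service` scores the resulting sandbox and lists each directive still left open, which is a quick way to confirm the unit matches the intent in the PR description.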
orb-update-agent/v6.0.4-b04335c
feat(gondor): cleanup gondor invocations (#1241)

* `supervisor`: instead of wrapping another python script, sanitizes the input, and exports it to systemd
* `orb-hil`: instead of calling gondor, use `zorb` from the runner to query supervisor's job
* `update-agent`: consume `version_overwrite`, if that is provided, overwrite `/etc/os-release` with that value.

The `gondor` binary will be removed from `development` builds, and be replaced by an alias to `zorb` querying `supervisor`. This is a development feature to quickly allow developers to OTA to whatever they wish.

PR is spread across commits touching the different crates separately.