Septentrio: Add GNSS resilience reporting

[Tory9]

What does this PR do?

This PR implements support for collecting GNSS resilience data from Septentrio receivers and relaying it to the Ground Control Station (GCS).

---

Why is this change needed?

GNSS resilience information—such as spoofing, jamming, and authentication states—is crucial for operational safety and informed decision-making. Providing this data to the GCS enhances an operator's situational awareness, allowing for better flight planning and in-flight control.

---

How is it implemented?

The Septentrio driver has been modified to:

• Auto-configure the receiver to output the SBF blocks containing resilience information (if auto-config is enabled).
• Parse these new SBF message types.
• Map the extracted data to the MAVLink GNSS_INTEGRITY message.
• Add the GNSS_INTEGRITY message to the STREAM_EXTENDED_STATUS to ensure it is sent to the GCS.

---

Related Work & Context

• PX4 Autopilot: An analogous PR has been open: PX4/PX4-Autopilot#25012
• QGroundControl: GCS support is ready and waiting to be merged mavlink/qgroundcontrol#13009
• Mission Planner: Implementation is forthcoming.
• MAVLink Message: This feature uses the GNSS_INTEGRITY message from the development dialect.

---

How has this been tested?

The feature was validated on a CubeOrange+ using a replayed SBF log file that was recorded in an environment with active jamming and spoofing.

[peterbarker]

Nice to see some effort being put in to report this stuff.

[peterbarker]

Don't bother making these locals, just throw them straight into the packet; add comments to indicate which field is being passed where things are unclear.

[peterbarker]

Diagnostics to be removed :-)

[peterbarker]

Can we make these enum-class and contained within the AP_GPS class? Would allow for dropping the extra namespacing.

[peterbarker]

Suggested change

	enum GPS_Authentication {
	AUTHENTICATION_UNKNOWN = 0, ///< The GPS receiver does not provide GPS signal authentication info
	enum Authentication {
	UNKNOWN = 0, ///< The GPS receiver does not provide GPS signal authentication info

... and move to within AP_GPS:: namespace. This reduces a lot of duplication.

The enumeration you're modelling this on is one of three enuemations we use for status type in ArduPilot - but it's also the one I believe we're trying to remove!

[peterbarker]

I'm not sure we really need these accessors, but if you do want to keep them please make them private.

[peterbarker]

I don't think this is used?

We have a no-dead-code policy which we mostly enforce....

Similarly for other "primary_instance" methods

[peterbarker]

I wonder if a static const data structure here which is iterated over might make this a bit nicer / simpler to extend later / more compact byte-wise.

[peterbarker]

This construct makes me unhappy.

At the very least you can (a) create a pointer you can index into and (b) use a reference for each of the entries in the array for pulling things out.

But I'd really also like to see a belt-and-bracers check that we don't step outside the packet here. When pointer games go wrong vehicles get lost. Right here if temp.N is corrupt (which can happen if the packets gets through the checksumming while invalid, or if the GPS device itself puts a bad value in) we could try to access memory we don't have access to and fall out of the sky. We had a similar problem with massive packet loss in this driver that we fixed with #29399

[peterbarker]

I don't know whether we will want to stream this message by default. Telemetry bandwidth is actually one of those things that doesn't seem to be growing for a lot of users!

Users can get the autopilot to start streaming the message in many ways if we don't decide to stream this by default.

[Tory9]

@peterbarker , thank you for a detailed review. I have considered your suggestions and applied some changes. I have a question about streaming this message by default. Since I'm new to ArduPilot, could you mb hint at the best way to introduce this to the community?

[MattKear]

Not a blocker but one suggestion that was raised on the dev call that that it might be worth combining all of these get functions into one function as they are all called in once in the same currently.

[MattKear]

A general comment that was made on the dev call was that it would be good if an accessor variable can be added. If the GPS is sending the relevant information then the variable is set true. That way any get functions could return early if the accessor if false.

[rmackay9]

nitpick: the brackets and else should be on the same line

[rmackay9]

Could you double check that each commit only affects a single subsystem? Also each commit should be prefixed with the subsystem affected. E.g. "AP_GPS: add xxxx"

Finally could you rebase on master to get rid of the "merge" commit?

[peterbarker]

https://ardupilot.org/dev/docs/contributing.html

[peterbarker]

https://ardupilot.org/dev/docs/mavlink-requesting-data.html

[Georacer]

Discussion on today's Dev Call:

Peter: The feature should be define-fenced for 1M flash boards.
Randy: Please split the commits into one for each subsystem.
P: What is the size-cost to the output binary when the feature is left undefined? It would be nice to have this as small as possible, ideally zero.
R: It’s very zero for small boards, it’s a lot for larger boards.
P: A couple dozen bytes extra when the feature is turned off is okay. Anything larger is a problem.
R: We also need a build option for the build server, in the build_options.py file.
Victoria: I’ve added the message on the EXTRA_3 stream, but I don’t see it in QGC.
P: Adding the message ID on the stream ID list is one way to have the message sent.
Another is to have the GCS request for this message on-demand.
QGC probably doesn’t have compiled-in
You can add a SEND_STATUSTEXT macro before the place where you try to send the message and see if this code path is being traversed.

R: If the feature is off by default, we should be streaming the message in this case.
P: Agreed.
Matt: We can have it off by default, we don’t know how much usage this feature will get.
P: It also needs a change in our Wiki, to document this feature.

[Tory9]

Hello @peterbarker,

I was thinking about the issue of memory being occupied by this feature even if it's not used, which is a problem for boards with smaller flash memory. However, on the other hand, requiring a custom build—even with the great web tool ArduPilot has—might discourage some users from using the feature.

Thus, I've implemented the following solution:

• The feature's code is excluded at compile time for boards with less than 1MB of memory.
• For boards with more memory, the feature code is included, but if the connected receiver is not a Septentrio receiver, then the message is not streamed.
• If users with smaller flash on their controller want to include the feature, they can still do so with a custom build.
  Please let me know if this approach is okay and if I correctly made the custom build implementation

[peterbarker]

Looking pretty good now!

[peterbarker]

Suggested change

	if(state[instance].has_gnss_integrity) {
	if (!state[instance].has_gnss_integrity) {
	return;
	}

... just return early if there's nothing to do

[peterbarker]

indenting problem here...

[peterbarker]

stray whitespace change

[peterbarker]

Stray whitespace change

[peterbarker]

Suggested change

	const AP_GPS_SBF::SBF_Error_Map AP_GPS_SBF::sbf_error_map[] = {
	static const AP_GPS_SBF::SBF_Error_Map AP_GPS_SBF::sbf_error_map[] {

[peterbarker]

So since these changes are outside the new AP_MAVLINK_MSG_GNSS_INTEGRITY_ENABLED, I guess these must be changes to existing behaviour?

These changes are not pulled out as a separate commit, and you haven't mentioned them anywhere, I think?

If the extent of the changes comes to "Print external error changes as they come in" then we can probably let that slide.

One thing here, 'though, is that our send-rate here is limited only to the rate at which we get messages from the external unit. That risks flooding telemetry links and making vehicles choke up on other telemetry... pre-existing in this driver, so also not a big deal.

[peterbarker]

Again, change unrelated to new functionality. I think this is probably benign, but it might just be neater to not know about the message when we're not doing integrity stuff?

[peterbarker]

Please also check that (p + temp.SBLength) -(&temp.RFBand) is < sizeof(sbf_msg).

We do not want to implicitly trust this packet to not be corrupt, even if it does pass a checksum. If temp.SBLength or tmp.N are wild then we run the risk of falling out of the sky. Which is bad.

... also, you can probably make this a lot neater by casting (const uint8_t *)&temp.RFBand to const RFStatusRFBandSubBlock &rf_band_data and incrementing that to move between the N entries, rather than adding temp.SBLength to a uint8_t*. You can use pointer subtraction on p and the &temp.RFBand similarly to my suggestion above to work out whether you're going to over-read the buffer.

[peterbarker]

Similar to the above - should we know about GALAuthStatus at all if we're not doing integrity stuff?

[peterbarker]

We'll probably change this down-the-line - we can actually use this new information you're supplying in the EKF to change how ArduPilot responds to bad GPS data. But this is fine for now.

[peterbarker]

BTW, how does this PR relate to #27891 ?

[Tory9]

@peterbarker This is an old PR opened by a former Septentrio intern. I based this PR on it but had to create a fresh one. You can safely close that one. Sorry, I should’ve mentioned it in the description of PR

[peterbarker]

@peterbarker This is an old PR opened by a former Septentrio intern. I based this PR on it but had to create a fresh one. You can safely close that one. Sorry, I should’ve mentioned it in the description of PR

Thanks.

Note that if you based your work on someone else's unmerged work it's often a good idea to add a Co-authored-by: to the commits containing their work.