trezor-firmware/core/src/apps/base.py

import storage
import storage.device
import storage.recovery
import storage.sd_salt
from storage import cache
from trezor import config, sdcard, utils, wire, workflow
from trezor.messages import Capability, MessageType
from trezor.messages.Features import Features
from trezor.messages.Success import Success

from apps.common import mnemonic
from apps.common.request_pin import verify_user_pin

if False:
    import protobuf
    from typing import Optional, NoReturn
    from trezor.messages.Initialize import Initialize
    from trezor.messages.GetFeatures import GetFeatures
    from trezor.messages.Cancel import Cancel
    from trezor.messages.LockDevice import LockDevice
    from trezor.messages.Ping import Ping


def get_features() -> Features:
    f = Features()
    f.vendor = "trezor.io"
    f.language = "en-US"
    f.major_version = utils.VERSION_MAJOR
    f.minor_version = utils.VERSION_MINOR
    f.patch_version = utils.VERSION_PATCH
    f.revision = utils.GITREV.encode()
    f.model = utils.MODEL
    f.device_id = storage.device.get_device_id()
    f.label = storage.device.get_label()
    f.pin_protection = config.has_pin()
    f.pin_cached = config.is_unlocked()
    f.passphrase_protection = storage.device.is_passphrase_enabled()

    if utils.BITCOIN_ONLY:
        f.capabilities = [
            Capability.Bitcoin,
            Capability.Crypto,
            Capability.Shamir,
            Capability.ShamirGroups,
            Capability.PassphraseEntry,
        ]
    else:
        f.capabilities = [
            Capability.Bitcoin,
            Capability.Bitcoin_like,
            Capability.Binance,
            Capability.Cardano,
            Capability.Crypto,
            Capability.EOS,
            Capability.Ethereum,
            Capability.Lisk,
            Capability.Monero,
            Capability.NEM,
            Capability.Ripple,
            Capability.Stellar,
            Capability.Tezos,
            Capability.U2F,
            Capability.Shamir,
            Capability.ShamirGroups,
            Capability.PassphraseEntry,
        ]
    f.sd_card_present = sdcard.is_present()

    # private fields:
    if config.is_unlocked():
        # While this is technically not private, we can't reliably find the value while
        # locked. Instead of sending always False, we choose to not send it.
        f.initialized = storage.is_initialized()

        f.needs_backup = storage.device.needs_backup()
        f.unfinished_backup = storage.device.unfinished_backup()
        f.no_backup = storage.device.no_backup()
        f.flags = storage.device.get_flags()
        f.recovery_mode = storage.recovery.is_in_progress()
        f.backup_type = mnemonic.get_type()
        f.sd_protection = storage.sd_salt.is_enabled()
        f.wipe_code_protection = config.has_wipe_code()
        f.passphrase_always_on_device = storage.device.get_passphrase_always_on_device()

    return f


async def handle_Initialize(ctx: wire.Context, msg: Initialize) -> Features:
    features = get_features()
    if msg.session_id:
        msg.session_id = bytes(msg.session_id)
    features.session_id = cache.start_session(msg.session_id)
    return features


async def handle_GetFeatures(ctx: wire.Context, msg: GetFeatures) -> Features:
    return get_features()


async def handle_Cancel(ctx: wire.Context, msg: Cancel) -> NoReturn:
    raise wire.ActionCancelled


async def handle_LockDevice(ctx: wire.Context, msg: LockDevice) -> Success:
    lock_device()
    return Success()


async def handle_Ping(ctx: wire.Context, msg: Ping) -> Success:
    if msg.button_protection:
        from apps.common.confirm import require_confirm
        from trezor.messages.ButtonRequestType import ProtectCall
        from trezor.ui.text import Text

        await require_confirm(ctx, Text("Confirm"), ProtectCall)
    return Success(message=msg.message)


ALLOW_WHILE_LOCKED = (
    MessageType.Initialize,
    MessageType.GetFeatures,
    MessageType.LockDevice,
    MessageType.WipeDevice,
)


def set_homescreen() -> None:
    if not config.is_unlocked():
        from apps.homescreen.lockscreen import lockscreen

        workflow.set_default(lockscreen)

    elif storage.recovery.is_in_progress():
        from apps.management.recovery_device.homescreen import recovery_homescreen

        workflow.set_default(recovery_homescreen)

    else:
        from apps.homescreen.homescreen import homescreen

        workflow.set_default(homescreen)


def lock_device() -> None:
    if config.has_pin():
        config.lock()
        wire.find_handler = get_pinlocked_handler
        set_homescreen()
        workflow.close_others()


async def unlock_device(ctx: wire.GenericContext = wire.DUMMY_CONTEXT) -> None:
    await verify_user_pin(ctx)
    # verify_user_pin will raise if the PIN was invalid
    set_homescreen()
    wire.find_handler = wire.find_registered_workflow_handler


def get_pinlocked_handler(
    iface: wire.WireInterface, msg_type: int
) -> Optional[wire.Handler[wire.Msg]]:
    orig_handler = wire.find_registered_workflow_handler(iface, msg_type)
    if orig_handler is None:
        return None

    if __debug__:
        import usb

        if iface is usb.iface_debug:
            return orig_handler

    if msg_type in ALLOW_WHILE_LOCKED:
        return orig_handler

    async def wrapper(ctx: wire.Context, msg: wire.Msg) -> protobuf.MessageType:
        # mypy limitation: orig_handler is not recognized as non-None
        assert orig_handler is not None
        await unlock_device(ctx)
        return await orig_handler(ctx, msg)

    return wrapper


def boot() -> None:
    wire.register(MessageType.Initialize, handle_Initialize)
    wire.register(MessageType.GetFeatures, handle_GetFeatures)
    wire.register(MessageType.Cancel, handle_Cancel)
    wire.register(MessageType.LockDevice, handle_LockDevice)
    wire.register(MessageType.Ping, handle_Ping)

    workflow.idle_timer.set(storage.device.get_autolock_delay_ms(), lock_device)
core: create top-level storage module This is to avoid including app-specific functionality in storage and avoid circular imports. The following policy is now in effect: modules from `storage` namespace must not import from `apps` namespace. In most files, the change only involves changing import paths. A minor refactor was needed in case of webauthn: basic get/set/delete functionality was left in storage.webauthn, and more advanced logic on top of it was moved to apps.webauthn.resident_credentials. A significant refactor was needed for sd_salt, where application (and UI) logic was tightly coupled with the IO code. This is now separated, and storage.sd_salt deals exclusively with the IO side, while the app/UI logic is implemented on top of it in apps.common.sd_salt and apps.management.sd_protect. 5 years ago			`import storage`
			`import storage.device`
			`import storage.recovery`
			`import storage.sd_salt`
			`from storage import cache`
core: introduce PIN soft-locking 4 years ago			`from trezor import config, sdcard, utils, wire, workflow`
common: rename Features.features to Features.capabilities 5 years ago			`from trezor.messages import Capability, MessageType`
src/apps: cleanup workflow modules 6 years ago			`from trezor.messages.Features import Features`
			`from trezor.messages.Success import Success`

core: create top-level storage module This is to avoid including app-specific functionality in storage and avoid circular imports. The following policy is now in effect: modules from `storage` namespace must not import from `apps` namespace. In most files, the change only involves changing import paths. A minor refactor was needed in case of webauthn: basic get/set/delete functionality was left in storage.webauthn, and more advanced logic on top of it was moved to apps.webauthn.resident_credentials. A significant refactor was needed for sd_salt, where application (and UI) logic was tightly coupled with the IO code. This is now separated, and storage.sd_salt deals exclusively with the IO side, while the app/UI logic is implemented on top of it in apps.common.sd_salt and apps.management.sd_protect. 5 years ago			`from apps.common import mnemonic`
core: introduce PIN soft-locking 4 years ago			`from apps.common.request_pin import verify_user_pin`
add touch event rotation, msg dispatcher, wallet app 8 years ago
core/typing: add annotations 5 years ago			`if False:`
core: introduce PIN soft-locking 4 years ago			`import protobuf`
			`from typing import Optional, NoReturn`
core/typing: add annotations 5 years ago			`from trezor.messages.Initialize import Initialize`
			`from trezor.messages.GetFeatures import GetFeatures`
			`from trezor.messages.Cancel import Cancel`
core: introduce PIN soft-locking 4 years ago			`from trezor.messages.LockDevice import LockDevice`
core/typing: add annotations 5 years ago			`from trezor.messages.Ping import Ping`
add touch event rotation, msg dispatcher, wallet app 8 years ago
core/typing: add annotations 5 years ago
			`def get_features() -> Features:`
apps.homescreen: respond with ~correct data, handle GetFeatures 8 years ago			`f = Features()`
src: run black 6 years ago			`f.vendor = "trezor.io"`
common: change language field to IETF BCP 47 language tag 5 years ago			`f.language = "en-US"`
embed/extmod/modtrezorutils: remove utils.symbol, use constants directly 6 years ago			`f.major_version = utils.VERSION_MAJOR`
			`f.minor_version = utils.VERSION_MINOR`
			`f.patch_version = utils.VERSION_PATCH`
core: add final mypy fixes! 5 years ago			`f.revision = utils.GITREV.encode()`
embed/extmod/modtrezorutils: remove utils.symbol, use constants directly 6 years ago			`f.model = utils.MODEL`
core: create top-level storage module This is to avoid including app-specific functionality in storage and avoid circular imports. The following policy is now in effect: modules from `storage` namespace must not import from `apps` namespace. In most files, the change only involves changing import paths. A minor refactor was needed in case of webauthn: basic get/set/delete functionality was left in storage.webauthn, and more advanced logic on top of it was moved to apps.webauthn.resident_credentials. A significant refactor was needed for sd_salt, where application (and UI) logic was tightly coupled with the IO code. This is now separated, and storage.sd_salt deals exclusively with the IO side, while the app/UI logic is implemented on top of it in apps.common.sd_salt and apps.management.sd_protect. 5 years ago			`f.device_id = storage.device.get_device_id()`
			`f.label = storage.device.get_label()`
apps/homescreen: handle Initialize.skip_passphrase TODO: tests 6 years ago			`f.pin_protection = config.has_pin()`
core: introduce PIN soft-locking 4 years ago			`f.pin_cached = config.is_unlocked()`
all: rework passphrase The `on_device` field is being moved to PassphraseAck, State messages are removed. Features newly contain `session_id`. 5 years ago			`f.passphrase_protection = storage.device.is_passphrase_enabled()`
core: hide some fields when softlocked 4 years ago
core: fill in Features.features 5 years ago			`if utils.BITCOIN_ONLY:`
common: rename Features.features to Features.capabilities 5 years ago			`f.capabilities = [`
			`Capability.Bitcoin,`
			`Capability.Crypto,`
			`Capability.Shamir,`
			`Capability.ShamirGroups,`
common, core: add passphrase entry capability 5 years ago			`Capability.PassphraseEntry,`
common: add Feature.ShamirGroups to features 5 years ago			`]`
core: fill in Features.features 5 years ago			`else:`
common: rename Features.features to Features.capabilities 5 years ago			`f.capabilities = [`
			`Capability.Bitcoin,`
			`Capability.Bitcoin_like,`
			`Capability.Binance,`
			`Capability.Cardano,`
			`Capability.Crypto,`
			`Capability.EOS,`
			`Capability.Ethereum,`
			`Capability.Lisk,`
			`Capability.Monero,`
			`Capability.NEM,`
			`Capability.Ripple,`
			`Capability.Stellar,`
			`Capability.Tezos,`
			`Capability.U2F,`
			`Capability.Shamir,`
			`Capability.ShamirGroups,`
common, core: add passphrase entry capability 5 years ago			`Capability.PassphraseEntry,`
core: fill in Features.features 5 years ago			`]`
core: add SD format dialog, generalize sdcard usage 4 years ago			`f.sd_card_present = sdcard.is_present()`
core: hide some fields when softlocked 4 years ago
			`# private fields:`
			`if config.is_unlocked():`
			`# While this is technically not private, we can't reliably find the value while`
			`# locked. Instead of sending always False, we choose to not send it.`
			`f.initialized = storage.is_initialized()`

			`f.needs_backup = storage.device.needs_backup()`
			`f.unfinished_backup = storage.device.unfinished_backup()`
			`f.no_backup = storage.device.no_backup()`
			`f.flags = storage.device.get_flags()`
			`f.recovery_mode = storage.recovery.is_in_progress()`
			`f.backup_type = mnemonic.get_type()`
			`f.sd_protection = storage.sd_salt.is_enabled()`
			`f.wipe_code_protection = config.has_wipe_code()`
			`f.passphrase_always_on_device = storage.device.get_passphrase_always_on_device()`

apps.homescreen: cleanup 8 years ago			`return f`
First apps - homepage, playground 8 years ago

core/typing: add annotations 5 years ago			`async def handle_Initialize(ctx: wire.Context, msg: Initialize) -> Features:`
core: store multiple sessions/caches at the same time 4 years ago			`features = get_features()`
			`if msg.session_id:`
			`msg.session_id = bytes(msg.session_id)`
			`features.session_id = cache.start_session(msg.session_id)`
			`return features`
apps/homescreen: handle Initialize.skip_passphrase TODO: tests 6 years ago

core/typing: add annotations 5 years ago			`async def handle_GetFeatures(ctx: wire.Context, msg: GetFeatures) -> Features:`
apps/homescreen: handle Initialize.skip_passphrase TODO: tests 6 years ago			`return get_features()`


core/typing: add annotations 5 years ago			`async def handle_Cancel(ctx: wire.Context, msg: Cancel) -> NoReturn:`
core: add default messages to some error codes 4 years ago			`raise wire.ActionCancelled`
src/apps/homescreen: handle Cancel 6 years ago

core: introduce PIN soft-locking 4 years ago			`async def handle_LockDevice(ctx: wire.Context, msg: LockDevice) -> Success:`
			`lock_device()`
core: do not clear cache on ClearSession 4 years ago			`return Success()`
src/apps: cleanup workflow modules 6 years ago

core/typing: add annotations 5 years ago			`async def handle_Ping(ctx: wire.Context, msg: Ping) -> Success:`
apps/homescreen: implement PIng.button_protection 7 years ago			`if msg.button_protection:`
			`from apps.common.confirm import require_confirm`
			`from trezor.messages.ButtonRequestType import ProtectCall`
			`from trezor.ui.text import Text`
src: run black 6 years ago
			`await require_confirm(ctx, Text("Confirm"), ProtectCall)`
src/apps/homescreen: fix typo in Ping response (#129) 6 years ago			`return Success(message=msg.message)`
src/apps/homescreen: implement {Initialize,Features}.state field, implement ClearSession handling 6 years ago

core: hide some fields when softlocked 4 years ago			`ALLOW_WHILE_LOCKED = (`
			`MessageType.Initialize,`
			`MessageType.GetFeatures,`
core: do not prompt for PIN just to lock the device again 4 years ago			`MessageType.LockDevice,`
core: hide some fields when softlocked 4 years ago			`MessageType.WipeDevice,`
			`)`
core: introduce PIN soft-locking 4 years ago

core: consider lockscreen to be a separate homescreen this involves some changes to the workflow defaults: * workflow.start_default() takes no arguments * workflow.set_default() (originally replace_default) configures the default that will be started by next call to start_default(). The intended usecase is to set_default() first and then start it separately. * apps.base.set_homescreen() factors out the logic originally in main.py, that decides which homescreen should be launched. This uses set_default() call. start_default() is then used explicitly in main.py 4 years ago			`def set_homescreen() -> None:`
			`if not config.is_unlocked():`
			`from apps.homescreen.lockscreen import lockscreen`

			`workflow.set_default(lockscreen)`

			`elif storage.recovery.is_in_progress():`
			`from apps.management.recovery_device.homescreen import recovery_homescreen`

			`workflow.set_default(recovery_homescreen)`

			`else:`
			`from apps.homescreen.homescreen import homescreen`

			`workflow.set_default(homescreen)`


core: introduce PIN soft-locking 4 years ago			`def lock_device() -> None:`
core: only softlock when PIN is set 4 years ago			`if config.has_pin():`
			`config.lock()`
			`wire.find_handler = get_pinlocked_handler`
core: make sure that auto-lock shuts down running workflows 4 years ago			`set_homescreen()`
			`workflow.close_others()`
core: introduce PIN soft-locking 4 years ago

			`async def unlock_device(ctx: wire.GenericContext = wire.DUMMY_CONTEXT) -> None:`
			`await verify_user_pin(ctx)`
			`# verify_user_pin will raise if the PIN was invalid`
core: consider lockscreen to be a separate homescreen this involves some changes to the workflow defaults: * workflow.start_default() takes no arguments * workflow.set_default() (originally replace_default) configures the default that will be started by next call to start_default(). The intended usecase is to set_default() first and then start it separately. * apps.base.set_homescreen() factors out the logic originally in main.py, that decides which homescreen should be launched. This uses set_default() call. start_default() is then used explicitly in main.py 4 years ago			`set_homescreen()`
core: introduce PIN soft-locking 4 years ago			`wire.find_handler = wire.find_registered_workflow_handler`


			`def get_pinlocked_handler(`
			`iface: wire.WireInterface, msg_type: int`
			`) -> Optional[wire.Handler[wire.Msg]]:`
			`orig_handler = wire.find_registered_workflow_handler(iface, msg_type)`
			`if orig_handler is None:`
			`return None`

			`if __debug__:`
			`import usb`

			`if iface is usb.iface_debug:`
			`return orig_handler`

			`if msg_type in ALLOW_WHILE_LOCKED:`
			`return orig_handler`

			`async def wrapper(ctx: wire.Context, msg: wire.Msg) -> protobuf.MessageType:`
			`# mypy limitation: orig_handler is not recognized as non-None`
			`assert orig_handler is not None`
			`await unlock_device(ctx)`
			`return await orig_handler(ctx, msg)`

			`return wrapper`


core: remove persistence boot and set recovery as a default workflow 5 years ago			`def boot() -> None:`
core: introduce PIN soft-locking 4 years ago			`wire.register(MessageType.Initialize, handle_Initialize)`
			`wire.register(MessageType.GetFeatures, handle_GetFeatures)`
			`wire.register(MessageType.Cancel, handle_Cancel)`
			`wire.register(MessageType.LockDevice, handle_LockDevice)`
			`wire.register(MessageType.Ping, handle_Ping)`
core: implement auto-lock after a configurable timeout (fixes #75) 4 years ago
			`workflow.idle_timer.set(storage.device.get_autolock_delay_ms(), lock_device)`