arno/trezor-firmware
1
0
Fork 0
mirror of https://github.com/trezor/trezor-firmware.git synced 2025-07-26 00:18:15 +00:00
Code Issues Releases Wiki Activity

fixup! feat(core): Implement OPTIGA provisioning in prodtest.

Browse Source
This commit is contained in:
Andrew Kozlik 2023-08-03 19:10:48 +02:00
parent c539c1c439
commit 36664a9ae8
1 changed files with 48 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

60
core/embed/prodtest/main.c
View File

@ -132,6 +132,8 @@ static void vcp_write_as_hex(uint8_t *data, uint16_t len) {
} }
#ifdef USE_OPTIGA #ifdef USE_OPTIGA
static secbool is_optiga_locked(void);
static uint16_t get_byte_from_hex(const char **hex) { static uint16_t get_byte_from_hex(const char **hex) {
uint8_t result = 0; uint8_t result = 0;
@ -563,10 +565,10 @@ static void test_otp_write(const char *args) {
static void test_otp_write_device_variant(const char *args) { static void test_otp_write_device_variant(const char *args) {
#ifdef USE_OPTIGA #ifdef USE_OPTIGA
// if (sectrue != is_optiga_locked()) { if (sectrue != is_optiga_locked()) {
// vcp_printf("ERROR: NOT LOCKED"); vcp_printf("ERROR: NOT LOCKED");
// return; return;
// } }
#endif #endif
volatile char data[32]; volatile char data[32];
@ -622,7 +624,7 @@ static const uint16_t OID_KEY_FIDO = 0xE0F2;
static const uint16_t OID_KEY_PAIRING = 0xE140; static const uint16_t OID_KEY_PAIRING = 0xE140;
static const uint16_t OID_OPTIGA_UID = 0xE0C2; static const uint16_t OID_OPTIGA_UID = 0xE0C2;
bool set_metadata(uint16_t oid, const optiga_metadata *metadata) { static bool set_metadata(uint16_t oid, const optiga_metadata *metadata) {
uint8_t serialized[258] = {0}; uint8_t serialized[258] = {0};
size_t size = 0; size_t size = 0;
optiga_result ret = optiga_serialize_metadata(metadata, serialized, optiga_result ret = optiga_serialize_metadata(metadata, serialized,
@ -657,7 +659,7 @@ bool set_metadata(uint16_t oid, const optiga_metadata *metadata) {
return true; return true;
} }
bool pair_optiga(void) { static bool pair_optiga(void) {
// The pairing key may already be written and locked. The success of the // The pairing key may already be written and locked. The success of the
// pairing procedure is determined by optiga_sec_chan_handshake(). Therefore // pairing procedure is determined by optiga_sec_chan_handshake(). Therefore
// it is OK for some of the intermediate operations to fail. // it is OK for some of the intermediate operations to fail.
@ -707,7 +709,7 @@ bool pair_optiga(void) {
return true; return true;
} }
void optiga_lock(void) { static void optiga_lock(void) {
if (!pair_optiga()) { if (!pair_optiga()) {
return; return;
} }
@ -783,7 +785,41 @@ void optiga_lock(void) {
vcp_printf("OK"); vcp_printf("OK");
} }
void optigaid_read(void) { static secbool is_optiga_locked(void) {
const uint16_t oids[] = {OID_CERT_DEV, OID_CERT_FIDO, OID_KEY_DEV,
OID_KEY_FIDO, OID_KEY_PAIRING};
optiga_metadata locked_metadata = {0};
locked_metadata.lcso = OPTIGA_LCS_OPERATIONAL;
for (size_t i = 0; i < sizeof(oids) / sizeof(oids[0]); ++i) {
uint8_t metadata_buffer[258] = {0};
size_t metadata_size = 0;
optiga_result ret =
optiga_get_data_object(oids[i], true, metadata_buffer,
sizeof(metadata_buffer), &metadata_size);
if (OPTIGA_SUCCESS != ret) {
vcp_printf("ERROR: optiga_get_metadata error %d for OID 0x%04x.", ret,
oids[i]);
return secfalse;
}
optiga_metadata stored_metadata = {0};
ret =
optiga_parse_metadata(metadata_buffer, metadata_size, &stored_metadata);
if (OPTIGA_SUCCESS != ret) {
vcp_printf("ERROR: optiga_parse_metadata error %d.", ret);
return secfalse;
}
if (!optiga_compare_metadata(&locked_metadata, &stored_metadata)) {
return secfalse;
}
}
return sectrue;
}
static void optigaid_read(void) {
uint8_t optiga_id[27] = {0}; uint8_t optiga_id[27] = {0};
size_t optiga_id_size = 0; size_t optiga_id_size = 0;
@ -799,7 +835,7 @@ void optigaid_read(void) {
vcp_write_as_hex(optiga_id, optiga_id_size); vcp_write_as_hex(optiga_id, optiga_id_size);
} }
void cert_read(uint16_t oid) { static void cert_read(uint16_t oid) {
uint8_t cert[1024] = {0}; uint8_t cert[1024] = {0};
size_t cert_size = 0; size_t cert_size = 0;
optiga_result ret = optiga_result ret =
@ -813,7 +849,7 @@ void cert_read(uint16_t oid) {
vcp_write_as_hex(cert, cert_size); vcp_write_as_hex(cert, cert_size);
} }
void cert_write(uint16_t oid, char *data) { static void cert_write(uint16_t oid, char *data) {
// Enable writing to the certificate slot. // Enable writing to the certificate slot.
optiga_metadata metadata = {0}; optiga_metadata metadata = {0};
metadata.change = OPTIGA_ACCESS_ALWAYS; metadata.change = OPTIGA_ACCESS_ALWAYS;
@ -836,7 +872,7 @@ void cert_write(uint16_t oid, char *data) {
vcp_printf("OK"); vcp_printf("OK");
} }
void pubkey_read(uint16_t oid) { static void pubkey_read(uint16_t oid) {
// Enable key agreement usage. // Enable key agreement usage.
optiga_metadata metadata = {0}; optiga_metadata metadata = {0};
@ -871,7 +907,7 @@ void pubkey_read(uint16_t oid) {
vcp_write_as_hex(public_key, public_key_size); vcp_write_as_hex(public_key, public_key_size);
} }
void keyfido_write(char *data) { static void keyfido_write(char *data) {
static const size_t EPH_PUB_KEY_SIZE = 33; static const size_t EPH_PUB_KEY_SIZE = 33;
static const size_t PAYLOAD_SIZE = 32; static const size_t PAYLOAD_SIZE = 32;
static const size_t CIPHERTEXT_OFFSET = EPH_PUB_KEY_SIZE; static const size_t CIPHERTEXT_OFFSET = EPH_PUB_KEY_SIZE;