From 3a5aecf6cd80cf388d41bdb035fa9c99e2b8cdf0 Mon Sep 17 00:00:00 2001
From: Andrew Kozlik
Date: Thu, 30 Nov 2023 16:06:53 +0100
Subject: [PATCH] feat(core/prodtest): Add SEC READ command.
[no changelog]
---
 core/embed/prodtest/README.md | 90 +++++++++++++++++++++++---
 core/embed/prodtest/main.c | 2 +
 core/embed/prodtest/optiga_prodtest.c | 18 ++++++
 core/embed/prodtest/optiga_prodtest.h | 1 +
 core/embed/trezorhal/optiga_commands.h | 1 +
 5 files changed, 102 insertions(+), 10 deletions(-)
diff --git a/core/embed/prodtest/README.md b/core/embed/prodtest/README.md
index fc19b440f5..90e3c28d44 100644
--- a/core/embed/prodtest/README.md
+++ b/core/embed/prodtest/README.md
@@ -201,32 +201,102 @@ OK
 ```
 ### OPTIGAID READ
-TBD
+Returns the coprocessor UID of the Optiga chip as a 27 byte hexadecimal string.
+
+Example:
+```
+OPTIGAID READ
+OK CD16339401001C000100000A023EA600190057006E801010712440
+```
 ### CERTINF READ
-TBD
+Returns the X.509 certificate issued by Infineon for the Optiga chip.
+
+Example:
+```
+CERTINF READ
+OK
+```
 ### CERTDEV WRITE
-TBD
+Writes the X.509 certificate issued by the Trezor Company for the device.
+
+Example:
+```
+CERTDEV WRITE
+OK
+```
 ### CERTDEV READ
-TBD
+Returns the X.509 certificate issued by the Trezor Company for the device.
+
+Example:
+```
+CERTDEV READ
+OK
+```
 ### CERTFIDO WRITE
-TBD
+Writes the X.509 certificate issued by the Trezor Company for the FIDO attestation key.
+
+Example:
+```
+CERTFIDO WRITE
+OK
+```
 ### CERTFIDO READ
-TBD
+Returns the X.509 certificate issued by the Trezor Company for the FIDO attestation key.
+
+Example:
+```
+CERTFIDO READ
+OK
+```
 ### KEYFIDO WRITE
-TBD
+Decrypts and stores an encrypted FIDO attestation private key into Optiga. No return value.
+
+Example:
+```
+KEYFIDO WRITE
+OK
+```
 ### KEYFIDO READ
-TBD
+Returns the x-coordinate of the FIDO attestation public key stored in Optiga. Can be executed only before the LOCK command is called.
+
+This command can be used to verify that the FIDO attestation key was decrypted and stored correctly by verifying that the returned string of bytes appears in the FIDO attestation certificate.
+
+Example:
+```
+KEYFIDO READ
+OK 0D35A613358EDAB4CA04D05DD716546CD97973DE58516AF6A8F69BEE89BEFAA1
+```
 ### LOCK
-TBD
+Configures the metadata for Optiga's data objects that should be set up during provisioning and locks them. No return value.
+
+Example:
+```
+LOCK
+OK
+```
 ### CHECK LOCKED
-TBD
+Returns `YES` if all of Optiga's data objects that should be set up during provisioning are locked. If not, then `NO` is returned.
+Example:
+```
+CHECK LOCKED
+OK YES
+```
+
+### SEC READ
+Returns the value of Optiga's security event counter as a 1 byte hexadecimal value.
+
+Example:
+```
+SEC READ
+OK 0E
+```
diff --git a/core/embed/prodtest/main.c b/core/embed/prodtest/main.c
index b1121f9f6a..b78a9d2b48 100644
--- a/core/embed/prodtest/main.c
+++ b/core/embed/prodtest/main.c
@@ -644,6 +644,8 @@ int main(void) {
 optiga_lock();
 } else if (startswith(line, "CHECK LOCKED")) {
 check_locked();
+ } else if (startswith(line, "SEC READ")) {
+ sec_read();
 #endif
diff --git a/core/embed/prodtest/optiga_prodtest.c b/core/embed/prodtest/optiga_prodtest.c
index b27b76a6fd..c59a0553af 100644
--- a/core/embed/prodtest/optiga_prodtest.c
+++ b/core/embed/prodtest/optiga_prodtest.c
@@ -494,3 +494,21 @@ void keyfido_write(char *data) {
 vcp_println("OK");
 }
+
+void sec_read(void) {
+ if (!optiga_paired()) return;
+
+ uint8_t sec = 0;
+ size_t size = 0;
+
+ optiga_result ret =
+ optiga_get_data_object(OPTIGA_OID_SEC, false, &sec, sizeof(sec), &size);
+ if (OPTIGA_SUCCESS != ret || sizeof(sec) != size) {
+ vcp_println("ERROR optiga_get_data_object error %d for 0x%04x.", ret,
+ OPTIGA_OID_SEC);
+ return;
+ }
+
+ vcp_print("OK ");
+ vcp_println_hex(&sec, sizeof(sec));
+}
diff --git a/core/embed/prodtest/optiga_prodtest.h b/core/embed/prodtest/optiga_prodtest.h
index 516e1b8459..6c4f34e80e 100644
--- a/core/embed/prodtest/optiga_prodtest.h
+++ b/core/embed/prodtest/optiga_prodtest.h
@@ -47,5 +47,6 @@ void pubkey_read(uint16_t oid);
 void optiga_lock(void);
 optiga_locked_status get_optiga_locked_status(void);
 void check_locked(void);
+void sec_read(void);
 #endif
diff --git a/core/embed/trezorhal/optiga_commands.h b/core/embed/trezorhal/optiga_commands.h
index 3992b2637b..5b0fda968d 100644
--- a/core/embed/trezorhal/optiga_commands.h
+++ b/core/embed/trezorhal/optiga_commands.h
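Review bot: `sec_read` in the optiga_prodtest.c hunk prints a bare hex byte with no comment saying what it represents, and the declaration added to optiga_prodtest.h is equally bare, so a reader of the OK line has to go to the README to learn it is the security event counter. A comment on the declaration such as `// Prints Optiga's security event counter (OID 0xE0C5) as "OK <1-byte hex>", or an ERROR line when the read fails or does not return exactly one byte.` would carry that, and matches the checks the function actually performs. Separately, the early `if (!optiga_paired()) return;` emits nothing on the VCP; if `optiga_paired()` does not print an ERROR line itself (its body is outside this patch), a host waiting for an OK/ERROR response to SEC READ gets no answer, which is worth confirming even though the neighbouring commands presumably share the pattern.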
@@ -28,6 +28,7 @@
 // Data object identifiers.
 typedef enum {
 OPTIGA_OID_COPROC_UID = 0xE0C2, // Coprocessor UID.
+ OPTIGA_OID_SEC = 0xE0C5, // Security event counter.
 OPTIGA_OID_CERT = 0xE0E0, // Public key certificates [1-4].
 OPTIGA_OID_CA_CERT = 0xE0E8, // Root CA public key certificates [1-2].
 OPTIGA_OID_ECC_KEY = 0xE0F0, // Private ECC keys [1-4].