feat(core/prodtest): Add SEC READ command.

[no changelog]

core/embed/prodtest/README.md

@@ -201,32 +201,102 @@ OK
 ```
 
 ### OPTIGAID READ
-TBD
+Returns the coprocessor UID of the Optiga chip as a 27 byte hexadecimal string.
+
+Example:
+```
+OPTIGAID READ
+OK CD16339401001C000100000A023EA600190057006E801010712440
+```
 
 ### CERTINF READ
-TBD
+Returns the X.509 certificate issued by Infineon for the Optiga chip.
+
+Example:
+```
+CERTINF READ
+OK <hexadecimal string>
+```
 
 ### CERTDEV WRITE
-TBD
+Writes the X.509 certificate issued by the Trezor Company for the device.
+
+Example:
+```
+CERTDEV WRITE <hexadecimal string>
+OK
+```
 
 ### CERTDEV READ
-TBD
+Returns the X.509 certificate issued by the Trezor Company for the device.
+
+Example:
+```
+CERTDEV READ
+OK <hexadecimal string>
+```
 
 ### CERTFIDO WRITE
-TBD
+Writes the X.509 certificate issued by the Trezor Company for the FIDO attestation key.
+
+Example:
+```
+CERTFIDO WRITE <hexadecimal string>
+OK
+```
 
 ### CERTFIDO READ
-TBD
+Returns the X.509 certificate issued by the Trezor Company for the FIDO attestation key.
+
+Example:
+```
+CERTFIDO READ
+OK <hexadecimal string>
+```
 
 ### KEYFIDO WRITE
-TBD
+Decrypts and stores an encrypted FIDO attestation private key into Optiga. No return value.
+
+Example:
+```
+KEYFIDO WRITE <hexadecimal string>
+OK
+```
 
 ### KEYFIDO READ
-TBD
+Returns the x-coordinate of the FIDO attestation public key stored in Optiga. Can be executed only before the LOCK command is called.
+
+This command can be used to verify that the FIDO attestation key was decrypted and stored correctly by verifying that the returned string of bytes appears in the FIDO attestation certificate.
+
+Example:
+```
+KEYFIDO READ
+OK 0D35A613358EDAB4CA04D05DD716546CD97973DE58516AF6A8F69BEE89BEFAA1
+```
 
 ### LOCK
-TBD
+Configures the metadata for Optiga's data objects that should be set up during provisioning and locks them. No return value.
+
+Example:
+```
+LOCK
+OK
+```
 
 ### CHECK LOCKED
-TBD
+Returns `YES` if all of Optiga's data objects that should be set up during provisioning are locked. If not, then `NO` is returned.
 
+Example:
+```
+CHECK LOCKED
+OK YES
+```
+
+### SEC READ
+Returns the value of Optiga's security event counter as a 1 byte hexadecimal value.
+
+Example:
+```
+SEC READ
+OK 0E
+```

core/embed/prodtest/main.c

@@ -644,6 +644,8 @@ int main(void) {
       optiga_lock();
     } else if (startswith(line, "CHECK LOCKED")) {
       check_locked();
+    } else if (startswith(line, "SEC READ")) {
+      sec_read();
 
 #endif
 

core/embed/prodtest/optiga_prodtest.c

@@ -494,3 +494,21 @@ void keyfido_write(char *data) {
 
   vcp_println("OK");
 }
+
+void sec_read(void) {
+  if (!optiga_paired()) return;
+
+  uint8_t sec = 0;
+  size_t size = 0;
+
+  optiga_result ret =
+      optiga_get_data_object(OPTIGA_OID_SEC, false, &sec, sizeof(sec), &size);
+  if (OPTIGA_SUCCESS != ret || sizeof(sec) != size) {
+    vcp_println("ERROR optiga_get_data_object error %d for 0x%04x.", ret,
+                OPTIGA_OID_SEC);
+    return;
+  }
+
+  vcp_print("OK ");
+  vcp_println_hex(&sec, sizeof(sec));
+}

core/embed/prodtest/optiga_prodtest.h

@@ -47,5 +47,6 @@ void pubkey_read(uint16_t oid);
 void optiga_lock(void);
 optiga_locked_status get_optiga_locked_status(void);
 void check_locked(void);
+void sec_read(void);
 
 #endif

core/embed/trezorhal/optiga_commands.h

@@ -28,6 +28,7 @@
 // Data object identifiers.
 typedef enum {
   OPTIGA_OID_COPROC_UID = 0xE0C2,      // Coprocessor UID.
+  OPTIGA_OID_SEC = 0xE0C5,             // Security event counter.
   OPTIGA_OID_CERT = 0xE0E0,            // Public key certificates [1-4].
   OPTIGA_OID_CA_CERT = 0xE0E8,         // Root CA public key certificates [1-2].
   OPTIGA_OID_ECC_KEY = 0xE0F0,         // Private ECC keys [1-4].