From 45a973b8f9b7ce935004010e64a85712786c3802 Mon Sep 17 00:00:00 2001
From: matejcik
Date: Fri, 15 Dec 2023 11:49:34 +0100
Subject: [PATCH] feat(core/prodtest): do not lock Optiga in non-production builds

[no changelog]
---
 core/embed/prodtest/optiga_prodtest.c | 17 ++++++++++++-----
 1 file changed, 12 insertions(+), 5 deletions(-)

diff --git a/core/embed/prodtest/optiga_prodtest.c b/core/embed/prodtest/optiga_prodtest.c
index 9fe08ba0dc..616a0d4465 100644
--- a/core/embed/prodtest/optiga_prodtest.c
+++ b/core/embed/prodtest/optiga_prodtest.c
@@ -198,6 +198,13 @@ void pair_optiga(void) {
     return;
 }
 
+#if PRODUCTION
+#define METADATA_SET_LOCKED(metadata) \
+  { metadata.lcso = OPTIGA_META_LCS_OPERATIONAL; }
+#else
+#define METADATA_SET_LOCKED(metadata)
+#endif
+
 void optiga_lock(void) {
   if (!optiga_paired()) return;
 
@@ -215,7 +222,7 @@ void optiga_lock(void) {
   // Set metadata for device certificate.
   memzero(&metadata, sizeof(metadata));
-  metadata.lcso = OPTIGA_META_LCS_OPERATIONAL;
+  METADATA_SET_LOCKED(metadata);
   metadata.change = OPTIGA_META_ACCESS_NEVER;
   metadata.read = OPTIGA_META_ACCESS_ALWAYS;
   metadata.execute = OPTIGA_META_ACCESS_ALWAYS;
@@ -225,7 +232,7 @@ void optiga_lock(void) {
   // Set metadata for FIDO attestation certificate.
   memzero(&metadata, sizeof(metadata));
-  metadata.lcso = OPTIGA_META_LCS_OPERATIONAL;
+  METADATA_SET_LOCKED(metadata);
   metadata.change = OPTIGA_META_ACCESS_NEVER;
   metadata.read = OPTIGA_META_ACCESS_ALWAYS;
   metadata.execute = OPTIGA_META_ACCESS_ALWAYS;
@@ -235,7 +242,7 @@ void optiga_lock(void) {
   // Set metadata for device private key.
   memzero(&metadata, sizeof(metadata));
-  metadata.lcso = OPTIGA_META_LCS_OPERATIONAL;
+  METADATA_SET_LOCKED(metadata);
   metadata.change = OPTIGA_META_ACCESS_NEVER;
   metadata.read = OPTIGA_META_ACCESS_NEVER;
   metadata.execute = ACCESS_PAIRED;
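Review bot: `#if PRODUCTION` treats an undefined `PRODUCTION` as 0, so a build that never defines the symbol silently selects the empty `METADATA_SET_LOCKED` and every object's `lcso` stays at the zero left by `memzero`, which presumably means the device is not locked at all; the safer default is to fail closed with `#ifndef PRODUCTION` / `#error "PRODUCTION must be defined"` / `#endif` in front of the `#if`, unless the build system is known to always define it as 0 or 1. The production variant expands to a bare `{ ... }` block, so each `METADATA_SET_LOCKED(metadata);` in the later hunks leaves a stray `;` after the block; the conventional `do { metadata.lcso = OPTIGA_META_LCS_OPERATIONAL; } while (0)` form avoids that. The macro also deserves a comment on its `#else` branch, e.g. `// Non-production builds leave lcso unset so the objects are not moved to the operational lifecycle state; a device "locked" by such a build must not be treated as production-locked`, with the exact effect of lcso == 0 confirmed against the optiga driver since it is not visible here. The same substitution is repeated in the five hunks that follow, and the body of optiga_lock extends beyond each of them.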
@@ -246,7 +253,7 @@ void optiga_lock(void) {
   // Set metadata for FIDO attestation private key.
   memzero(&metadata, sizeof(metadata));
-  metadata.lcso = OPTIGA_META_LCS_OPERATIONAL;
+  METADATA_SET_LOCKED(metadata);
   metadata.change = OPTIGA_META_ACCESS_NEVER;
   metadata.read = OPTIGA_META_ACCESS_NEVER;
   metadata.execute = ACCESS_PAIRED;
@@ -257,7 +264,7 @@ void optiga_lock(void) {
   // Set metadata for pairing key.
   memzero(&metadata, sizeof(metadata));
-  metadata.lcso = OPTIGA_META_LCS_OPERATIONAL;
+  METADATA_SET_LOCKED(metadata);
   metadata.change = OPTIGA_META_ACCESS_NEVER;
   metadata.read = OPTIGA_META_ACCESS_NEVER;
   metadata.execute = OPTIGA_META_ACCESS_ALWAYS;