From 6ca1182d85ef04938b865e3f1cdbe735ccd32800 Mon Sep 17 00:00:00 2001 From: Andrew Kozlik Date: Fri, 15 Sep 2023 10:40:46 +0200 Subject: [PATCH] refactor(core): Add "META" to metadate-related Optiga constants. [no changelog] --- core/embed/prodtest/optiga_prodtest.c | 56 +++++++++---------- core/embed/trezorhal/optiga/optiga_commands.c | 22 ++++---- core/embed/trezorhal/optiga_commands.h | 8 ++- 3 files changed, 43 insertions(+), 43 deletions(-) diff --git a/core/embed/prodtest/optiga_prodtest.c b/core/embed/prodtest/optiga_prodtest.c index 924659a650..b27b76a6fd 100644 --- a/core/embed/prodtest/optiga_prodtest.c +++ b/core/embed/prodtest/optiga_prodtest.c @@ -112,8 +112,8 @@ void pair_optiga(void) { // Enable writing the pairing secret to OPTIGA. optiga_metadata metadata = {0}; - metadata.change = OPTIGA_ACCESS_ALWAYS; - metadata.execute = OPTIGA_ACCESS_ALWAYS; + metadata.change = OPTIGA_META_ACCESS_ALWAYS; + metadata.execute = OPTIGA_META_ACCESS_ALWAYS; metadata.data_type = TYPE_PTFBIND; set_metadata(OID_KEY_PAIRING, &metadata); // Ignore result. @@ -169,29 +169,29 @@ void optiga_lock(void) { // Set metadata for device certificate. memzero(&metadata, sizeof(metadata)); - metadata.lcso = OPTIGA_LCS_OPERATIONAL; - metadata.change = OPTIGA_ACCESS_NEVER; - metadata.read = OPTIGA_ACCESS_ALWAYS; - metadata.execute = OPTIGA_ACCESS_ALWAYS; + metadata.lcso = OPTIGA_META_LCS_OPERATIONAL; + metadata.change = OPTIGA_META_ACCESS_NEVER; + metadata.read = OPTIGA_META_ACCESS_ALWAYS; + metadata.execute = OPTIGA_META_ACCESS_ALWAYS; if (!set_metadata(OID_CERT_DEV, &metadata)) { return; } // Set metadata for FIDO attestation certificate. memzero(&metadata, sizeof(metadata)); - metadata.lcso = OPTIGA_LCS_OPERATIONAL; - metadata.change = OPTIGA_ACCESS_NEVER; - metadata.read = OPTIGA_ACCESS_ALWAYS; - metadata.execute = OPTIGA_ACCESS_ALWAYS; + metadata.lcso = OPTIGA_META_LCS_OPERATIONAL; + metadata.change = OPTIGA_META_ACCESS_NEVER; + metadata.read = OPTIGA_META_ACCESS_ALWAYS; + metadata.execute = OPTIGA_META_ACCESS_ALWAYS; if (!set_metadata(OID_CERT_FIDO, &metadata)) { return; } // Set metadata for device private key. memzero(&metadata, sizeof(metadata)); - metadata.lcso = OPTIGA_LCS_OPERATIONAL; - metadata.change = OPTIGA_ACCESS_NEVER; - metadata.read = OPTIGA_ACCESS_NEVER; + metadata.lcso = OPTIGA_META_LCS_OPERATIONAL; + metadata.change = OPTIGA_META_ACCESS_NEVER; + metadata.read = OPTIGA_META_ACCESS_NEVER; metadata.execute = ACCESS_PAIRED; metadata.key_usage = KEY_USE_SIGN; if (!set_metadata(OID_KEY_DEV, &metadata)) { @@ -200,9 +200,9 @@ void optiga_lock(void) { // Set metadata for FIDO attestation private key. memzero(&metadata, sizeof(metadata)); - metadata.lcso = OPTIGA_LCS_OPERATIONAL; - metadata.change = OPTIGA_ACCESS_NEVER; - metadata.read = OPTIGA_ACCESS_NEVER; + metadata.lcso = OPTIGA_META_LCS_OPERATIONAL; + metadata.change = OPTIGA_META_ACCESS_NEVER; + metadata.read = OPTIGA_META_ACCESS_NEVER; metadata.execute = ACCESS_PAIRED; metadata.key_usage = KEY_USE_SIGN; if (!set_metadata(OID_KEY_FIDO, &metadata)) { @@ -211,10 +211,10 @@ void optiga_lock(void) { // Set metadata for pairing key. memzero(&metadata, sizeof(metadata)); - metadata.lcso = OPTIGA_LCS_OPERATIONAL; - metadata.change = OPTIGA_ACCESS_NEVER; - metadata.read = OPTIGA_ACCESS_NEVER; - metadata.execute = OPTIGA_ACCESS_ALWAYS; + metadata.lcso = OPTIGA_META_LCS_OPERATIONAL; + metadata.change = OPTIGA_META_ACCESS_NEVER; + metadata.read = OPTIGA_META_ACCESS_NEVER; + metadata.execute = OPTIGA_META_ACCESS_ALWAYS; metadata.data_type = TYPE_PTFBIND; if (!set_metadata(OID_KEY_PAIRING, &metadata)) { return; @@ -230,7 +230,7 @@ optiga_locked_status get_optiga_locked_status(void) { OID_KEY_FIDO, OID_KEY_PAIRING}; optiga_metadata locked_metadata = {0}; - locked_metadata.lcso = OPTIGA_LCS_OPERATIONAL; + locked_metadata.lcso = OPTIGA_META_LCS_OPERATIONAL; for (size_t i = 0; i < sizeof(oids) / sizeof(oids[0]); ++i) { uint8_t metadata_buffer[OPTIGA_MAX_METADATA_SIZE] = {0}; size_t metadata_size = 0; @@ -334,7 +334,7 @@ void cert_write(uint16_t oid, char *data) { // Enable writing to the certificate slot. optiga_metadata metadata = {0}; - metadata.change = OPTIGA_ACCESS_ALWAYS; + metadata.change = OPTIGA_META_ACCESS_ALWAYS; set_metadata(oid, &metadata); // Ignore result. uint8_t data_bytes[1024]; @@ -360,10 +360,8 @@ void pubkey_read(uint16_t oid) { // Enable key agreement usage. optiga_metadata metadata = {0}; - uint8_t key_usage = OPTIGA_KEY_USAGE_KEYAGREE; - metadata.key_usage.ptr = &key_usage; - metadata.key_usage.len = 1; - metadata.execute = OPTIGA_ACCESS_ALWAYS; + metadata.key_usage = OPTIGA_META_KEY_USE_KEYAGREE; + metadata.execute = OPTIGA_META_ACCESS_ALWAYS; if (!set_metadata(oid, &metadata)) { return; @@ -402,10 +400,8 @@ void keyfido_write(char *data) { // Enable key agreement usage for device key. optiga_metadata metadata = {0}; - uint8_t key_usage = OPTIGA_KEY_USAGE_KEYAGREE; - metadata.key_usage.ptr = &key_usage; - metadata.key_usage.len = 1; - metadata.execute = OPTIGA_ACCESS_ALWAYS; + metadata.key_usage = OPTIGA_META_KEY_USE_KEYAGREE; + metadata.execute = OPTIGA_META_ACCESS_ALWAYS; if (!set_metadata(OID_KEY_DEV, &metadata)) { return; diff --git a/core/embed/trezorhal/optiga/optiga_commands.c b/core/embed/trezorhal/optiga/optiga_commands.c index 2aa4c12a46..8ebf28ff76 100644 --- a/core/embed/trezorhal/optiga/optiga_commands.c +++ b/core/embed/trezorhal/optiga/optiga_commands.c @@ -36,13 +36,15 @@ static uint8_t tx_buffer[OPTIGA_MAX_APDU_SIZE] = {0}; static size_t tx_size = 0; -const optiga_metadata_item OPTIGA_LCS_OPERATIONAL = {(const uint8_t *)"\x07", - 1}; -const optiga_metadata_item OPTIGA_ACCESS_ALWAYS = { +const optiga_metadata_item OPTIGA_META_LCS_OPERATIONAL = { + (const uint8_t *)"\x07", 1}; +const optiga_metadata_item OPTIGA_META_ACCESS_ALWAYS = { (const uint8_t[]){OPTIGA_ACCESS_COND_ALW}, 1}; -const optiga_metadata_item OPTIGA_ACCESS_NEVER = { +const optiga_metadata_item OPTIGA_META_ACCESS_NEVER = { (const uint8_t[]){OPTIGA_ACCESS_COND_NEV}, 1}; -const optiga_metadata_item OPTIGA_VERSION_DEFAULT = { +const optiga_metadata_item OPTIGA_META_KEY_USE_KEYAGREE = { + (const uint8_t[]){OPTIGA_KEY_USAGE_KEYAGREE}, 1}; +static const optiga_metadata_item OPTIGA_META_VERSION_DEFAULT = { (const uint8_t *)"\xC1\x02\x00\x00", 4}; static optiga_result process_output_fixedlen(uint8_t *data, size_t data_size) { @@ -113,13 +115,13 @@ static const struct { uint8_t tag; const optiga_metadata_item *default_value; } METADATA_OFFSET_TAG_MAP[] = { - {offsetof(optiga_metadata, lcso), 0xC0, &OPTIGA_LCS_OPERATIONAL}, - {offsetof(optiga_metadata, version), 0xC1, &OPTIGA_VERSION_DEFAULT}, + {offsetof(optiga_metadata, lcso), 0xC0, &OPTIGA_META_LCS_OPERATIONAL}, + {offsetof(optiga_metadata, version), 0xC1, &OPTIGA_META_VERSION_DEFAULT}, {offsetof(optiga_metadata, max_size), 0xC4, NULL}, {offsetof(optiga_metadata, used_size), 0xC5, NULL}, - {offsetof(optiga_metadata, change), 0xD0, &OPTIGA_ACCESS_NEVER}, - {offsetof(optiga_metadata, read), 0xD1, &OPTIGA_ACCESS_NEVER}, - {offsetof(optiga_metadata, execute), 0xD3, &OPTIGA_ACCESS_NEVER}, + {offsetof(optiga_metadata, change), 0xD0, &OPTIGA_META_ACCESS_NEVER}, + {offsetof(optiga_metadata, read), 0xD1, &OPTIGA_META_ACCESS_NEVER}, + {offsetof(optiga_metadata, execute), 0xD3, &OPTIGA_META_ACCESS_NEVER}, {offsetof(optiga_metadata, meta_update), 0xD8, NULL}, {offsetof(optiga_metadata, algorithm), 0xE0, NULL}, {offsetof(optiga_metadata, key_usage), 0xE1, NULL}, diff --git a/core/embed/trezorhal/optiga_commands.h b/core/embed/trezorhal/optiga_commands.h index df4f8169aa..b75547959f 100644 --- a/core/embed/trezorhal/optiga_commands.h +++ b/core/embed/trezorhal/optiga_commands.h @@ -131,9 +131,11 @@ typedef struct { #define OPTIGA_ACCESS_CONDITION(ac_id, oid) \ { (const uint8_t[]){ac_id, oid >> 8, oid & 0xff}, 3 } -extern const optiga_metadata_item OPTIGA_LCS_OPERATIONAL; -extern const optiga_metadata_item OPTIGA_ACCESS_ALWAYS; -extern const optiga_metadata_item OPTIGA_ACCESS_NEVER; +// Commonly used data object access conditions. +extern const optiga_metadata_item OPTIGA_META_LCS_OPERATIONAL; +extern const optiga_metadata_item OPTIGA_META_ACCESS_ALWAYS; +extern const optiga_metadata_item OPTIGA_META_ACCESS_NEVER; +extern const optiga_metadata_item OPTIGA_META_KEY_USE_KEYAGREE; optiga_result optiga_parse_metadata(const uint8_t *serialized, size_t serialized_size,