From 8a18cfe0d4e6859bff7acaf18113a53f05c46d67 Mon Sep 17 00:00:00 2001
From: tychovrahe <brunam@seznam.cz>
Date: Wed, 6 Mar 2024 15:53:50 +0100
Subject: [PATCH] feat(core): use U5 DHUK to encrypt optiga pairing secret in
flash
[no changelog]
---
core/embed/bootloader/main.c | 4 --
core/embed/firmware/main.c | 10 ++--
core/embed/prodtest/main.c | 4 ++
core/embed/prodtest/optiga_prodtest.c | 85 +++++++++++++++++----------
core/embed/trezorhal/secret.h | 8 ++-
core/embed/trezorhal/stm32f4/secret.c | 11 +++-
core/embed/trezorhal/stm32u5/secret.c | 37 +++++++++---
7 files changed, 106 insertions(+), 53 deletions(-)
diff --git a/core/embed/bootloader/main.c b/core/embed/bootloader/main.c
index 49268983b1..1153cce6ef 100644
--- a/core/embed/bootloader/main.c
+++ b/core/embed/bootloader/main.c
@@ -442,10 +442,6 @@ int bootloader_main(void) {
#endif
#endif
-#ifdef STM32U5
- ensure(secret_ensure_initialized(), "secret reinitialized");
-#endif
-
ui_screen_boot_empty(false);
mpu_config_bootloader();
diff --git a/core/embed/firmware/main.c b/core/embed/firmware/main.c
index db1d244eb9..61769b0001 100644
--- a/core/embed/firmware/main.c
+++ b/core/embed/firmware/main.c
@@ -141,9 +141,13 @@ int main(void) {
unit_variant_init();
+#ifdef STM32U5
+ secure_aes_init();
+#endif
+
#ifdef USE_OPTIGA
uint8_t secret[SECRET_OPTIGA_KEY_LEN] = {0};
- secbool secret_ok = secret_optiga_extract(secret);
+ secbool secret_ok = secret_optiga_get(secret);
#endif
mpu_config_firmware_initial();
@@ -166,10 +170,6 @@ int main(void) {
set_core_clock(CLOCK_180_MHZ);
#endif
-#ifdef STM32U5
- secure_aes_init();
-#endif
-
#ifdef USE_BUTTON
button_init();
#endif
diff --git a/core/embed/prodtest/main.c b/core/embed/prodtest/main.c
index c6a7144d45..7897fea989 100644
--- a/core/embed/prodtest/main.c
+++ b/core/embed/prodtest/main.c
@@ -59,6 +59,7 @@
#include "memzero.h"
#ifdef STM32U5
+#include "secure_aes.h"
#include "stm32u5xx_ll_utils.h"
#else
#include "stm32f4xx_ll_utils.h"
@@ -584,6 +585,9 @@ int main(void) {
display_reinit();
display_orientation(0);
random_delays_init();
+#ifdef STM32U5
+ secure_aes_init();
+#endif
#ifdef USE_HASH_PROCESSOR
hash_processor_init();
#endif
diff --git a/core/embed/prodtest/optiga_prodtest.c b/core/embed/prodtest/optiga_prodtest.c
index 87e45317ef..05fbcb1289 100644
--- a/core/embed/prodtest/optiga_prodtest.c
+++ b/core/embed/prodtest/optiga_prodtest.c
@@ -33,12 +33,21 @@
#include "secret.h"
#include "sha2.h"
+#include TREZOR_BOARD
+
+#ifdef STM32U5
+#include "secure_aes.h"
+#endif
+
typedef enum {
OPTIGA_PAIRING_UNPAIRED = 0,
OPTIGA_PAIRING_PAIRED,
OPTIGA_PAIRING_ERR_RNG,
- OPTIGA_PAIRING_ERR_READ,
- OPTIGA_PAIRING_ERR_HANDSHAKE,
+ OPTIGA_PAIRING_ERR_READ_FLASH,
+ OPTIGA_PAIRING_ERR_WRITE_FLASH,
+ OPTIGA_PAIRING_ERR_WRITE_OPTIGA,
+ OPTIGA_PAIRING_ERR_HANDSHAKE1,
+ OPTIGA_PAIRING_ERR_HANDSHAKE2,
} optiga_pairing;
static optiga_pairing optiga_pairing_state = OPTIGA_PAIRING_UNPAIRED;
@@ -72,11 +81,20 @@ static bool optiga_paired(void) {
case OPTIGA_PAIRING_ERR_RNG:
details = "optiga_get_random error";
break;
- case OPTIGA_PAIRING_ERR_READ:
- details = "failed to read pairing secret";
+ case OPTIGA_PAIRING_ERR_READ_FLASH:
+ details = "failed to read pairing secret from flash";
break;
- case OPTIGA_PAIRING_ERR_HANDSHAKE:
- details = "optiga_sec_chan_handshake";
+ case OPTIGA_PAIRING_ERR_WRITE_FLASH:
+ details = "failed to write pairing secret to flash";
+ break;
+ case OPTIGA_PAIRING_ERR_WRITE_OPTIGA:
+ details = "failed to write pairing secret to Optiga";
+ break;
+ case OPTIGA_PAIRING_ERR_HANDSHAKE1:
+ details = "failed optiga_sec_chan_handshake 1";
+ break;
+ case OPTIGA_PAIRING_ERR_HANDSHAKE2:
+ details = "failed optiga_sec_chan_handshake 2";
break;
default:
break;
@@ -122,50 +140,57 @@ static bool set_metadata(uint16_t oid, const optiga_metadata *metadata) {
}
void pair_optiga(void) {
- // The pairing key may already be written and locked. The success of the
- // pairing procedure is determined by optiga_sec_chan_handshake(). Therefore
- // it is OK for some of the intermediate operations to fail.
-
uint8_t secret[SECRET_OPTIGA_KEY_LEN] = {0};
- optiga_result ret = OPTIGA_SUCCESS;
- if (secret_optiga_extract(secret) != sectrue) {
+ if (secret_optiga_get(secret) != sectrue) {
+ // Generate the pairing secret.
+ if (OPTIGA_SUCCESS != optiga_get_random(secret, sizeof(secret))) {
+ optiga_pairing_state = OPTIGA_PAIRING_ERR_RNG;
+ return;
+ }
+ random_xor(secret, sizeof(secret));
+
// Enable writing the pairing secret to OPTIGA.
optiga_metadata metadata = {0};
metadata.change = OPTIGA_META_ACCESS_ALWAYS;
metadata.execute = OPTIGA_META_ACCESS_ALWAYS;
metadata.data_type = TYPE_PTFBIND;
- set_metadata(OID_KEY_PAIRING, &metadata); // Ignore result.
+ (void)set_metadata(OID_KEY_PAIRING, &metadata);
- // Generate pairing secret.
- ret = optiga_get_random(secret, sizeof(secret));
- if (OPTIGA_SUCCESS != ret) {
- optiga_pairing_state = OPTIGA_PAIRING_ERR_RNG;
+ // Store the pairing secret in OPTIGA.
+ if (OPTIGA_SUCCESS != optiga_set_data_object(OID_KEY_PAIRING, false, secret,
+ sizeof(secret))) {
+ optiga_pairing_state = OPTIGA_PAIRING_ERR_WRITE_OPTIGA;
return;
}
- // Store pairing secret.
- ret =
- optiga_set_data_object(OID_KEY_PAIRING, false, secret, sizeof(secret));
- if (OPTIGA_SUCCESS == ret) {
- secret_erase();
- secret_write_header();
- secret_write(secret, SECRET_OPTIGA_KEY_OFFSET, SECRET_OPTIGA_KEY_LEN);
+ // Execute the handshake to verify that the secret was stored correctly in
+ // Optiga.
+ if (OPTIGA_SUCCESS != optiga_sec_chan_handshake(secret, sizeof(secret))) {
+ optiga_pairing_state = OPTIGA_PAIRING_ERR_HANDSHAKE1;
+ return;
}
- // Verify whether the secret was stored correctly in flash and OPTIGA.
+ // Store the pairing secret in the flash memory.
+ if (sectrue != secret_optiga_set(secret)) {
+ optiga_pairing_state = OPTIGA_PAIRING_ERR_WRITE_FLASH;
+ return;
+ }
+
+ // Reload the pairing secret from the flash memory.
memzero(secret, sizeof(secret));
- if (secret_read(secret, SECRET_OPTIGA_KEY_OFFSET, SECRET_OPTIGA_KEY_LEN) !=
- sectrue) {
- optiga_pairing_state = OPTIGA_PAIRING_ERR_READ;
+ if (sectrue != secret_optiga_get(secret)) {
+ optiga_pairing_state = OPTIGA_PAIRING_ERR_READ_FLASH;
return;
}
}
- ret = optiga_sec_chan_handshake(secret, sizeof(secret));
+ // Execute the handshake to verify that the secret is stored correctly in both
+ // Optiga and MCU flash.
+ optiga_result ret = optiga_sec_chan_handshake(secret, sizeof(secret));
memzero(secret, sizeof(secret));
if (OPTIGA_SUCCESS != ret) {
- optiga_pairing_state = OPTIGA_PAIRING_ERR_HANDSHAKE;
+ optiga_pairing_state = OPTIGA_PAIRING_ERR_HANDSHAKE2;
return;
}
diff --git a/core/embed/trezorhal/secret.h b/core/embed/trezorhal/secret.h
index 202d5952cb..054a8b407e 100644
--- a/core/embed/trezorhal/secret.h
+++ b/core/embed/trezorhal/secret.h
@@ -15,7 +15,7 @@
secbool secret_bootloader_locked(void);
-void secret_write(uint8_t* data, uint32_t offset, uint32_t len);
+void secret_write(const uint8_t* data, uint32_t offset, uint32_t len);
secbool secret_read(uint8_t* data, uint32_t offset, uint32_t len);
@@ -31,12 +31,14 @@ void secret_hide(void);
void secret_write_header(void);
+secbool secret_optiga_set(const uint8_t secret[SECRET_OPTIGA_KEY_LEN]);
+
+secbool secret_optiga_get(uint8_t dest[SECRET_OPTIGA_KEY_LEN]);
+
void secret_optiga_backup(void);
void secret_optiga_hide(void);
-secbool secret_optiga_extract(uint8_t* dest);
-
void secret_bhk_lock(void);
secbool secret_bhk_locked(void);
diff --git a/core/embed/trezorhal/stm32f4/secret.c b/core/embed/trezorhal/stm32f4/secret.c
index 3e274fe9df..e29fba097c 100644
--- a/core/embed/trezorhal/stm32f4/secret.c
+++ b/core/embed/trezorhal/stm32f4/secret.c
@@ -37,7 +37,7 @@ void secret_write_header(void) {
secret_write(header, 0, SECRET_HEADER_LEN);
}
-void secret_write(uint8_t* data, uint32_t offset, uint32_t len) {
+void secret_write(const uint8_t* data, uint32_t offset, uint32_t len) {
ensure(flash_unlock_write(), "secret write");
for (int i = 0; i < len; i++) {
ensure(flash_area_write_byte(&SECRET_AREA, offset + i, data[i]),
@@ -76,6 +76,13 @@ void secret_erase(void) {
ensure(flash_area_erase(&SECRET_AREA, NULL), "secret erase");
}
-secbool secret_optiga_extract(uint8_t* dest) {
+secbool secret_optiga_set(const uint8_t secret[SECRET_OPTIGA_KEY_LEN]) {
+ secret_erase();
+ secret_write_header();
+ secret_write(secret, SECRET_OPTIGA_KEY_OFFSET, SECRET_OPTIGA_KEY_LEN);
+ return sectrue;
+}
+
+secbool secret_optiga_get(uint8_t dest[SECRET_OPTIGA_KEY_LEN]) {
return secret_read(dest, SECRET_OPTIGA_KEY_OFFSET, SECRET_OPTIGA_KEY_LEN);
}
diff --git a/core/embed/trezorhal/stm32u5/secret.c b/core/embed/trezorhal/stm32u5/secret.c
index 9f2efdebfc..2dbe2a0724 100644
--- a/core/embed/trezorhal/stm32u5/secret.c
+++ b/core/embed/trezorhal/stm32u5/secret.c
@@ -6,6 +6,7 @@
#include "memzero.h"
#include "model.h"
#include "rng.h"
+#include "secure_aes.h"
static secbool bootloader_locked = secfalse;
@@ -48,7 +49,7 @@ void secret_write_header(void) {
secret_write(header, 0, SECRET_HEADER_LEN);
}
-void secret_write(uint8_t *data, uint32_t offset, uint32_t len) {
+void secret_write(const uint8_t *data, uint32_t offset, uint32_t len) {
ensure(flash_unlock_write(), "secret write");
for (int i = 0; i < len / 16; i++) {
ensure(flash_area_write_quadword(&SECRET_AREA, offset + (i * 16),
@@ -142,6 +143,18 @@ secbool secret_optiga_present(void) {
return secret_present(SECRET_OPTIGA_KEY_OFFSET, SECRET_OPTIGA_KEY_LEN);
}
+secbool secret_optiga_set(const uint8_t secret[SECRET_OPTIGA_KEY_LEN]) {
+ uint8_t secret_enc[SECRET_OPTIGA_KEY_LEN] = {0};
+ if (sectrue != secure_aes_ecb_encrypt_hw(secret, sizeof(secret_enc),
+ secret_enc, SECURE_AES_KEY_DHUK)) {
+ return secfalse;
+ }
+ secret_write(secret_enc, SECRET_OPTIGA_KEY_OFFSET, SECRET_OPTIGA_KEY_LEN);
+ memzero(secret_enc, sizeof(secret_enc));
+ secret_optiga_backup();
+ return sectrue;
+}
+
void secret_optiga_backup(void) {
uint32_t secret[SECRET_OPTIGA_KEY_LEN / sizeof(uint32_t)] = {0};
secbool ok = secret_read((uint8_t *)secret, SECRET_OPTIGA_KEY_OFFSET,
@@ -162,22 +175,28 @@ void secret_optiga_backup(void) {
memzero(secret, sizeof(secret));
}
-secbool secret_optiga_extract(uint8_t *dest) {
+secbool secret_optiga_get(uint8_t dest[SECRET_OPTIGA_KEY_LEN]) {
+ uint32_t secret[SECRET_OPTIGA_KEY_LEN / sizeof(uint32_t)] = {0};
+
bool all_zero = true;
volatile uint32_t *reg1 = &TAMP->BKP8R;
for (int i = 0; i < 8; i++) {
- uint32_t val = *reg1++;
+ secret[i] = reg1[i];
- if (val != 0) {
+ if (secret[i] != 0) {
all_zero = false;
}
-
- for (int j = 0; j < 4; j++) {
- dest[i * 4 + j] = (val >> (j * 8)) & 0xFF;
- }
}
- return all_zero ? secfalse : sectrue;
+ if (all_zero) {
+ return secfalse;
+ }
+
+ secbool res = secure_aes_ecb_decrypt_hw(
+ (uint8_t *)secret, SECRET_OPTIGA_KEY_LEN, dest, SECURE_AES_KEY_DHUK);
+
+ memzero(secret, sizeof(secret));
+ return res;
}
void secret_optiga_hide(void) {