arno
/
trezor-firmware
mirror of https://github.com/trezor/trezor-firmware.git
1
0
Fork 0
Code Issues Releases Wiki Activity

feat(core/prodtest): do not lock Optiga in non-production builds

Browse Source
pull/3335/head
matejcik 5 months ago
parent f2c34e9e2e
commit 93b14046b2
1 changed files with 11 additions and 5 deletions
Show Stats Download Patch File Download Diff File

16
core/embed/prodtest/optiga_prodtest.c
Unescape View File

@ -168,6 +168,12 @@ void pair_optiga(void) {
return;
}
#if PRODUCTION
#define METADATA_SET_LOCKED(metadata) { metadata.lcso = OPTIGA_META_LCS_OPERATIONAL; }
#else
#define METADATA_SET_LOCKED(metadata)
#endif
void optiga_lock(void) {
if (!optiga_paired()) return;
@ -185,7 +191,7 @@ void optiga_lock(void) {
// Set metadata for device certificate.
memzero(&metadata, sizeof(metadata));
metadata.lcso = OPTIGA_META_LCS_OPERATIONAL;
METADATA_SET_LOCKED(metadata);
metadata.change = OPTIGA_META_ACCESS_NEVER;
metadata.read = OPTIGA_META_ACCESS_ALWAYS;
metadata.execute = OPTIGA_META_ACCESS_ALWAYS;
@ -195,7 +201,7 @@ void optiga_lock(void) {
// Set metadata for FIDO attestation certificate.
memzero(&metadata, sizeof(metadata));
metadata.lcso = OPTIGA_META_LCS_OPERATIONAL;
METADATA_SET_LOCKED(metadata);
metadata.change = OPTIGA_META_ACCESS_NEVER;
metadata.read = OPTIGA_META_ACCESS_ALWAYS;
metadata.execute = OPTIGA_META_ACCESS_ALWAYS;
@ -205,7 +211,7 @@ void optiga_lock(void) {
// Set metadata for device private key.
memzero(&metadata, sizeof(metadata));
metadata.lcso = OPTIGA_META_LCS_OPERATIONAL;
METADATA_SET_LOCKED(metadata);
metadata.change = OPTIGA_META_ACCESS_NEVER;
metadata.read = OPTIGA_META_ACCESS_NEVER;
metadata.execute = ACCESS_PAIRED;
@ -216,7 +222,7 @@ void optiga_lock(void) {
// Set metadata for FIDO attestation private key.
memzero(&metadata, sizeof(metadata));
metadata.lcso = OPTIGA_META_LCS_OPERATIONAL;
METADATA_SET_LOCKED(metadata);
metadata.change = OPTIGA_META_ACCESS_NEVER;
metadata.read = OPTIGA_META_ACCESS_NEVER;
metadata.execute = ACCESS_PAIRED;
@ -227,7 +233,7 @@ void optiga_lock(void) {
// Set metadata for pairing key.
memzero(&metadata, sizeof(metadata));
metadata.lcso = OPTIGA_META_LCS_OPERATIONAL;
METADATA_SET_LOCKED(metadata);
metadata.change = OPTIGA_META_ACCESS_NEVER;
metadata.read = OPTIGA_META_ACCESS_NEVER;
metadata.execute = OPTIGA_META_ACCESS_ALWAYS;

Write Preview
Loading…
Cancel
Save