diff --git a/core/embed/prodtest/optiga_prodtest.c b/core/embed/prodtest/optiga_prodtest.c
index 605a20793..ad4a3ec5b 100644
--- a/core/embed/prodtest/optiga_prodtest.c
+++ b/core/embed/prodtest/optiga_prodtest.c
@@ -168,6 +168,12 @@ void pair_optiga(void) {
 return;
 }
+#if PRODUCTION
+#define METADATA_SET_LOCKED(metadata) { metadata.lcso = OPTIGA_META_LCS_OPERATIONAL; }
+#else
+#define METADATA_SET_LOCKED(metadata)
+#endif
+
 void optiga_lock(void) {
 if (!optiga_paired()) return;
@@ -185,7 +191,7 @@ void optiga_lock(void) {
 // Set metadata for device certificate.
 memzero(&metadata, sizeof(metadata));
- metadata.lcso = OPTIGA_META_LCS_OPERATIONAL;
+ METADATA_SET_LOCKED(metadata);
 metadata.change = OPTIGA_META_ACCESS_NEVER;
 metadata.read = OPTIGA_META_ACCESS_ALWAYS;
 metadata.execute = OPTIGA_META_ACCESS_ALWAYS;
@@ -195,7 +201,7 @@ void optiga_lock(void) {
 // Set metadata for FIDO attestation certificate.
 memzero(&metadata, sizeof(metadata));
- metadata.lcso = OPTIGA_META_LCS_OPERATIONAL;
+ METADATA_SET_LOCKED(metadata);
 metadata.change = OPTIGA_META_ACCESS_NEVER;
 metadata.read = OPTIGA_META_ACCESS_ALWAYS;
 metadata.execute = OPTIGA_META_ACCESS_ALWAYS;
@@ -205,7 +211,7 @@ void optiga_lock(void) {
 // Set metadata for device private key.
 memzero(&metadata, sizeof(metadata));
- metadata.lcso = OPTIGA_META_LCS_OPERATIONAL;
+ METADATA_SET_LOCKED(metadata);
 metadata.change = OPTIGA_META_ACCESS_NEVER;
 metadata.read = OPTIGA_META_ACCESS_NEVER;
 metadata.execute = ACCESS_PAIRED;
@@ -216,7 +222,7 @@ void optiga_lock(void) {
 // Set metadata for FIDO attestation private key.
 memzero(&metadata, sizeof(metadata));
- metadata.lcso = OPTIGA_META_LCS_OPERATIONAL;
+ METADATA_SET_LOCKED(metadata);
 metadata.change = OPTIGA_META_ACCESS_NEVER;
 metadata.read = OPTIGA_META_ACCESS_NEVER;
 metadata.execute = ACCESS_PAIRED;
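Review bot: `#if PRODUCTION` in the block added above optiga_lock() fails open: if a build does not define PRODUCTION, the preprocessor evaluates it as 0 and METADATA_SET_LOCKED expands to nothing, so the prodtest would write the access conditions without moving any object to the operational lifecycle state. Whether the build system always passes the define is not visible here, so I would make its absence a hard error. The macro should also take the usual `do { … } while (0)` shape with a parenthesised argument, because the current `{ … }` body followed by the caller's `;` breaks inside an unbraced if/else. A short comment on the `#else` arm should say why non-production units are deliberately left unlocked. The same macro is used in the five optiga_lock() hunks that follow (device certificate, FIDO attestation certificate, both private keys, pairing key).

```c
#ifndef PRODUCTION
#error "PRODUCTION must be defined to 0 or 1"
#endif

#if PRODUCTION
// Production units: move the object to the operational lifecycle state.
#define METADATA_SET_LOCKED(metadata)                \
  do {                                               \
    (metadata).lcso = OPTIGA_META_LCS_OPERATIONAL;   \
  } while (0)
#else
// Non-production builds: the lifecycle state is left unset on purpose.
#define METADATA_SET_LOCKED(metadata) \
  do {                                \
  } while (0)
#endif
```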
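Review bot: Nothing in the optiga_lock() hunks tells the caller that the lifecycle step was skipped, so a non-production run can still look like a completed lock. After `memzero(&metadata, sizeof(metadata))` the `lcso` field stays zeroed while `change`, `read` and `execute` are still written. As I understand the Optiga lifecycle model, an object's metadata stays rewritable until it reaches the operational state, which would mean `OPTIGA_META_ACCESS_NEVER` on the two private keys and the pairing key is not yet final on such units. I would add a comment at the first call, for example `// Non-production: LcsO is left unset, so these access conditions can still be rewritten.`, and have whatever optiga_lock() reports on success (outside these hunks) distinguish the two cases. This applies equally to the hunks at -195, -205, -216 and -227.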
@@ -227,7 +233,7 @@ void optiga_lock(void) {
 // Set metadata for pairing key.
 memzero(&metadata, sizeof(metadata));
- metadata.lcso = OPTIGA_META_LCS_OPERATIONAL;
+ METADATA_SET_LOCKED(metadata);
 metadata.change = OPTIGA_META_ACCESS_NEVER;
 metadata.read = OPTIGA_META_ACCESS_NEVER;
 metadata.execute = OPTIGA_META_ACCESS_ALWAYS;