mirror of
https://github.com/trezor/trezor-firmware.git
synced 2025-07-08 23:58:09 +00:00
chore(storage): make device secret and credential key counter persist reset
[no changelog]
This commit is contained in:
parent
135648423b
commit
9e7c1f6c83
@ -40,12 +40,23 @@ def init_unlocked() -> None:
|
|||||||
|
|
||||||
def reset(excluded: Tuple[bytes, bytes] | None) -> None:
|
def reset(excluded: Tuple[bytes, bytes] | None) -> None:
|
||||||
"""
|
"""
|
||||||
Wipes storage but keeps the device id unchanged.
|
Wipes storage but keeps the device id, device secret, and credential counter unchanged.
|
||||||
"""
|
"""
|
||||||
|
from trezor import utils
|
||||||
|
|
||||||
device_id = device.get_device_id()
|
device_id = device.get_device_id()
|
||||||
|
|
||||||
|
if utils.USE_THP:
|
||||||
|
device_secret = device.get_device_secret()
|
||||||
|
credential_counter = device.get_cred_auth_key_counter()
|
||||||
wipe(clear_cache=False)
|
wipe(clear_cache=False)
|
||||||
wipe_cache(excluded)
|
wipe_cache(excluded)
|
||||||
common.set(common.APP_DEVICE, device.DEVICE_ID, device_id.encode(), public=True)
|
common.set(common.APP_DEVICE, device.DEVICE_ID, device_id.encode(), public=True)
|
||||||
|
if utils.USE_THP:
|
||||||
|
common.set(common.APP_DEVICE, device.DEVICE_SECRET, device_secret, True)
|
||||||
|
common.set(
|
||||||
|
common.APP_DEVICE, device.CRED_AUTH_KEY_COUNTER, credential_counter, True
|
||||||
|
)
|
||||||
|
|
||||||
|
|
||||||
def _migrate_from_version_01() -> None:
|
def _migrate_from_version_01() -> None:
|
||||||
|
@ -36,8 +36,8 @@ _SAFETY_CHECK_LEVEL = const(0x14) # int
|
|||||||
_EXPERIMENTAL_FEATURES = const(0x15) # bool (0x01 or empty)
|
_EXPERIMENTAL_FEATURES = const(0x15) # bool (0x01 or empty)
|
||||||
_HIDE_PASSPHRASE_FROM_HOST = const(0x16) # bool (0x01 or empty)
|
_HIDE_PASSPHRASE_FROM_HOST = const(0x16) # bool (0x01 or empty)
|
||||||
if utils.USE_THP:
|
if utils.USE_THP:
|
||||||
_DEVICE_SECRET = const(0x17) # bytes
|
DEVICE_SECRET = const(0x17) # bytes
|
||||||
_CRED_AUTH_KEY_COUNTER = const(0x18) # bytes
|
CRED_AUTH_KEY_COUNTER = const(0x18) # bytes
|
||||||
# unused from python:
|
# unused from python:
|
||||||
# _BRIGHTNESS = const(0x19) # int
|
# _BRIGHTNESS = const(0x19) # int
|
||||||
_DISABLE_HAPTIC_FEEDBACK = const(0x20) # bool (0x01 or empty)
|
_DISABLE_HAPTIC_FEEDBACK = const(0x20) # bool (0x01 or empty)
|
||||||
@ -364,22 +364,22 @@ if utils.USE_THP:
|
|||||||
"""
|
"""
|
||||||
Device secret is used to derive keys that are independent of the seed.
|
Device secret is used to derive keys that are independent of the seed.
|
||||||
"""
|
"""
|
||||||
device_secret = common.get(_NAMESPACE, _DEVICE_SECRET, True)
|
device_secret = common.get(_NAMESPACE, DEVICE_SECRET, True)
|
||||||
if not device_secret:
|
if not device_secret:
|
||||||
from trezor.crypto import random
|
from trezor.crypto import random
|
||||||
|
|
||||||
device_secret = random.bytes(16, True)
|
device_secret = random.bytes(16, True)
|
||||||
common.set(_NAMESPACE, _DEVICE_SECRET, device_secret, True)
|
common.set(_NAMESPACE, DEVICE_SECRET, device_secret, True)
|
||||||
return device_secret
|
return device_secret
|
||||||
|
|
||||||
def get_cred_auth_key_counter() -> bytes:
|
def get_cred_auth_key_counter() -> bytes:
|
||||||
return common.get(_NAMESPACE, _CRED_AUTH_KEY_COUNTER, True) or bytes(4)
|
return common.get(_NAMESPACE, CRED_AUTH_KEY_COUNTER, True) or bytes(4)
|
||||||
|
|
||||||
def increment_cred_auth_key_counter() -> None:
|
def increment_cred_auth_key_counter() -> None:
|
||||||
counter = int.from_bytes(get_cred_auth_key_counter(), "big")
|
counter = int.from_bytes(get_cred_auth_key_counter(), "big")
|
||||||
utils.ensure(counter < 0xFFFFFFFF, "Overflow of cred_auth_key_counter")
|
utils.ensure(counter < 0xFFFFFFFF, "Overflow of cred_auth_key_counter")
|
||||||
common.set(
|
common.set(
|
||||||
_NAMESPACE, _CRED_AUTH_KEY_COUNTER, (counter + 1).to_bytes(4, "big"), True
|
_NAMESPACE, CRED_AUTH_KEY_COUNTER, (counter + 1).to_bytes(4, "big"), True
|
||||||
)
|
)
|
||||||
|
|
||||||
|
|
||||||
|
@ -40,9 +40,9 @@ class TestConfig(unittest.TestCase):
|
|||||||
|
|
||||||
def test_cred_auth_key_counter_overflow(self):
|
def test_cred_auth_key_counter_overflow(self):
|
||||||
from storage import common
|
from storage import common
|
||||||
from storage.device import _CRED_AUTH_KEY_COUNTER, _NAMESPACE
|
from storage.device import _NAMESPACE, CRED_AUTH_KEY_COUNTER
|
||||||
|
|
||||||
common.set(_NAMESPACE, _CRED_AUTH_KEY_COUNTER, b"\xff\xff\xff\xfe", True)
|
common.set(_NAMESPACE, CRED_AUTH_KEY_COUNTER, b"\xff\xff\xff\xfe", True)
|
||||||
device.increment_cred_auth_key_counter()
|
device.increment_cred_auth_key_counter()
|
||||||
self.assertEqual(device.get_cred_auth_key_counter(), b"\xff\xff\xff\xff")
|
self.assertEqual(device.get_cred_auth_key_counter(), b"\xff\xff\xff\xff")
|
||||||
with self.assertRaises(AssertionError) as e:
|
with self.assertRaises(AssertionError) as e:
|
||||||
|
Loading…
Reference in New Issue
Block a user