diff --git a/core/embed/extmod/modtrezorcrypto/modtrezorcrypto-optiga.h b/core/embed/extmod/modtrezorcrypto/modtrezorcrypto-optiga.h
index 08a77d8a4e..44a713879d 100644
--- a/core/embed/extmod/modtrezorcrypto/modtrezorcrypto-optiga.h
+++ b/core/embed/extmod/modtrezorcrypto/modtrezorcrypto-optiga.h
@@ -104,10 +104,23 @@ STATIC mp_obj_t mod_trezorcrypto_optiga_sign(mp_obj_t key_index,
   sig.len = sig_size;
   return mp_obj_new_str_from_vstr(&mp_type_bytes, &sig);
 }
-
 STATIC MP_DEFINE_CONST_FUN_OBJ_2(mod_trezorcrypto_optiga_sign_obj,
                                  mod_trezorcrypto_optiga_sign);
+/// def get_sec() -> int | None:
+/// """
+/// Returns the value of Optiga's security event counter.
+/// """
+STATIC mp_obj_t mod_trezorcrypto_optiga_get_sec() {
+  uint8_t sec = 0;
+  if (optiga_read_sec(&sec)) {
+    return mp_obj_new_int_from_uint(sec);
+  }
+  return mp_const_none;
+}
+STATIC MP_DEFINE_CONST_FUN_OBJ_0(mod_trezorcrypto_optiga_get_sec_obj,
+                                 mod_trezorcrypto_optiga_get_sec);
+
 /// DEVICE_CERT_INDEX: int
 /// DEVICE_ECC_KEY_INDEX: int
@@ -116,6 +129,8 @@ STATIC const mp_rom_map_elem_t mod_trezorcrypto_optiga_globals_table[] = {
     {MP_ROM_QSTR(MP_QSTR_get_certificate),
      MP_ROM_PTR(&mod_trezorcrypto_optiga_get_certificate_obj)},
     {MP_ROM_QSTR(MP_QSTR_sign), MP_ROM_PTR(&mod_trezorcrypto_optiga_sign_obj)},
+    {MP_ROM_QSTR(MP_QSTR_get_sec),
+     MP_ROM_PTR(&mod_trezorcrypto_optiga_get_sec_obj)},
     {MP_ROM_QSTR(MP_QSTR_DEVICE_CERT_INDEX),
      MP_ROM_INT(OPTIGA_DEVICE_CERT_INDEX)},
     {MP_ROM_QSTR(MP_QSTR_DEVICE_ECC_KEY_INDEX),
diff --git a/core/embed/trezorhal/optiga.h b/core/embed/trezorhal/optiga.h
index a58c223d7c..05ff3c8af4 100644
--- a/core/embed/trezorhal/optiga.h
+++ b/core/embed/trezorhal/optiga.h
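Review bot: `mod_trezorcrypto_optiga_get_sec()` is defined with an empty parameter list, which in C11 is an old-style declarator rather than a prototype and trips `-Wstrict-prototypes`; the usual convention in this kind of MicroPython module code is `STATIC mp_obj_t mod_trezorcrypto_optiga_get_sec(void) {`. The `///` docstring also leaves the `None` branch unexplained: from `int | None` a Python caller cannot tell that `None` means `optiga_read_sec` failed rather than "no counter", so I would add `/// Returns None if the counter could not be read from the Optiga.` before the closing `/// """` so the generated .pyi carries the contract as well. If the other wrappers in this module raise on Optiga failures (their bodies are outside this hunk, so I cannot confirm), the silent `mp_const_none` return is presumably inconsistent with them and worth a second look.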
@@ -59,6 +59,8 @@ bool __wur optiga_cert_size(uint8_t index, size_t *cert_size);
 bool __wur optiga_read_cert(uint8_t index, uint8_t *cert, size_t max_cert_size,
                            size_t *cert_size);
+bool __wur optiga_read_sec(uint8_t *sec);
+
 bool __wur optiga_random_buffer(uint8_t *dest, size_t size);
 int __wur optiga_pin_set(OPTIGA_UI_PROGRESS ui_progress,
diff --git a/core/embed/trezorhal/optiga/optiga.c b/core/embed/trezorhal/optiga/optiga.c
index a4be9f1e88..0008ee4c92 100644
--- a/core/embed/trezorhal/optiga/optiga.c
+++ b/core/embed/trezorhal/optiga/optiga.c
@@ -159,6 +159,13 @@ bool optiga_read_cert(uint8_t index, uint8_t *cert, size_t max_cert_size,
   return OPTIGA_SUCCESS == ret;
 }
+bool optiga_read_sec(uint8_t *sec) {
+  size_t size = 0;
+  optiga_result ret = optiga_get_data_object(OPTIGA_OID_SEC, false, sec,
+                                             sizeof(uint8_t), &size);
+  return ret == OPTIGA_SUCCESS && size == sizeof(uint8_t);
+}
+
 bool optiga_random_buffer(uint8_t *dest, size_t size) {
   while (size > OPTIGA_RANDOM_MAX_SIZE) {
     if (optiga_get_random(dest, OPTIGA_RANDOM_MAX_SIZE) != OPTIGA_SUCCESS) {
diff --git a/core/embed/trezorhal/unix/optiga.c b/core/embed/trezorhal/unix/optiga.c
index 8e63f7ffa2..c80e8bb852 100644
--- a/core/embed/trezorhal/unix/optiga.c
+++ b/core/embed/trezorhal/unix/optiga.c
@@ -149,6 +149,11 @@ bool optiga_read_cert(uint8_t index, uint8_t *cert, size_t max_cert_size,
   return true;
 }
+bool optiga_read_sec(uint8_t *sec) {
+  *sec = 0;
+  return true;
+}
+
 bool optiga_random_buffer(uint8_t *dest, size_t size) {
   random_buffer(dest, size);
   return true;
diff --git a/core/mocks/generated/trezorcrypto/optiga.pyi b/core/mocks/generated/trezorcrypto/optiga.pyi
index 25af0f16c7..f4f2d2be40 100644
--- a/core/mocks/generated/trezorcrypto/optiga.pyi
+++ b/core/mocks/generated/trezorcrypto/optiga.pyi
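Review bot: The new prototype `bool __wur optiga_read_sec(uint8_t *sec);` says nothing about what `*sec` receives or when the call fails, yet `__wur` obliges every caller to act on a return value whose meaning is only discoverable by opening optiga.c. The neighbouring declarations in this hunk are equally bare, so this may well be the header's convention, but for a value that feeds a security decision a one-liner is cheap: `// Reads Optiga's one-byte security event counter into *sec; false if the read failed (*sec is then unspecified).` placed above the prototype. That lets a caller decide whether a false should be retried, surfaced to the user or ignored without reading the HAL.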
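Review bot: The new `return ret == OPTIGA_SUCCESS && size == sizeof(uint8_t);` reverses the comparison order this file already uses two lines above it in `return OPTIGA_SUCCESS == ret;`; one convention per file reads better, so either `return OPTIGA_SUCCESS == ret && sizeof(uint8_t) == size;` or a follow-up normalising the older line. The function also carries no comment on what it reads or what a false return means; I would add `// Reads the one-byte security event counter (OPTIGA_OID_SEC). Returns false on a transport error or if the returned object is not exactly one byte.` above it. The exact-size check is the right call: a short or empty object would otherwise be reported as success with whatever the caller left in `*sec`. Whether `optiga_get_data_object` can write into `sec` before reporting an error is not visible here, so callers should treat `*sec` as unspecified on false, which the MicroPython wrapper already does by discarding it.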
@@ -29,5 +29,12 @@ def sign(
     Uses the private key at key_index to produce a DER-encoded signature of
     the digest.
     """
+
+
+# extmod/modtrezorcrypto/modtrezorcrypto-optiga.h
+def get_sec() -> int | None:
+    """
+    Returns the value of Optiga's security event counter.
+    """
 DEVICE_CERT_INDEX: int
 DEVICE_ECC_KEY_INDEX: int