fixup! feat(core): add prodtest and secret handling for T2B1

10 months ago · d822bce2a5
parent 213e9aa2b7
commit d822bce2a5
10 changed files with 108 additions and 10 deletions
--- a/core/embed/bootloader/bootui.c
+++ b/core/embed/bootloader/bootui.c
@ -19,6 +19,8 @@

 #include <string.h>

+#include TREZOR_BOARD
+
 #include "bootui.h"
 #include "display.h"
 #ifdef TREZOR_EMULATOR
@ -233,6 +235,12 @@ void ui_screen_boot_empty(bool fading) { screen_boot_empty(fading); }
 // error UI
 void ui_screen_fail(void) { screen_install_fail(); }

+#ifdef USE_OPTIGA
+uint32_t ui_screen_attestation_delete_confirm(void) {
+  return screen_attestation_delete_confirm();
+}
+#endif
+
 // general functions

 void ui_fadein(void) { display_fade(0, BACKLIGHT_NORMAL, 1000); }
--- a/core/embed/bootloader/bootui.h
+++ b/core/embed/bootloader/bootui.h
@ -23,6 +23,7 @@
 #include "image.h"
 #include "secbool.h"
 #include "stdbool.h"
+#include TREZOR_BOARD

 typedef enum {
  SCREEN_INTRO = 0,
@ -68,6 +69,10 @@ void ui_set_initial_setup(bool initial);

 void ui_screen_boot_empty(bool fading);

+#ifdef USE_OPTIGA
+uint32_t ui_screen_attestation_delete_confirm(void);
+#endif
+
 // clang-format off
 #define INPUT_CANCEL 0x01        // Cancel button
 #define INPUT_CONFIRM 0x02       // Confirm button
--- a/core/embed/bootloader/main.c
+++ b/core/embed/bootloader/main.c
@ -24,6 +24,7 @@
 #include "display.h"
 #include "flash.h"
 #include "image.h"
+#include "messages.pb.h"
 #include "random_delays.h"
 #include "secbool.h"
 #include "secret.h"
@ -150,13 +151,13 @@ static usb_result_t bootloader_usb_loop(const vendor_header *const vhdr,
      continue;
    }
    switch (msg_id) {
-      case 0:  // Initialize
+      case MessageType_MessageType_Initialize:
        process_msg_Initialize(USB_IFACE_NUM, msg_size, buf, vhdr, hdr);
        break;
-      case 1:  // Ping
+      case MessageType_MessageType_Ping:
        process_msg_Ping(USB_IFACE_NUM, msg_size, buf);
        break;
-      case 5:  // WipeDevice
+      case MessageType_MessageType_WipeDevice:
        response = ui_screen_wipe_confirm();
        if (INPUT_CANCEL == response) {
          send_user_abort(USB_IFACE_NUM, "Wipe cancelled");
@ -181,10 +182,10 @@ static usb_result_t bootloader_usb_loop(const vendor_header *const vhdr,
          return SHUTDOWN;
        }
        break;
-      case 6:  // FirmwareErase
+      case MessageType_MessageType_FirmwareErase:
        process_msg_FirmwareErase(USB_IFACE_NUM, msg_size, buf);
        break;
-      case 7:  // FirmwareUpload
+      case MessageType_MessageType_FirmwareUpload:
        r = process_msg_FirmwareUpload(USB_IFACE_NUM, msg_size, buf);
        if (r < 0 && r != UPLOAD_ERR_USER_ABORT) {  // error, but not user abort
          ui_screen_fail();
@ -211,9 +212,26 @@ static usb_result_t bootloader_usb_loop(const vendor_header *const vhdr,
          return CONTINUE;
        }
        break;
-      case 55:  // GetFeatures
+      case MessageType_MessageType_GetFeatures:
        process_msg_GetFeatures(USB_IFACE_NUM, msg_size, buf, vhdr, hdr);
        break;
+#ifdef USE_OPTIGA
+      case MessageType_MessageType_AttestationDelete:
+        response = ui_screen_attestation_delete_confirm();
+        if (INPUT_CANCEL == response) {
+          send_user_abort(USB_IFACE_NUM, "Attestation delete cancelled");
+          hal_delay(100);
+          usb_stop();
+          usb_deinit();
+          return RETURN;
+        }
+        process_msg_AttestationDelete(USB_IFACE_NUM, msg_size, buf);
+        hal_delay(100);
+        usb_stop();
+        usb_deinit();
+        return RETURN;
+        break;
+#endif
      default:
        process_msg_unknown(USB_IFACE_NUM, msg_size, buf);
        break;
@ -537,7 +555,6 @@ int bootloader_main(void) {
 #endif

  // if all VTRUST flags are unset = ultimate trust => skip the procedure
-
  if ((vhdr.vtrust & VTRUST_ALL) != VTRUST_ALL) {
    ui_fadeout();
    ui_screen_boot(&vhdr, hdr);
--- a/core/embed/bootloader/messages.c
+++ b/core/embed/bootloader/messages.c
@ -28,6 +28,7 @@
 #include "flash.h"
 #include "image.h"
 #include "secbool.h"
+#include "secret.h"
 #include "unit_variant.h"
 #include "usb.h"
 #include "version.h"
@ -572,6 +573,16 @@ int process_msg_FirmwareUpload(uint8_t iface_num, uint32_t msg_size,
                            &should_keep_seed, &is_newvendor);
      }

+#ifdef USE_OPTIGA
+      if (sectrue != secret_wiped() && ((vhdr.vtrust & VTRUST_SECRET) != 0)) {
+        MSG_SEND_INIT(Failure);
+        MSG_SEND_ASSIGN_VALUE(code, FailureType_Failure_ProcessError);
+        MSG_SEND_ASSIGN_STRING(message, "Attestation present");
+        MSG_SEND(Failure);
+        return UPLOAD_ERR_ATTESTATION_PRESENT;
+      }
+#endif
+
      uint32_t response = INPUT_CANCEL;
      if (sectrue == is_new) {
        // new installation - auto confirm
@ -722,3 +733,12 @@ void process_msg_unknown(uint8_t iface_num, uint32_t msg_size, uint8_t *buf) {
  MSG_SEND_ASSIGN_STRING(message, "Unexpected message");
  MSG_SEND(Failure);
 }
+
+#ifdef USE_OPTIGA
+void process_msg_AttestationDelete(uint8_t iface_num, uint32_t msg_size,
+                                   uint8_t *buf) {
+  secret_erase();
+  MSG_SEND_INIT(Success);
+  MSG_SEND(Success);
+}
+#endif
--- a/core/embed/bootloader/messages.h
+++ b/core/embed/bootloader/messages.h
@ -23,6 +23,7 @@
 #include <stdint.h>
 #include "image.h"
 #include "secbool.h"
+#include TREZOR_BOARD

 #define USB_TIMEOUT 500
 #define USB_PACKET_SIZE 64
@ -40,6 +41,7 @@ enum {
  UPLOAD_ERR_USER_ABORT = -7,
  UPLOAD_ERR_FIRMWARE_TOO_BIG = -8,
  UPLOAD_ERR_INVALID_CHUNK_HASH = -9,
+  UPLOAD_ERR_ATTESTATION_PRESENT = -10,
 };

 enum {
@ -66,6 +68,11 @@ int process_msg_FirmwareUpload(uint8_t iface_num, uint32_t msg_size,
 int process_msg_WipeDevice(uint8_t iface_num, uint32_t msg_size, uint8_t *buf);
 void process_msg_unknown(uint8_t iface_num, uint32_t msg_size, uint8_t *buf);

+#ifdef USE_OPTIGA
+void process_msg_AttestationDelete(uint8_t iface_num, uint32_t msg_size,
+                                   uint8_t *buf);
+#endif
+
 secbool bootloader_WipeDevice(void);

 #endif
--- a/core/embed/bootloader/protob/messages.pb.c
+++ b/core/embed/bootloader/protob/messages.pb.c
@ -39,6 +39,9 @@ PB_BIND(FirmwareRequest, FirmwareRequest, AUTO)
 PB_BIND(FirmwareUpload, FirmwareUpload, AUTO)


+PB_BIND(AttestationDelete, AttestationDelete, AUTO)
+
+



--- a/core/embed/bootloader/protob/messages.pb.h
+++ b/core/embed/bootloader/protob/messages.pb.h
@ -15,13 +15,15 @@ typedef enum _MessageType {
    MessageType_MessageType_Ping = 1,
    MessageType_MessageType_Success = 2,
    MessageType_MessageType_Failure = 3,
+    MessageType_MessageType_WipeDevice = 5,
    MessageType_MessageType_FirmwareErase = 6,
    MessageType_MessageType_FirmwareUpload = 7,
    MessageType_MessageType_FirmwareRequest = 8,
    MessageType_MessageType_Features = 17,
    MessageType_MessageType_ButtonRequest = 26,
    MessageType_MessageType_ButtonAck = 27,
-    MessageType_MessageType_GetFeatures = 55
+    MessageType_MessageType_GetFeatures = 55,
+    MessageType_MessageType_AttestationDelete = 96
 } MessageType;

 typedef enum _FailureType {
@ -36,6 +38,10 @@ typedef enum _ButtonRequestType {
 } ButtonRequestType;

 /* Struct definitions */
+typedef struct _AttestationDelete {
+    char dummy_field;
+} AttestationDelete;
+
 typedef struct _ButtonAck {
    char dummy_field;
 } ButtonAck;
@ -129,8 +135,8 @@ typedef struct _Success {

 /* Helper constants for enums */
 #define _MessageType_MIN MessageType_MessageType_Initialize
-#define _MessageType_MAX MessageType_MessageType_GetFeatures
-#define _MessageType_ARRAYSIZE ((MessageType)(MessageType_MessageType_GetFeatures+1))
+#define _MessageType_MAX MessageType_MessageType_AttestationDelete
+#define _MessageType_ARRAYSIZE ((MessageType)(MessageType_MessageType_AttestationDelete+1))

 #define _FailureType_MIN FailureType_Failure_UnexpectedMessage
 #define _FailureType_MAX FailureType_Failure_ProcessError
@ -157,6 +163,7 @@ extern "C" {
 #define FirmwareErase_init_default               {false, 0}
 #define FirmwareRequest_init_default             {0, 0}
 #define FirmwareUpload_init_default              {{{NULL}, NULL}, false, {0, {0}}}
+#define AttestationDelete_init_default           {0}
 #define Initialize_init_zero                     {0}
 #define GetFeatures_init_zero                    {0}
 #define Features_init_zero                       {false, "", 0, 0, 0, false, 0, false, "", false, "", false, "", false, 0, false, {0, {0}}, false, 0, false, "", false, 0, false, 0, false, 0, false, "", false, "", false, 0, false, 0}
@ -168,6 +175,7 @@ extern "C" {
 #define FirmwareErase_init_zero                  {false, 0}
 #define FirmwareRequest_init_zero                {0, 0}
 #define FirmwareUpload_init_zero                 {{{NULL}, NULL}, false, {0, {0}}}
+#define AttestationDelete_init_zero              {0}

 /* Field tags (for use in manual encoding/decoding) */
 #define ButtonRequest_code_tag                   1
@ -277,6 +285,11 @@ X(a, STATIC,   OPTIONAL, BYTES,    hash,              2)
 #define FirmwareUpload_CALLBACK pb_default_field_callback
 #define FirmwareUpload_DEFAULT NULL

+#define AttestationDelete_FIELDLIST(X, a) \
+
+#define AttestationDelete_CALLBACK NULL
+#define AttestationDelete_DEFAULT NULL
+
 extern const pb_msgdesc_t Initialize_msg;
 extern const pb_msgdesc_t GetFeatures_msg;
 extern const pb_msgdesc_t Features_msg;
@ -288,6 +301,7 @@ extern const pb_msgdesc_t ButtonAck_msg;
 extern const pb_msgdesc_t FirmwareErase_msg;
 extern const pb_msgdesc_t FirmwareRequest_msg;
 extern const pb_msgdesc_t FirmwareUpload_msg;
+extern const pb_msgdesc_t AttestationDelete_msg;

 /* Defines for backwards compatibility with code written before nanopb-0.4.0 */
 #define Initialize_fields &Initialize_msg
@ -301,9 +315,11 @@ extern const pb_msgdesc_t FirmwareUpload_msg;
 #define FirmwareErase_fields &FirmwareErase_msg
 #define FirmwareRequest_fields &FirmwareRequest_msg
 #define FirmwareUpload_fields &FirmwareUpload_msg
+#define AttestationDelete_fields &AttestationDelete_msg

 /* Maximum encoded size of messages (where known) */
 /* FirmwareUpload_size depends on runtime parameters */
+#define AttestationDelete_size                   0
 #define ButtonAck_size                           0
 #define ButtonRequest_size                       2
 #define Failure_size                             260
--- a/core/embed/bootloader/protob/messages.proto
+++ b/core/embed/bootloader/protob/messages.proto
@ -9,6 +9,7 @@ enum MessageType {
    MessageType_Ping = 1;
    MessageType_Success = 2;
    MessageType_Failure = 3;
+    MessageType_WipeDevice = 5;
    MessageType_FirmwareErase = 6;
    MessageType_FirmwareUpload = 7;
    MessageType_FirmwareRequest = 8;
@ -16,6 +17,7 @@ enum MessageType {
    MessageType_ButtonRequest = 26;
    MessageType_ButtonAck = 27;
    MessageType_GetFeatures = 55;
+    MessageType_AttestationDelete = 96;
 }

 /**
@ -143,3 +145,12 @@ message FirmwareUpload {
    required bytes payload = 1; // firmware to be loaded into device
    optional bytes hash = 2;    // hash of the payload
 }
+
+/**
+ * Request: Delete attestation from the device, !irreversible!
+ * @start
+ * @next Success
+ * @next Failure
+ */
+message AttestationDelete {
+}
--- a/core/embed/rust/rust_ui.h
+++ b/core/embed/rust/rust_ui.h
@ -25,4 +25,5 @@ uint32_t screen_install_fail(void);
 void screen_welcome_model(void);
 void screen_welcome(void);
 void screen_boot_empty(bool fading);
+uint32_t screen_attestation_delete_confirm(void);
 void display_image(int16_t x, int16_t y, const uint8_t* data, uint32_t datalen);
--- a/core/embed/rust/src/ui/model_tr/bootloader/mod.rs
+++ b/core/embed/rust/src/ui/model_tr/bootloader/mod.rs
@ -165,6 +165,16 @@ extern "C" fn screen_wipe_confirm() -> u32 {
    run(&mut frame)
 }

+#[no_mangle]
+extern "C" fn screen_attestation_delete_confirm() -> u32 {
+    let message = Label::left_aligned("Delete attestation from the device?", theme::TEXT_NORMAL)
+        .vertically_centered();
+
+    let mut frame = Confirm::new(BLD_BG, "ATTESTATION ERASE", message, None, "ERASE");
+
+    run(&mut frame)
+}
+
 #[no_mangle]
 extern "C" fn screen_menu(_bld_version: *const cty::c_char) -> u32 {
    run(&mut Menu::new())