feat(core): Implement DebugLinkOptigaSetSecMax.

2024-12-19 04:48:12 +00:00 · 2024-07-09 14:30:18 +02:00 · 2024-07-09 14:30:18 +02:00 · e84f969f4f
commit e84f969f4f
parent b6b1ad8825
6 changed files with 57 additions and 0 deletions
--- a/core/embed/extmod/modtrezorcrypto/modtrezorcrypto-optiga.h
+++ b/core/embed/extmod/modtrezorcrypto/modtrezorcrypto-optiga.h
@ -122,6 +122,19 @@ STATIC mp_obj_t mod_trezorcrypto_optiga_get_sec() {
 STATIC MP_DEFINE_CONST_FUN_OBJ_0(mod_trezorcrypto_optiga_get_sec_obj,
                                 mod_trezorcrypto_optiga_get_sec);

+#if PYOPT == 0
+/// def set_sec_max() -> None:
+///     """
+///     Set Optiga's security event counter to maximum.
+///     """
+STATIC mp_obj_t mod_trezorcrypto_optiga_set_sec_max() {
+  optiga_set_sec_max();
+  return mp_const_none;
+}
+STATIC MP_DEFINE_CONST_FUN_OBJ_0(mod_trezorcrypto_optiga_set_sec_max_obj,
+                                 mod_trezorcrypto_optiga_set_sec_max);
+#endif
+
 /// DEVICE_CERT_INDEX: int
 /// DEVICE_ECC_KEY_INDEX: int

@ -132,6 +145,10 @@ STATIC const mp_rom_map_elem_t mod_trezorcrypto_optiga_globals_table[] = {
    {MP_ROM_QSTR(MP_QSTR_sign), MP_ROM_PTR(&mod_trezorcrypto_optiga_sign_obj)},
    {MP_ROM_QSTR(MP_QSTR_get_sec),
     MP_ROM_PTR(&mod_trezorcrypto_optiga_get_sec_obj)},
+#if PYOPT == 0
+    {MP_ROM_QSTR(MP_QSTR_set_sec_max),
+     MP_ROM_PTR(&mod_trezorcrypto_optiga_set_sec_max_obj)},
+#endif
    {MP_ROM_QSTR(MP_QSTR_DEVICE_CERT_INDEX),
     MP_ROM_INT(OPTIGA_DEVICE_CERT_INDEX)},
    {MP_ROM_QSTR(MP_QSTR_DEVICE_ECC_KEY_INDEX),
--- a/core/embed/trezorhal/optiga.h
+++ b/core/embed/trezorhal/optiga.h
@ -57,6 +57,8 @@ bool __wur optiga_read_cert(uint8_t index, uint8_t *cert, size_t max_cert_size,

 bool __wur optiga_read_sec(uint8_t *sec);

+void optiga_set_sec_max(void);
+
 bool __wur optiga_random_buffer(uint8_t *dest, size_t size);

 bool __wur optiga_pin_set(optiga_ui_progress_t ui_progress,
--- a/core/embed/trezorhal/optiga/optiga.c
+++ b/core/embed/trezorhal/optiga/optiga.c
@ -176,6 +176,20 @@ bool optiga_read_sec(uint8_t *sec) {
  return ret == OPTIGA_SUCCESS && size == sizeof(uint8_t);
 }

+void optiga_set_sec_max(void) {
+  uint8_t invalid_point[] = {
+      0x03, 0x42, 0x00, 0x04, 0xe2, 0x67, 0x5b, 0xe0, 0xbb, 0xf4, 0xfb, 0x9d,
+      0xec, 0xaa, 0x1e, 0x96, 0xac, 0xc8, 0xa7, 0xca, 0xd0, 0x05, 0x84, 0xfe,
+      0xfd, 0x7f, 0x24, 0xc6, 0xe7, 0x72, 0x5b, 0x56, 0xb3, 0x45, 0x06, 0x67,
+      0xbc, 0x73, 0xe3, 0xb8, 0xf5, 0x5d, 0x1c, 0xad, 0xa0, 0x3e, 0x59, 0x1b,
+      0x3b, 0x9c, 0x6e, 0xc4, 0xb6, 0xd1, 0x05, 0xf7, 0xd8, 0xc0, 0x67, 0x0d,
+      0xfb, 0xcc, 0xea, 0xb1, 0x65, 0xdb, 0xa6, 0x5f};
+  uint8_t buffer[32] = {0};
+  size_t size = 0;
+  optiga_calc_ssec(OPTIGA_CURVE_P256, OID_PIN_ECDH, invalid_point,
+                   sizeof(invalid_point), buffer, sizeof(buffer), &size);
+}
+
 uint32_t optiga_estimate_time_ms(storage_pin_op_t op) {
  uint8_t sec = 0;
  if (!optiga_read_sec(&sec)) {
--- a/core/embed/trezorhal/unix/optiga.c
+++ b/core/embed/trezorhal/unix/optiga.c
@ -88,6 +88,8 @@ bool optiga_read_sec(uint8_t *sec) {
  return true;
 }

+void optiga_set_sec_max(void) {}
+
 uint32_t optiga_estimate_time_ms(storage_pin_op_t op) { return 0; }

 bool optiga_random_buffer(uint8_t *dest, size_t size) {
--- a/core/mocks/generated/trezorcrypto/optiga.pyi
+++ b/core/mocks/generated/trezorcrypto/optiga.pyi
@ -36,5 +36,12 @@ def get_sec() -> int | None:
    """
    Returns the value of Optiga's security event counter.
    """
+
+
+# extmod/modtrezorcrypto/modtrezorcrypto-optiga.h
+def set_sec_max() -> None:
+    """
+    Set Optiga's security event counter to maximum.
+    """
 DEVICE_CERT_INDEX: int
 DEVICE_ECC_KEY_INDEX: int
--- a/core/src/apps/debug/init.py
+++ b/core/src/apps/debug/init.py
@ -22,6 +22,7 @@ if __debug__:
            DebugLinkDecision,
            DebugLinkEraseSdCard,
            DebugLinkGetState,
+            DebugLinkOptigaSetSecMax,
            DebugLinkRecordScreen,
            DebugLinkReseedRandom,
            DebugLinkResetDebugEvents,
@ -274,7 +275,21 @@ if __debug__:
        register(
            MessageType.DebugLinkResetDebugEvents, dispatch_DebugLinkResetDebugEvents
        )
+        register(
+            MessageType.DebugLinkOptigaSetSecMax, dispatch_DebugLinkOptigaSetSecMax
+        )

        loop.schedule(debuglink_decision_dispatcher())
        if storage.layout_watcher is not LAYOUT_WATCHER_NONE:
            loop.schedule(return_layout_change())
+
+    async def dispatch_DebugLinkOptigaSetSecMax(
+        msg: DebugLinkOptigaSetSecMax,
+    ) -> Success:
+        if utils.USE_OPTIGA:
+            from trezor.crypto import optiga
+
+            optiga.set_sec_max()
+            return Success()
+        else:
+            raise wire.UnexpectedMessage("Optiga not supported")