fix(core): disable access to secret in flash after boot
[no changelog]
parent
686aa78aa7
commit
f881fab797
@ -116,6 +116,12 @@ int main(void) {
|
||||
|
||||
unit_variant_init();
|
||||
|
||||
#ifdef USE_OPTIGA
|
||||
uint8_t secret[SECRET_OPTIGA_KEY_LEN] = {0};
|
||||
secbool secret_ok =
|
||||
secret_read(secret, SECRET_OPTIGA_KEY_OFFSET, SECRET_OPTIGA_KEY_LEN);
|
||||
#endif
|
||||
|
||||
#if PRODUCTION || BOOTLOADER_QA
|
||||
check_and_replace_bootloader();
|
||||
#endif
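Review bot: The Optiga pairing secret now stays in the stack buffer `secret` from this early read until the `memzero(secret, sizeof(secret))` in the later `USE_OPTIGA` block, so it is held in RAM across `check_and_replace_bootloader()` and whatever else runs in between (not visible in this hunk). If any of that code can halt or reset without returning to `main`, the wipe is never reached; it is worth confirming that the fatal-error path clears RAM, or narrowing the window between read and handshake. A comment at the read would also help the next reader, for example `// read the secret now: flash access to it is disabled later in boot`, assuming that is the reason for moving it. main() starts and ends outside the hunk.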
|
||||
@ -166,10 +172,7 @@ int main(void) {
|
||||
#ifdef USE_OPTIGA
|
||||
optiga_init();
|
||||
optiga_open_application();
|
||||
|
||||
uint8_t secret[SECRET_OPTIGA_KEY_LEN] = {0};
|
||||
if (secret_read(secret, SECRET_OPTIGA_KEY_OFFSET, SECRET_OPTIGA_KEY_LEN) ==
|
||||
sectrue) {
|
||||
if (sectrue == secret_ok) {
|
||||
optiga_sec_chan_handshake(secret, sizeof(secret));
|
||||
}
|
||||
memzero(secret, sizeof(secret));
|
||||
|
@ -125,13 +125,12 @@ void mpu_config_firmware(void) {
|
||||
MPU->RASR = MPU_RASR_ENABLE_Msk | MPU_RASR_ATTR_FLASH |
|
||||
LL_MPU_REGION_SIZE_64KB | LL_MPU_REGION_FULL_ACCESS |
|
||||
MPU_RASR_XN_Msk;
|
||||
// Secret + Storage#2 (0x08100000 - 0x0811FFFF, 16 Kib + 64 KiB, read-write,
|
||||
// execute never)
|
||||
// Storage#2 (0x08110000 - 0x0811FFFF, 64 KiB, read-write, execute never)
|
||||
MPU->RNR = MPU_REGION_NUMBER2;
|
||||
MPU->RBAR = FLASH_BASE + 0x110000;
|
||||
MPU->RASR = MPU_RASR_ENABLE_Msk | MPU_RASR_ATTR_FLASH |
|
||||
LL_MPU_REGION_SIZE_128KB | LL_MPU_REGION_FULL_ACCESS |
|
||||
MPU_RASR_XN_Msk | MPU_SUBREGION_DISABLE(0x0E);
|
||||
LL_MPU_REGION_SIZE_64KB | LL_MPU_REGION_FULL_ACCESS |
|
||||
MPU_RASR_XN_Msk;
|
||||
|
||||
// Firmware (0x08040000 - 0x080FFFFF, 6 * 128 KiB = 1024 KiB except 2/8 at
|
||||
// start = 768 KiB, read-only)
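Review bot: Shrinking region 2 to `FLASH_BASE + 0x110000` with `LL_MPU_REGION_SIZE_64KB` only blocks the secret sector if nothing else maps it. An address outside every enabled region is still reachable by privileged code when PRIVDEFENA is set in the MPU control register, and any other enabled region covering that range would apply its own permissions. Neither the control setting nor the full region list is visible here, so this should be confirmed for the secret range that the old comment places at 0x08100000. The removed comment was the only mention of the secret in this block, so I would keep the intent visible with something like `// Secret (16 KiB at 0x08100000) is deliberately left unmapped: no access after boot`. mpu_config_firmware's body starts and ends outside the hunk.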
|
||||
|