arno/trezor-firmware
1
0
Fork 0
mirror of https://github.com/trezor/trezor-firmware.git synced 2024-11-19 14:08:11 +00:00
Code Issues Releases Wiki Activity

fix(core): disable access to secret in flash after boot

Browse Source 
[no changelog]
This commit is contained in:
tychovrahe 2023-09-14 16:52:45 +02:00 committed by TychoVrahe
parent 686aa78aa7
commit f881fab797
2 changed files with 10 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
core/embed/firmware/main.c
View File

@ -116,6 +116,12 @@ int main(void) {
unit_variant_init(); unit_variant_init();
#ifdef USE_OPTIGA
uint8_t secret[SECRET_OPTIGA_KEY_LEN] = {0};
secbool secret_ok =
secret_read(secret, SECRET_OPTIGA_KEY_OFFSET, SECRET_OPTIGA_KEY_LEN);
#endif
#if PRODUCTION || BOOTLOADER_QA #if PRODUCTION || BOOTLOADER_QA
check_and_replace_bootloader(); check_and_replace_bootloader();
#endif #endif
@ -166,10 +172,7 @@ int main(void) {
#ifdef USE_OPTIGA #ifdef USE_OPTIGA
optiga_init(); optiga_init();
optiga_open_application(); optiga_open_application();
if (sectrue == secret_ok) {
uint8_t secret[SECRET_OPTIGA_KEY_LEN] = {0};
if (secret_read(secret, SECRET_OPTIGA_KEY_OFFSET, SECRET_OPTIGA_KEY_LEN) ==
sectrue) {
optiga_sec_chan_handshake(secret, sizeof(secret)); optiga_sec_chan_handshake(secret, sizeof(secret));
} }
memzero(secret, sizeof(secret)); memzero(secret, sizeof(secret));

7
core/embed/trezorhal/stm32f4/mpu.c
View File

@ -125,13 +125,12 @@ void mpu_config_firmware(void) {
MPU->RASR = MPU_RASR_ENABLE_Msk | MPU_RASR_ATTR_FLASH | MPU->RASR = MPU_RASR_ENABLE_Msk | MPU_RASR_ATTR_FLASH |
LL_MPU_REGION_SIZE_64KB | LL_MPU_REGION_FULL_ACCESS | LL_MPU_REGION_SIZE_64KB | LL_MPU_REGION_FULL_ACCESS |
MPU_RASR_XN_Msk; MPU_RASR_XN_Msk;
// Secret + Storage#2 (0x08100000 - 0x0811FFFF, 16 Kib + 64 KiB, read-write, // Storage#2 (0x08110000 - 0x0811FFFF, 64 KiB, read-write, execute never)
// execute never)
MPU->RNR = MPU_REGION_NUMBER2; MPU->RNR = MPU_REGION_NUMBER2;
MPU->RBAR = FLASH_BASE + 0x110000; MPU->RBAR = FLASH_BASE + 0x110000;
MPU->RASR = MPU_RASR_ENABLE_Msk | MPU_RASR_ATTR_FLASH | MPU->RASR = MPU_RASR_ENABLE_Msk | MPU_RASR_ATTR_FLASH |
LL_MPU_REGION_SIZE_128KB | LL_MPU_REGION_FULL_ACCESS | LL_MPU_REGION_SIZE_64KB | LL_MPU_REGION_FULL_ACCESS |
MPU_RASR_XN_Msk | MPU_SUBREGION_DISABLE(0x0E); MPU_RASR_XN_Msk;
// Firmware (0x08040000 - 0x080FFFFF, 6 * 128 KiB = 1024 KiB except 2/8 at // Firmware (0x08040000 - 0x080FFFFF, 6 * 128 KiB = 1024 KiB except 2/8 at
// start = 768 KiB, read-only) // start = 768 KiB, read-only)