Merge 217dd8c817 into ef02c4de5d

reduces the number of PIN iterations and avoids erasing the other
storage bank -- if a test ever overruns, it will probably RSOD out, but
that's unlikely to happen

core/.changelog.d/4410.fixed

@@ -0,0 +1 @@
+Add optional value parameter in brightness setting flow.

core/Makefile

@@ -31,6 +31,7 @@ PYOPT      ?= 1
 BITCOIN_ONLY ?= 0
 BOOTLOADER_QA ?= 0
 BOOTLOADER_DEVEL ?= 0
+DISABLE_OPTIGA ?= 0
 TREZOR_MODEL ?= T
 TREZOR_MEMPERF ?= 0
 ADDRESS_SANITIZER ?= 0
@@ -41,6 +42,8 @@ THP ?= 0
 BENCHMARK ?= 0
 TREZOR_EMULATOR_DEBUGGABLE ?= 0
 QUIET_MODE ?= 0
+TREZOR_DISABLE_ANIMATION ?= $(if $(filter 0,$(PYOPT)),1,0)
+STORAGE_INSECURE_TESTING_MODE ?= 0
 
 # OpenOCD interface default. Alternative: ftdi/olimex-arm-usb-tiny-h
 OPENOCD_INTERFACE ?= stlink
@@ -142,7 +145,9 @@ SCONS_VARS = \
 	PRODUCTION="$(PRODUCTION)" \
 	PYOPT="$(PYOPT)" \
 	QUIET_MODE="$(QUIET_MODE)" \
+	STORAGE_INSECURE_TESTING_MODE="$(STORAGE_INSECURE_TESTING_MODE)" \
 	THP="$(THP)" \
+	TREZOR_DISABLE_ANIMATION="$(TREZOR_DISABLE_ANIMATION)" \
 	TREZOR_EMULATOR_ASAN="$(ADDRESS_SANITIZER)" \
 	TREZOR_EMULATOR_DEBUGGABLE=$(TREZOR_EMULATOR_DEBUGGABLE) \
 	TREZOR_MEMPERF="$(TREZOR_MEMPERF)" \

core/SConscript.firmware

@@ -18,6 +18,14 @@ HW_REVISION = ARGUMENTS.get('HW_REVISION', None)
 THP = ARGUMENTS.get('THP', '0') == '1' # Trezor-Host Protocol
 MODEL_IDENTIFIER = models.get_model_identifier(TREZOR_MODEL)
 BENCHMARK = ARGUMENTS.get('BENCHMARK', '0') == '1'
+DISABLE_ANIMATION = ARGUMENTS.get('TREZOR_DISABLE_ANIMATION', '0') == '1'
+
+STORAGE_INSECURE_TESTING_MODE = ARGUMENTS.get('STORAGE_INSECURE_TESTING_MODE', '0') == '1'
+if STORAGE_INSECURE_TESTING_MODE and PRODUCTION:
+    raise RuntimeError("STORAGE_INSECURE_TESTING_MODE cannot be used in production")
+if STORAGE_INSECURE_TESTING_MODE:
+    DISABLE_OPTIGA = True
+    PYOPT = "0"
 
 if BENCHMARK and PYOPT != '0':
   print("BENCHMARK=1 works only with PYOPT=0.")
@@ -30,7 +38,9 @@ FEATURE_FLAGS = {
 }
 
 FEATURES_WANTED = ["input", "sd_card", "rgb_led", "dma2d", "consumption_mask", "usb" ,"optiga", "haptic"]
-if DISABLE_OPTIGA and PYOPT == '0':
+if DISABLE_OPTIGA:
+    if PYOPT != '0':
+        raise RuntimeError("DISABLE_OPTIGA requires PYOPT=0")
     FEATURES_WANTED.remove("optiga")
 
 CCFLAGS_MOD = ''
@@ -69,6 +79,7 @@ CPPDEFINES_MOD += [
     ('USE_CARDANO', '1' if EVERYTHING else '0'),
     ('USE_NEM', '1' if (EVERYTHING and TREZOR_MODEL == "T") else '0'),
     ('USE_EOS', '1' if (EVERYTHING and TREZOR_MODEL == "T") else '0'),
+    ('DISABLE_ANIMATION', '1' if DISABLE_ANIMATION else '0'),
 ]
 SOURCE_MOD += [
     'embed/upymod/trezorobj.c',
@@ -367,6 +378,9 @@ if THP:
         'vendor/trezor-crypto/elligator2.c',
     ]
 
+if STORAGE_INSECURE_TESTING_MODE:
+    CPPDEFINES_MOD += ['STORAGE_INSECURE_TESTING_MODE']
+
 ui.init_ui(TREZOR_MODEL, "firmware", CPPDEFINES_MOD, SOURCE_MOD, RUST_UI_FEATURES)
 
 SOURCE_QSTR = SOURCE_MOD + SOURCE_MICROPYTHON + SOURCE_MICROPYTHON_SPEED
@@ -873,6 +887,14 @@ elif 'STM32U5G9xx' in CPPDEFINES_HAL or 'STM32U585xx' in CPPDEFINES_HAL:
 else:
     raise Exception("Unknown MCU")
 
+if STORAGE_INSECURE_TESTING_MODE:
+    INSECURE_TESTING_MODE_STR = """
+#########################################################
+#   STORAGE_INSECURE_TESTING_MODE enabled, DO NOT USE   #
+#########################################################
+"""
+    action_bin.append(INSECURE_TESTING_MODE_STR)
+
 program_bin = env.Command(
     target='firmware.bin',
     source=program_elf,

core/SConscript.kernel

@@ -16,6 +16,13 @@ DISABLE_OPTIGA = ARGUMENTS.get('DISABLE_OPTIGA', '0') == '1'
 HW_REVISION = ARGUMENTS.get('HW_REVISION', None)
 THP = ARGUMENTS.get('THP', '0') == '1' # Trezor-Host Protocol
 
+STORAGE_INSECURE_TESTING_MODE = ARGUMENTS.get('STORAGE_INSECURE_TESTING_MODE', '0') == '1'
+if STORAGE_INSECURE_TESTING_MODE and PRODUCTION:
+    raise RuntimeError("STORAGE_INSECURE_TESTING_MODE cannot be used in production")
+if STORAGE_INSECURE_TESTING_MODE:
+    DISABLE_OPTIGA = True
+    PYOPT = "0"
+
 FEATURE_FLAGS = {
     "RDI": True,
     "SECP256K1_ZKP": True,  # required for trezor.crypto.curve.bip340 (BIP340/Taproot)
@@ -24,7 +31,10 @@ FEATURE_FLAGS = {
 }
 
 FEATURES_WANTED = ["input", "sd_card", "rgb_led", "dma2d", "consumption_mask", "usb" ,"optiga", "haptic"]
-if DISABLE_OPTIGA and PYOPT == '0':
+if DISABLE_OPTIGA:
+    # TODO use PYOPT instead of PRODUCTION, same as in firmware, blocked on #4253
+    if PRODUCTION:
+        raise RuntimeError("DISABLE_OPTIGA requires non-production build")
     FEATURES_WANTED.remove("optiga")
 
 CCFLAGS_MOD = ''
@@ -235,6 +245,8 @@ if THP:
         'vendor/trezor-crypto/elligator2.c',
     ]
 
+if STORAGE_INSECURE_TESTING_MODE:
+    CPPDEFINES_MOD += ['STORAGE_INSECURE_TESTING_MODE']
 
 env = Environment(
     ENV=os.environ,
@@ -411,6 +423,14 @@ action_bin=[
     '$CP $TARGET ' + BINARY_NAME,
 ]
 
+if STORAGE_INSECURE_TESTING_MODE:
+    INSECURE_TESTING_MODE_STR = """
+#########################################################
+#   STORAGE_INSECURE_TESTING_MODE enabled, DO NOT USE   #
+#########################################################
+"""
+    action_bin.append(INSECURE_TESTING_MODE_STR)
+
 program_bin = env.Command(
     target='kernel.bin',
     source=program_elf,

core/embed/upymod/modtrezorutils/modtrezorutils.c

@@ -410,6 +410,9 @@ STATIC mp_obj_tuple_t mod_trezorutils_version_obj = {
 /// """UI layout identifier ("tt" for model T, "tr" for models One and R)."""
 /// USE_THP: bool
 /// """Whether the firmware supports Trezor-Host Protocol (version 2)."""
+/// if __debug__:
+///     DISABLE_ANIMATION: bool
+///     """Whether the firmware should disable animations."""
 
 STATIC const mp_rom_map_elem_t mp_module_trezorutils_globals_table[] = {
     {MP_ROM_QSTR(MP_QSTR___name__), MP_ROM_QSTR(MP_QSTR_trezorutils)},
@@ -502,6 +505,13 @@ STATIC const mp_rom_map_elem_t mp_module_trezorutils_globals_table[] = {
 #else
 #error Unknown layout
 #endif
+#if !PYOPT
+#if DISABLE_ANIMATION
+    {MP_ROM_QSTR(MP_QSTR_DISABLE_ANIMATION), mp_const_true},
+#else
+    {MP_ROM_QSTR(MP_QSTR_DISABLE_ANIMATION), mp_const_false},
+#endif  // TREZOR_DISABLE_ANIMATION
+#endif  // PYOPT
 };
 
 STATIC MP_DEFINE_CONST_DICT(mp_module_trezorutils_globals,

core/mocks/generated/trezorutils.pyi

@@ -152,3 +152,6 @@ UI_LAYOUT: str
 """UI layout identifier ("tt" for model T, "tr" for models One and R)."""
 USE_THP: bool
 """Whether the firmware supports Trezor-Host Protocol (version 2)."""
+if __debug__:
+    DISABLE_ANIMATION: bool
+    """Whether the firmware should disable animations."""

core/src/apps/management/set_brightness.py

@@ -4,7 +4,7 @@ if TYPE_CHECKING:
     from trezor.messages import SetBrightness, Success
 
 
-async def set_brightness(_msg: SetBrightness) -> Success:
+async def set_brightness(msg: SetBrightness) -> Success:
     import storage.device as storage_device
     from trezor.messages import Success
     from trezor.ui.layouts import set_brightness
@@ -13,5 +13,5 @@ async def set_brightness(_msg: SetBrightness) -> Success:
     if not storage_device.is_initialized():
         raise NotInitialized("Device is not initialized")
 
-    await set_brightness()
+    await set_brightness(msg.value)
     return Success(message="Settings applied")

core/src/trezor/ui/__init__.py

@@ -24,7 +24,7 @@ else:
 
 
 if __debug__:
-    trezorui2.disable_animation(bool(utils.DISABLE_ANIMATION))
+    trezorui2.disable_animation(utils.DISABLE_ANIMATION)
 
 
 # all rendering is done through a singleton of `Display`

core/src/trezor/utils.py

@@ -33,17 +33,20 @@ from trezorutils import (  # noqa: F401
 )
 from typing import TYPE_CHECKING
 
-DISABLE_ANIMATION = 0
-
 if __debug__:
     if EMULATOR:
         import uos
 
-        DISABLE_ANIMATION = int(uos.getenv("TREZOR_DISABLE_ANIMATION") or "0")
+        DISABLE_ANIMATION = uos.getenv("TREZOR_DISABLE_ANIMATION") == "1"
-        LOG_MEMORY = int(uos.getenv("TREZOR_LOG_MEMORY") or "0")
+        LOG_MEMORY = uos.getenv("TREZOR_LOG_MEMORY") == "1"
     else:
+        from trezorutils import DISABLE_ANIMATION  # noqa: F401
+
         LOG_MEMORY = 0
 
+else:
+    DISABLE_ANIMATION = False
+
 if TYPE_CHECKING:
     from typing import Any, Iterator, Protocol, Sequence, TypeVar
 

storage/norcow.c

@@ -284,11 +284,15 @@ void norcow_wipe(void) {
   // Erase the active sector first, because it contains sensitive data.
   erase_sector(norcow_active_sector, sectrue);
 
+#if STORAGE_INSECURE_TESTING_MODE && !PRODUCTION
+  // skip erasing inactive sectors
+#else
   for (uint8_t i = 0; i < NORCOW_SECTOR_COUNT; i++) {
     if (i != norcow_active_sector) {
       erase_sector(i, secfalse);
     }
   }
+#endif
   norcow_active_version = NORCOW_VERSION;
   norcow_write_sector = norcow_active_sector;
   norcow_free_offset = NORCOW_STORAGE_START;

storage/storage.c

@@ -86,8 +86,12 @@ const uint32_t V0_PIN_EMPTY = 1;
 // up constant storage space.
 #define MAX_WIPE_CODE_LEN 50
 
+#if STORAGE_INSECURE_TESTING_MODE && !PRODUCTION
+#define PIN_ITER_COUNT 1
+#else
 // The total number of iterations to use in PBKDF2.
 #define PIN_ITER_COUNT 20000
+#endif
 
 // The minimum number of milliseconds between progress updates.
 #define MIN_PROGRESS_UPDATE_MS 100

storage/storage_utils.h

@@ -2,3 +2,15 @@
 #include <stdint.h>
 
 uint32_t hamming_weight(uint32_t value);
+
+#ifndef STORAGE_INSECURE_TESTING_MODE
+#define STORAGE_INSECURE_TESTING_MODE 0
+#endif
+
+#if STORAGE_INSECURE_TESTING_MODE
+#if PRODUCTION
+#error "STORAGE_INSECURE_TESTING_MODE can't be used in production"
+#else
+#pragma message("STORAGE IS INSECURE DO NOT USE THIS IN PRODUCTION")
+#endif
+#endif

tests/device_tests/test_msg_applysettings.py

@@ -424,13 +424,32 @@ def test_label_too_long(client: Client):
 
 
 @pytest.mark.models(skip=["legacy", "safe3"])
+@pytest.mark.parametrize(
+    "value",
+    [
+        pytest.param(None, id="none_default"),
+        pytest.param(
+            -1,
+            marks=pytest.mark.xfail(),
+            id="negative_value",
+        ),
+        pytest.param(0, id="0_min_value"),
+        pytest.param(128, id="128"),
+        pytest.param(255, id="255_max_value"),
+        pytest.param(
+            256,
+            marks=pytest.mark.xfail(),
+            id="256_too_high",
+        ),
+    ],
+)
 @pytest.mark.setup_client(pin=None)
-def test_set_brightness(client: Client):
+def test_set_brightness(client: Client, value: int | None):
     with client:
         assert (
             device.set_brightness(
                 client,
-                None,
+                value,
             )
             == "Settings applied"
         )