From 567f582d7edfcc6544e3c2dc5c42d970c605a2c2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Sosth=C3=A8ne=20Gu=C3=A9don?= Date: Thu, 4 Apr 2024 17:33:06 +0200 Subject: [PATCH 1/7] Automatically enable the se050 for opcard if opcard has never been used --- Cargo.lock | 8 ++--- Cargo.toml | 9 +++--- components/apps/src/dispatch.rs | 12 ++++--- components/apps/src/lib.rs | 57 ++++++++++++++++++++++++++++----- components/boards/src/init.rs | 12 ++++--- 5 files changed, 73 insertions(+), 25 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 7e25efd3..7ff3cd25 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -5,7 +5,7 @@ version = 3 [[package]] name = "admin-app" version = "0.1.0" -source = "git+https://github.com/Nitrokey/admin-app.git?rev=v0.1.0-nitrokey.12#c134517557accee32370e34d1527681b38932e41" +source = "git+https://github.com/Nitrokey/admin-app.git?rev=da6ccda351c4b7edbd7677ff636b7d0c9edb5199#da6ccda351c4b7edbd7677ff636b7d0c9edb5199" dependencies = [ "apdu-dispatch", "cbor-smol", @@ -3173,7 +3173,7 @@ dependencies = [ [[package]] name = "trussed" version = "0.1.0" -source = "git+https://github.com/Nitrokey/trussed.git?rev=371e8f7a07817c2ed57978bd86e3412bd9877647#371e8f7a07817c2ed57978bd86e3412bd9877647" +source = "git+https://github.com/Nitrokey/trussed.git?tag=v0.1.0-nitrokey.19#2e7dd7c30bde38ff11f653b9f41a1780e7948bf7" dependencies = [ "aes", "bitflags 2.4.2", @@ -3210,7 +3210,7 @@ dependencies = [ [[package]] name = "trussed-auth" version = "0.3.0" -source = "git+https://github.com/Nitrokey/trussed-auth?tag=v0.3.0-nitrokey.1#a725ae6d42b88a89599f7d9f0b5c78e21e8352b2" +source = "git+https://github.com/trussed-dev/trussed-auth?rev=deeba516cdfc280170d8b4f4cd1e024bac21ee13#deeba516cdfc280170d8b4f4cd1e024bac21ee13" dependencies = [ "chacha20poly1305", "hkdf", @@ -3269,7 +3269,7 @@ dependencies = [ [[package]] name = "trussed-se050-backend" version = "0.3.0" -source = "git+https://github.com/Nitrokey/trussed-se050-backend.git?rev=46b5af1842ccae7db76171aca5813f13991054c9#46b5af1842ccae7db76171aca5813f13991054c9" +source = "git+https://github.com/Nitrokey/trussed-se050-backend.git?rev=23d3511276176da396b6c3e788cd1c2f4dd37c9d#23d3511276176da396b6c3e788cd1c2f4dd37c9d" dependencies = [ "admin-app", "cbor-smol", diff --git a/Cargo.toml b/Cargo.toml index 0e9218cf..9b40d51d 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -17,12 +17,12 @@ version = "1.7.0-rc.1" memory-regions = { path = "components/memory-regions" } # forked -admin-app = { git = "https://github.com/Nitrokey/admin-app.git", rev = "v0.1.0-nitrokey.12" } +admin-app = { git = "https://github.com/Nitrokey/admin-app.git", rev = "da6ccda351c4b7edbd7677ff636b7d0c9edb5199" } cbor-smol = { git = "https://github.com/Nitrokey/cbor-smol.git", tag = "v0.4.0-nitrokey.3"} fido-authenticator = { git = "https://github.com/Nitrokey/fido-authenticator.git", tag = "v0.1.1-nitrokey.14" } lpc55-hal = { git = "https://github.com/Nitrokey/lpc55-hal", tag = "v0.3.0-nitrokey.2" } serde-indexed = { git = "https://github.com/nitrokey/serde-indexed.git", tag = "v0.1.0-nitrokey.2" } -trussed = { git = "https://github.com/Nitrokey/trussed.git", rev = "371e8f7a07817c2ed57978bd86e3412bd9877647" } +trussed = { git = "https://github.com/Nitrokey/trussed.git", tag = "v0.1.0-nitrokey.19" } # unreleased upstream changes apdu-dispatch = { git = "https://github.com/Nitrokey/apdu-dispatch.git", tag = "v0.1.2-nitrokey.3" } @@ -43,13 +43,12 @@ trussed-chunked = { git = "https://github.com/trussed-dev/trussed-staging.git", trussed-manage = { git = "https://github.com/trussed-dev/trussed-staging.git", tag = "manage-v0.1.0" } trussed-wrap-key-to-file = { git = "https://github.com/trussed-dev/trussed-staging.git", tag = "wrap-key-to-file-v0.1.0" } trussed-staging = { git = "https://github.com/trussed-dev/trussed-staging.git", tag = "v0.3.0" } -trussed-auth = { git = "https://github.com/Nitrokey/trussed-auth", tag = "v0.3.0-nitrokey.1" } +trussed-auth = { git = "https://github.com/trussed-dev/trussed-auth", rev = "deeba516cdfc280170d8b4f4cd1e024bac21ee13" } trussed-hkdf = { git = "https://github.com/trussed-dev/trussed-staging.git", tag = "hkdf-v0.2.0" } trussed-rsa-alloc = { git = "https://github.com/trussed-dev/trussed-rsa-backend.git", rev = "9732a9a3e98af72112286afdc9b7174c66c2869a" } trussed-usbip = { git = "https://github.com/Nitrokey/pc-usbip-runner.git", tag = "v0.0.1-nitrokey.3" } trussed-se050-manage = { git = "https://github.com/Nitrokey/trussed-se050-backend.git", tag = "se050-manage-v0.1.0" } -trussed-se050-backend = { git = "https://github.com/Nitrokey/trussed-se050-backend.git", rev = "46b5af1842ccae7db76171aca5813f13991054c9" } - +trussed-se050-backend = { git = "https://github.com/Nitrokey/trussed-se050-backend.git", rev = "23d3511276176da396b6c3e788cd1c2f4dd37c9d" } [profile.release] codegen-units = 1 diff --git a/components/apps/src/dispatch.rs b/components/apps/src/dispatch.rs index a773fb73..5de947a2 100644 --- a/components/apps/src/dispatch.rs +++ b/components/apps/src/dispatch.rs @@ -5,10 +5,13 @@ use trussed::{ api::{Reply, Request}, error::Error as TrussedError, service::ServiceResources, - types::{Context, Location}, + types::Context, Platform, }; +#[cfg(feature = "backend-auth")] +use trussed::types::Location; + use littlefs2::{path, path::Path}; use if_chain::if_chain; @@ -118,13 +121,14 @@ const NAMESPACE: trussed_se050_backend::namespacing::Namespace = { ]) }; +#[cfg(any(feature = "backend-auth", feature = "se050"))] +pub const AUTH_LOCATION: Location = Location::Internal; + impl Dispatch { pub fn new( - auth_location: Location, + #[cfg(any(feature = "backend-auth", feature = "se050"))] auth_location: Location, #[cfg(feature = "se050")] se050: Option>, ) -> Self { - #[cfg(not(all(feature = "backend-auth", feature = "se050")))] - let _ = auth_location; Self { #[cfg(feature = "backend-auth")] auth: AuthBackend::new(auth_location, TRUSSED_AUTH_FS_LAYOUT), diff --git a/components/apps/src/lib.rs b/components/apps/src/lib.rs index ac6762f9..1d46e771 100644 --- a/components/apps/src/lib.rs +++ b/components/apps/src/lib.rs @@ -14,11 +14,21 @@ use ctaphid_dispatch::app::App as CtaphidApp; #[cfg(feature = "se050")] use embedded_hal::blocking::delay::DelayUs; use heapless::Vec; +#[cfg(all(feature = "opcard", any(feature = "factory-reset", feature = "se050")))] +use littlefs2::path; use serde::{Deserialize, Serialize}; +#[cfg(all(feature = "opcard", feature = "se050"))] +use trussed::{api::NotBefore, service::Filestore}; use trussed::{ - backend::BackendId, client::ClientBuilder, interrupt::InterruptFlag, platform::Syscall, - store::filestore::ClientFilestore, types::Path, ClientImplementation, Platform, Service, + backend::BackendId, + client::ClientBuilder, + interrupt::InterruptFlag, + platform::Syscall, + store::filestore::ClientFilestore, + types::{Location, Path}, + ClientImplementation, Platform, Service, }; + use utils::Version; pub use admin_app::Reboot; @@ -31,6 +41,9 @@ mod dispatch; use dispatch::Backend; pub use dispatch::Dispatch; +#[cfg(any(feature = "backend-auth", feature = "se050"))] +pub use dispatch::AUTH_LOCATION; + fn is_default(value: &T) -> bool { value == &Default::default() } @@ -161,9 +174,9 @@ impl OpcardConfig { ) -> Option<(&'static Path, &'static ResetSignalAllocation)> { match key { #[cfg(feature = "factory-reset")] - "" => Some((littlefs2::path!("opcard"), &OPCARD_RESET_SIGNAL)), + "" => Some((path!("opcard"), &OPCARD_RESET_SIGNAL)), #[cfg(feature = "se050")] - "use_se050_backend" => Some((littlefs2::path!("opcard"), &OPCARD_RESET_SIGNAL)), + "use_se050_backend" => Some((path!("opcard"), &OPCARD_RESET_SIGNAL)), _ => None, } } @@ -378,6 +391,34 @@ impl Apps { ) }); + #[cfg(all(feature = "opcard", feature = "se050"))] + if !data.init_status.contains(InitStatus::CONFIG_ERROR) + && app.config().fs_version == 0 + && !app.config().opcard.use_se050_backend + { + let trussed_auth_used = trussed_auth::AuthBackend::is_client_active( + trussed_auth::FilesystemLayout::V0, + dispatch::AUTH_LOCATION, + path!("opcard"), + data.store, + ) + .unwrap_or_default(); + let mut opcard_used = false; + let mut fs = ClientFilestore::new(path!("opcard").into(), data.store); + if fs + .read_dir_first(path!(""), Location::External, &NotBefore::None) + .unwrap_or_default() + .is_none() + { + opcard_used = true; + } + + if !trussed_auth_used && !opcard_used { + // No need to factory reset because the app is not yet created yet + app.config_mut().opcard.use_se050_backend = true; + } + } + let migration_version = used_migrators .iter() .map(|m| m.version) @@ -698,7 +739,7 @@ impl App for FidoApp { }; let large_blobs = if cfg!(feature = "test") && runner.is_efs_available() { Some(fido_authenticator::LargeBlobsConfig { - location: trussed::types::Location::External, + location: Location::External, max_size: 4096, }) } else { @@ -738,7 +779,7 @@ impl App for WebcryptApp { Webcrypt::new_with_options( trussed, webcrypt::Options::new( - trussed::types::Location::External, + Location::External, [uuid[0], uuid[1], uuid[2], uuid[3]], WEBCRYPT_APP_CREDENTIALS_COUNT_LIMIT, ), @@ -766,7 +807,7 @@ impl App for SecretsApp { fn with_client(runner: &R, trussed: Client, _: (), _: &()) -> Self { let uuid = runner.uuid(); let options = secrets_app::Options::new( - trussed::types::Location::External, + Location::External, CustomStatus::ReverseHotpSuccess.into(), CustomStatus::ReverseHotpError.into(), [uuid[0], uuid[1], uuid[2], uuid[3]], @@ -804,7 +845,7 @@ impl App for OpcardApp { // See scd/app-openpgp.c in GnuPG for the manufacturer IDs options.manufacturer = 0x000Fu16.to_be_bytes(); options.serial = [uuid[0], uuid[1], uuid[2], uuid[3]]; - options.storage = trussed::types::Location::External; + options.storage = Location::External; #[cfg(feature = "se050")] { if config.use_se050_backend { diff --git a/components/boards/src/init.rs b/components/boards/src/init.rs index 3c92d628..32f35cda 100644 --- a/components/boards/src/init.rs +++ b/components/boards/src/init.rs @@ -2,7 +2,10 @@ use apdu_dispatch::{ dispatch::ApduDispatch, interchanges::{Channel as CcidChannel, Responder as CcidResponder, SIZE as CCID_SIZE}, }; +#[cfg(any(feature = "trussed-auth", feature = "se050"))] +use apps::AUTH_LOCATION; use apps::{AdminData, Data, Dispatch, FidoData, InitStatus}; + use ctaphid_dispatch::{dispatch::Dispatch as CtaphidDispatch, types::Channel as CtapChannel}; #[cfg(not(feature = "no-delog"))] use delog::delog; @@ -11,7 +14,7 @@ use nfc_device::Iso14443; use rand::{CryptoRng, Rng as _, RngCore, SeedableRng}; use rand_chacha::ChaCha8Rng; use ref_swap::OptionRefSwap; -use trussed::{interrupt::InterruptFlag, platform::Store as _, types::Location}; +use trussed::{interrupt::InterruptFlag, platform::Store as _}; use usb_device::{ bus::UsbBusAllocator, device::{UsbDevice, UsbDeviceBuilder, UsbVidPid}, @@ -257,21 +260,22 @@ pub fn init_trussed( #[cfg(feature = "trussed-auth")] let dispatch = if let Some(hw_key) = hw_key { Dispatch::with_hw_key( - Location::Internal, + AUTH_LOCATION, trussed::types::Bytes::from_slice(hw_key).unwrap(), #[cfg(feature = "se050")] se050, ) } else { Dispatch::new( - Location::Internal, + AUTH_LOCATION, #[cfg(feature = "se050")] se050, ) }; #[cfg(not(feature = "trussed-auth"))] let dispatch = Dispatch::new( - Location::Internal, + #[cfg(feature = "se050")] + AUTH_LOCATION, #[cfg(feature = "se050")] se050, ); From 7f840334c5bd88eba3567cda3fe2edf54e335bf0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Sosth=C3=A8ne=20Gu=C3=A9don?= Date: Fri, 5 Apr 2024 11:40:14 +0200 Subject: [PATCH 2/7] Enable se050 automatically on factory-reset of opcard --- Cargo.lock | 2 +- Cargo.toml | 2 +- components/apps/src/lib.rs | 48 +++++++++++++++++++++++++++++++++++++- 3 files changed, 49 insertions(+), 3 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 7ff3cd25..4b61c551 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -5,7 +5,7 @@ version = 3 [[package]] name = "admin-app" version = "0.1.0" -source = "git+https://github.com/Nitrokey/admin-app.git?rev=da6ccda351c4b7edbd7677ff636b7d0c9edb5199#da6ccda351c4b7edbd7677ff636b7d0c9edb5199" +source = "git+https://github.com/Nitrokey/admin-app.git?rev=054536c2b46722b657fdc4d5806a5edcb10b5256#054536c2b46722b657fdc4d5806a5edcb10b5256" dependencies = [ "apdu-dispatch", "cbor-smol", diff --git a/Cargo.toml b/Cargo.toml index 9b40d51d..b2eaacf2 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -17,7 +17,7 @@ version = "1.7.0-rc.1" memory-regions = { path = "components/memory-regions" } # forked -admin-app = { git = "https://github.com/Nitrokey/admin-app.git", rev = "da6ccda351c4b7edbd7677ff636b7d0c9edb5199" } +admin-app = { git = "https://github.com/Nitrokey/admin-app.git", rev = "054536c2b46722b657fdc4d5806a5edcb10b5256" } cbor-smol = { git = "https://github.com/Nitrokey/cbor-smol.git", tag = "v0.4.0-nitrokey.3"} fido-authenticator = { git = "https://github.com/Nitrokey/fido-authenticator.git", tag = "v0.1.1-nitrokey.14" } lpc55-hal = { git = "https://github.com/Nitrokey/lpc55-hal", tag = "v0.3.0-nitrokey.2" } diff --git a/components/apps/src/lib.rs b/components/apps/src/lib.rs index 1d46e771..f2624f0f 100644 --- a/components/apps/src/lib.rs +++ b/components/apps/src/lib.rs @@ -16,6 +16,10 @@ use embedded_hal::blocking::delay::DelayUs; use heapless::Vec; #[cfg(all(feature = "opcard", any(feature = "factory-reset", feature = "se050")))] use littlefs2::path; + +#[cfg(feature = "factory-reset")] +use admin_app::ResetConfigResult; + use serde::{Deserialize, Serialize}; #[cfg(all(feature = "opcard", feature = "se050"))] use trussed::{api::NotBefore, service::Filestore}; @@ -92,6 +96,15 @@ impl admin_app::Config for Config { } } + #[cfg(feature = "factory-reset")] + fn reset_client_config(&mut self, key: &str) -> ResetConfigResult { + match key { + "fido" => self.fido.reset_config(), + "opcard" => self.opcard.reset_config(), + _ => ResetConfigResult::WrongKey, + } + } + fn migration_version(&self) -> Option { Some(self.fs_version) } @@ -124,15 +137,36 @@ impl FidoConfig { ) -> Option<(&'static Path, &'static ResetSignalAllocation)> { None } + + #[cfg(feature = "factory-reset")] + fn reset_config(&mut self) -> ResetConfigResult { + use core::mem; + let old = mem::take(self); + + if &old == self { + ResetConfigResult::Unchanged + } else { + ResetConfigResult::Changed + } + } } -#[derive(Debug, Default, PartialEq, Deserialize, Serialize)] +#[derive(Debug, PartialEq, Deserialize, Serialize)] pub struct OpcardConfig { #[cfg(feature = "se050")] #[serde(default, rename = "s", skip_serializing_if = "is_default")] use_se050_backend: bool, } +impl Default for OpcardConfig { + fn default() -> Self { + Self { + #[cfg(feature = "se050")] + use_se050_backend: true, + } + } +} + #[cfg(feature = "opcard")] impl OpcardConfig { fn backends(&self) -> &'static [BackendId] { @@ -180,6 +214,18 @@ impl OpcardConfig { _ => None, } } + + #[cfg(feature = "factory-reset")] + fn reset_config(&mut self) -> ResetConfigResult { + use core::mem; + let old = mem::take(self); + + if &old == self { + ResetConfigResult::Unchanged + } else { + ResetConfigResult::Changed + } + } } pub trait Runner { From 2883dcf636b8b6083a0c99cf43547a434d9f4fbd Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Sosth=C3=A8ne=20Gu=C3=A9don?= Date: Fri, 5 Apr 2024 12:26:15 +0200 Subject: [PATCH 3/7] Enable se050 by default for nk3 --- runners/embedded/Cargo.toml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/runners/embedded/Cargo.toml b/runners/embedded/Cargo.toml index 8cd1f5ea..18ef12ba 100644 --- a/runners/embedded/Cargo.toml +++ b/runners/embedded/Cargo.toml @@ -56,7 +56,7 @@ utils = { path = "../../components/utils", features = ["build"] } [features] default = ["alloc"] -test = ["apps/nk3-test", "utils/test", "se050"] +test = ["apps/nk3-test", "utils/test"] develop = ["no-encrypted-storage", "apps/no-reset-time-window", "log-traceP"] develop-no-press = ["develop", "no-buttons"] provisioner = ["apps/nk3-provisioner", "boards/provisioner", "write-undefined-flash", "no-buttons", "apps/no-reset-time-window", "lpc55-hardware-checks"] @@ -80,8 +80,8 @@ format-filesystem = [] alloc = ["alloc-cortex-m"] -board-nk3am = ["boards/board-nk3am", "soc-nrf52"] -board-nk3xn = ["boards/board-nk3xn", "soc-lpc55"] +board-nk3am = ["boards/board-nk3am", "soc-nrf52", "se050"] +board-nk3xn = ["boards/board-nk3xn", "soc-lpc55", "se050"] soc-nrf52 = ["nrf52840-hal", "nrf52840-pac"] soc-lpc55 = ["lpc55-hal", "lpc55-pac", "nb", "systick-monotonic"] From 9247654ae4df64d5f4927a3aee4dfbe8f9b3a52f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Sosth=C3=A8ne=20Gu=C3=A9don?= Date: Fri, 5 Apr 2024 12:31:42 +0200 Subject: [PATCH 4/7] Fix lints --- components/apps/src/dispatch.rs | 1 + components/apps/src/lib.rs | 1 + 2 files changed, 2 insertions(+) diff --git a/components/apps/src/dispatch.rs b/components/apps/src/dispatch.rs index 5de947a2..a54229de 100644 --- a/components/apps/src/dispatch.rs +++ b/components/apps/src/dispatch.rs @@ -125,6 +125,7 @@ const NAMESPACE: trussed_se050_backend::namespacing::Namespace = { pub const AUTH_LOCATION: Location = Location::Internal; impl Dispatch { + #[allow(clippy::new_without_default)] pub fn new( #[cfg(any(feature = "backend-auth", feature = "se050"))] auth_location: Location, #[cfg(feature = "se050")] se050: Option>, diff --git a/components/apps/src/lib.rs b/components/apps/src/lib.rs index f2624f0f..0fdee41e 100644 --- a/components/apps/src/lib.rs +++ b/components/apps/src/lib.rs @@ -158,6 +158,7 @@ pub struct OpcardConfig { use_se050_backend: bool, } +#[allow(clippy::derivable_impls)] impl Default for OpcardConfig { fn default() -> Self { Self { From a8929703201c016e0596881b89e1681aa0d236ed Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Sosth=C3=A8ne=20Gu=C3=A9don?= Date: Tue, 9 Apr 2024 09:38:58 +0200 Subject: [PATCH 5/7] Fix nit --- components/apps/src/lib.rs | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/components/apps/src/lib.rs b/components/apps/src/lib.rs index 0fdee41e..2c1c4490 100644 --- a/components/apps/src/lib.rs +++ b/components/apps/src/lib.rs @@ -450,15 +450,11 @@ impl Apps { data.store, ) .unwrap_or_default(); - let mut opcard_used = false; let mut fs = ClientFilestore::new(path!("opcard").into(), data.store); - if fs + let opcard_used = !fs .read_dir_first(path!(""), Location::External, &NotBefore::None) .unwrap_or_default() - .is_none() - { - opcard_used = true; - } + .is_none(); if !trussed_auth_used && !opcard_used { // No need to factory reset because the app is not yet created yet From da2ac3af2f66fb27463e2b1ef28ae58139616b35 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Sosth=C3=A8ne=20Gu=C3=A9don?= Date: Tue, 9 Apr 2024 10:14:39 +0200 Subject: [PATCH 6/7] Fix default value and save config after factory-reset --- Cargo.lock | 3 ++- Cargo.toml | 2 +- components/apps/Cargo.toml | 1 + components/apps/src/lib.rs | 46 +++++++++++++++++++++++++------------- 4 files changed, 35 insertions(+), 17 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 4b61c551..4ca8cfc2 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -5,7 +5,7 @@ version = 3 [[package]] name = "admin-app" version = "0.1.0" -source = "git+https://github.com/Nitrokey/admin-app.git?rev=054536c2b46722b657fdc4d5806a5edcb10b5256#054536c2b46722b657fdc4d5806a5edcb10b5256" +source = "git+https://github.com/Nitrokey/admin-app.git?rev=c257432dbe2efb53424d6847d82d90ddb527c53b#c257432dbe2efb53424d6847d82d90ddb527c53b" dependencies = [ "apdu-dispatch", "cbor-smol", @@ -160,6 +160,7 @@ dependencies = [ "bitflags 2.4.2", "cbor-smol", "ctaphid-dispatch", + "delog", "embedded-hal", "fido-authenticator", "heapless", diff --git a/Cargo.toml b/Cargo.toml index b2eaacf2..31b7fc0a 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -17,7 +17,7 @@ version = "1.7.0-rc.1" memory-regions = { path = "components/memory-regions" } # forked -admin-app = { git = "https://github.com/Nitrokey/admin-app.git", rev = "054536c2b46722b657fdc4d5806a5edcb10b5256" } +admin-app = { git = "https://github.com/Nitrokey/admin-app.git", rev = "c257432dbe2efb53424d6847d82d90ddb527c53b" } cbor-smol = { git = "https://github.com/Nitrokey/cbor-smol.git", tag = "v0.4.0-nitrokey.3"} fido-authenticator = { git = "https://github.com/Nitrokey/fido-authenticator.git", tag = "v0.1.1-nitrokey.14" } lpc55-hal = { git = "https://github.com/Nitrokey/lpc55-hal", tag = "v0.3.0-nitrokey.2" } diff --git a/components/apps/Cargo.toml b/components/apps/Cargo.toml index 7f4d899d..f8614524 100644 --- a/components/apps/Cargo.toml +++ b/components/apps/Cargo.toml @@ -4,6 +4,7 @@ version = { workspace = true } edition = "2021" [dependencies] +delog = "0.1" apdu-dispatch = "0.1" bitflags = "2" ctaphid-dispatch = "0.1" diff --git a/components/apps/src/lib.rs b/components/apps/src/lib.rs index 2c1c4490..389d8d25 100644 --- a/components/apps/src/lib.rs +++ b/components/apps/src/lib.rs @@ -20,6 +20,11 @@ use littlefs2::path; #[cfg(feature = "factory-reset")] use admin_app::ResetConfigResult; +#[macro_use] +extern crate delog; + +generate_macros!(); + use serde::{Deserialize, Serialize}; #[cfg(all(feature = "opcard", feature = "se050"))] use trussed::{api::NotBefore, service::Filestore}; @@ -151,23 +156,13 @@ impl FidoConfig { } } -#[derive(Debug, PartialEq, Deserialize, Serialize)] +#[derive(Debug, PartialEq, Deserialize, Serialize, Default)] pub struct OpcardConfig { #[cfg(feature = "se050")] #[serde(default, rename = "s", skip_serializing_if = "is_default")] use_se050_backend: bool, } -#[allow(clippy::derivable_impls)] -impl Default for OpcardConfig { - fn default() -> Self { - Self { - #[cfg(feature = "se050")] - use_se050_backend: true, - } - } -} - #[cfg(feature = "opcard")] impl OpcardConfig { fn backends(&self) -> &'static [BackendId] { @@ -194,6 +189,18 @@ impl OpcardConfig { } impl OpcardConfig { + /// The config value used for initialization and after a factory-reset + /// + /// This is distinct from the `Default` value because the old default config was not + /// enabled + #[cfg(any(feature = "factory-reset", feature = "se050"))] + fn init() -> Self { + Self { + #[cfg(feature = "se050")] + use_se050_backend: true, + } + } + fn field(&mut self, key: &str) -> Option> { match key { #[cfg(feature = "se050")] @@ -219,7 +226,7 @@ impl OpcardConfig { #[cfg(feature = "factory-reset")] fn reset_config(&mut self) -> ResetConfigResult { use core::mem; - let old = mem::take(self); + let old = mem::replace(self, Self::init()); if &old == self { ResetConfigResult::Unchanged @@ -443,7 +450,8 @@ impl Apps { && app.config().fs_version == 0 && !app.config().opcard.use_se050_backend { - let trussed_auth_used = trussed_auth::AuthBackend::is_client_active( + use core::mem; + let opcard_trussed_auth_used = trussed_auth::AuthBackend::is_client_active( trussed_auth::FilesystemLayout::V0, dispatch::AUTH_LOCATION, path!("opcard"), @@ -456,9 +464,17 @@ impl Apps { .unwrap_or_default() .is_none(); - if !trussed_auth_used && !opcard_used { + if !opcard_trussed_auth_used && !opcard_used { // No need to factory reset because the app is not yet created yet - app.config_mut().opcard.use_se050_backend = true; + let mut config = OpcardConfig::init(); + mem::swap(&mut app.config_mut().opcard, &mut config); + app.save_config_filestore(&mut filestore) + .map_err(|_err| { + // We reset the config to the old on file version to avoid invalid operations + mem::swap(&mut app.config_mut().opcard, &mut config); + error_now!("Failed to save config after migration: {_err:?}"); + }) + .ok(); } } From 133529b49948bbb657b9188f01c25bf32815f3bc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Sosth=C3=A8ne=20Gu=C3=A9don?= Date: Fri, 12 Apr 2024 10:02:23 +0200 Subject: [PATCH 7/7] Fix trussed-auth commit --- Cargo.lock | 2 +- Cargo.toml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 4ca8cfc2..f825e54b 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -3211,7 +3211,7 @@ dependencies = [ [[package]] name = "trussed-auth" version = "0.3.0" -source = "git+https://github.com/trussed-dev/trussed-auth?rev=deeba516cdfc280170d8b4f4cd1e024bac21ee13#deeba516cdfc280170d8b4f4cd1e024bac21ee13" +source = "git+https://github.com/trussed-dev/trussed-auth?rev=947ffe6cff426ccbbbb2d0f689437f427665919e#947ffe6cff426ccbbbb2d0f689437f427665919e" dependencies = [ "chacha20poly1305", "hkdf", diff --git a/Cargo.toml b/Cargo.toml index 31b7fc0a..1762dc28 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -43,7 +43,7 @@ trussed-chunked = { git = "https://github.com/trussed-dev/trussed-staging.git", trussed-manage = { git = "https://github.com/trussed-dev/trussed-staging.git", tag = "manage-v0.1.0" } trussed-wrap-key-to-file = { git = "https://github.com/trussed-dev/trussed-staging.git", tag = "wrap-key-to-file-v0.1.0" } trussed-staging = { git = "https://github.com/trussed-dev/trussed-staging.git", tag = "v0.3.0" } -trussed-auth = { git = "https://github.com/trussed-dev/trussed-auth", rev = "deeba516cdfc280170d8b4f4cd1e024bac21ee13" } +trussed-auth = { git = "https://github.com/trussed-dev/trussed-auth", rev = "947ffe6cff426ccbbbb2d0f689437f427665919e" } trussed-hkdf = { git = "https://github.com/trussed-dev/trussed-staging.git", tag = "hkdf-v0.2.0" } trussed-rsa-alloc = { git = "https://github.com/trussed-dev/trussed-rsa-backend.git", rev = "9732a9a3e98af72112286afdc9b7174c66c2869a" } trussed-usbip = { git = "https://github.com/Nitrokey/pc-usbip-runner.git", tag = "v0.0.1-nitrokey.3" }