From cbe96545ed1b3b67a30654cc205c0161ae26a0d5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Sosth=C3=A8ne=20Gu=C3=A9don?= Date: Mon, 25 Mar 2024 11:41:41 +0100 Subject: [PATCH 1/5] Fix clippy warnings --- extensions/se050-manage/src/lib.rs | 1 + src/core_api.rs | 53 +++++++++++++++--------------- 2 files changed, 27 insertions(+), 27 deletions(-) diff --git a/extensions/se050-manage/src/lib.rs b/extensions/se050-manage/src/lib.rs index f027396..3dd29b7 100644 --- a/extensions/se050-manage/src/lib.rs +++ b/extensions/se050-manage/src/lib.rs @@ -71,6 +71,7 @@ pub struct InfoReply { pub transient_reset: u16, } +#[allow(clippy::large_enum_variant)] #[derive(Debug, Deserialize, Serialize)] pub enum Se050ManageReply { Info(InfoReply), diff --git a/src/core_api.rs b/src/core_api.rs index 0d19f09..fa12ee3 100644 --- a/src/core_api.rs +++ b/src/core_api.rs @@ -1189,10 +1189,10 @@ impl> Se050Backend { match key_id { ParsedObjectId::VolatileRsaKey(obj_id) => { - self.rsa_decrypt_volatile(key, obj_id, &message, se050_keystore, algo, kind) + self.rsa_decrypt_volatile(key, obj_id, message, se050_keystore, algo, kind) } ParsedObjectId::PersistentKey(obj_id) => { - self.rsa_decrypt_persistent(obj_id, &message, algo) + self.rsa_decrypt_persistent(obj_id, message, algo) } _ => Err(Error::ObjectHandleInvalid), } @@ -2990,17 +2990,14 @@ impl> Se050Backend { backend_path.push(&PathBuf::from(BACKEND_DIR)); backend_path.push(&PathBuf::from(CORE_DIR)); - // Used to ensure that the keystore is only created once. - // Keystore creation is expensive because it forks the rng. - let assert_once: [Request; 0] = []; - // Create the keystore lazily - let core_keystore = move |resources: &mut ServiceResources

, - core_ctx: &mut CoreContext| { - drop(assert_once); - resources.keystore(core_ctx.path.clone()) - }; - let se050_keystore = - move |resources: &mut ServiceResources

| resources.keystore(backend_path); + /// Coerce an FnMut into a FnOnce to ensure the stores are not created twice by mistake + fn once( + generator: impl FnMut(&mut ServiceResources

, &mut CoreContext) -> R, + ) -> impl FnOnce(&mut ServiceResources

, &mut CoreContext) -> R { + generator + } + let core_keystore = once(|resources, core_ctx| resources.keystore(core_ctx.path.clone())); + let se050_keystore = once(|resources, _core_ctx| resources.keystore(backend_path.clone())); let backend_ctx = backend_ctx.with_namespace(&self.ns, &core_ctx.path); let ns = backend_ctx.ns; @@ -3011,7 +3008,7 @@ impl> Se050Backend { .agree( req, &mut core_keystore(resources, core_ctx)?, - &mut se050_keystore(resources)?, + &mut se050_keystore(resources, core_ctx)?, ns, )? .into(), @@ -3020,7 +3017,7 @@ impl> Se050Backend { req.key, req.mechanism, &req.message, - &mut se050_keystore(resources)?, + &mut se050_keystore(resources, core_ctx)?, ns, )? .into(), @@ -3028,7 +3025,7 @@ impl> Se050Backend { .derive_key( req, &mut core_keystore(resources, core_ctx)?, - &mut se050_keystore(resources)?, + &mut se050_keystore(resources, core_ctx)?, ns, )? .into(), 
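Review bot: The `once` helper added in `src/core_api.rs` bounds its parameter as `impl FnMut`, which is why `se050_keystore` now has to call `backend_path.clone()`. Declaring it as `generator: impl FnOnce(...) -> R` would let the closure move `backend_path` as the removed code did, and a second call would still be a compile error. The new doc comment also drops the reason the removed comment gave; a line such as `/// Keystore creation is expensive because it forks the rng, so each store is built at most once per request` would keep it. The copy of `once` added to `src/trussed_auth_impl.rs` in PATCH 2/5 already takes `impl FnOnce` but repeats the "Coerce an FnMut into a FnOnce" wording, so the comment there does not match its signature either.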
@@ -3042,34 +3039,36 @@ impl> Se050Backend { .serialize_key(req, &mut core_keystore(resources, core_ctx)?)? .into(), Request::Delete(request::Delete { key }) => self - .delete(key, ns, &mut se050_keystore(resources)?)? + .delete(key, ns, &mut se050_keystore(resources, core_ctx)?)? + .into(), + Request::Clear(req) => self + .clear(req, &mut se050_keystore(resources, core_ctx)?, ns)? .into(), - Request::Clear(req) => self.clear(req, &mut se050_keystore(resources)?, ns)?.into(), Request::DeleteAllKeys(req) => self .delete_all_keys( req, &mut core_keystore(resources, core_ctx)?, - &mut se050_keystore(resources)?, + &mut se050_keystore(resources, core_ctx)?, ns, )? .into(), Request::Exists(req) if supported(req.mechanism) => self - .exists(req, &mut se050_keystore(resources)?, ns)? + .exists(req, &mut se050_keystore(resources, core_ctx)?, ns)? .into(), Request::GenerateKey(req) if supported(req.mechanism) => self - .generate_key(req, &mut se050_keystore(resources)?, ns)? + .generate_key(req, &mut se050_keystore(resources, core_ctx)?, ns)? + .into(), + Request::Sign(req) if supported(req.mechanism) => self + .sign(req, &mut se050_keystore(resources, core_ctx)?, ns)? .into(), - Request::Sign(req) if supported(req.mechanism) => { - self.sign(req, &mut se050_keystore(resources)?, ns)?.into() - } Request::UnsafeInjectKey(req) if supported(req.mechanism) => self - .unsafe_inject_key(req, &mut se050_keystore(resources)?, ns)? + .unsafe_inject_key(req, &mut se050_keystore(resources, core_ctx)?, ns)? .into(), Request::UnwrapKey(req) => self .unwrap_key( req, &mut core_keystore(resources, core_ctx)?, - &mut se050_keystore(resources)?, + &mut se050_keystore(resources, core_ctx)?, ns, )? .into(), @@ -3080,7 +3079,7 @@ impl> Se050Backend { .wrap_key( req, &mut core_keystore(resources, core_ctx)?, - &mut se050_keystore(resources)?, + &mut se050_keystore(resources, core_ctx)?, ns, )? .into(), From 3ebc82c41bc0e90c4930c18a49bec29c28b9df93 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Sosth=C3=A8ne=20Gu=C3=A9don?=
Date: Mon, 25 Mar 2024 15:16:19 +0100
Subject: [PATCH 2/5] Add migration that deletes all se050 backend data
---
Cargo.toml | 6 +-
FILESYSTEM.md | 61 ++++++++++++++
src/lib.rs | 4 +-
src/migrate.rs | 175 +++++++++++++++++++++++++++++++++++++++
src/trussed_auth_impl.rs | 63 ++++++++++++--
5 files changed, 300 insertions(+), 9 deletions(-)
create mode 100644 FILESYSTEM.md
create mode 100644 src/migrate.rs
diff --git a/Cargo.toml b/Cargo.toml
index 2144072..ef4995d 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -46,14 +46,18 @@ crypto-bigint = { version = "0.5.3", default-features = false } p256 = { version = "0.13.2", default-features = false, features = ["ecdsa-core"] } salty = "0.3.0" p256-cortex-m4 = { version = "0.1.0-alpha.6", features = ["prehash", "sec1-signatures"] } +admin-app = "0.1.0" [patch.crates-io] littlefs2 = { git = "https://github.com/trussed-dev/littlefs2.git", rev = "ebd27e49ca321089d01d8c9b169c4aeb58ceeeca" } -trussed = { git = "https://github.com/Nitrokey/trussed.git", tag = "v0.1.0-nitrokey.18" } +apdu-dispatch = { git = "https://github.com/trussed-dev/apdu-dispatch.git", rev = "915fc237103fcecc29d0f0b73391f19abf6576de" } +ctaphid-dispatch = { git = "https://github.com/trussed-dev/ctaphid-dispatch.git", rev = "57cb3317878a8593847595319aa03ef17c29ec5b" } +trussed = { git = "https://github.com/Nitrokey/trussed.git", rev = "dd7836a155c78e93a2087611666e60308ed8ff1d" } trussed-auth = { git = "https://github.com/Nitrokey/trussed-auth", rev = "49c13eae6d9a225676191d4776d514848e4eab5b" } trussed-manage = { git = "https://github.com/trussed-dev/trussed-staging.git", tag = "manage-v0.1.0" } trussed-rsa-alloc = { git = "https://github.com/Nitrokey/trussed-rsa-backend.git", rev = "2088e2f8a8d706276c1559717b4c6b6d4f270253" } trussed-wrap-key-to-file = { git = "https://github.com/trussed-dev/trussed-staging.git", tag = "wrap-key-to-file-v0.1.0" } +admin-app = { git = "https://github.com/Nitrokey/admin-app.git", rev = "9f832f3b7f79108353b82e28f78449f10883abdc" } trussed-se050-manage = { path = "extensions/se050-manage" } diff --git a/FILESYSTEM.md b/FILESYSTEM.md new file mode 100644 index 0000000..39cfbc4 --- /dev/null +++ b/FILESYSTEM.md 
@@ -0,0 +1,61 @@ +# Filesystem layout resulting from the use of the backend + +- The directory for the backend `BACKEND_DIR=se050-bak` +- The directory for per-client auth data: `AUTH_DIR=auth` +- The directory for the core keys `CORE_DIR=se050-core` + +## Trussed auth impl: + +``` +/ +|- opcard +| | +| |- dat +| |- sec +| |- pub +| |- BACKEND_DIR +| | |- AUTH (`let fs = once(|resources, _| resources.raw_filestore(backend_path))`) +| | | |- pin.XX +| | | |- pin.XX +| | | |- application_salt +| +|- BACKEND_DIR (`let global_fs = once(|resources, _| resources.raw_filestore(PathBuf::from(BACKEND_DIR)))`) +| |- salt +``` + +## Core API impl + +``` +/ +|- opcard +| |- dat +| |- sec +| |- pub +| |- BACKEND_DIR +| | |- CORE_DIR +| | | |- sec +| | | |- pub +``` + +## TOTAL: + +``` +/ +|- opcard +| | +| |- dat +| |- sec +| |- pub +| |- BACKEND_DIR +| | |- CORE_DIR +| | | |- sec +| | | |- pub +| | |- AUTH (`let fs = once(|resources, _| resources.raw_filestore(backend_path))`) +| | | |- pin.XX +| | | |- pin.XX +| | | |- application_salt +| +|- BACKEND_DIR (`let global_fs = once(|resources, _| resources.raw_filestore(PathBuf::from(BACKEND_DIR)))`) +| |- salt +``` + diff --git a/src/lib.rs b/src/lib.rs index 8bcb41f..c057692 100644 --- a/src/lib.rs +++ b/src/lib.rs @@ -4,6 +4,7 @@ use core::ops::Range; use embedded_hal::blocking::delay::DelayUs; use hex_literal::hex; +use littlefs2::path; use littlefs2::path::Path; use namespacing::{Namespace, NamespaceValue}; use se05x::{ @@ -24,10 +25,11 @@ mod staging; mod core_api; mod manage; +pub mod migrate; pub mod namespacing; /// Need overhead for TLV + SW bytes -const BACKEND_DIR: &str = "se050-bak"; +const BACKEND_DIR: &Path = path!("se050-bak"); pub const GLOBAL_ATTEST_ID: ObjectId = ObjectId(hex!("F0000012")); diff --git a/src/migrate.rs b/src/migrate.rs new file mode 100644 index 0000000..b51a44a --- /dev/null +++ b/src/migrate.rs 
@@ -0,0 +1,175 @@ +use littlefs2::{io::Error, object_safe::DynFilesystem, path::Path}; + +use crate::BACKEND_DIR; + +// Old: +// +// ``` +// / +// |- opcard +// | | +// | |- dat +// | |- sec +// | |- pub +// | |- BACKEND_DIR +// | | |- CORE_DIR +// | | | |- sec +// | | | |- pub +// | | |- AUTH +// | | | |- dat (`let fs = once(|resources, _| resources.raw_filestore(backend_path))`) +// | | | | |- pin.XX +// | | | | |- pin.XX +// | | | | |- application_salt +// | +// |- BACKEND_DIR (`let global_fs = once(|resources, _| resources.raw_filestore(PathBuf::from(BACKEND_DIR)))`) +// | |- dat +// | | |- salt +// ``` + +fn migrate_single(fs: &dyn DynFilesystem, path: &Path) -> Result<(), Error> { + match fs.remove_dir_all(path) { + Err(Error::NoSuchEntry) => Ok(()), + Err(err) => Err(err), + Ok(()) => Ok(()), + } +} + +/// Migrate the filesystem to remove the `dat` directories +/// +/// `apps` must be an array of paths to the apps that make use of trussed-se050-backend +/// +/// Migrate does not itself keep track of whether the migration was performed +/// +/// ```rust +///# use littlefs2::{fs::Filesystem, const_ram_storage, path}; +///# use trussed::types::{LfsResult, LfsStorage}; +///# use trussed_se050_backend::migrate::migrate_remove_all_dat; +///# const_ram_storage!(Storage, 4096); +///# let mut storage = Storage::new(); +///# Filesystem::format(&mut storage); +///# Filesystem::mount_and_then(&mut storage, |fs| { +/// migrate_remove_all_dat(fs, &[path!("secrets"), path!("opcard")])?; +///# Ok(()) +///# }).unwrap(); +/// ``` +pub fn migrate_remove_all_dat(fs: &dyn DynFilesystem, apps: &[&Path]) -> Result<(), Error> { + migrate_single(fs, BACKEND_DIR)?; + for p in apps { + migrate_single(fs, &p.join(BACKEND_DIR))?; + } + Ok(()) +} + +#[allow(clippy::unwrap_used)] +#[cfg(test)] +mod tests { + use littlefs2::path; + use trussed_staging::manage::test_utils::{test_migration_one, FsValues}; + + use crate::trussed_auth_impl::AUTH_DIR; + + use super::*; + + const OPCARD_DIR: 
FsValues = FsValues::Dir(&[ + (path!("admin-user-pin-key.bin"), FsValues::File(40)), + (path!("aes_key.bin"), FsValues::File(123)), + (path!("auth_key.bin"), FsValues::File(122)), + (path!("conf_key.bin"), FsValues::File(121)), + (path!("persistent-state.cbor"), FsValues::File(150)), + (path!("rc-user-pin-key.bin"), FsValues::File(40)), + (path!("signing_key.bin"), FsValues::File(120)), + ]); + const OPCARD_PUB_DIR: FsValues = FsValues::Dir(&[ + ( + path!("069386c3c735689061ac51b8bca9f160"), + FsValues::File(48), + ), + ( + path!("233d86bfc2f196ff7c108cf23a282bd5"), + FsValues::File(36), + ), + ( + path!("2bdef14a0e18d28191162f8c1599d598"), + FsValues::File(36), + ), + ]); + const AUTH_OPCARD_DIR: FsValues = FsValues::Dir(&[ + (path!("application_salt"), FsValues::File(16)), + (path!("pin.00"), FsValues::File(118)), + (path!("pin.01"), FsValues::File(119)), + (path!("pin.02"), FsValues::File(120)), + ]); + + #[test] + fn migration() { + const TEST_BEFORE: FsValues = FsValues::Dir(&[ + ( + path!("opcard"), + FsValues::Dir(&[ + (path!("dat"), OPCARD_DIR), + (path!("pub"), OPCARD_PUB_DIR), + ( + BACKEND_DIR, + FsValues::Dir(&[( + AUTH_DIR, + FsValues::Dir(&[(path!("dat"), AUTH_OPCARD_DIR)]), + )]), + ), + ]), + ), + ( + BACKEND_DIR, + FsValues::Dir(&[( + path!("dat"), + FsValues::Dir(&[(path!("salt"), FsValues::File(16))]), + )]), + ), + ( + path!("trussed"), + FsValues::Dir(&[( + path!("dat"), + FsValues::Dir(&[(path!("rng-state.bin"), FsValues::File(32))]), + )]), + ), + ]); + + const TEST_AFTER: FsValues = FsValues::Dir(&[ + ( + path!("opcard"), + FsValues::Dir(&[(path!("dat"), OPCARD_DIR), (path!("pub"), OPCARD_PUB_DIR)]), + ), + ( + path!("trussed"), + FsValues::Dir(&[( + path!("dat"), + FsValues::Dir(&[(path!("rng-state.bin"), FsValues::File(32))]), + )]), + ), + ]); + + test_migration_one(&TEST_BEFORE, &TEST_AFTER, |fs| { + migrate_remove_all_dat(fs, &[path!("secrets"), path!("opcard")]) + }); + } + + #[test] + fn migration_emptyt() { + const TEST_VALUES: 
FsValues = FsValues::Dir(&[ + ( + path!("opcard"), + FsValues::Dir(&[(path!("dat"), OPCARD_DIR), (path!("pub"), OPCARD_PUB_DIR)]), + ), + ( + path!("trussed"), + FsValues::Dir(&[( + path!("dat"), + FsValues::Dir(&[(path!("rng-state.bin"), FsValues::File(32))]), + )]), + ), + ]); + + test_migration_one(&TEST_VALUES, &TEST_VALUES, |fs| { + migrate_remove_all_dat(fs, &[path!("secrets"), path!("opcard")]) + }); + } +} diff --git a/src/trussed_auth_impl.rs b/src/trussed_auth_impl.rs index 71bd46c..4ba6e4e 100644 --- a/src/trussed_auth_impl.rs +++ b/src/trussed_auth_impl.rs @@ -1,6 +1,8 @@ use core::fmt; use embedded_hal::blocking::delay::DelayUs; use hkdf::Hkdf; +use littlefs2::path; +use littlefs2::path::Path; use se05x::{ se05x::{ commands::{GetRandom, ReadObject, WriteBinary}, @@ -14,8 +16,8 @@ use trussed::{ key::{Kind, Secrecy}, platform::CryptoRng, serde_extensions::ExtensionImpl, - service::{Filestore, Keystore, RngCore}, - types::{Location, PathBuf}, + service::{Filestore, Keystore, RngCore, ServiceResources}, + types::{CoreContext, Location, PathBuf}, Bytes, }; use trussed_auth::MAX_HW_KEY_LEN; @@ -43,7 +45,7 @@ pub(crate) const KEY_LEN: usize = 32; pub(crate) type Key = ByteArray; pub(crate) type Salt = ByteArray; -const AUTH_DIR: &str = "auth"; +pub(crate) const AUTH_DIR: &Path = path!("auth"); #[derive(Clone)] pub enum HardwareKey { @@ -272,25 +274,45 @@ impl> ExtensionImpl let mut backend_path = core_ctx.path.clone(); backend_path.push(&PathBuf::from(BACKEND_DIR)); backend_path.push(&PathBuf::from(AUTH_DIR)); - let fs = &mut resources.filestore(backend_path); - let global_fs = &mut resources.filestore(PathBuf::from(BACKEND_DIR)); + + /// Coerce an FnMut into a FnOnce to ensure the stores are not created twice by mistake + fn once( + generator: impl FnOnce(&mut ServiceResources
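Review bot: The doc comment on `migrate_remove_all_dat` says it removes the `dat` directories, but the body calls `remove_dir_all` on `BACKEND_DIR` at the root and under every path in `apps`, which by the layout comment at the top of the file covers the PIN files, `application_salt`, the global `salt` and the `CORE_DIR` stores. The summary should say so, e.g. `/// Delete all se050 backend data (PIN files, salts, core key stores) left in the old layout; this cannot be undone`. Because the function does not record that it ran, the docs should also tell the caller to persist a migration marker: the new layout in FILESYSTEM.md lives under the same `BACKEND_DIR`, so a second run after new data has been written would erase it. Only the filesystem is touched here; whether secure-element objects referenced by the deleted PIN files are cleaned up elsewhere is not visible in this file and is worth confirming. The second test is named `migration_emptyt`, presumably a typo for `migration_empty`.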

, &mut CoreContext) -> R, + ) -> impl FnOnce(&mut ServiceResources

, &mut CoreContext) -> R { + generator + } + + let fs = once(|resources, _| resources.raw_filestore(backend_path)); + let global_fs = once(|resources, _| resources.raw_filestore(PathBuf::from(BACKEND_DIR))); let client_id = core_ctx.path.clone(); - let keystore = &mut resources.keystore(core_ctx.path.clone())?; + let keystore = once(|resources, core_ctx| resources.keystore(core_ctx.path.clone())); use trussed_auth::{reply, request, AuthRequest}; match request { AuthRequest::HasPin(request) => { + let fs = &mut fs(resources, core_ctx); let has_pin = fs.exists(&request.id.path(), self.metadata_location); Ok(reply::HasPin { has_pin }.into()) } AuthRequest::CheckPin(request) => { - let pin_data = PinData::load(request.id, fs, self.metadata_location)?; + let keystore = &mut keystore(resources, core_ctx)?; + let global_fs = &mut global_fs(resources, core_ctx); + + let pin_data = PinData::load( + request.id, + &mut fs(resources, core_ctx), + self.metadata_location, + )?; let app_key = self.get_app_key(client_id, global_fs, auth_ctx, keystore.rng())?; let success = pin_data.check(&request.pin, &app_key, &mut self.se, keystore.rng())?; Ok(reply::CheckPin { success }.into()) } AuthRequest::GetPinKey(request) => { + let fs = &mut fs(resources, core_ctx); + let global_fs = &mut global_fs(resources, core_ctx); + let keystore = &mut keystore(resources, core_ctx)?; + let pin_data = PinData::load(request.id, fs, self.metadata_location).map_err(|_err| { debug!("Failed to get pin data: {_err:?}"); @@ -318,6 +340,10 @@ impl> ExtensionImpl .into()) } AuthRequest::GetApplicationKey(request) => { + let keystore = &mut keystore(resources, core_ctx)?; + let global_fs = &mut global_fs(resources, core_ctx); + let fs = &mut fs(resources, core_ctx); + let salt = get_app_salt(fs, keystore.rng(), self.metadata_location)?; let key = expand_app_key( &salt, 
@@ -333,6 +359,10 @@ impl> ExtensionImpl Ok(reply::GetApplicationKey { key: key_id }.into()) } AuthRequest::SetPin(request) => { + let keystore = &mut keystore(resources, core_ctx)?; + let global_fs = &mut global_fs(resources, core_ctx); + let fs = &mut fs(resources, core_ctx); + if fs.exists(&request.id.path(), self.metadata_location) { return Err(trussed::Error::FunctionFailed); } @@ -350,6 +380,10 @@ impl> ExtensionImpl Ok(reply::SetPin {}.into()) } AuthRequest::SetPinWithKey(request) => { + let keystore = &mut keystore(resources, core_ctx)?; + let global_fs = &mut global_fs(resources, core_ctx); + let fs = &mut fs(resources, core_ctx); + let app_key = self.get_app_key(client_id, global_fs, auth_ctx, keystore.rng())?; let key = keystore.load_key(Secrecy::Secret, Some(Kind::Symmetric(32)), &request.key)?; @@ -372,6 +406,10 @@ impl> ExtensionImpl Ok(reply::SetPinWithKey {}.into()) } AuthRequest::ChangePin(request) => { + let global_fs = &mut global_fs(resources, core_ctx); + let fs = &mut fs(resources, core_ctx); + let keystore = &mut keystore(resources, core_ctx)?; + let mut pin_data = PinData::load(request.id, fs, self.metadata_location)?; let app_key = self.get_app_key(client_id, global_fs, auth_ctx, keystore.rng())?; let success = pin_data.update( 
@@ -385,15 +423,22 @@ impl> ExtensionImpl Ok(reply::ChangePin { success }.into()) } AuthRequest::DeletePin(request) => { + let fs = &mut fs(resources, core_ctx); + let pin_data = PinData::load(request.id, fs, self.metadata_location)?; pin_data.delete(fs, self.metadata_location, &mut self.se)?; Ok(reply::DeletePin {}.into()) } AuthRequest::DeleteAllPins(request::DeleteAllPins) => { + let fs = &mut fs(resources, core_ctx); + delete_all_pins(fs, self.metadata_location, &mut self.se)?; Ok(reply::DeleteAllPins.into()) } AuthRequest::PinRetries(request) => { + let fs = &mut fs(resources, core_ctx); + let keystore = &mut keystore(resources, core_ctx)?; + debug!("Getting pin retries"); let pin_data = PinData::load(request.id, fs, self.metadata_location)?; debug!("Loaded {pin_data:?}"); @@ -405,10 +450,14 @@ impl> ExtensionImpl .into()) } AuthRequest::ResetAppKeys(_req) => { + let fs = &mut fs(resources, core_ctx); + delete_app_salt(fs, self.metadata_location)?; Ok(reply::ResetAppKeys.into()) } AuthRequest::ResetAuthData(_req) => { + let fs = &mut fs(resources, core_ctx); + delete_app_salt(fs, self.metadata_location)?; delete_all_pins(fs, self.metadata_location, &mut self.se)?; Ok(reply::ResetAuthData.into()) From 0f33b19b18060c0f63a75b1e3894a5e0da8179b7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Sosth=C3=A8ne=20Gu=C3=A9don?= Date: Mon, 25 Mar 2024 17:27:12 +0100 Subject: [PATCH 3/5] Use trussed-auth 0.3.0 --- Cargo.toml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Cargo.toml b/Cargo.toml index ef4995d..6117f5c 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -24,7 +24,7 @@ serde.workspace = true trussed.workspace = true se05x = { version = "0.1.1", features = ["serde", "builder"] } -trussed-auth = "0.2.2" +trussed-auth = "0.3.0" trussed-manage = "0.1.0" trussed-se050-manage = "0.1.0" trussed-wrap-key-to-file = "0.1.0" 
@@ -53,7 +53,7 @@ littlefs2 = { git = "https://github.com/trussed-dev/littlefs2.git", rev = "ebd27 apdu-dispatch = { git = "https://github.com/trussed-dev/apdu-dispatch.git", rev = "915fc237103fcecc29d0f0b73391f19abf6576de" } ctaphid-dispatch = { git = "https://github.com/trussed-dev/ctaphid-dispatch.git", rev = "57cb3317878a8593847595319aa03ef17c29ec5b" } trussed = { git = "https://github.com/Nitrokey/trussed.git", rev = "dd7836a155c78e93a2087611666e60308ed8ff1d" } -trussed-auth = { git = "https://github.com/Nitrokey/trussed-auth", rev = "49c13eae6d9a225676191d4776d514848e4eab5b" } +trussed-auth = { git = "https://github.com/trussed-dev/trussed-auth.git", tag = "v0.3.0"} trussed-manage = { git = "https://github.com/trussed-dev/trussed-staging.git", tag = "manage-v0.1.0" } trussed-rsa-alloc = { git = "https://github.com/Nitrokey/trussed-rsa-backend.git", rev = "2088e2f8a8d706276c1559717b4c6b6d4f270253" } trussed-wrap-key-to-file = { git = "https://github.com/trussed-dev/trussed-staging.git", tag = "wrap-key-to-file-v0.1.0" } From d5aee1bcff61dc55bcf87efca10cd58cd06714a0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Sosth=C3=A8ne=20Gu=C3=A9don?= Date: Tue, 26 Mar 2024 17:56:59 +0100 Subject: [PATCH 4/5] Make the use of the raw backend optional --- src/lib.rs | 9 +++++++++ src/trussed_auth_impl.rs | 10 ++++++++-- 2 files changed, 17 insertions(+), 2 deletions(-) diff --git a/src/lib.rs b/src/lib.rs index c057692..c28ac77 100644 --- a/src/lib.rs +++ b/src/lib.rs @@ -53,6 +53,12 @@ enum EnableState { Failed(se05x::se05x::Error), } +#[derive(Clone, Debug)] +pub enum FilesystemLayout { + V0, + V1, +} + pub struct Se050Backend { se: Se05X, enabled: EnableState, @@ -60,6 +66,7 @@ pub struct Se050Backend { hw_key: HardwareKey, ns: Namespace, configured: bool, + layout: FilesystemLayout, } impl> Se050Backend { @@ -68,6 +75,7 @@ impl> Se050Backend { metadata_location: Location, hardware_key: Option>, ns: Namespace, + layout: FilesystemLayout, ) -> Self { Se050Backend { se, 
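Review bot: The `[patch.crates-io]` entry for `trussed-auth` moves from a commit-pinned `rev` to `tag = "v0.3.0"`, and a git tag can be re-pointed upstream, so the manifest alone no longer fixes which source is built into this backend (only a committed `Cargo.lock` would, if the repository has one). Keeping the pin and recording the tag in a comment gives both, e.g. `trussed-auth = { git = "https://github.com/trussed-dev/trussed-auth.git", rev = "<commit-of-v0.3.0>" } # v0.3.0`, where the rev is a placeholder to be filled in. The same applies to the `admin-app` entry that PATCH 5/5 switches from `rev` to `tag = "v0.1.0-nitrokey.12"`.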
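Review bot: `FilesystemLayout` is a new public enum and a new required argument of `Se050Backend::new`, yet neither variant is documented; their meaning is only visible in the `match self.layout` added to `src/trussed_auth_impl.rs`, where `V0` uses `resources.filestore` and `V1` uses `resources.raw_filestore`. Each variant should carry a doc comment saying that, e.g. `/// Auth data is stored through resources.filestore (old layout)` and `/// Auth data is stored through resources.raw_filestore (layout described in FILESYSTEM.md)`. The type-level docs should also warn that a layout which does not match the data on flash hides existing PIN files and salts, in which case the `fs.exists` guard in `SetPin` would presumably no longer reject an id that already has a PIN. Deriving `Copy, PartialEq, Eq` in addition to `Clone, Debug` would suit a two-variant unit enum.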
@@ -79,6 +87,7 @@ impl> Se050Backend { }, ns, configured: false, + layout, } } diff --git a/src/trussed_auth_impl.rs b/src/trussed_auth_impl.rs index 4ba6e4e..bca002b 100644 --- a/src/trussed_auth_impl.rs +++ b/src/trussed_auth_impl.rs @@ -282,8 +282,14 @@ impl> ExtensionImpl generator } - let fs = once(|resources, _| resources.raw_filestore(backend_path)); - let global_fs = once(|resources, _| resources.raw_filestore(PathBuf::from(BACKEND_DIR))); + let fs = once(|resources, _| match self.layout { + crate::FilesystemLayout::V0 => resources.filestore(backend_path), + crate::FilesystemLayout::V1 => resources.raw_filestore(backend_path), + }); + let global_fs = once(|resources, _| match self.layout { + crate::FilesystemLayout::V0 => resources.filestore(PathBuf::from(BACKEND_DIR)), + crate::FilesystemLayout::V1 => resources.raw_filestore(PathBuf::from(BACKEND_DIR)), + }); let client_id = core_ctx.path.clone(); let keystore = once(|resources, core_ctx| resources.keystore(core_ctx.path.clone())); From 96257a243052f57935e61231aa752ddf5155ba6c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Sosth=C3=A8ne=20Gu=C3=A9don?= Date: Tue, 2 Apr 2024 17:56:30 +0200 Subject: [PATCH 5/5] Use tagged admin-app version --- Cargo.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Cargo.toml b/Cargo.toml index 6117f5c..9c94eea 100644 --- a/Cargo.toml +++ b/Cargo.toml 
@@ -57,7 +57,7 @@ trussed-auth = { git = "https://github.com/trussed-dev/trussed-auth.git", tag = trussed-manage = { git = "https://github.com/trussed-dev/trussed-staging.git", tag = "manage-v0.1.0" } trussed-rsa-alloc = { git = "https://github.com/Nitrokey/trussed-rsa-backend.git", rev = "2088e2f8a8d706276c1559717b4c6b6d4f270253" } trussed-wrap-key-to-file = { git = "https://github.com/trussed-dev/trussed-staging.git", tag = "wrap-key-to-file-v0.1.0" } -admin-app = { git = "https://github.com/Nitrokey/admin-app.git", rev = "9f832f3b7f79108353b82e28f78449f10883abdc" } +admin-app = { git = "https://github.com/Nitrokey/admin-app.git", tag = "v0.1.0-nitrokey.12" } trussed-se050-manage = { path = "extensions/se050-manage" }