Merge branch 'main' into newidentity

.github/workflows/scorecard.yml

@@ -59,14 +59,14 @@ jobs:
       # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
       # format to the repository Actions tab.
       - name: "Upload artifact"
-        uses: actions/upload-artifact@26f96dfa697d77e81fd5907df203aa23a56210a8 # v4.3.0
+        uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
         with:
           name: SARIF file
           path: results.sarif
           retention-days: 5
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@b7bf0a3ed3ecfa44160715d7c442788f65f0f923 # v3.23.2
+        uses: github/codeql-action/upload-sarif@e8893c57a1f3a2b659b6b55564fdfdbbd2982911 # v3.24.0
         with:
           sarif_file: results.sarif

Dockerfile

@@ -7,6 +7,7 @@ ARG APPLET_PUBLIC_KEY
 ARG OS_PUBLIC_KEY1
 ARG OS_PUBLIC_KEY2
 ARG GIT_SEMVER_TAG
+ARG BEE
 ARG DEBUG
 ARG FAKE_RPMB=1
 ARG FAKE_STORAGE=0
@@ -36,8 +37,9 @@ ENV LOG_ORIGIN=${LOG_ORIGIN} \
     OS_PUBLIC_KEY1="/tmp/os1.pub" \
     OS_PUBLIC_KEY2="/tmp/os2.pub" \
     GIT_SEMVER_TAG=${GIT_SEMVER_TAG} \
-    DEBUG=${DEBUG} \
     FAKE_RPMB=${FAKE_RPMB} \
-    FAKE_STORAGE=${FAKE_STORAGE}
+    FAKE_STORAGE=${FAKE_STORAGE} \
+    BEE=${BEE} \
+    DEBUG=${DEBUG}
 
 RUN make trusted_os_release

go.mod

@@ -18,8 +18,8 @@ require (
 	github.com/usbarmory/imx-usbnet v0.0.0-20230626092818-ef791923688e
 	github.com/usbarmory/imx-usbserial v0.0.0-20230503192150-40b6298b31f8
 	github.com/usbarmory/tamago v0.0.0-20240118094434-dfe6a899d3a7
-	golang.org/x/crypto v0.18.0
-	golang.org/x/mod v0.14.0
+	golang.org/x/crypto v0.19.0
+	golang.org/x/mod v0.15.0
 	google.golang.org/protobuf v1.32.0
 	gvisor.dev/gvisor v0.0.0-20230614190805-57027c7d31f8
 	k8s.io/klog v1.0.0
@@ -40,7 +40,7 @@ require (
 	github.com/transparency-dev/formats v0.0.0-20230920083814-0f75b1d4e813 // indirect
 	github.com/u-root/u-root v0.11.0 // indirect
 	golang.org/x/sync v0.5.0 // indirect
-	golang.org/x/sys v0.16.0 // indirect
+	golang.org/x/sys v0.17.0 // indirect
 	golang.org/x/time v0.0.0-20220210224613-90d013bbcef8 // indirect
 	gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect

go.sum

@@ -81,16 +81,16 @@ github.com/usbarmory/imx-usbserial v0.0.0-20230503192150-40b6298b31f8/go.mod h1:
 github.com/usbarmory/tamago v0.0.0-20220823080407-04f05cf2a5a3/go.mod h1:Lok79mjbJnhoBGqhX5cCUsZtSemsQF5FNZW+2R1dRr8=
 github.com/usbarmory/tamago v0.0.0-20240118094434-dfe6a899d3a7 h1:t+T08niBplMpzl0OOPyr4rDMhscFyfjA6oQAFfcoZ1c=
 github.com/usbarmory/tamago v0.0.0-20240118094434-dfe6a899d3a7/go.mod h1:uCPXcPo8SZulhZPz8irfVqzwVlPZ45w7CTJxkfxueGA=
-golang.org/x/crypto v0.18.0 h1:PGVlW0xEltQnzFZ55hkuX5+KLyrMYhHld1YHO4AKcdc=
-golang.org/x/crypto v0.18.0/go.mod h1:R0j02AL6hcrfOiy9T4ZYp/rcWeMxM3L6QYxlOuEG1mg=
-golang.org/x/mod v0.14.0 h1:dGoOF9QVLYng8IHTm7BAyWqCqSheQ5pYWGhzW00YJr0=
-golang.org/x/mod v0.14.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
+golang.org/x/crypto v0.19.0 h1:ENy+Az/9Y1vSrlrvBSyna3PITt4tiZLf7sgCjZBX7Wo=
+golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU=
+golang.org/x/mod v0.15.0 h1:SernR4v+D55NyBH2QiEQrlBAnj1ECL6AGrA5+dPaMY8=
+golang.org/x/mod v0.15.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
 golang.org/x/sync v0.5.0 h1:60k92dhOjHxJkrqnwsfl8KuaHbn/5dl0lUPUklKo3qE=
 golang.org/x/sync v0.5.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.16.0 h1:xWw16ngr6ZMtmxDyKyIgsE93KNKz5HKmMa3b8ALHidU=
-golang.org/x/sys v0.16.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.17.0 h1:25cE3gD+tdBA7lp7QfhuV+rJiE9YXTcS3VG1SqssI/Y=
+golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/time v0.0.0-20220210224613-90d013bbcef8 h1:vVKdlvoWBphwdxWKrFZEuM0kGgGLxUOYcY4U/2Vjg44=
 golang.org/x/time v0.0.0-20220210224613-90d013bbcef8/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 google.golang.org/protobuf v1.32.0 h1:pPC6BG5ex8PDFnkbrGU3EixyhKcQ2aDuBS36lqK/C7I=

release/cloudbuild_ci.yaml

@@ -24,6 +24,7 @@ steps:
           --build-arg=OS_PUBLIC_KEY1=${_OS_PUBLIC_KEY1} \
           --build-arg=OS_PUBLIC_KEY2=${_OS_PUBLIC_KEY2} \
           --build-arg=GIT_SEMVER_TAG=$(cat /workspace/fake_tag) \
+          --build-arg=BEE=${_BEE} \
           --build-arg=DEBUG=${_DEBUG} \
           -t builder-image \
           .
@@ -172,5 +173,6 @@ substitutions:
   _APPLET_PUBLIC_KEY: transparency.dev-aw-applet-ci+3ff32e2c+AV1fgxtByjXuPjPfi0/7qTbEBlPGGCyxqr6ZlppoLOz3
   _OS_PUBLIC_KEY1: transparency.dev-aw-os1-ci+7a0eaef3+AcsqvmrcKIbs21H2Bm2fWb6oFWn/9MmLGNc6NLJty2eQ
   _OS_PUBLIC_KEY2: transparency.dev-aw-os2-ci+af8e4114+AbBJk5MgxRB+68KhGojhUdSt1ts5GAdRIT1Eq9zEkgQh
+  _BEE: '1'
   _DEBUG: '1'
   _CHECKPOINT_CACHE: 'public, max-age=30'

trusted_os/main.go

@@ -160,6 +160,10 @@ func main() {
 	if false && imx6ul.SNVS.Available() {
 		log.Printf("SM version verification (%s)", Version)
 
+		if err = rpmb.init(); err != nil {
+			log.Fatalf("SM could not initialize rollback protection, %v", err)
+		}
+
 		if err = rpmb.checkVersion(osVersionSector, Version); err != nil {
 			log.Fatalf("SM firmware rollback check failure, %v", err)
 		}

trusted_os/rpmb.go

@@ -65,70 +65,75 @@ const (
 )
 
 type RPMB struct {
+	storage   Card
 	partition *rpmb.RPMB
 }
 
 func newRPMB(storage Card) (r *RPMB, err error) {
+	return &RPMB{storage: storage}, nil
+}
+
+func (r *RPMB) init() error {
 	// derived key for RPBM MAC generation
 	var dk []byte
+	var err error
 
 	switch {
 	case imx6ul.CAAM != nil:
+		dk = make([]byte, sha256.Size) // dk needs to be correctly sized to receive the key.
 		err = imx6ul.CAAM.DeriveKey([]byte(diversifierMAC), dk)
 	case imx6ul.DCP != nil:
 		dk, err = imx6ul.DCP.DeriveKey([]byte(diversifierMAC), make([]byte, aes.BlockSize), -1)
 	default:
 		err = errors.New("unsupported hardware")
 	}
-
 	if err != nil {
-		return nil, fmt.Errorf("could not derive RPMB key (%v)", err)
+		return fmt.Errorf("could not derive RPMB key (%v)", err)
 	}
 
 	uid := imx6ul.UniqueID()
 
-	card, ok := storage.(*usdhc.USDHC)
+	card, ok := r.storage.(*usdhc.USDHC)
 	if !ok {
-		return nil, errors.New("could not assert type *usdhc.USDHC from Card")
+		return errors.New("could not assert type *usdhc.USDHC from Card")
 	}
 
 	// setup RPMB
-	r = &RPMB{}
 	r.partition, err = rpmb.Init(
 		card,
 		pbkdf2.Key(dk, uid[:], iter, sha256.Size, sha256.New),
 		dummySector,
 	)
 	if err != nil {
-		return nil, fmt.Errorf("RPMB could not be initialized: %v", err)
+		return fmt.Errorf("RPMB could not be initialized: %v", err)
 	}
 
 	var e *rpmb.OperationError
 	_, err = r.partition.Counter(false)
 
 	if !(errors.As(err, &e) && e.Result == rpmb.AuthenticationKeyNotYetProgrammed) {
-		return nil, fmt.Errorf("RPMB could not be initialized: %v", err)
+		return fmt.Errorf("RPMB could not be initialized: %v", err)
 	}
 
 	// Fuse a bit to indicate previous key programming to prevent malicious
 	// eMMC replacement to intercept ProgramKey().
 	//
 	// If already fused refuse to do any programming and bail.
 	if res, err := otp.ReadOCOTP(rpmbFuseBank, rpmbFuseWord, 0, 1); err != nil || bytes.Equal(res, []byte{1}) {
-		return nil, fmt.Errorf("could not read RPMB program key flag (%x, %v)", res, err)
+		return fmt.Errorf("could not read RPMB program key flag (%x, %v)", res, err)
 	}
 
 	if err = otp.BlowOCOTP(rpmbFuseBank, rpmbFuseWord, 0, 1, []byte{1}); err != nil {
-		return nil, fmt.Errorf("could not fuse RPMB program key flag (%v)", err)
+		return fmt.Errorf("could not fuse RPMB program key flag (%v)", err)
 	}
 
 	log.Print("RPMB authentication key not yet programmed, programming")
 
 	if err = r.partition.ProgramKey(); err != nil {
-		return nil, fmt.Errorf("could not program RPMB key")
+		return fmt.Errorf("could not program RPMB key")
 	}
 
-	return r, nil
+	return nil
 }
 
 func parseVersion(s string) (version uint32, err error) {

trusted_os/rpmb_fake.go

@@ -60,7 +60,6 @@ func newRPMB(_ Card) (*RPMB, error) {
 
 func parseVersion(s string) (version uint32, err error) {
 	v, err := strconv.Atoi(s)
-
 	if err != nil {
 		return
 	}