

feat(core): introduce storage insecure mode
reduces the number of PIN iterations and avoids erasing the other
storage bank -- if a test ever overruns, it will probably RSOD out, but
that's unlikely to happen
matejcik committed Nov 22, 2024
1 parent c66b050 commit eca810e
Showing 5 changed files with 50 additions and 0 deletions.
2 changes: 2 additions & 0 deletions core/Makefile
Expand Up @@ -43,6 +43,7 @@ BENCHMARK ?= 0
TREZOR_EMULATOR_DEBUGGABLE ?= 0
QUIET_MODE ?= 0
TREZOR_DISABLE_ANIMATION ?= $(if $(filter 0,$(PYOPT)),1,0)
STORAGE_INSECURE_TESTING_MODE ?= 0

# OpenOCD interface default. Alternative: ftdi/olimex-arm-usb-tiny-h
OPENOCD_INTERFACE ?= stlink
Expand Down Expand Up @@ -144,6 +145,7 @@ SCONS_VARS = \
PRODUCTION="$(PRODUCTION)" \
PYOPT="$(PYOPT)" \
QUIET_MODE="$(QUIET_MODE)" \
STORAGE_INSECURE_TESTING_MODE="$(STORAGE_INSECURE_TESTING_MODE)" \
THP="$(THP)" \
TREZOR_DISABLE_ANIMATION="$(TREZOR_DISABLE_ANIMATION)" \
TREZOR_EMULATOR_ASAN="$(ADDRESS_SANITIZER)" \
20 changes: 20 additions & 0 deletions core/SConscript.firmware
Expand Up @@ -20,6 +20,13 @@ MODEL_IDENTIFIER = models.get_model_identifier(TREZOR_MODEL)
BENCHMARK = ARGUMENTS.get('BENCHMARK', '0') == '1'
DISABLE_ANIMATION = ARGUMENTS.get('TREZOR_DISABLE_ANIMATION', '0') == '1'

STORAGE_INSECURE_TESTING_MODE = ARGUMENTS.get('STORAGE_INSECURE_TESTING_MODE', '0') == '1'
if STORAGE_INSECURE_TESTING_MODE and PRODUCTION:
raise RuntimeError("STORAGE_INSECURE_TESTING_MODE cannot be used in production")
if STORAGE_INSECURE_TESTING_MODE:
DISABLE_OPTIGA = True
PYOPT = "0"

if BENCHMARK and PYOPT != '0':
print("BENCHMARK=1 works only with PYOPT=0.")
exit(1)
Expand Down Expand Up @@ -369,6 +376,9 @@ if THP:
'vendor/trezor-crypto/elligator2.c',
]

if STORAGE_INSECURE_TESTING_MODE:
CPPDEFINES_MOD += ['STORAGE_INSECURE_TESTING_MODE']

ui.init_ui(TREZOR_MODEL, "firmware", CPPDEFINES_MOD, SOURCE_MOD, RUST_UI_FEATURES)

SOURCE_QSTR = SOURCE_MOD + SOURCE_MICROPYTHON + SOURCE_MICROPYTHON_SPEED
Expand Down Expand Up @@ -874,6 +884,16 @@ elif 'STM32U5G9xx' in CPPDEFINES_HAL or 'STM32U585xx' in CPPDEFINES_HAL:
else:
raise Exception("Unknown MCU")

if STORAGE_INSECURE_TESTING_MODE:
INSECURE_TESTING_MODE_STR = """
#########################################################
# #
# STORAGE_INSECURE_TESTING_MODE enabled, DO NOT USE #
# #
#########################################################
"""
action_bin.append(INSECURE_TESTING_MODE_STR)

program_bin = env.Command(
target='firmware.bin',
source=program_elf,
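Review bot: The guard in the first hunk, `if STORAGE_INSECURE_TESTING_MODE and PRODUCTION: raise RuntimeError(...)`, only protects a production image if `PRODUCTION` already holds its final value at that point; it is presumably read from ARGUMENTS above the hunk, but if it is (re)assigned later in the script the insecure defines would still reach `CPPDEFINES_MOD`, so the check belongs immediately after the `PRODUCTION` assignment. The two overrides `DISABLE_OPTIGA = True` and `PYOPT = "0"` silently replace whatever the caller passed; a `print("STORAGE_INSECURE_TESTING_MODE: forcing DISABLE_OPTIGA=1 and PYOPT=0")` beside them keeps the effective configuration visible in the build log. The same seven lines are duplicated verbatim in core/SConscript.kernel; moving the guard into a shared helper would keep the two copies from drifting. The top-level configuration these lines belong to continues outside the hunk.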
19 changes: 19 additions & 0 deletions core/SConscript.kernel
Expand Up @@ -16,6 +16,13 @@ DISABLE_OPTIGA = ARGUMENTS.get('DISABLE_OPTIGA', '0') == '1'
HW_REVISION = ARGUMENTS.get('HW_REVISION', None)
THP = ARGUMENTS.get('THP', '0') == '1' # Trezor-Host Protocol

STORAGE_INSECURE_TESTING_MODE = ARGUMENTS.get('STORAGE_INSECURE_TESTING_MODE', '0') == '1'
if STORAGE_INSECURE_TESTING_MODE and PRODUCTION:
raise RuntimeError("STORAGE_INSECURE_TESTING_MODE cannot be used in production")
if STORAGE_INSECURE_TESTING_MODE:
DISABLE_OPTIGA = True
PYOPT = "0"

FEATURE_FLAGS = {
"RDI": True,
"SECP256K1_ZKP": True, # required for trezor.crypto.curve.bip340 (BIP340/Taproot)
Expand Down Expand Up @@ -235,6 +242,8 @@ if THP:
'vendor/trezor-crypto/elligator2.c',
]

if STORAGE_INSECURE_TESTING_MODE:
CPPDEFINES_MOD += ['STORAGE_INSECURE_TESTING_MODE']

env = Environment(
ENV=os.environ,
Expand Down Expand Up @@ -411,6 +420,16 @@ action_bin=[
'$CP $TARGET ' + BINARY_NAME,
]

if STORAGE_INSECURE_TESTING_MODE:
INSECURE_TESTING_MODE_STR = """
#########################################################
# #
# STORAGE_INSECURE_TESTING_MODE enabled, DO NOT USE #
# #
#########################################################
"""
action_bin.append(INSECURE_TESTING_MODE_STR)

program_bin = env.Command(
target='kernel.bin',
source=program_elf,
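Review bot: The banner in the last hunk is appended to `action_bin` as a bare string, and the entries above it (`'$CP $TARGET ' + BINARY_NAME`) show that list holds shell commands, so SCons will hand the banner to the shell; it appears to work only because every non-empty line starts with `#` and the shell reads them as comments, and the text reaches the user solely through SCons's command echo, which the `QUIET_MODE` setting from the Makefile may suppress (inferred, not visible here). A function action states the intent and does not depend on echo settings, e.g. `action_bin.append(Action(lambda target, source, env: print(INSECURE_TESTING_MODE_STR), None))`. The identical construct is in the third hunk of core/SConscript.firmware. The `program_bin = env.Command(...)` call that consumes `action_bin` continues outside the hunk.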
4 changes: 4 additions & 0 deletions storage/norcow.c
Expand Up @@ -284,11 +284,15 @@ void norcow_wipe(void) {
// Erase the active sector first, because it contains sensitive data.
erase_sector(norcow_active_sector, sectrue);

#if STORAGE_INSECURE_TESTING_MODE && !PRODUCTION
// skip erasing inactive sectors
#else
for (uint8_t i = 0; i < NORCOW_SECTOR_COUNT; i++) {
if (i != norcow_active_sector) {
erase_sector(i, secfalse);
}
}
#endif
norcow_active_version = NORCOW_VERSION;
norcow_write_sector = norcow_active_sector;
norcow_free_offset = NORCOW_STORAGE_START;
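Review bot: The comment on the new `#if` branch, `// skip erasing inactive sectors`, says what is skipped but not the consequence: after this wipe the inactive sectors still hold whatever they contained before (stale storage from earlier runs included), and the commit description's note that an overrun will probably RSOD is the only place that trade-off is recorded. Put it in the code, e.g. `// Testing mode only: inactive sectors are left untouched to save time; their stale contents survive a wipe (see commit eca810e).` so the next reader of norcow_wipe does not need the git log. The enclosing `norcow_wipe` starts above the hunk.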
5 changes: 5 additions & 0 deletions storage/storage.c
Expand Up @@ -86,8 +86,13 @@ const uint32_t V0_PIN_EMPTY = 1;
// up constant storage space.
#define MAX_WIPE_CODE_LEN 50

#if STORAGE_INSECURE_TESTING_MODE && !PRODUCTION
#pragma message("STORAGE IS INSECURE DO NOT USE THIS IN PRODUCTION")
#define PIN_ITER_COUNT 1
#else
// The total number of iterations to use in PBKDF2.
#define PIN_ITER_COUNT 20000
#endif

// The minimum number of milliseconds between progress updates.
#define MIN_PROGRESS_UPDATE_MS 100
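Review bot: The insecure branch defines `PIN_ITER_COUNT 1` with no comment while the secure branch keeps its explanatory one; a reader should be told what the value means, e.g. `// Testing only: a single PBKDF2 iteration gives the PIN no brute-force protection; storage written with this build is presumably not readable by a normal build (iteration count feeds the KDF) — confirm.` Both this `#if STORAGE_INSECURE_TESTING_MODE && !PRODUCTION` and the one in storage/norcow.c take the insecure branch whenever `PRODUCTION` is not a defined macro, because the preprocessor evaluates an undefined identifier as 0; if the build relies on `PRODUCTION` always being passed explicitly, a `#ifndef PRODUCTION` / `#error "PRODUCTION must be defined"` next to this block makes that assumption fail loudly instead of silently. The `#pragma message` warning is useful; the norcow.c block would benefit from the same.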
