diff --git a/Cargo.lock b/Cargo.lock index 1e5ab23e..fd36c0e7 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -5,7 +5,7 @@ version = 3 [[package]] name = "admin-app" version = "0.1.0" -source = "git+https://github.com/Nitrokey/admin-app.git?tag=v0.1.0-nitrokey.11#0ba0e766cba65a1fe7b0865f343de589e4202d82" +source = "git+https://github.com/Nitrokey/admin-app.git?rev=2dfc133c9cd78148492622bf842e16feecd3cac6#2dfc133c9cd78148492622bf842e16feecd3cac6" dependencies = [ "apdu-dispatch", "cbor-smol", @@ -147,7 +147,7 @@ source = "git+https://github.com/Nitrokey/apdu-dispatch.git?tag=v0.1.2-nitrokey. dependencies = [ "delog", "heapless", - "interchange 0.3.0", + "interchange", "iso7816", ] @@ -365,7 +365,7 @@ dependencies = [ "embedded-time", "fm11nc08", "generic-array", - "interchange 0.3.0", + "interchange", "lfs-backup", "littlefs2", "lpc55-hal", @@ -490,7 +490,7 @@ dependencies = [ [[package]] name = "cbor-smol" version = "0.4.0" -source = "git+https://github.com/Nitrokey/cbor-smol.git?tag=v0.4.0-nitrokey.1#cdedd94cc62214f99f0e4bb35f9e7a67f50a45c1" +source = "git+https://github.com/Nitrokey/cbor-smol.git?rev=bac1ac69dd0117d1f80f3f5e1d3b60ba8987ad70#bac1ac69dd0117d1f80f3f5e1d3b60ba8987ad70" dependencies = [ "delog", "heapless", @@ -894,7 +894,7 @@ dependencies = [ "delog", "heapless", "heapless-bytes", - "interchange 0.3.0", + "interchange", "ref-swap", "trussed", ] @@ -1078,7 +1078,7 @@ dependencies = [ "ctaphid-dispatch", "delog", "embedded-hal", - "interchange 0.3.0", + "interchange", "lpc55-hal", "lpc55-pac", "memory-regions", 
@@ -1117,7 +1117,7 @@ checksum = "a357d28ed41a50f9c765dbfe56cbc04a64e53e5fc58ba79fbc34c10ef3df831f" [[package]] name = "encrypted_container" version = "0.1.0" -source = "git+https://github.com/Nitrokey/trussed-secrets-app?tag=v0.13.0-rc2#c4cd4c10c4b6e6910b462ee963ac3610ffdfc3aa" +source = "git+https://github.com/Nitrokey/trussed-secrets-app?rev=e87b6b8b574b273bedf3dfe7bbbce59697ce8e4c#e87b6b8b574b273bedf3dfe7bbbce59697ce8e4c" dependencies = [ "cbor-smol", "delog", @@ -1179,7 +1179,7 @@ dependencies = [ [[package]] name = "fido-authenticator" version = "0.1.1" -source = "git+https://github.com/Nitrokey/fido-authenticator.git?tag=v0.1.1-nitrokey.13#d55050a2491b0bd6cb6f72d1265ef038b8295c4f" +source = "git+https://github.com/Nitrokey/fido-authenticator.git?rev=5872fc8599180593552583bec0e6d6bf7c341a32#5872fc8599180593552583bec0e6d6bf7c341a32" dependencies = [ "apdu-dispatch", "ctap-types", @@ -1187,6 +1187,7 @@ dependencies = [ "delog", "heapless", "iso7816", + "littlefs2", "serde", "serde-indexed", "serde_cbor", @@ -1623,12 +1624,6 @@ dependencies = [ "generic-array", ] -[[package]] -name = "interchange" -version = "0.2.2" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "310d743c23f798f10d5ba2f77fdd3eff06aaf2d8f8b9d78beba7fb1167f4ccbf" - [[package]] name = "interchange" version = "0.3.0" @@ -1750,7 +1745,7 @@ checksum = "01cda141df6706de531b6c46c3a33ecca755538219bd484262fa09410c13539c" [[package]] name = "littlefs2" version = "0.4.0" -source = "git+https://github.com/trussed-dev/littlefs2?rev=ebd27e49ca321089d01d8c9b169c4aeb58ceeeca#ebd27e49ca321089d01d8c9b169c4aeb58ceeeca" +source = "git+https://github.com/trussed-dev/littlefs2.git?rev=960e57d9fc0d209308c8e15dc26252bbe1ff6ba8#960e57d9fc0d209308c8e15dc26252bbe1ff6ba8" dependencies = [ "bitflags 1.3.2", "cstr_core", @@ -1907,7 +1902,7 @@ dependencies = [ "delog", "embedded-time", "heapless", - "interchange 0.3.0", + "interchange", "iso7816", "nb 1.1.0", ] 
@@ -1924,7 +1919,7 @@ dependencies = [ "cortex-m-rtic", "ctaphid-dispatch", "delog", - "interchange 0.3.0", + "interchange", "memory-regions", "nrf52840-hal", "nrf52840-pac", @@ -2112,7 +2107,7 @@ checksum = "624a8340c38c1b80fd549087862da4ba43e08858af025b236e509b6649fc13d5" [[package]] name = "opcard" version = "1.4.0" -source = "git+https://github.com/Nitrokey/opcard-rs?tag=v1.4.0#0fec661b2d5718b97e942c229444ba6b8997ea7e" +source = "git+https://github.com/Nitrokey/opcard-rs?rev=70e3f1aa21ecb75c1237b20b733d0e228a966b10#70e3f1aa21ecb75c1237b20b733d0e228a966b10" dependencies = [ "admin-app", "apdu-dispatch", @@ -2225,8 +2220,8 @@ checksum = "8b870d8c151b6f2fb93e84a13146138f05d02ed11c7e7c54f8826aaaf7c9f184" [[package]] name = "piv-authenticator" -version = "0.4.0" -source = "git+https://github.com/trussed-dev/piv-authenticator.git?tag=v0.4.0#b69b394facdaaafcd41a5ea48dae34ed3680e9d5" +version = "0.3.4" +source = "git+https://github.com/Nitrokey/piv-authenticator.git?rev=2d0ae0312170adb9cfffd05f70ebc83af3c14679#2d0ae0312170adb9cfffd05f70ebc83af3c14679" dependencies = [ "apdu-dispatch", "delog", @@ -2242,6 +2237,7 @@ dependencies = [ "trussed-auth", "trussed-chunked", "trussed-rsa-alloc", + "trussed-staging", "untrusted", ] @@ -2671,7 +2667,7 @@ dependencies = [ [[package]] name = "secrets-app" version = "0.13.0" -source = "git+https://github.com/Nitrokey/trussed-secrets-app?tag=v0.13.0-rc2#c4cd4c10c4b6e6910b462ee963ac3610ffdfc3aa" +source = "git+https://github.com/Nitrokey/trussed-secrets-app?rev=e87b6b8b574b273bedf3dfe7bbbce59697ce8e4c#e87b6b8b574b273bedf3dfe7bbbce59697ce8e4c" dependencies = [ "apdu-dispatch", "bitflags 2.4.2", @@ -2684,11 +2680,11 @@ dependencies = [ "heapless", "heapless-bytes", "hex-literal 0.3.4", - "interchange 0.2.2", "iso7816", "serde", "trussed", "trussed-auth", + "trussed-staging", ] [[package]] 
@@ -3206,7 +3202,7 @@ dependencies = [ [[package]] name = "trussed" version = "0.1.0" -source = "git+https://github.com/Nitrokey/trussed.git?tag=v0.1.0-nitrokey.18#cb7bd328549293077cd9d6c2e9e42df62180db96" +source = "git+https://github.com/Nitrokey/trussed.git?rev=371e8f7a07817c2ed57978bd86e3412bd9877647#371e8f7a07817c2ed57978bd86e3412bd9877647" dependencies = [ "aes", "bitflags 2.4.2", @@ -3225,7 +3221,7 @@ dependencies = [ "heapless-bytes", "hex-literal 0.4.1", "hmac", - "interchange 0.3.0", + "interchange", "littlefs2", "nb 1.1.0", "p256-cortex-m4", @@ -3242,12 +3238,14 @@ dependencies = [ [[package]] name = "trussed-auth" -version = "0.2.2" -source = "git+https://github.com/trussed-dev/trussed-auth?rev=4b8191f248c26cb074cdac887c7f3f48f9c449a4#4b8191f248c26cb074cdac887c7f3f48f9c449a4" +version = "0.3.0" +source = "git+https://github.com/trussed-dev/trussed-auth?rev=68271487a93c65261f4d54149a17b8a5137201de#68271487a93c65261f4d54149a17b8a5137201de" dependencies = [ + "admin-app", "chacha20poly1305", "hkdf", "hmac", + "littlefs2", "rand_core", "serde", "serde-byte-array", @@ -3268,16 +3266,10 @@ dependencies = [ [[package]] name = "trussed-hkdf" -version = "0.1.0" -source = "git+https://github.com/Nitrokey/trussed-hkdf-backend.git?tag=v0.1.0#4a172d88c0fd4be713a863db0cb18266acb0da43" +version = "0.2.0" +source = "git+https://github.com/trussed-dev/trussed-staging.git?tag=hkdf-v0.2.0#e016b25fbc49f3ba13272d58a9e9d47a16d8ea14" dependencies = [ - "heapless-bytes", - "hkdf", - "hmac", - "log", - "postcard 0.7.3", "serde", - "sha2", "trussed", ] 
@@ -3307,8 +3299,9 @@ dependencies = [ [[package]] name = "trussed-se050-backend" version = "0.3.0" -source = "git+https://github.com/Nitrokey/trussed-se050-backend.git?tag=v0.3.0#af9502a6e1d0359212101558cafa359e7f7bd5a9" +source = "git+https://github.com/Nitrokey/trussed-se050-backend.git?rev=0f33b19b18060c0f63a75b1e3894a5e0da8179b7#0f33b19b18060c0f63a75b1e3894a5e0da8179b7" dependencies = [ + "admin-app", "cbor-smol", "crypto-bigint", "delog", @@ -3347,17 +3340,20 @@ dependencies = [ [[package]] name = "trussed-staging" -version = "0.2.0" -source = "git+https://github.com/trussed-dev/trussed-staging.git?tag=v0.2.0#5fc00717e6aa3f43d4f72fd3bd589f2de3a89b98" +version = "0.3.0" +source = "git+https://github.com/trussed-dev/trussed-staging.git?tag=v0.3.0#e016b25fbc49f3ba13272d58a9e9d47a16d8ea14" dependencies = [ "chacha20poly1305", "delog", + "hkdf", "littlefs2", "rand_core", "serde", "serde-byte-array", + "sha2", "trussed", "trussed-chunked", + "trussed-hkdf", "trussed-manage", "trussed-wrap-key-to-file", ] @@ -3369,7 +3365,7 @@ source = "git+https://github.com/Nitrokey/pc-usbip-runner.git?tag=v0.0.1-nitroke dependencies = [ "apdu-dispatch", "ctaphid-dispatch", - "interchange 0.3.0", + "interchange", "log", "trussed", "usb-device", @@ -3502,7 +3498,7 @@ dependencies = [ "delog", "embedded-time", "heapless", - "interchange 0.3.0", + "interchange", "iso7816", "usb-device", ] @@ -3518,7 +3514,7 @@ dependencies = [ "embedded-time", "heapless", "heapless-bytes", - "interchange 0.3.0", + "interchange", "ref-swap", "serde", "trussed", diff --git a/Cargo.toml b/Cargo.toml index a2d491fb..a79b801b 100644 --- a/Cargo.toml +++ b/Cargo.toml 
@@ -17,38 +17,38 @@ version = "1.7.0-rc.1" memory-regions = { path = "components/memory-regions" } # forked -admin-app = { git = "https://github.com/Nitrokey/admin-app.git", tag = "v0.1.0-nitrokey.11" } -cbor-smol = { git = "https://github.com/Nitrokey/cbor-smol.git", tag = "v0.4.0-nitrokey.1" } -fido-authenticator = { git = "https://github.com/Nitrokey/fido-authenticator.git", tag = "v0.1.1-nitrokey.13" } +admin-app = { git = "https://github.com/Nitrokey/admin-app.git", rev = "2dfc133c9cd78148492622bf842e16feecd3cac6" } +cbor-smol = { git = "https://github.com/Nitrokey/cbor-smol.git", rev = "bac1ac69dd0117d1f80f3f5e1d3b60ba8987ad70"} +fido-authenticator = { git = "https://github.com/Nitrokey/fido-authenticator.git", rev = "5872fc8599180593552583bec0e6d6bf7c341a32" } flexiber = { git = "https://github.com/Nitrokey/flexiber", tag = "0.1.1.nitrokey" } lpc55-hal = { git = "https://github.com/Nitrokey/lpc55-hal", tag = "v0.3.0-nitrokey.2" } serde-indexed = { git = "https://github.com/nitrokey/serde-indexed.git", tag = "v0.1.0-nitrokey.2" } -trussed = { git = "https://github.com/Nitrokey/trussed.git", tag = "v0.1.0-nitrokey.18" } +trussed = { git = "https://github.com/Nitrokey/trussed.git", rev = "371e8f7a07817c2ed57978bd86e3412bd9877647" } # unreleased upstream changes apdu-dispatch = { git = "https://github.com/Nitrokey/apdu-dispatch.git", tag = "v0.1.2-nitrokey.3" } ctap-types = { git = "https://github.com/trussed-dev/ctap-types.git", rev = "a9f8003a1d9f05f9eea39e615b9159bc0613fcb5" } ctaphid-dispatch = { git = "https://github.com/Nitrokey/ctaphid-dispatch.git", tag = "v0.1.1-nitrokey.3" } -littlefs2 = { git = "https://github.com/trussed-dev/littlefs2", rev = "ebd27e49ca321089d01d8c9b169c4aeb58ceeeca" } +littlefs2 = { git = "https://github.com/trussed-dev/littlefs2.git", rev = "960e57d9fc0d209308c8e15dc26252bbe1ff6ba8" } usbd-ctaphid = { git = "https://github.com/trussed-dev/usbd-ctaphid.git", rev = "1db2e014f28669bc484c81ab0406c54b16bba33c" } usbd-ccid = { git = 
"https://github.com/Nitrokey/usbd-ccid", tag = "v0.2.0-nitrokey.1" } p256-cortex-m4 = { git = "https://github.com/ycrypto/p256-cortex-m4.git", rev = "cdb31e12594b4dc1f045b860a885fdc94d96aee2" } # unreleased crates -secrets-app = { git = "https://github.com/Nitrokey/trussed-secrets-app", tag = "v0.13.0-rc2" } +secrets-app = { git = "https://github.com/Nitrokey/trussed-secrets-app", rev = "e87b6b8b574b273bedf3dfe7bbbce59697ce8e4c" } webcrypt = { git = "https://github.com/nitrokey/nitrokey-websmartcard-rust", tag = "v0.8.0-rc6" } -opcard = { git = "https://github.com/Nitrokey/opcard-rs", tag = "v1.4.0" } -piv-authenticator = { git = "https://github.com/trussed-dev/piv-authenticator.git", tag = "v0.4.0" } +opcard = { git = "https://github.com/Nitrokey/opcard-rs", rev = "70e3f1aa21ecb75c1237b20b733d0e228a966b10" } +piv-authenticator = { git = "https://github.com/Nitrokey/piv-authenticator.git", rev = "2d0ae0312170adb9cfffd05f70ebc83af3c14679" } trussed-chunked = { git = "https://github.com/trussed-dev/trussed-staging.git", tag = "chunked-v0.1.0" } trussed-manage = { git = "https://github.com/trussed-dev/trussed-staging.git", tag = "manage-v0.1.0" } trussed-wrap-key-to-file = { git = "https://github.com/trussed-dev/trussed-staging.git", tag = "wrap-key-to-file-v0.1.0" } -trussed-staging = { git = "https://github.com/trussed-dev/trussed-staging.git", tag = "v0.2.0" } -trussed-auth = { git = "https://github.com/trussed-dev/trussed-auth", rev = "4b8191f248c26cb074cdac887c7f3f48f9c449a4" } -trussed-hkdf = { git = "https://github.com/Nitrokey/trussed-hkdf-backend.git", tag = "v0.1.0" } +trussed-staging = { git = "https://github.com/trussed-dev/trussed-staging.git", tag = "v0.3.0" } +trussed-auth = { git = "https://github.com/Nitrokey/trussed-auth", rev = "68271487a93c65261f4d54149a17b8a5137201de" } +trussed-hkdf = { git = "https://github.com/trussed-dev/trussed-staging.git", tag = "hkdf-v0.2.0" } trussed-rsa-alloc = { git = 
"https://github.com/trussed-dev/trussed-rsa-backend.git", rev = "9732a9a3e98af72112286afdc9b7174c66c2869a" } trussed-usbip = { git = "https://github.com/Nitrokey/pc-usbip-runner.git", tag = "v0.0.1-nitrokey.3" } -trussed-se050-backend = { git = "https://github.com/Nitrokey/trussed-se050-backend.git", tag = "v0.3.0" } trussed-se050-manage = { git = "https://github.com/Nitrokey/trussed-se050-backend.git", tag = "se050-manage-v0.1.0" } +trussed-se050-backend = { git = "https://github.com/Nitrokey/trussed-se050-backend.git", rev = "0f33b19b18060c0f63a75b1e3894a5e0da8179b7" } [profile.release] codegen-units = 1 diff --git a/components/apps/Cargo.toml b/components/apps/Cargo.toml index cd5dbd46..dcfef4d7 100644 --- a/components/apps/Cargo.toml +++ b/components/apps/Cargo.toml @@ -19,11 +19,11 @@ if_chain = "1.0.2" littlefs2 = "0.4" # Backends -trussed-auth = { version = "0.2.2", optional = true } -trussed-hkdf = { version = "0.1.0" } +trussed-auth = { version = "0.3.0", optional = true } +trussed-hkdf = { version = "0.2.0" } trussed-rsa-alloc = { version = "0.1.0", optional = true } trussed-se050-backend = { version = "0.3.0", optional = true } -trussed-staging = { version = "0.2.0", features = ["wrap-key-to-file", "chunked", "manage"] } +trussed-staging = { version = "0.3.0", features = ["wrap-key-to-file", "chunked", "manage", "hkdf"] } # Extensions trussed-chunked = "0.1.0" 
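Review bot: In the root Cargo.toml hunk, `trussed-auth` now points at `https://github.com/Nitrokey/trussed-auth`, but the Cargo.lock section of this commit records `git+https://github.com/trussed-dev/trussed-auth?rev=68271487a93c65261f4d54149a17b8a5137201de` as its source, so manifest and lockfile name different repositories for the same crate. A build with `cargo build --locked` should refuse this state; one of the two needs to be corrected or regenerated so that the reviewed source is the one that is built. Replacing release tags with full 40-character revs pins content more strictly, but it removes the readable link to a release, so each new `rev = "..."` line would benefit from a trailing comment such as `# <branch or PR this rev comes from>; replace with tag <placeholder> once released`. That matters most for `piv-authenticator`, which moves from the trussed-dev repository to the Nitrokey fork while its version drops from 0.4.0 to 0.3.4.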
@@ -38,7 +38,7 @@ ndef-app = { path = "../ndef-app", optional = true } webcrypt = { version = "0.8.0", optional = true } secrets-app = { version = "0.13.0", features = ["apdu-dispatch", "ctaphid"], optional = true } opcard = { version = "1.4.0", features = ["apdu-dispatch", "delog", "rsa2048-gen", "rsa4096", "admin-app"], optional = true } -piv-authenticator = { version = "0.4.0", features = ["apdu-dispatch", "delog", "rsa"], optional = true } +piv-authenticator = { version = "0.3.4", features = ["apdu-dispatch", "delog", "rsa"], optional = true } provisioner-app = { path = "../provisioner-app", optional = true } [dev-dependencies] @@ -67,7 +67,8 @@ webcrypt = ["dep:webcrypt", "backend-auth", "backend-rsa"] fido-authenticator = ["dep:fido-authenticator", "usbd-ctaphid"] opcard = ["dep:opcard", "backend-rsa", "backend-auth"] piv-authenticator = ["dep:piv-authenticator", "backend-rsa", "backend-auth"] -se050 = ["dep:se05x", "trussed-se050-backend", "trussed-se050-manage", "admin-app/se050"] +se050 = ["dep:se05x", "trussed-se050-backend", "trussed-se050-manage", "admin-app/se050", "se050-migration"] +se050-migration = ["dep:se05x", "trussed-se050-backend"] # backends backend-auth = ["trussed-auth"] diff --git a/components/apps/src/dispatch.rs b/components/apps/src/dispatch.rs index bd40b614..29740881 100644 --- a/components/apps/src/dispatch.rs +++ b/components/apps/src/dispatch.rs @@ -16,7 +16,6 @@ use trussed::{ api::{reply, request}, backend::Backend as _, serde_extensions::{ExtensionDispatch, ExtensionId, ExtensionImpl}, - types::NoData, }; #[cfg(feature = "se050")] @@ -35,7 +34,7 @@ use trussed_auth::{AuthBackend, AuthContext, AuthExtension, MAX_HW_KEY_LEN}; use trussed_rsa_alloc::SoftwareRsa; use trussed_chunked::ChunkedExtension; -use trussed_hkdf::{HkdfBackend, HkdfExtension}; +use trussed_hkdf::HkdfExtension; use trussed_manage::ManageExtension; use trussed_staging::{StagingBackend, StagingContext}; use trussed_wrap_key_to_file::WrapKeyToFileExtension; 
@@ -49,7 +48,6 @@ use webcrypt::hmacsha256p256::{ pub struct Dispatch { #[cfg(feature = "backend-auth")] auth: AuthBackend, - hkdf: HkdfBackend, #[cfg(feature = "webcrypt")] hmacsha256p256: HmacSha256P256Backend, staging: StagingBackend, @@ -124,7 +122,6 @@ impl Dispatch { Self { #[cfg(feature = "backend-auth")] auth: AuthBackend::new(auth_location), - hkdf: HkdfBackend, #[cfg(feature = "webcrypt")] hmacsha256p256: Default::default(), staging: build_staging_backend(), @@ -146,7 +143,6 @@ impl Dispatch { let hw_key_se050 = hw_key.clone(); Self { auth: AuthBackend::with_hw_key(auth_location, hw_key), - hkdf: HkdfBackend, #[cfg(feature = "webcrypt")] hmacsha256p256: Default::default(), staging: build_staging_backend(), @@ -199,7 +195,6 @@ impl ExtensionDispatch for Dispatch { self.auth .request(&mut ctx.core, &mut ctx.backends.auth, request, resources) } - Backend::Hkdf => Err(TrussedError::RequestNotAvailable), #[cfg(feature = "webcrypt")] Backend::HmacSha256P256 => Err(TrussedError::RequestNotAvailable), #[cfg(feature = "backend-rsa")] @@ -241,15 +236,6 @@ impl ExtensionDispatch for Dispatch { #[allow(unreachable_patterns)] _ => Err(TrussedError::RequestNotAvailable), }, - Backend::Hkdf => match extension { - Extension::Hkdf => self.hkdf.extension_request_serialized( - &mut ctx.core, - &mut NoData, - request, - resources, - ), - _ => Err(TrussedError::RequestNotAvailable), - }, #[cfg(feature = "webcrypt")] Backend::HmacSha256P256 => match extension { Extension::HmacSha256P256 => self.hmacsha256p256.extension_request_serialized( @@ -281,6 +267,13 @@ impl ExtensionDispatch for Dispatch { resources, ) } + Extension::Hkdf => ExtensionImpl::::extension_request_serialized( + &mut self.staging, + &mut ctx.core, + &mut ctx.backends.staging, + request, + resources, + ), #[allow(unreachable_patterns)] _ => Err(TrussedError::RequestNotAvailable), }, 
@@ -348,7 +341,6 @@ impl ExtensionDispatch for Dispatch { pub enum Backend { #[cfg(feature = "backend-auth")] Auth, - Hkdf, #[cfg(feature = "webcrypt")] HmacSha256P256, #[cfg(feature = "backend-rsa")] diff --git a/components/apps/src/lib.rs b/components/apps/src/lib.rs index f869ccd0..95078c39 100644 --- a/components/apps/src/lib.rs +++ b/components/apps/src/lib.rs @@ -14,6 +14,7 @@ use ctaphid_dispatch::app::App as CtaphidApp; #[cfg(feature = "se050")] use embedded_hal::blocking::delay::DelayUs; use heapless::Vec; +use littlefs2::path; use serde::{Deserialize, Serialize}; use trussed::{ backend::BackendId, client::ClientBuilder, interrupt::InterruptFlag, platform::Syscall, @@ -22,7 +23,7 @@ use trussed::{ use utils::Version; pub use admin_app::Reboot; -use admin_app::{ConfigValueMut, ResetSignalAllocation}; +use admin_app::{migrations::Migrator, ConfigValueMut, ResetSignalAllocation}; #[cfg(feature = "webcrypt")] use webcrypt::{PeekingBypass, Webcrypt}; 
@@ -35,12 +36,50 @@ fn is_default(value: &T) -> bool { value == &Default::default() } +const MIGRATION_VERSION_SPACE_EFFICIENCY: u32 = 1; + +const MIGRATORS: &[Migrator] = &[ + // We first migrate the SE050 since this migration deletes data to make sure that the other + // migrations succeed even on low block availability + #[cfg(feature = "se050-migration")] + Migrator { + migrate: |ifs, _efs| { + trussed_se050_backend::migrate::migrate_remove_all_dat(ifs, &[path!("/opcard")]) + }, + version: MIGRATION_VERSION_SPACE_EFFICIENCY, + }, + #[cfg(feature = "backend-auth")] + Migrator { + migrate: |ifs, _efs| { + trussed_auth::migrate::migrate_remove_dat( + ifs, + &[ + path!("opcard"), + path!("webcrypt"), + path!("secrets"), + path!("piv"), + ], + ) + }, + version: MIGRATION_VERSION_SPACE_EFFICIENCY, + }, + #[cfg(feature = "fido-authenticator")] + Migrator { + migrate: |ifs, _efs| { + fido_authenticator::migrate::migrate_no_rp_dir(ifs, path!("/fido/dat")) + }, + version: MIGRATION_VERSION_SPACE_EFFICIENCY, + }, +]; + #[derive(Debug, Default, PartialEq, Deserialize, Serialize)] pub struct Config { #[serde(default, rename = "f", skip_serializing_if = "is_default")] fido: FidoConfig, #[serde(default, rename = "o", skip_serializing_if = "is_default")] opcard: OpcardConfig, + #[serde(default, rename = "v", skip_serializing_if = "is_default")] + fs_version: u32, } impl admin_app::Config for Config { @@ -74,6 +113,14 @@ impl admin_app::Config for Config { None } } + + fn migration_version(&self) -> Option { + Some(self.fs_version) + } + fn set_migration_version(&mut self, version: u32) -> bool { + self.fs_version = version; + true + } } #[derive(Debug, Default, PartialEq, Deserialize, Serialize)] @@ -82,7 +129,7 @@ pub struct FidoConfig { disable_skip_up_timeout: bool, } -impl admin_app::Config for FidoConfig { +impl FidoConfig { fn field(&mut self, key: &str) -> Option> { match key { "disable_skip_up_timeout" => { 
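Review bot: The paths passed to the three entries of `MIGRATORS` come in two forms: `path!("/opcard")` and `path!("/fido/dat")` have a leading slash, while the `trussed_auth` list uses `path!("opcard")`, `path!("webcrypt")`, `path!("secrets")` and `path!("piv")`. Whether the migrate helpers resolve both forms against the same root is not visible in this hunk, and the first entry deletes data, so each entry should carry a short comment stating what its paths are relative to. `MIGRATION_VERSION_SPACE_EFFICIENCY` also has no documentation; something like `/// Filesystem layout version reached after all entries of MIGRATORS have run; tracked in Config::fs_version.` would do. The list should further state whether every migrator must be idempotent, since all three share one version number and would presumably be run again together if the new version was not persisted.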
@@ -92,6 +139,7 @@ impl admin_app::Config for FidoConfig { } } + #[cfg(feature = "factory-reset")] fn reset_client_id( &self, _key: &str, @@ -132,7 +180,7 @@ impl OpcardConfig { } } -impl admin_app::Config for OpcardConfig { +impl OpcardConfig { fn field(&mut self, key: &str) -> Option> { match key { #[cfg(feature = "se050")] @@ -141,6 +189,7 @@ impl admin_app::Config for OpcardConfig { } } + #[cfg(feature = "factory-reset")] fn reset_client_id( &self, key: &str, @@ -248,6 +297,7 @@ pub struct Apps { provisioner: ProvisionerApp, #[cfg(feature = "webcrypt")] webcrypt: PeekingBypass<'static, FidoApp, WebcryptApp>, + migrated_successfully: bool, } impl Apps { @@ -271,6 +321,7 @@ impl Apps { } = data; let (admin, init_status) = Self::admin_app(runner, &mut make_client, admin); + #[cfg(not(feature = "opcard"))] let _ = init_status; @@ -303,6 +354,7 @@ impl Apps { #[cfg(feature = "webcrypt")] webcrypt: webcrypt_fido_bypass, admin, + migrated_successfully: init_status.contains(InitStatus::MIGRATION_ERROR), } } @@ -319,13 +371,14 @@ impl Apps { // TODO: use CLIENT_ID directly let mut filestore = ClientFilestore::new(ADMIN_APP_CLIENT_ID.into(), data.store); let version = data.version.encode(); - let app = AdminApp::::load_config( + let mut app = AdminApp::::load_config( trussed, &mut filestore, runner.uuid(), version, data.version_string, data.status(), + MIGRATORS, ) .unwrap_or_else(|(trussed, _err)| { data.init_status.insert(InitStatus::CONFIG_ERROR); @@ -335,8 +388,15 @@ impl Apps { version, data.version_string, data.status(), + MIGRATORS, ) }); + + const LATEST_MIGRATION: u32 = MIGRATION_VERSION_SPACE_EFFICIENCY; + let migration_success = app.migrate(LATEST_MIGRATION, data.store).is_ok(); + if !migration_success { + data.init_status &= InitStatus::MIGRATION_ERROR; + } (app, data.init_status) } 
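Review bot: `migrated_successfully: init_status.contains(InitStatus::MIGRATION_ERROR),` in the `Self { ... }` initializer is inverted, because the field is true only when the error flag is present. It should read `migrated_successfully: !init_status.contains(InitStatus::MIGRATION_ERROR),`. The two later hunks in `apdu_dispatch` and `ctaphid_dispatch` use this field to decide whether secrets, opcard, piv, fido and webcrypt are registered, so the gate does the opposite of what its name says. Because the failure branch in `admin_app` never actually sets the flag (it uses `&=`), the field is in practice false on every boot, which would withhold those apps even after a clean migration. The constructor starts and ends outside the hunk.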
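Review bot: `data.init_status &= InitStatus::MIGRATION_ERROR;` in the failure branch after `app.migrate(LATEST_MIGRATION, data.store)` masks the status instead of setting the flag. It clears every other bit, including the `CONFIG_ERROR` inserted by the fallback closure just above, and leaves `MIGRATION_ERROR` unset unless it was already present. The config-error path in the same function uses `insert`, so this line should be `data.init_status.insert(InitStatus::MIGRATION_ERROR);`. As written, the status returned after a failed migration carries no error bit at all, which hides the fault from anyone diagnosing the device; the error value itself is also discarded by `.is_ok()` and could be logged. The function starts outside the hunk.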
@@ -373,23 +433,25 @@ impl Apps { #[cfg(feature = "ndef-app")] apps.push(&mut self.ndef).ok().unwrap(); - // App 2: secrets - #[cfg(feature = "secrets-app")] - apps.push(&mut self.oath).ok().unwrap(); + if self.migrated_successfully { + // App 2: secrets + #[cfg(feature = "secrets-app")] + apps.push(&mut self.oath).ok().unwrap(); - // App 3: opcard - #[cfg(feature = "opcard")] - if let Some(opcard) = &mut self.opcard { - apps.push(opcard).ok().unwrap(); - } + // App 3: opcard + #[cfg(feature = "opcard")] + if let Some(opcard) = &mut self.opcard { + apps.push(opcard).ok().unwrap(); + } - // App 4: piv - #[cfg(feature = "piv-authenticator")] - apps.push(&mut self.piv).ok().unwrap(); + // App 4: piv + #[cfg(feature = "piv-authenticator")] + apps.push(&mut self.piv).ok().unwrap(); - // App 5: fido - #[cfg(all(feature = "fido-authenticator", not(feature = "webcrypt")))] - apps.push(&mut self.fido).ok().unwrap(); + // App 5: fido + #[cfg(all(feature = "fido-authenticator", not(feature = "webcrypt")))] + apps.push(&mut self.fido).ok().unwrap(); + } // App 6: admin apps.push(&mut self.admin).ok().unwrap(); 
@@ -407,18 +469,22 @@ impl Apps { { let mut apps: Vec<&mut dyn CtaphidApp<'static>, 4> = Default::default(); - // App 1: webcrypt or fido - #[cfg(feature = "webcrypt")] - apps.push(&mut self.webcrypt).ok().unwrap(); - #[cfg(all(feature = "fido-authenticator", not(feature = "webcrypt")))] - apps.push(&mut self.fido).ok().unwrap(); + if self.migrated_successfully { + // App 1: webcrypt or fido + #[cfg(feature = "webcrypt")] + apps.push(&mut self.webcrypt).ok().unwrap(); + #[cfg(all(feature = "fido-authenticator", not(feature = "webcrypt")))] + apps.push(&mut self.fido).ok().unwrap(); + } // App 2: admin apps.push(&mut self.admin).ok().unwrap(); - // App 3: secrets - #[cfg(feature = "secrets-app")] - apps.push(&mut self.oath).ok().unwrap(); + if self.migrated_successfully { + // App 3: secrets + #[cfg(feature = "secrets-app")] + apps.push(&mut self.oath).ok().unwrap(); + } // App 4: provisioner #[cfg(feature = "provisioner-app")] @@ -462,7 +528,7 @@ impl trussed_usbip::Apps<'static, Client, Dispatch> for Apps { trait App: Sized { /// additional data needed by this Trussed app type Data; - type Config: admin_app::Config; + type Config; /// the desired client ID const CLIENT_ID: &'static str; @@ -659,11 +725,7 @@ impl App for FidoApp { } fn backends(_runner: &R, _config: &Self::Config) -> &'static [BackendId] { - &[ - BackendId::Custom(Backend::Hkdf), - BackendId::Custom(Backend::Staging), - BackendId::Core, - ] + &[BackendId::Custom(Backend::Staging), BackendId::Core] } } @@ -844,6 +906,7 @@ mod tests { #[cfg(feature = "se050")] use_se050_backend: true, }, + fs_version: 1, }; let data: Bytes<1024> = cbor_serialize_bytes(&config).unwrap(); // littlefs2 is most efficient with files < 1/4 of the block size. The block sizes are 512