Disable migrations by default

Cargo.toml

@@ -19,7 +19,7 @@ memory-regions = { path = "components/memory-regions" }
 # forked
 admin-app = { git = "https://github.com/Nitrokey/admin-app.git", rev = "7637af1cc935cc20210310ae00e54e28fc2d3b51" }
 cbor-smol = { git = "https://github.com/Nitrokey/cbor-smol.git", rev = "bac1ac69dd0117d1f80f3f5e1d3b60ba8987ad70"}
-fido-authenticator = { git = "https://github.com/Nitrokey/fido-authenticator.git", rev = "81818b0ea8a2f1c49ef1d16ebdc4f79b4c8e32cb" }
+fido-authenticator = { git = "https://github.com/Nitrokey/fido-authenticator.git",  tag = "v0.1.1-nitrokey.14" }
 flexiber = { git = "https://github.com/Nitrokey/flexiber", tag = "0.1.1.nitrokey" }
 lpc55-hal = { git = "https://github.com/Nitrokey/lpc55-hal", tag = "v0.3.0-nitrokey.2" }
 serde-indexed = { git = "https://github.com/nitrokey/serde-indexed.git", tag = "v0.1.0-nitrokey.2" }
@@ -35,20 +35,20 @@ usbd-ccid = { git = "https://github.com/Nitrokey/usbd-ccid", tag = "v0.2.0-nitro
 p256-cortex-m4  = { git = "https://github.com/ycrypto/p256-cortex-m4.git", rev = "cdb31e12594b4dc1f045b860a885fdc94d96aee2" }
 
 # unreleased crates
-secrets-app = { git = "https://github.com/Nitrokey/trussed-secrets-app", rev = "5da6f4e278a4b13fadbaacdb30387ccc6a3a9bfa" }
+secrets-app = { git = "https://github.com/Nitrokey/trussed-secrets-app", rev = "6eff6f9ad65df6875fe1eec31cfe34f591cad303" }
 webcrypt = { git = "https://github.com/nitrokey/nitrokey-websmartcard-rust", tag = "v0.8.0-rc6" }
 opcard = { git = "https://github.com/Nitrokey/opcard-rs", rev = "70e3f1aa21ecb75c1237b20b733d0e228a966b10" }
 piv-authenticator = { git = "https://github.com/Nitrokey/piv-authenticator.git", rev = "2d0ae0312170adb9cfffd05f70ebc83af3c14679" }
 trussed-chunked = { git = "https://github.com/trussed-dev/trussed-staging.git", tag = "chunked-v0.1.0" }
 trussed-manage = { git = "https://github.com/trussed-dev/trussed-staging.git", tag = "manage-v0.1.0" }
 trussed-wrap-key-to-file = { git = "https://github.com/trussed-dev/trussed-staging.git", tag = "wrap-key-to-file-v0.1.0" }
 trussed-staging = { git = "https://github.com/trussed-dev/trussed-staging.git", tag = "v0.3.0" }
-trussed-auth = { git = "https://github.com/Nitrokey/trussed-auth", rev = "68271487a93c65261f4d54149a17b8a5137201de" }
+trussed-auth = { git = "https://github.com/Nitrokey/trussed-auth", rev = "f89f8534a88fb1fe96c6ad6e002e6e523e0e7280" }
 trussed-hkdf = { git = "https://github.com/trussed-dev/trussed-staging.git", tag = "hkdf-v0.2.0" }
 trussed-rsa-alloc = { git = "https://github.com/trussed-dev/trussed-rsa-backend.git", rev = "9732a9a3e98af72112286afdc9b7174c66c2869a" }
 trussed-usbip = { git = "https://github.com/Nitrokey/pc-usbip-runner.git", tag = "v0.0.1-nitrokey.3" }
 trussed-se050-manage = { git = "https://github.com/Nitrokey/trussed-se050-backend.git", tag = "se050-manage-v0.1.0" }
-trussed-se050-backend = { git = "https://github.com/Nitrokey/trussed-se050-backend.git", rev = "0f33b19b18060c0f63a75b1e3894a5e0da8179b7" }
+trussed-se050-backend = { git = "https://github.com/Nitrokey/trussed-se050-backend.git", rev = "4158263c4c060be2691cf87ad400187f9ef0b0a3" }
 
 [profile.release]
 codegen-units = 1

components/apps/src/dispatch.rs

@@ -45,6 +45,8 @@ use webcrypt::hmacsha256p256::{
     HmacSha256P256Extension,
 };
 
+use crate::migrations::USE_MIGRATIONS;
+
 pub struct Dispatch<T = (), D = ()> {
     #[cfg(feature = "backend-auth")]
     auth: AuthBackend,
@@ -121,12 +123,14 @@ impl<T: Twi, D: Delay> Dispatch<T, D> {
         let _ = auth_location;
         Self {
             #[cfg(feature = "backend-auth")]
-            auth: AuthBackend::new(auth_location),
+            auth: AuthBackend::new(auth_location, USE_MIGRATIONS),
             #[cfg(feature = "webcrypt")]
             hmacsha256p256: Default::default(),
             staging: build_staging_backend(),
             #[cfg(feature = "se050")]
-            se050: se050.map(|driver| Se050Backend::new(driver, auth_location, None, NAMESPACE)),
+            se050: se050.map(|driver| {
+                Se050Backend::new(driver, auth_location, None, NAMESPACE, USE_MIGRATIONS)
+            }),
             #[cfg(not(feature = "se050"))]
             __: Default::default(),
         }
@@ -142,13 +146,19 @@ impl<T: Twi, D: Delay> Dispatch<T, D> {
         // Should the backend really use the same key?
         let hw_key_se050 = hw_key.clone();
         Self {
-            auth: AuthBackend::with_hw_key(auth_location, hw_key),
+            auth: AuthBackend::with_hw_key(auth_location, hw_key, USE_MIGRATIONS),
             #[cfg(feature = "webcrypt")]
             hmacsha256p256: Default::default(),
             staging: build_staging_backend(),
             #[cfg(feature = "se050")]
             se050: se050.map(|driver| {
-                Se050Backend::new(driver, auth_location, Some(hw_key_se050), NAMESPACE)
+                Se050Backend::new(
+                    driver,
+                    auth_location,
+                    Some(hw_key_se050),
+                    NAMESPACE,
+                    USE_MIGRATIONS,
+                )
             }),
             #[cfg(not(feature = "se050"))]
             __: Default::default(),

components/apps/src/lib.rs

@@ -14,7 +14,6 @@ use ctaphid_dispatch::app::App as CtaphidApp;
 #[cfg(feature = "se050")]
 use embedded_hal::blocking::delay::DelayUs;
 use heapless::Vec;
-use littlefs2::path;
 use serde::{Deserialize, Serialize};
 use trussed::{
     backend::BackendId, client::ClientBuilder, interrupt::InterruptFlag, platform::Syscall,
@@ -23,7 +22,7 @@ use trussed::{
 use utils::Version;
 
 pub use admin_app::Reboot;
-use admin_app::{migrations::Migrator, ConfigValueMut, ResetSignalAllocation};
+use admin_app::{ConfigValueMut, ResetSignalAllocation};
 
 #[cfg(feature = "webcrypt")]
 use webcrypt::{PeekingBypass, Webcrypt};
@@ -36,41 +35,49 @@ fn is_default<T: Default + PartialEq>(value: &T) -> bool {
     value == &Default::default()
 }
 
-const MIGRATION_VERSION_SPACE_EFFICIENCY: u32 = 1;
+#[allow(unused)]
+mod migrations {
+    use admin_app::migrations::Migrator;
+    use littlefs2::path;
 
-const MIGRATORS: &[Migrator] = &[
-    // We first migrate the SE050 since this migration deletes data to make sure that the other
-    // migrations succeed even on low block availability
-    #[cfg(feature = "se050-migration")]
-    Migrator {
-        migrate: |ifs, _efs| {
-            trussed_se050_backend::migrate::migrate_remove_all_dat(ifs, &[path!("/opcard")])
+    pub(crate) const MIGRATION_VERSION_SPACE_EFFICIENCY: u32 = 1;
+
+    /// set to true to enable migrations for trussed-auth and se050-backend
+    pub(crate) const USE_MIGRATIONS: bool = false;
+
+    // TODO: use when enabling migrations of trussed-auth and se050-backend and of fido-authenticator
+    pub(crate) const MIGRATORS: &[Migrator] = &[
+        // We first migrate the SE050 since this migration deletes data to make sure that the other
+        // migrations succeed even on low block availability
+        #[cfg(feature = "se050-migration")]
+        Migrator {
+            migrate: |ifs, _efs| {
+                trussed_se050_backend::migrate::migrate_remove_all_dat(ifs, &[path!("/opcard")])
+            },
+            version: MIGRATION_VERSION_SPACE_EFFICIENCY,
         },
-        version: MIGRATION_VERSION_SPACE_EFFICIENCY,
-    },
-    #[cfg(feature = "backend-auth")]
-    Migrator {
-        migrate: |ifs, _efs| {
-            trussed_auth::migrate::migrate_remove_dat(
-                ifs,
-                &[
-                    path!("opcard"),
-                    path!("webcrypt"),
-                    path!("secrets"),
-                    path!("piv"),
-                ],
-            )
+        #[cfg(feature = "backend-auth")]
+        Migrator {
+            migrate: |ifs, _efs| {
+                trussed_auth::migrate::migrate_remove_dat(
+                    ifs,
+                    &[
+                        path!("opcard"),
+                        path!("webcrypt"),
+                        path!("secrets"),
+                        path!("piv"),
+                    ],
+                )
+            },
+            version: MIGRATION_VERSION_SPACE_EFFICIENCY,
         },
-        version: MIGRATION_VERSION_SPACE_EFFICIENCY,
-    },
-    #[cfg(feature = "fido-authenticator")]
-    Migrator {
-        migrate: |ifs, _efs| {
-            fido_authenticator::migrate::migrate_no_rp_dir(ifs, path!("/fido/dat"))
+        Migrator {
+            // FIDO migration
+            migrate: |_ifs, _efs| todo!("Add fido migration"),
+            version: MIGRATION_VERSION_SPACE_EFFICIENCY,
         },
-        version: MIGRATION_VERSION_SPACE_EFFICIENCY,
-    },
-];
+    ];
+}
 
 #[derive(Debug, Default, PartialEq, Deserialize, Serialize)]
 pub struct Config {
@@ -375,7 +382,7 @@ impl<R: Runner> Apps<R> {
             version,
             data.version_string,
             data.status(),
-            MIGRATORS,
+            migrations::MIGRATORS,
         )
         .unwrap_or_else(|(trussed, _err)| {
             data.init_status.insert(InitStatus::CONFIG_ERROR);
@@ -385,11 +392,11 @@ impl<R: Runner> Apps<R> {
                 version,
                 data.version_string,
                 data.status(),
-                MIGRATORS,
+                migrations::MIGRATORS,
             )
         });
 
-        const LATEST_MIGRATION: u32 = MIGRATION_VERSION_SPACE_EFFICIENCY;
+        const LATEST_MIGRATION: u32 = 0;
         let migration_success = app
             .migrate(LATEST_MIGRATION, data.store, &mut filestore)
             .is_ok();