diff --git a/.gitignore b/.gitignore index 8fc76fb5..ca11a963 100644 --- a/.gitignore +++ b/.gitignore @@ -46,3 +46,5 @@ utils/nrf-builder/provisioner-nk3am-nrf52-1.2.2.bin utils/nrf-builder/provisioner-nk3am-nrf52-1.2.2.hex utils/nrf-builder/provisioner-nk3am-nrf52-1.2.2.zip utils/nrf-builder/test-certs/ + +.vscode/ \ No newline at end of file diff --git a/Cargo.lock b/Cargo.lock index 55edbe6f..73043262 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -181,6 +181,7 @@ dependencies = [ "trussed-fs-info", "trussed-hkdf", "trussed-manage", + "trussed-pqc-backend", "trussed-rsa-alloc", "trussed-se050-backend", "trussed-se050-manage", @@ -508,6 +509,11 @@ name = "cc" version = "1.0.106" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "066fce287b1d4eafef758e89e09d724a24808a9196fe9756b8ca90e86d0719a2" +dependencies = [ + "jobserver", + "libc", + "once_cell", +] [[package]] name = "cexpr" @@ -773,11 +779,12 @@ dependencies = [ [[package]] name = "cosey" version = "0.3.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "39323fe531b92e7acad90b8550b58cec63d29a6c5a56e02de4b25b6aeedbf82e" dependencies = [ + "cfg-if", "heapless-bytes", + "pqcrypto-dilithium", "serde", + "serde-big-array", "serde_repr", ] @@ -874,8 +881,6 @@ dependencies = [ [[package]] name = "ctap-types" version = "0.3.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "bf6a69fe79c279d4e06b0064d25ee7d05f87d55c06e07a1386043bc14bbd5c6d" dependencies = [ "bitflags 1.3.2", "cbor-smol", @@ -1002,6 +1007,12 @@ dependencies = [ "subtle", ] +[[package]] +name = "dunce" +version = "1.0.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "92773504d58c093f6de2459af4af33faa518c13451eb8f2b5698ed3d36e7c813" + [[package]] name = "ecdsa" version = "0.16.9" 
@@ -1175,7 +1186,6 @@ dependencies = [ [[package]] name = "fido-authenticator" version = "0.1.1" -source = "git+https://github.com/Nitrokey/fido-authenticator.git?tag=v0.1.1-nitrokey.19#0fdecc93df800543aed0f1de0ea0f7178cf93b80" dependencies = [ "apdu-dispatch", "cbor-smol", @@ -1674,6 +1684,15 @@ version = "1.0.11" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "49f1f14873335454500d59611f1cf4a4b0f786f9ac11f4312a78e4cf2566695b" +[[package]] +name = "jobserver" +version = "0.1.32" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "48d1dbcbbeb6a7fec7e059840aa538bd62aaccf972c7346c4d9d2059312853d0" +dependencies = [ + "libc", +] + [[package]] name = "js-sys" version = "0.3.69" @@ -1726,7 +1745,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "e310b3a6b5907f99202fcdb4960ff45b93735d7c7d96b760fcff8db2dc0e103d" dependencies = [ "cfg-if", - "windows-targets 0.48.5", + "windows-targets 0.52.6", ] [[package]] 
@@ -2289,6 +2308,117 @@ version = "0.2.17" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "5b40af805b3121feab8a3c29f04d8ad262fa8e0561883e7653e024ae4479e6de" +[[package]] +name = "pqcrypto" +version = "0.17.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "5ac15ee741fa95113ea76e7b08ce966e55c7e725621119ec1a59cf88a96e94b4" +dependencies = [ + "pqcrypto-classicmceliece", + "pqcrypto-dilithium", + "pqcrypto-falcon", + "pqcrypto-hqc", + "pqcrypto-kyber", + "pqcrypto-sphincsplus", + "pqcrypto-traits", +] + +[[package]] +name = "pqcrypto-classicmceliece" +version = "0.2.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "020d75adba68e21bcd1a6268a7145bff549fe7559e75a122e19f6f00bfb896d7" +dependencies = [ + "cc", + "glob", + "libc", + "pqcrypto-internals", + "pqcrypto-traits", +] + +[[package]] +name = "pqcrypto-dilithium" +version = "0.5.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "685de0fa68c6786559d5fcdaa414f0cd68ef3f5d162f61823bd7424cd276726f" +dependencies = [ + "cc", + "glob", + "libc", + "pqcrypto-internals", + "pqcrypto-traits", +] + +[[package]] +name = "pqcrypto-falcon" +version = "0.3.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "35d1d53b8392f416aa11943f83c0372d88090d9c236b21a7f19352e61542119d" +dependencies = [ + "cc", + "glob", + "libc", + "pqcrypto-internals", + "pqcrypto-traits", +] + +[[package]] +name = "pqcrypto-hqc" +version = "0.2.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "2e945bdfba5a47894067969abaa04d773c8dae56d1f33efa93fc5b84636b85bf" +dependencies = [ + "cc", + "glob", + "libc", + "pqcrypto-internals", + "pqcrypto-traits", +] + +[[package]] +name = "pqcrypto-internals" +version = "0.2.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "d9d34bec6abe2283e6de7748b68b292d1ffa2203397e3e71380ff8418a49fb46" +dependencies = [ + 
"cc", + "dunce", + "getrandom", + "libc", +] + +[[package]] +name = "pqcrypto-kyber" +version = "0.8.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "15c00293cf898859d0c771455388054fd69ab712263c73fdc7f287a39b1ba000" +dependencies = [ + "cc", + "glob", + "libc", + "pqcrypto-internals", + "pqcrypto-traits", +] + +[[package]] +name = "pqcrypto-sphincsplus" +version = "0.7.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "82ea17a14b7623f262460f07e2773ae62b25c65e935db87581addd60cc9316c3" +dependencies = [ + "cc", + "glob", + "libc", + "pqcrypto-internals", + "pqcrypto-traits", +] + +[[package]] +name = "pqcrypto-traits" +version = "0.3.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "94e851c7654eed9e68d7d27164c454961a616cf8c203d500607ef22c737b51bb" + [[package]] name = "pretty_env_logger" version = "0.5.0" @@ -2680,13 +2810,22 @@ checksum = "388a1df253eca08550bef6c72392cfe7c30914bf41df5269b68cbd6ff8f570a3" [[package]] name = "serde" -version = "1.0.204" +version = "1.0.210" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "bc76f558e0cbb2a839d37354c575f1dc3fdc6546b5be373ba43d95f231bf7c12" +checksum = "c8e3592472072e6e22e0a54d5904d9febf8508f65fb8552499a1abc7d1078c3a" dependencies = [ "serde_derive", ] +[[package]] +name = "serde-big-array" +version = "0.5.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "11fc7cc2c76d73e0f27ee52abbd64eec84d46f370c88371120433196934e4b7f" +dependencies = [ + "serde", +] + [[package]] name = "serde-byte-array" version = "0.1.2" 
@@ -2718,9 +2857,9 @@ dependencies = [ [[package]] name = "serde_derive" -version = "1.0.204" +version = "1.0.210" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e0cd7e117be63d3c3678776753929474f3b04a43a080c744d6b0ae2a8c28e222" +checksum = "243902eda00fad750862fc144cea25caca5e20d615af0a81bee94ca738f1df1f" dependencies = [ "proc-macro2", "quote", @@ -3154,7 +3293,6 @@ dependencies = [ [[package]] name = "trussed" version = "0.1.0" -source = "git+https://github.com/nitrokey/trussed.git?tag=v0.1.0-nitrokey.21#66e8fa72939b769587df28550034ba66425dcefd" dependencies = [ "aes", "bitflags 2.6.0", @@ -3178,6 +3316,7 @@ dependencies = [ "nb 1.1.0", "p256-cortex-m4", "postcard 0.7.3", + "pqcrypto-dilithium", "rand_chacha", "rand_core", "salty", @@ -3243,6 +3382,19 @@ dependencies = [ "trussed", ] +[[package]] +name = "trussed-pqc-backend" +version = "0.1.0" +dependencies = [ + "der", + "pkcs8", + "pqcrypto", + "pqcrypto-dilithium", + "serde", + "serde-big-array", + "trussed", +] + [[package]] name = "trussed-rsa-alloc" version = "0.2.1" @@ -3855,8 +4007,3 @@ dependencies = [ "quote", "syn 2.0.69", ] - -[[patch.unused]] -name = "ctap-types" -version = "0.2.0" -source = "git+https://github.com/trussed-dev/ctap-types.git?rev=72eb68b61e3f14957c5ab89bd22f776ac860eb62#72eb68b61e3f14957c5ab89bd22f776ac860eb62" diff --git a/Cargo.toml b/Cargo.toml index d2a6b10d..4636c49c 100644 --- a/Cargo.toml +++ b/Cargo.toml 
@@ -19,9 +19,9 @@ memory-regions = { path = "components/memory-regions" } # forked admin-app = { git = "https://github.com/Nitrokey/admin-app.git", tag = "v0.1.0-nitrokey.13" } cbor-smol = { git = "https://github.com/Nitrokey/cbor-smol.git", tag = "v0.4.0-nitrokey.4"} -fido-authenticator = { git = "https://github.com/Nitrokey/fido-authenticator.git", tag = "v0.1.1-nitrokey.19" } +#fido-authenticator = { git = "https://github.com/Nitrokey/fido-authenticator.git", tag = "v0.1.1-nitrokey.19" } lpc55-hal = { git = "https://github.com/Nitrokey/lpc55-hal", tag = "v0.3.0-nitrokey.2" } -trussed = { git = "https://github.com/nitrokey/trussed.git", tag = "v0.1.0-nitrokey.21" } +#trussed = { git = "https://github.com/nitrokey/trussed.git", tag = "v0.1.0-nitrokey.21" } # unreleased upstream changes apdu-dispatch = { git = "https://github.com/Nitrokey/apdu-dispatch.git", tag = "v0.1.2-nitrokey.3" } @@ -31,7 +31,7 @@ littlefs2-sys = { git = "https://github.com/trussed-dev/littlefs2-sys.git", rev usbd-ctaphid = { git = "https://github.com/trussed-dev/usbd-ctaphid.git", rev = "dcff9009c3cd1ef9e5b09f8f307aca998fc9a8c8" } usbd-ccid = { git = "https://github.com/Nitrokey/usbd-ccid", tag = "v0.2.0-nitrokey.1" } p256-cortex-m4 = { git = "https://github.com/ycrypto/p256-cortex-m4.git", rev = "cdb31e12594b4dc1f045b860a885fdc94d96aee2" } -ctap-types = { git = "https://github.com/trussed-dev/ctap-types.git", rev = "72eb68b61e3f14957c5ab89bd22f776ac860eb62" } +#ctap-types = { git = "https://github.com/trussed-dev/ctap-types.git", rev = "72eb68b61e3f14957c5ab89bd22f776ac860eb62" } # unreleased crates secrets-app = { git = "https://github.com/Nitrokey/trussed-secrets-app", tag = "v0.13.0" } 
@@ -50,6 +50,16 @@ trussed-usbip = { git = "https://github.com/Nitrokey/pc-usbip-runner.git", tag = trussed-se050-manage = { git = "https://github.com/Nitrokey/trussed-se050-backend.git", tag = "se050-manage-v0.1.0" } trussed-se050-backend = { git = "https://github.com/Nitrokey/trussed-se050-backend.git", tag ="v0.3.5" } +# TODO: revert to remote +trussed = { path = "../trussed"} +# TODO: revert to remote +trussed-pqc-backend = { path = "../trussed-pqc-backend" } +# TODO: delete and uncomment above +ctap-types = { path = "../ctap-types" } +# TODO: delete and uncomment above +fido-authenticator = {path = "../fido-authenticator"} +cosey = { path = "../cosey" } + [profile.release] codegen-units = 1 lto = "fat" diff --git a/components/apps/Cargo.toml b/components/apps/Cargo.toml index 5ce688ef..bf4fedf4 100644 --- a/components/apps/Cargo.toml +++ b/components/apps/Cargo.toml @@ -22,6 +22,7 @@ littlefs2 = "0.4" # Backends trussed-auth = { version = "0.3.0", optional = true } trussed-rsa-alloc = { version = "0.2.0", optional = true } +trussed-pqc-backend = { version = "0.1.0", optional = true } trussed-se050-backend = { version = "0.3.0", optional = true } trussed-staging = { version = "0.3.0", features = ["wrap-key-to-file", "chunked", "hkdf", "manage", "fs-info"] } 
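Review bot: The `path = "../trussed"`, `../trussed-pqc-backend`, `../ctap-types`, `../fido-authenticator` and `../cosey` entries in the `@@ -50,6 +50,16 @@` hunk replace tag- and rev-pinned git sources with whatever is checked out next to this repository. The firmware's crypto and CTAP code is then no longer tied to a reviewed revision, and the build cannot be reproduced outside the author's machine. Cargo.lock in this commit drops the `source`/`checksum` lines for cosey and ctap-types and the `source` line for trussed and fido-authenticator, so nothing records which revision of those crates was built. The TODOs acknowledge this for four of the entries, but `cosey` carries none; before merge each should point at a fork by tag or rev again, e.g. `trussed = { git = "<fork URL>", rev = "<commit>" }`. The earlier hunks at `@@ -19,9 +19,9 @@` and `@@ -31,7 +31,7 @@` only comment out the pinned lines and belong to the same change.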
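Review bot: The new `trussed-pqc-backend` line in components/apps/Cargo.toml appears to bring in more native code than the Dilithium features need. Per the Cargo.lock entries in this commit, trussed-pqc-backend depends on both `pqcrypto-dilithium` and the umbrella `pqcrypto` crate, and `pqcrypto` lists the classicmceliece, falcon, hqc, kyber and sphincsplus crates, each with `cc` among its dependencies. If only Dilithium is used, the backend could depend on `pqcrypto-dilithium` alone, which would keep the unused C implementations out of the dependency set. Whether the umbrella crate is needed for anything else cannot be seen from this diff.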
@@ -74,6 +75,13 @@ se050 = ["dep:se05x", "trussed-se050-backend", "trussed-se050-manage", "admin-ap # backends backend-auth = ["trussed-auth"] backend-rsa = ["trussed-rsa-alloc"] +# If any of the PQC algorithms are selected for compilation, then the +# PQC backend must be included and the corresponding algorithm features +# there must be set. +backend-pqc = ["dep:trussed-pqc-backend"] +backend-dilithium2 = ["backend-pqc", "trussed-pqc-backend/dilithium2", "fido-authenticator/backend-dilithium2"] +backend-dilithium3 = ["backend-pqc", "trussed-pqc-backend/dilithium3", "fido-authenticator/backend-dilithium3"] +backend-dilithium5 = ["backend-pqc", "trussed-pqc-backend/dilithium5", "fido-authenticator/backend-dilithium5"] log-all = ["admin-app/log-all", "fido-authenticator?/log-all", "secrets-app?/log-all", "webcrypt?/log-all", "opcard?/log-all", "provisioner-app?/log-all"] diff --git a/components/apps/src/dispatch.rs b/components/apps/src/dispatch.rs index fdae5660..97b0f59f 100644 --- a/components/apps/src/dispatch.rs +++ b/components/apps/src/dispatch.rs @@ -36,6 +36,9 @@ use trussed_auth::{AuthBackend, AuthContext, AuthExtension, MAX_HW_KEY_LEN}; #[cfg(feature = "backend-rsa")] use trussed_rsa_alloc::SoftwareRsa; +#[cfg(feature = "backend-dilithium")] +use trussed_pqc_backend::SoftwareDilithium; + use trussed_chunked::ChunkedExtension; use trussed_fs_info::FsInfoExtension; use trussed_hkdf::HkdfExtension; @@ -225,6 +228,10 @@ impl ExtensionDispatch for Dispatch { Backend::HmacSha256P256 => Err(TrussedError::RequestNotAvailable), #[cfg(feature = "backend-rsa")] Backend::SoftwareRsa => SoftwareRsa.request(&mut ctx.core, &mut (), request, resources), + #[cfg(feature = "backend-dilithium")] + Backend::SoftwareDilithium => { + SoftwareDilithium.request(&mut ctx.core, &mut (), request, resources) + } Backend::Staging => { self.staging .request(&mut ctx.core, &mut ctx.backends.staging, request, resources) 
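Review bot: The features declared in the `@@ -74,6 +75,13 @@` hunk are `backend-pqc` and `backend-dilithium2`/`3`/`5`, but every gate added in dispatch.rs and lib.rs is `#[cfg(feature = "backend-dilithium")]`. Unless that name is declared outside the hunk, the `SoftwareDilithium` import, enum variant, dispatch arms and the FidoApp backend entry are never compiled, while `fido-authenticator/backend-dilithiumN` is still switched on. Either gate the Rust code on `backend-pqc`, or declare `backend-dilithium = ["backend-pqc"]` and have the three level features list it. Separately, `"fido-authenticator/backend-dilithium2"` has no `?`, unlike `fido-authenticator?/log-all` on the `log-all` line, so if that dependency is optional these features also enable it; `"fido-authenticator?/backend-dilithium2"` avoids that.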
@@ -274,6 +281,8 @@ impl ExtensionDispatch for Dispatch { }, #[cfg(feature = "backend-rsa")] Backend::SoftwareRsa => Err(TrussedError::RequestNotAvailable), + #[cfg(feature = "backend-dilithium")] + Backend::SoftwareDilithium => Err(TrussedError::RequestNotAvailable), Backend::Staging => match extension { Extension::Chunked => { ExtensionImpl::::extension_request_serialized( @@ -387,6 +396,8 @@ pub enum Backend { HmacSha256P256, #[cfg(feature = "backend-rsa")] SoftwareRsa, + #[cfg(feature = "backend-dilithium")] + SoftwareDilithium, Staging, /// Separate BackendId to prevent non-priviledged apps from accessing the manage Extension StagingManage, diff --git a/components/apps/src/lib.rs b/components/apps/src/lib.rs index 9495156c..19890478 100644 --- a/components/apps/src/lib.rs +++ b/components/apps/src/lib.rs @@ -903,7 +903,12 @@ impl App for FidoApp { } fn backends(_runner: &R, _config: &Self::Config) -> &'static [BackendId] { - &[BackendId::Custom(Backend::Staging), BackendId::Core] + &[ + #[cfg(feature = "backend-dilithium")] + BackendId::Custom(Backend::SoftwareDilithium), + BackendId::Custom(Backend::Staging), + BackendId::Core, + ] } } diff --git a/runners/usbip/delayed-attach.sh b/runners/usbip/delayed-attach.sh new file mode 100755 index 00000000..a3f184b3 --- /dev/null +++ b/runners/usbip/delayed-attach.sh 
@@ -0,0 +1,77 @@ +#!/bin/bash + +# This script waits for the USB/IP device to be available, then attaches it. +# It is designed to be used as a pre-launch task in a debugger, so that +# the device is automatically mounted each time the debugger starts. + +set -e +set -u +total_timeout=30 +usbip_timeout=1 +attach_delay=5 +device_name="Clay Logic Nitrokey 3" + +endtime=$(($(date +%s) + $total_timeout)) + + +echo "Waiting for USB/IP device to be available..." + +# Check if we've tried long enough and should time out +while [ $(date +%s) -le $endtime ]; do + + sleep 0.1 + + set +e + # Get the list of usbip devices, with a timeout. + output=$(timeout -k $usbip_timeout $usbip_timeout sudo usbip list -r "localhost" 2>&1) + retval=$? + set -e + + if [ $retval -eq 124 ] || [ $retval -eq 137 ]; then + echo "usbip list timed out" + # The command timed out, which means it's probably already been attached. + # Check to confirm. + if lsusb | grep -q "$device_name"; then + echo "Device attached!" + exit 0 + else + >&2 echo "Failed to attach device" + fi + + elif [ $retval -eq 0 ]; then + echo "Attaching..." + # The device is available! Now attach it. + + set +e + sudo usbip list -r "localhost" + sudo usbip attach -r "localhost" -b "1-1" + sudo usbip attach -r "localhost" -b "1-1" + set -e + + sleep $attach_delay + + # Check if it's been attached + if lsusb | grep -q "$device_name"; then + echo "Device attached!" + lsusb | grep "$device_name" + exit 0 + fi + + # It didn't attach. For some reason, we sometimes have + # to run this command multiple times for it to work, + # so start the loop again. + continue + + elif [ $retval -eq 1 ]; then + # Couldn't find the port, so keep waiting + continue + + else + # Some unexpected error, exit out + >&2 echo "$output" + exit $retval + fi +done + +>&2 echo "Failed to find device before timeout" +exit 1
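Review bot: The `sudo usbip list` probe runs under a one-second `timeout` from a debugger pre-launch task, so a sudo authentication problem is likely to be misread as a device state. A password prompt killed by the timeout would return 124, which the script reads as "probably already been attached". A sudo that cannot prompt would presumably exit 1, which the script reads as "Couldn't find the port", and it then loops silently until the 30-second limit. Using `sudo -n usbip list -r "localhost"` makes the probe fail immediately, and the `-eq 1` branch should print `$output` to stderr instead of discarding it. The two `sudo usbip attach` calls inside `set +e` also drop their exit status; capturing it and logging a non-zero result would show why an attach did not take.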