From b073f910f9ee70168fe9589eda93d0f1afc0cbbb Mon Sep 17 00:00:00 2001 From: Kyle Kotowick Date: Mon, 12 Aug 2024 16:59:22 -0400 Subject: [PATCH 01/10] Initial VS Code debug config --- .vscode/launch.json | 31 ++++++++++++++++++++++ .vscode/tasks.json | 20 ++++++++++++++ runners/usbip/delayed-attach.sh | 47 +++++++++++++++++++++++++++++++++ 3 files changed, 98 insertions(+) create mode 100644 .vscode/launch.json create mode 100644 .vscode/tasks.json create mode 100644 runners/usbip/delayed-attach.sh diff --git a/.vscode/launch.json b/.vscode/launch.json new file mode 100644 index 00000000..e9ef10c0 --- /dev/null +++ b/.vscode/launch.json @@ -0,0 +1,31 @@ +{ + // Use IntelliSense to learn about possible attributes. + // Hover to view descriptions of existing attributes. + // For more information, visit: https://go.microsoft.com/fwlink/?linkid=830387 + "version": "0.2.0", + "configurations": [ + { + "type": "lldb", + "request": "launch", + "name": "USB/IP Emulator", + "cargo": { + "args": [ + "build", + "--features", + "provisioner", + "--bin=usbip-runner", + ], + "filter": { + "kind": "bin", + } + }, + "preLaunchTask": "DelayedUSBIPAttach", + "program": "${cargo:program}", + "args": [ + "--ifs", + "${userHome}/nitrokey-usbip-ifs", + ], + "cwd": "${workspaceFolder}/runners/usbip", + } + ], +} \ No newline at end of file diff --git a/.vscode/tasks.json b/.vscode/tasks.json new file mode 100644 index 00000000..e270ed88 --- /dev/null +++ b/.vscode/tasks.json @@ -0,0 +1,20 @@ +{ + "version": "2.0.0", + "tasks": [ + { + // This task waits for a few seconds before attaching + // the newly-created USB/IP adapter + "label": "DelayedUSBIPAttach", + "type": "shell", + "command": "sudo ${workspaceFolder}/runners/usbip/delayed-attach.sh", + "presentation": { + "echo": true, + "reveal": "always", + "focus": false, + "panel": "shared", + "showReuseMessage": true, + "clear": true + } + } + ] +} \ No newline at end of file diff --git a/runners/usbip/delayed-attach.sh b/runners/usbip/delayed-attach.sh new file mode 100644 index 00000000..bcb3abab --- /dev/null +++ b/runners/usbip/delayed-attach.sh @@ -0,0 +1,47 @@ +#!/bin/bash + +SCRIPTPATH="$( cd -- "$(dirname "$0")" >/dev/null 2>&1 ; pwd -P )" + +function wait_and_attach() { + echo "PRELAUNCH TASK RUNNING!" + pushd "$1" + + lsmod | grep vhci-hcd || sudo modprobe vhci-hcd + + endtime=$(($(date +%s) + 10)) + echo "$(date +%s) - $endtime" + while true; do + # Check if we've tried long enough and should time out + if [ $(date +%s) -gt $endtime ]; then + >&2 echo "Failed to find device before timeout" + return + fi + sleep 0.1 + output=$(sudo usbip list -r "localhost" 2>&1) + retval=$? + if [ $retval -eq 0 ]; then + # The device is available! Now attach it. + sudo usbip attach -r "localhost" -b "1-1" + echo "Device attached!" + lsusb + return + elif [ $retval -eq 1 ]; then + # Couldn't find the port, so keep waiting + continue + else + # Some unexpected error, exit out + >&2 echo "$output" + return + fi + done +} + +# Delete any existing output file +sudo rm -f /tmp/DelayedUSBIPAttach + +FUNC=$(declare -f wait_and_attach) + +# Run the function as sudo (so it catches sudo login requirement here instead of in the backgroun process). +# Direct all output to the output file so we can review it later if we like. +# Run the command in the background. +sudo bash -c "$FUNC; wait_and_attach \"$SCRIPTPATH\" 2>&1 | tee /tmp/DelayedUSBIPAttach &" From 02bcf9f9a77450ff48e6ff776241942f6b4877c1 Mon Sep 17 00:00:00 2001 From: Kyle Kotowick Date: Mon, 12 Aug 2024 17:03:56 -0400 Subject: [PATCH 02/10] Add verification of correct USB/IP attachment --- runners/usbip/delayed-attach.sh | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/runners/usbip/delayed-attach.sh b/runners/usbip/delayed-attach.sh index bcb3abab..265dd38c 100644 --- a/runners/usbip/delayed-attach.sh +++ b/runners/usbip/delayed-attach.sh @@ -22,8 +22,12 @@ function wait_and_attach() { if [ $retval -eq 0 ]; then # The device is available! Now attach it. sudo usbip attach -r "localhost" -b "1-1" - echo "Device attached!" - lsusb + sudo usbip attach -r "localhost" -b "1-1" + if lsusb | grep -q "Clay Logic Nitrokey 3"; then + echo "Device attached!" + else + >&2 echo "Failed to attach device" + fi return elif [ $retval -eq 1 ]; then # Couldn't find the port, so keep waiting From cdddb54d4497dfe7212c9aea9795a023a5b81e17 Mon Sep 17 00:00:00 2001 From: Kyle Kotowick Date: Wed, 21 Aug 2024 16:11:39 +0000 Subject: [PATCH 03/10] Add execution permissions to delayed-attach --- runners/usbip/delayed-attach.sh | 1 - 1 file changed, 1 deletion(-) mode change 100644 => 100755 runners/usbip/delayed-attach.sh diff --git a/runners/usbip/delayed-attach.sh b/runners/usbip/delayed-attach.sh old mode 100644 new mode 100755 index 265dd38c..0308cffd --- a/runners/usbip/delayed-attach.sh +++ b/runners/usbip/delayed-attach.sh @@ -3,7 +3,6 @@ SCRIPTPATH="$( cd -- "$(dirname "$0")" >/dev/null 2>&1 ; pwd -P )" function wait_and_attach() { - echo "PRELAUNCH TASK RUNNING!" pushd "$1" lsmod | grep vhci-hcd || sudo modprobe vhci-hcd From 3d23996644fa4c0084c76b209f986e8c8e050659 Mon Sep 17 00:00:00 2001 From: Kyle Kotowick Date: Thu, 22 Aug 2024 02:48:36 +0000 Subject: [PATCH 04/10] Update debugging USB/IP attachment script --- .vscode/tasks.json | 30 +++++++-- runners/usbip/delayed-attach.sh | 107 ++++++++++++++++++++------------ 2 files changed, 93 insertions(+), 44 deletions(-) diff --git a/.vscode/tasks.json b/.vscode/tasks.json index e270ed88..133cd11a 100644 --- a/.vscode/tasks.json +++ b/.vscode/tasks.json @@ -6,7 +6,11 @@ // the newly-created USB/IP adapter "label": "DelayedUSBIPAttach", "type": "shell", - "command": "sudo ${workspaceFolder}/runners/usbip/delayed-attach.sh", + "command": "sudo", + "args": [ + "${workspaceFolder}/runners/usbip/delayed-attach.sh" + ], + "isBackground": true, "presentation": { "echo": true, "reveal": "always", @@ -14,7 +18,25 @@ "panel": "shared", "showReuseMessage": true, "clear": true - } - } - ] + }, + // All this is needed so VSCode just lets this task run in the background. + "problemMatcher": [ + { + "pattern": [ + { + "regexp": ".", + "file": 1, + "location": 2, + "message": 3 + } + ], + "background": { + "activeOnStart": true, + "beginsPattern": ".", + "endsPattern": ".", + } + } + ], + }, + ], } \ No newline at end of file diff --git a/runners/usbip/delayed-attach.sh b/runners/usbip/delayed-attach.sh index 0308cffd..07718676 100755 --- a/runners/usbip/delayed-attach.sh +++ b/runners/usbip/delayed-attach.sh @@ -1,50 +1,77 @@ #!/bin/bash -SCRIPTPATH="$( cd -- "$(dirname "$0")" >/dev/null 2>&1 ; pwd -P )" +# This script waits for the USB/IP device to be available, then attaches it. +# It is designed to be used as a pre-launch task in a debugger, so that +# the device is automatically mounted each time the debugger starts. -function wait_and_attach() { - pushd "$1" +set -e +set -u +total_timeout=30 +usbip_timeout=1 +attach_timeout=10 +device_name="Clay Logic Nitrokey 3" - lsmod | grep vhci-hcd || sudo modprobe vhci-hcd +endtime=$(($(date +%s) + $total_timeout)) - endtime=$(($(date +%s) + 10)) - echo "$(date +%s) - $endtime" - while true; do - # Check if we've tried long enough and should time out - if [ $(date +%s) -gt $endtime ]; then - >&2 echo "Failed to find device before timeout" - return - fi - sleep 0.1 - output=$(sudo usbip list -r "localhost" 2>&1) - retval=$? - if [ $retval -eq 0 ]; then - # The device is available! Now attach it. - sudo usbip attach -r "localhost" -b "1-1" - sudo usbip attach -r "localhost" -b "1-1" - if lsusb | grep -q "Clay Logic Nitrokey 3"; then - echo "Device attached!" - else - >&2 echo "Failed to attach device" - fi - return - elif [ $retval -eq 1 ]; then - # Couldn't find the port, so keep waiting - continue + +echo "Waiting for USB/IP device to be available..." + +# Check if we've tried long enough and should time out +while [ $(date +%s) -le $endtime ]; do + + sleep 0.1 + + set +e + # Get the list of usbip devices, with a timeout. + output=$(timeout -k $usbip_timeout $usbip_timeout sudo usbip list -r "localhost" 2>&1) + retval=$? + set -e + + if [ $retval -eq 124 ] || [ $retval -eq 137 ]; then + echo "usbip list timed out" + # The command timed out, which means it's probably already been attached. + # Check to confirm. + if lsusb | grep -q "$device_name"; then + echo "Device attached!" + exit 0 else - # Some unexpected error, exit out - >&2 echo "$output" - return + >&2 echo "Failed to attach device" fi - done -} -# Delete any existing output file -sudo rm -f /tmp/DelayedUSBIPAttach + elif [ $retval -eq 0 ]; then + echo "Attaching..." + # The device is available! Now attach it. + + set +e + sudo usbip list -r "localhost" + sudo usbip attach -r "localhost" -b "1-1" + sudo usbip attach -r "localhost" -b "1-1" + set -e + + sleep 4 + + # Check if it's been attached + if lsusb | grep -q "$device_name"; then + echo "Device attached!" + lsusb | grep "$device_name" + exit 0 + fi + + # It didn't attach. For some reason, we sometimes have + # to run this command multiple times for it to work, + # so start the loop again. + continue + + elif [ $retval -eq 1 ]; then + # Couldn't find the port, so keep waiting + continue -FUNC=$(declare -f wait_and_attach) + else + # Some unexpected error, exit out + >&2 echo "$output" + exit $retval + fi +done -# Run the function as sudo (so it catches sudo login requirement here instead of in the backgroun process). -# Direct all output to the output file so we can review it later if we like. -# Run the command in the background. -sudo bash -c "$FUNC; wait_and_attach \"$SCRIPTPATH\" 2>&1 | tee /tmp/DelayedUSBIPAttach &" +>&2 echo "Failed to find device before timeout" +exit 1 From 834943d27fde97331140b110d01a3a78f8501657 Mon Sep 17 00:00:00 2001 From: Kyle Kotowick Date: Thu, 22 Aug 2024 02:58:44 +0000 Subject: [PATCH 05/10] Fix for delayed USB/IP attachment --- runners/usbip/delayed-attach.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/runners/usbip/delayed-attach.sh b/runners/usbip/delayed-attach.sh index 07718676..a3f184b3 100755 --- a/runners/usbip/delayed-attach.sh +++ b/runners/usbip/delayed-attach.sh @@ -8,7 +8,7 @@ set -e set -u total_timeout=30 usbip_timeout=1 -attach_timeout=10 +attach_delay=5 device_name="Clay Logic Nitrokey 3" endtime=$(($(date +%s) + $total_timeout)) @@ -48,7 +48,7 @@ while [ $(date +%s) -le $endtime ]; do sudo usbip attach -r "localhost" -b "1-1" set -e - sleep 4 + sleep $attach_delay # Check if it's been attached if lsusb | grep -q "$device_name"; then From 296161b92a4e9cbbee0cf328fe8db4c423944285 Mon Sep 17 00:00:00 2001 From: Kyle Kotowick Date: Fri, 27 Sep 2024 21:09:40 +0000 Subject: [PATCH 06/10] Add PQC backend --- .vscode/launch.json | 31 ------ .vscode/tasks.json | 42 -------- Cargo.lock | 165 ++++++++++++++++++++++++++++++-- Cargo.toml | 6 +- components/apps/Cargo.toml | 8 ++ components/apps/src/dispatch.rs | 11 +++ components/apps/src/lib.rs | 9 ++ 7 files changed, 192 insertions(+), 80 deletions(-) delete mode 100644 .vscode/launch.json delete mode 100644 .vscode/tasks.json diff --git a/.vscode/launch.json b/.vscode/launch.json deleted file mode 100644 index e9ef10c0..00000000 --- a/.vscode/launch.json +++ /dev/null @@ -1,31 +0,0 @@ -{ - // Use IntelliSense to learn about possible attributes. - // Hover to view descriptions of existing attributes. - // For more information, visit: https://go.microsoft.com/fwlink/?linkid=830387 - "version": "0.2.0", - "configurations": [ - { - "type": "lldb", - "request": "launch", - "name": "USB/IP Emulator", - "cargo": { - "args": [ - "build", - "--features", - "provisioner", - "--bin=usbip-runner", - ], - "filter": { - "kind": "bin", - } - }, - "preLaunchTask": "DelayedUSBIPAttach", - "program": "${cargo:program}", - "args": [ - "--ifs", - "${userHome}/nitrokey-usbip-ifs", - ], - "cwd": "${workspaceFolder}/runners/usbip", - } - ], -} \ No newline at end of file diff --git a/.vscode/tasks.json b/.vscode/tasks.json deleted file mode 100644 index 133cd11a..00000000 --- a/.vscode/tasks.json +++ /dev/null @@ -1,42 +0,0 @@ -{ - "version": "2.0.0", - "tasks": [ - { - // This task waits for a few seconds before attaching - // the newly-created USB/IP adapter - "label": "DelayedUSBIPAttach", - "type": "shell", - "command": "sudo", - "args": [ - "${workspaceFolder}/runners/usbip/delayed-attach.sh" - ], - "isBackground": true, - "presentation": { - "echo": true, - "reveal": "always", - "focus": false, - "panel": "shared", - "showReuseMessage": true, - "clear": true - }, - // All this is needed so VSCode just lets this task run in the background. - "problemMatcher": [ - { - "pattern": [ - { - "regexp": ".", - "file": 1, - "location": 2, - "message": 3 - } - ], - "background": { - "activeOnStart": true, - "beginsPattern": ".", - "endsPattern": ".", - } - } - ], - }, - ], -} \ No newline at end of file diff --git a/Cargo.lock b/Cargo.lock index 55edbe6f..b3bf97af 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -181,6 +181,7 @@ dependencies = [ "trussed-fs-info", "trussed-hkdf", "trussed-manage", + "trussed-pqc-backend", "trussed-rsa-alloc", "trussed-se050-backend", "trussed-se050-manage", @@ -508,6 +509,11 @@ name = "cc" version = "1.0.106" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "066fce287b1d4eafef758e89e09d724a24808a9196fe9756b8ca90e86d0719a2" +dependencies = [ + "jobserver", + "libc", + "once_cell", +] [[package]] name = "cexpr" @@ -1002,6 +1008,12 @@ dependencies = [ "subtle", ] +[[package]] +name = "dunce" +version = "1.0.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "92773504d58c093f6de2459af4af33faa518c13451eb8f2b5698ed3d36e7c813" + [[package]] name = "ecdsa" version = "0.16.9" @@ -1674,6 +1686,15 @@ version = "1.0.11" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "49f1f14873335454500d59611f1cf4a4b0f786f9ac11f4312a78e4cf2566695b" +[[package]] +name = "jobserver" +version = "0.1.32" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "48d1dbcbbeb6a7fec7e059840aa538bd62aaccf972c7346c4d9d2059312853d0" +dependencies = [ + "libc", +] + [[package]] name = "js-sys" version = "0.3.69" @@ -1726,7 +1747,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "e310b3a6b5907f99202fcdb4960ff45b93735d7c7d96b760fcff8db2dc0e103d" dependencies = [ "cfg-if", - "windows-targets 0.48.5", + "windows-targets 0.52.6", ] [[package]] @@ -2289,6 +2310,117 @@ version = "0.2.17" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "5b40af805b3121feab8a3c29f04d8ad262fa8e0561883e7653e024ae4479e6de" +[[package]] +name = "pqcrypto" +version = "0.17.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "5ac15ee741fa95113ea76e7b08ce966e55c7e725621119ec1a59cf88a96e94b4" +dependencies = [ + "pqcrypto-classicmceliece", + "pqcrypto-dilithium", + "pqcrypto-falcon", + "pqcrypto-hqc", + "pqcrypto-kyber", + "pqcrypto-sphincsplus", + "pqcrypto-traits", +] + +[[package]] +name = "pqcrypto-classicmceliece" +version = "0.2.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "020d75adba68e21bcd1a6268a7145bff549fe7559e75a122e19f6f00bfb896d7" +dependencies = [ + "cc", + "glob", + "libc", + "pqcrypto-internals", + "pqcrypto-traits", +] + +[[package]] +name = "pqcrypto-dilithium" +version = "0.5.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "685de0fa68c6786559d5fcdaa414f0cd68ef3f5d162f61823bd7424cd276726f" +dependencies = [ + "cc", + "glob", + "libc", + "pqcrypto-internals", + "pqcrypto-traits", +] + +[[package]] +name = "pqcrypto-falcon" +version = "0.3.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "35d1d53b8392f416aa11943f83c0372d88090d9c236b21a7f19352e61542119d" +dependencies = [ + "cc", + "glob", + "libc", + "pqcrypto-internals", + "pqcrypto-traits", +] + +[[package]] +name = "pqcrypto-hqc" +version = "0.2.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "2e945bdfba5a47894067969abaa04d773c8dae56d1f33efa93fc5b84636b85bf" +dependencies = [ + "cc", + "glob", + "libc", + "pqcrypto-internals", + "pqcrypto-traits", +] + +[[package]] +name = "pqcrypto-internals" +version = "0.2.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "d9d34bec6abe2283e6de7748b68b292d1ffa2203397e3e71380ff8418a49fb46" +dependencies = [ + "cc", + "dunce", + "getrandom", + "libc", +] + +[[package]] +name = "pqcrypto-kyber" +version = "0.8.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "15c00293cf898859d0c771455388054fd69ab712263c73fdc7f287a39b1ba000" +dependencies = [ + "cc", + "glob", + "libc", + "pqcrypto-internals", + "pqcrypto-traits", +] + +[[package]] +name = "pqcrypto-sphincsplus" +version = "0.7.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "82ea17a14b7623f262460f07e2773ae62b25c65e935db87581addd60cc9316c3" +dependencies = [ + "cc", + "glob", + "libc", + "pqcrypto-internals", + "pqcrypto-traits", +] + +[[package]] +name = "pqcrypto-traits" +version = "0.3.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "94e851c7654eed9e68d7d27164c454961a616cf8c203d500607ef22c737b51bb" + [[package]] name = "pretty_env_logger" version = "0.5.0" @@ -2680,13 +2812,22 @@ checksum = "388a1df253eca08550bef6c72392cfe7c30914bf41df5269b68cbd6ff8f570a3" [[package]] name = "serde" -version = "1.0.204" +version = "1.0.210" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "bc76f558e0cbb2a839d37354c575f1dc3fdc6546b5be373ba43d95f231bf7c12" +checksum = "c8e3592472072e6e22e0a54d5904d9febf8508f65fb8552499a1abc7d1078c3a" dependencies = [ "serde_derive", ] +[[package]] +name = "serde-big-array" +version = "0.5.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "11fc7cc2c76d73e0f27ee52abbd64eec84d46f370c88371120433196934e4b7f" +dependencies = [ + "serde", +] + [[package]] name = "serde-byte-array" version = "0.1.2" @@ -2718,9 +2859,9 @@ dependencies = [ [[package]] name = "serde_derive" -version = "1.0.204" +version = "1.0.210" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e0cd7e117be63d3c3678776753929474f3b04a43a080c744d6b0ae2a8c28e222" +checksum = "243902eda00fad750862fc144cea25caca5e20d615af0a81bee94ca738f1df1f" dependencies = [ "proc-macro2", "quote", @@ -3154,7 +3295,6 @@ dependencies = [ [[package]] name = "trussed" version = "0.1.0" -source = "git+https://github.com/nitrokey/trussed.git?tag=v0.1.0-nitrokey.21#66e8fa72939b769587df28550034ba66425dcefd" dependencies = [ "aes", "bitflags 2.6.0", @@ -3243,6 +3383,19 @@ dependencies = [ "trussed", ] +[[package]] +name = "trussed-pqc-backend" +version = "0.1.0" +dependencies = [ + "der", + "pkcs8", + "pqcrypto", + "pqcrypto-dilithium", + "serde", + "serde-big-array", + "trussed", +] + [[package]] name = "trussed-rsa-alloc" version = "0.2.1" diff --git a/Cargo.toml b/Cargo.toml index d2a6b10d..8b422d18 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -21,7 +21,8 @@ admin-app = { git = "https://github.com/Nitrokey/admin-app.git", tag = "v0.1.0-n cbor-smol = { git = "https://github.com/Nitrokey/cbor-smol.git", tag = "v0.4.0-nitrokey.4"} fido-authenticator = { git = "https://github.com/Nitrokey/fido-authenticator.git", tag = "v0.1.1-nitrokey.19" } lpc55-hal = { git = "https://github.com/Nitrokey/lpc55-hal", tag = "v0.3.0-nitrokey.2" } -trussed = { git = "https://github.com/nitrokey/trussed.git", tag = "v0.1.0-nitrokey.21" } +#trussed = { git = "https://github.com/nitrokey/trussed.git", tag = "v0.1.0-nitrokey.21" } +trussed = { path = "../trussed"} # TODO: revert to remote # unreleased upstream changes apdu-dispatch = { git = "https://github.com/Nitrokey/apdu-dispatch.git", tag = "v0.1.2-nitrokey.3" } @@ -50,6 +51,9 @@ trussed-usbip = { git = "https://github.com/Nitrokey/pc-usbip-runner.git", tag = trussed-se050-manage = { git = "https://github.com/Nitrokey/trussed-se050-backend.git", tag = "se050-manage-v0.1.0" } trussed-se050-backend = { git = "https://github.com/Nitrokey/trussed-se050-backend.git", tag ="v0.3.5" } +# TODO: revert to remote +trussed-pqc-backend = { path = "../trussed-pqc-backend", optional = true } + [profile.release] codegen-units = 1 lto = "fat" diff --git a/components/apps/Cargo.toml b/components/apps/Cargo.toml index 5ce688ef..947b48a2 100644 --- a/components/apps/Cargo.toml +++ b/components/apps/Cargo.toml @@ -22,6 +22,7 @@ littlefs2 = "0.4" # Backends trussed-auth = { version = "0.3.0", optional = true } trussed-rsa-alloc = { version = "0.2.0", optional = true } +trussed-pqc-backend = { version = "0.1.0", optional = true } trussed-se050-backend = { version = "0.3.0", optional = true } trussed-staging = { version = "0.3.0", features = ["wrap-key-to-file", "chunked", "hkdf", "manage", "fs-info"] } @@ -74,6 +75,13 @@ se050 = ["dep:se05x", "trussed-se050-backend", "trussed-se050-manage", "admin-ap # backends backend-auth = ["trussed-auth"] backend-rsa = ["trussed-rsa-alloc"] +# If any of the PQC algorithms are selected for compilation, then the +# PQC backend must be included and the corresponding algorithm features +# there must be set. +backend-dilithium = ["dep:trussed-pqc-backend"] +backend-dilithium2 = ["backend-dilithium", "trussed-pqc-backend/dilithium2"] +backend-dilithium3 = ["backend-dilithium", "trussed-pqc-backend/dilithium3"] +backend-dilithium5 = ["backend-dilithium", "trussed-pqc-backend/dilithium5"] log-all = ["admin-app/log-all", "fido-authenticator?/log-all", "secrets-app?/log-all", "webcrypt?/log-all", "opcard?/log-all", "provisioner-app?/log-all"] diff --git a/components/apps/src/dispatch.rs b/components/apps/src/dispatch.rs index fdae5660..97b0f59f 100644 --- a/components/apps/src/dispatch.rs +++ b/components/apps/src/dispatch.rs @@ -36,6 +36,9 @@ use trussed_auth::{AuthBackend, AuthContext, AuthExtension, MAX_HW_KEY_LEN}; #[cfg(feature = "backend-rsa")] use trussed_rsa_alloc::SoftwareRsa; +#[cfg(feature = "backend-dilithium")] +use trussed_pqc_backend::SoftwareDilithium; + use trussed_chunked::ChunkedExtension; use trussed_fs_info::FsInfoExtension; use trussed_hkdf::HkdfExtension; @@ -225,6 +228,10 @@ impl ExtensionDispatch for Dispatch { Backend::HmacSha256P256 => Err(TrussedError::RequestNotAvailable), #[cfg(feature = "backend-rsa")] Backend::SoftwareRsa => SoftwareRsa.request(&mut ctx.core, &mut (), request, resources), + #[cfg(feature = "backend-dilithium")] + Backend::SoftwareDilithium => { + SoftwareDilithium.request(&mut ctx.core, &mut (), request, resources) + } Backend::Staging => { self.staging .request(&mut ctx.core, &mut ctx.backends.staging, request, resources) @@ -274,6 +281,8 @@ impl ExtensionDispatch for Dispatch { }, #[cfg(feature = "backend-rsa")] Backend::SoftwareRsa => Err(TrussedError::RequestNotAvailable), + #[cfg(feature = "backend-dilithium")] + Backend::SoftwareDilithium => Err(TrussedError::RequestNotAvailable), Backend::Staging => match extension { Extension::Chunked => { ExtensionImpl::::extension_request_serialized( @@ -387,6 +396,8 @@ pub enum Backend { HmacSha256P256, #[cfg(feature = "backend-rsa")] SoftwareRsa, + #[cfg(feature = "backend-dilithium")] + SoftwareDilithium, Staging, /// Separate BackendId to prevent non-priviledged apps from accessing the manage Extension StagingManage, diff --git a/components/apps/src/lib.rs b/components/apps/src/lib.rs index 9495156c..6bfc6036 100644 --- a/components/apps/src/lib.rs +++ b/components/apps/src/lib.rs @@ -170,7 +170,10 @@ pub struct OpcardConfig { impl OpcardConfig { fn backends(&self) -> &'static [BackendId] { const BACKENDS_OPCARD_DEFAULT: &[BackendId] = &[ + #[cfg(feature = "backend-rsa")] BackendId::Custom(Backend::SoftwareRsa), + #[cfg(feature = "backend-dilithium")] + BackendId::Custom(Backend::SoftwareDilithium), BackendId::Custom(Backend::Auth), BackendId::Custom(Backend::Staging), BackendId::Core, @@ -927,7 +930,10 @@ impl App for WebcryptApp { } fn backends(runner: &R, _: &()) -> &'static [BackendId] { const BACKENDS_WEBCRYPT: &[BackendId] = &[ + #[cfg(feature = "backend-rsa")] BackendId::Custom(Backend::SoftwareRsa), + #[cfg(feature = "backend-dilithium")] + BackendId::Custom(Backend::SoftwareDilithium), BackendId::Custom(Backend::Staging), BackendId::Custom(Backend::Auth), BackendId::Core, @@ -1055,7 +1061,10 @@ impl App for PivApp { } fn backends(runner: &R, _: &()) -> &'static [BackendId] { const BACKENDS_PIV: &[BackendId] = &[ + #[cfg(feature = "backend-rsa")] BackendId::Custom(Backend::SoftwareRsa), + #[cfg(feature = "backend-dilithium")] + BackendId::Custom(Backend::SoftwareDilithium), BackendId::Custom(Backend::Auth), BackendId::Custom(Backend::Staging), BackendId::Core, From 014897259ee06c332ed70f535a3f7fdc1cef13d2 Mon Sep 17 00:00:00 2001 From: Kyle Kotowick Date: Fri, 27 Sep 2024 21:10:15 +0000 Subject: [PATCH 07/10] Ignore VSCode config files --- .gitignore | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.gitignore b/.gitignore index 8fc76fb5..ca11a963 100644 --- a/.gitignore +++ b/.gitignore @@ -46,3 +46,5 @@ utils/nrf-builder/provisioner-nk3am-nrf52-1.2.2.bin utils/nrf-builder/provisioner-nk3am-nrf52-1.2.2.hex utils/nrf-builder/provisioner-nk3am-nrf52-1.2.2.zip utils/nrf-builder/test-certs/ + +.vscode/ \ No newline at end of file From 03797e32be31bc231653d20579959d9d3853d4b1 Mon Sep 17 00:00:00 2001 From: Kyle Kotowick Date: Fri, 27 Sep 2024 21:22:22 +0000 Subject: [PATCH 08/10] Fix SoftwareDilithium inclusion --- components/apps/src/lib.rs | 16 ++++++---------- 1 file changed, 6 insertions(+), 10 deletions(-) diff --git a/components/apps/src/lib.rs b/components/apps/src/lib.rs index 6bfc6036..e2d7a068 100644 --- a/components/apps/src/lib.rs +++ b/components/apps/src/lib.rs @@ -170,10 +170,7 @@ pub struct OpcardConfig { impl OpcardConfig { fn backends(&self) -> &'static [BackendId] { const BACKENDS_OPCARD_DEFAULT: &[BackendId] = &[ - #[cfg(feature = "backend-rsa")] BackendId::Custom(Backend::SoftwareRsa), - #[cfg(feature = "backend-dilithium")] - BackendId::Custom(Backend::SoftwareDilithium), BackendId::Custom(Backend::Auth), BackendId::Custom(Backend::Staging), BackendId::Core, @@ -906,7 +903,12 @@ impl App for FidoApp { } fn backends(_runner: &R, _config: &Self::Config) -> &'static [BackendId] { - &[BackendId::Custom(Backend::Staging), BackendId::Core] + &[ + BackendId::Custom(Backend::Staging), + BackendId::Core, + #[cfg(feature = "backend-dilithium")] + BackendId::Custom(Backend::SoftwareDilithium), + ] } } @@ -930,10 +932,7 @@ impl App for WebcryptApp { } fn backends(runner: &R, _: &()) -> &'static [BackendId] { const BACKENDS_WEBCRYPT: &[BackendId] = &[ - #[cfg(feature = "backend-rsa")] BackendId::Custom(Backend::SoftwareRsa), - #[cfg(feature = "backend-dilithium")] - BackendId::Custom(Backend::SoftwareDilithium), BackendId::Custom(Backend::Staging), BackendId::Custom(Backend::Auth), BackendId::Core, @@ -1061,10 +1060,7 @@ impl App for PivApp { } fn backends(runner: &R, _: &()) -> &'static [BackendId] { const BACKENDS_PIV: &[BackendId] = &[ - #[cfg(feature = "backend-rsa")] BackendId::Custom(Backend::SoftwareRsa), - #[cfg(feature = "backend-dilithium")] - BackendId::Custom(Backend::SoftwareDilithium), BackendId::Custom(Backend::Auth), BackendId::Custom(Backend::Staging), BackendId::Core, From b7caf0bbb2451f290400f6eeadad590af867b67f Mon Sep 17 00:00:00 2001 From: Kyle Kotowick Date: Mon, 30 Sep 2024 13:03:08 -0400 Subject: [PATCH 09/10] Re-order backends Co-authored-by: sosthene-nitrokey <109070476+sosthene-nitrokey@users.noreply.github.com> --- components/apps/src/lib.rs | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/components/apps/src/lib.rs b/components/apps/src/lib.rs index e2d7a068..19890478 100644 --- a/components/apps/src/lib.rs +++ b/components/apps/src/lib.rs @@ -904,10 +904,10 @@ impl App for FidoApp { fn backends(_runner: &R, _config: &Self::Config) -> &'static [BackendId] { &[ + #[cfg(feature = "backend-dilithium")] + BackendId::Custom(Backend::SoftwareDilithium), BackendId::Custom(Backend::Staging), BackendId::Core, - #[cfg(feature = "backend-dilithium")] - BackendId::Custom(Backend::SoftwareDilithium), ] } } From ad1a0deddfc09b125c559c6084b0dc15272d9a0b Mon Sep 17 00:00:00 2001 From: Kyle Kotowick Date: Tue, 1 Oct 2024 03:20:37 +0000 Subject: [PATCH 10/10] Rename features; use local copies of dependencies --- Cargo.lock | 14 ++++---------- Cargo.toml | 14 ++++++++++---- components/apps/Cargo.toml | 8 ++++---- 3 files changed, 18 insertions(+), 18 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index b3bf97af..73043262 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -779,11 +779,12 @@ dependencies = [ [[package]] name = "cosey" version = "0.3.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "39323fe531b92e7acad90b8550b58cec63d29a6c5a56e02de4b25b6aeedbf82e" dependencies = [ + "cfg-if", "heapless-bytes", + "pqcrypto-dilithium", "serde", + "serde-big-array", "serde_repr", ] @@ -880,8 +881,6 @@ dependencies = [ [[package]] name = "ctap-types" version = "0.3.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "bf6a69fe79c279d4e06b0064d25ee7d05f87d55c06e07a1386043bc14bbd5c6d" dependencies = [ "bitflags 1.3.2", "cbor-smol", @@ -1187,7 +1186,6 @@ dependencies = [ [[package]] name = "fido-authenticator" version = "0.1.1" -source = "git+https://github.com/Nitrokey/fido-authenticator.git?tag=v0.1.1-nitrokey.19#0fdecc93df800543aed0f1de0ea0f7178cf93b80" dependencies = [ "apdu-dispatch", "cbor-smol", @@ -3318,6 +3316,7 @@ dependencies = [ "nb 1.1.0", "p256-cortex-m4", "postcard 0.7.3", + "pqcrypto-dilithium", "rand_chacha", "rand_core", "salty", @@ -4008,8 +4007,3 @@ dependencies = [ "quote", "syn 2.0.69", ] - -[[patch.unused]] -name = "ctap-types" -version = "0.2.0" -source = "git+https://github.com/trussed-dev/ctap-types.git?rev=72eb68b61e3f14957c5ab89bd22f776ac860eb62#72eb68b61e3f14957c5ab89bd22f776ac860eb62" diff --git a/Cargo.toml b/Cargo.toml index 8b422d18..4636c49c 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -19,10 +19,9 @@ memory-regions = { path = "components/memory-regions" } # forked admin-app = { git = "https://github.com/Nitrokey/admin-app.git", tag = "v0.1.0-nitrokey.13" } cbor-smol = { git = "https://github.com/Nitrokey/cbor-smol.git", tag = "v0.4.0-nitrokey.4"} -fido-authenticator = { git = "https://github.com/Nitrokey/fido-authenticator.git", tag = "v0.1.1-nitrokey.19" } +#fido-authenticator = { git = "https://github.com/Nitrokey/fido-authenticator.git", tag = "v0.1.1-nitrokey.19" } lpc55-hal = { git = "https://github.com/Nitrokey/lpc55-hal", tag = "v0.3.0-nitrokey.2" } #trussed = { git = "https://github.com/nitrokey/trussed.git", tag = "v0.1.0-nitrokey.21" } -trussed = { path = "../trussed"} # TODO: revert to remote # unreleased upstream changes apdu-dispatch = { git = "https://github.com/Nitrokey/apdu-dispatch.git", tag = "v0.1.2-nitrokey.3" } @@ -32,7 +31,7 @@ littlefs2-sys = { git = "https://github.com/trussed-dev/littlefs2-sys.git", rev usbd-ctaphid = { git = "https://github.com/trussed-dev/usbd-ctaphid.git", rev = "dcff9009c3cd1ef9e5b09f8f307aca998fc9a8c8" } usbd-ccid = { git = "https://github.com/Nitrokey/usbd-ccid", tag = "v0.2.0-nitrokey.1" } p256-cortex-m4 = { git = "https://github.com/ycrypto/p256-cortex-m4.git", rev = "cdb31e12594b4dc1f045b860a885fdc94d96aee2" } -ctap-types = { git = "https://github.com/trussed-dev/ctap-types.git", rev = "72eb68b61e3f14957c5ab89bd22f776ac860eb62" } +#ctap-types = { git = "https://github.com/trussed-dev/ctap-types.git", rev = "72eb68b61e3f14957c5ab89bd22f776ac860eb62" } # unreleased crates secrets-app = { git = "https://github.com/Nitrokey/trussed-secrets-app", tag = "v0.13.0" } @@ -52,7 +51,14 @@ trussed-se050-manage = { git = "https://github.com/Nitrokey/trussed-se050-backen trussed-se050-backend = { git = "https://github.com/Nitrokey/trussed-se050-backend.git", tag ="v0.3.5" } # TODO: revert to remote -trussed-pqc-backend = { path = "../trussed-pqc-backend", optional = true } +trussed = { path = "../trussed"} +# TODO: revert to remote +trussed-pqc-backend = { path = "../trussed-pqc-backend" } +# TODO: delete and uncomment above +ctap-types = { path = "../ctap-types" } +# TODO: delete and uncomment above +fido-authenticator = {path = "../fido-authenticator"} +cosey = { path = "../cosey" } [profile.release] codegen-units = 1 diff --git a/components/apps/Cargo.toml b/components/apps/Cargo.toml index 947b48a2..bf4fedf4 100644 --- a/components/apps/Cargo.toml +++ b/components/apps/Cargo.toml @@ -78,10 +78,10 @@ backend-rsa = ["trussed-rsa-alloc"] # If any of the PQC algorithms are selected for compilation, then the # PQC backend must be included and the corresponding algorithm features # there must be set. -backend-dilithium = ["dep:trussed-pqc-backend"] -backend-dilithium2 = ["backend-dilithium", "trussed-pqc-backend/dilithium2"] -backend-dilithium3 = ["backend-dilithium", "trussed-pqc-backend/dilithium3"] -backend-dilithium5 = ["backend-dilithium", "trussed-pqc-backend/dilithium5"] +backend-pqc = ["dep:trussed-pqc-backend"] +backend-dilithium2 = ["backend-pqc", "trussed-pqc-backend/dilithium2", "fido-authenticator/backend-dilithium2"] +backend-dilithium3 = ["backend-pqc", "trussed-pqc-backend/dilithium3", "fido-authenticator/backend-dilithium3"] +backend-dilithium5 = ["backend-pqc", "trussed-pqc-backend/dilithium5", "fido-authenticator/backend-dilithium5"] log-all = ["admin-app/log-all", "fido-authenticator?/log-all", "secrets-app?/log-all", "webcrypt?/log-all", "opcard?/log-all", "provisioner-app?/log-all"]