Nitrokey · KyleKotowick · Aug 12, 2024 · Aug 12, 2024 · Aug 21, 2024 · Aug 21, 2024
diff --git a/.gitignore b/.gitignore
@@ -46,3 +46,5 @@ utils/nrf-builder/provisioner-nk3am-nrf52-1.2.2.bin
 utils/nrf-builder/provisioner-nk3am-nrf52-1.2.2.hex
 utils/nrf-builder/provisioner-nk3am-nrf52-1.2.2.zip
 utils/nrf-builder/test-certs/
+
+.vscode/
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -21,7 +21,8 @@ admin-app = { git = "https://github.com/Nitrokey/admin-app.git", tag = "v0.1.0-n
 cbor-smol = { git = "https://github.com/Nitrokey/cbor-smol.git", tag = "v0.4.0-nitrokey.4"}
 fido-authenticator = { git = "https://github.com/Nitrokey/fido-authenticator.git", tag = "v0.1.1-nitrokey.19" }
 lpc55-hal = { git = "https://github.com/Nitrokey/lpc55-hal", tag = "v0.3.0-nitrokey.2" }
-trussed = { git = "https://github.com/nitrokey/trussed.git", tag = "v0.1.0-nitrokey.21" }
+#trussed = { git = "https://github.com/nitrokey/trussed.git", tag = "v0.1.0-nitrokey.21" }
+trussed = { path = "../trussed"} # TODO: revert to remote
 
 # unreleased upstream changes
 apdu-dispatch = { git = "https://github.com/Nitrokey/apdu-dispatch.git", tag = "v0.1.2-nitrokey.3" }
@@ -50,6 +51,9 @@ trussed-usbip = { git = "https://github.com/Nitrokey/pc-usbip-runner.git", tag =
 trussed-se050-manage = { git = "https://github.com/Nitrokey/trussed-se050-backend.git", tag = "se050-manage-v0.1.0" }
 trussed-se050-backend = { git = "https://github.com/Nitrokey/trussed-se050-backend.git", tag ="v0.3.5" }
 
+# TODO: revert to remote
+trussed-pqc-backend = { path = "../trussed-pqc-backend", optional = true }
+
 [profile.release]
 codegen-units = 1
 lto = "fat"

diff --git a/components/apps/Cargo.toml b/components/apps/Cargo.toml
@@ -22,6 +22,7 @@ littlefs2 = "0.4"
 # Backends
 trussed-auth = { version = "0.3.0", optional = true }
 trussed-rsa-alloc = { version = "0.2.0", optional = true }
+trussed-pqc-backend = { version = "0.1.0", optional = true }
 trussed-se050-backend = { version = "0.3.0", optional = true }
 trussed-staging = { version = "0.3.0", features = ["wrap-key-to-file", "chunked", "hkdf", "manage", "fs-info"] }
 
@@ -74,6 +75,13 @@ se050 = ["dep:se05x", "trussed-se050-backend", "trussed-se050-manage", "admin-ap
 # backends
 backend-auth = ["trussed-auth"]
 backend-rsa = ["trussed-rsa-alloc"]
+# If any of the PQC algorithms are selected for compilation, then the
+# PQC backend must be included and the corresponding algorithm features
+# there must be set.
+backend-dilithium = ["dep:trussed-pqc-backend"]
+backend-dilithium2 = ["backend-dilithium", "trussed-pqc-backend/dilithium2"]
+backend-dilithium3 = ["backend-dilithium", "trussed-pqc-backend/dilithium3"]
+backend-dilithium5 = ["backend-dilithium", "trussed-pqc-backend/dilithium5"]
 
 log-all = ["admin-app/log-all", "fido-authenticator?/log-all", "secrets-app?/log-all", "webcrypt?/log-all", "opcard?/log-all", "provisioner-app?/log-all"]
 

diff --git a/components/apps/src/dispatch.rs b/components/apps/src/dispatch.rs
@@ -36,6 +36,9 @@ use trussed_auth::{AuthBackend, AuthContext, AuthExtension, MAX_HW_KEY_LEN};
 #[cfg(feature = "backend-rsa")]
 use trussed_rsa_alloc::SoftwareRsa;
 
+#[cfg(feature = "backend-dilithium")]
+use trussed_pqc_backend::SoftwareDilithium;
+
 use trussed_chunked::ChunkedExtension;
 use trussed_fs_info::FsInfoExtension;
 use trussed_hkdf::HkdfExtension;
@@ -225,6 +228,10 @@ impl<T: Twi, D: Delay> ExtensionDispatch for Dispatch<T, D> {
             Backend::HmacSha256P256 => Err(TrussedError::RequestNotAvailable),
             #[cfg(feature = "backend-rsa")]
             Backend::SoftwareRsa => SoftwareRsa.request(&mut ctx.core, &mut (), request, resources),
+            #[cfg(feature = "backend-dilithium")]
+            Backend::SoftwareDilithium => {
+                SoftwareDilithium.request(&mut ctx.core, &mut (), request, resources)
+            }
             Backend::Staging => {
                 self.staging
                     .request(&mut ctx.core, &mut ctx.backends.staging, request, resources)
@@ -274,6 +281,8 @@ impl<T: Twi, D: Delay> ExtensionDispatch for Dispatch<T, D> {
             },
             #[cfg(feature = "backend-rsa")]
             Backend::SoftwareRsa => Err(TrussedError::RequestNotAvailable),
+            #[cfg(feature = "backend-dilithium")]
+            Backend::SoftwareDilithium => Err(TrussedError::RequestNotAvailable),
             Backend::Staging => match extension {
                 Extension::Chunked => {
                     ExtensionImpl::<ChunkedExtension>::extension_request_serialized(
@@ -387,6 +396,8 @@ pub enum Backend {
     HmacSha256P256,
     #[cfg(feature = "backend-rsa")]
     SoftwareRsa,
+    #[cfg(feature = "backend-dilithium")]
+    SoftwareDilithium,
     Staging,
     /// Separate BackendId to prevent non-priviledged apps from accessing the manage Extension
     StagingManage,

diff --git a/components/apps/src/lib.rs b/components/apps/src/lib.rs
@@ -903,7 +903,12 @@ impl<R: Runner> App<R> for FidoApp<R> {
     }
 
     fn backends(_runner: &R, _config: &Self::Config) -> &'static [BackendId<Backend>] {
-        &[BackendId::Custom(Backend::Staging), BackendId::Core]
+        &[
+            BackendId::Custom(Backend::Staging),
+            BackendId::Core,
+            #[cfg(feature = "backend-dilithium")]
+            BackendId::Custom(Backend::SoftwareDilithium),
+        ]
     }
 }