
Move certs and lock to data #331

Merged
merged 9 commits into master
Oct 27, 2019

Conversation

conorpp
Member

@conorpp conorpp commented Oct 27, 2019

This update fully separates the "hacker" and "secure" state differences to not be compiled into the application, and stored as separate data. So builds after this point do not need to be separated into "secure" and "hacker" builds. The main motivation for this is to simplify the update procedure.

The bootloader, however, is unchanged. It needs to have two separate builds for checking signatures or not, which is fine since it's not included in the Solo update.

Two main changes to make this work:

  • Attestation certificate is moved into one of the data flash pages. To make sure the correct certificate is migrated (solo vs hacker), the currently stored attestation key is checked if it's a hacker, and assumed to be secure if it's not.
  • Lock/secure setting of the device is moved to a variable in data flash page. The value of the current option bytes setting is gathered from the STM option bytes. We could just use the STM option bytes, but it's best to additionally store the flag elsewhere and check that STM option bytes are configured correctly at boot.

To pair with these changes, the "bundle" builds will be configured to store the certificate and lock information, WIP.
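The migration and boot-time check described in the description above, as an added example in C that is not Solo's own code: it models a data page holding the attestation certificate and the lock flag, fills it once from the currently programmed attestation key and the live option bytes, and then cross-checks the stored flag against the option bytes on every boot. The page layout, the 32-byte stand-in for the hacker key, the certificate bytes and every function name are assumptions for illustration; only the RDP byte encoding (0xAA is level 0, 0xCC is level 2, any other value is level 1) is taken from the STM32 option-byte format.

```c
/* Added example, not Solo's code. Models the two pieces of state the PR moves
 * into a data flash page, the one-time migration that fills them, and the
 * boot-time cross-check against the STM32 option bytes. All names, the key,
 * the certificate bytes and the page layout are made up for illustration. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define RDP_LEVEL0 0xAAu   /* STM32: no readout protection, debugger can read flash */
#define RDP_LEVEL2 0xCCu   /* STM32: permanent readout protection, irreversible */

typedef struct {
    uint32_t magic;        /* hypothetical marker: page has been migrated */
    uint8_t  is_locked;    /* 1 = "secure" device, 0 = "hacker" device */
    uint32_t cert_len;
    uint8_t  cert[128];    /* attestation certificate (truncated stand-in) */
} data_page_t;

#define DATA_PAGE_MAGIC 0x4C4F434Bu   /* arbitrary */

/* Constructed stand-ins. A real device compares against the public hacker
 * attestation key that every hacker build ships with. */
static const uint8_t HACKER_KEY[32] = {
    0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88,
    0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff, 0x00,
    0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88,
    0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff, 0x00 };
static const uint8_t HACKER_CERT[] = "CERT:hacker";
static const uint8_t SECURE_CERT[] = "CERT:secure";

typedef enum {
    LOCK_OK = 0,                 /* flag and option bytes agree */
    LOCK_FLAG_SET_CHIP_OPEN,     /* page says locked, RDP still level 0 */
    LOCK_FLAG_CLEAR_CHIP_LOCKED  /* chip is protected, page says hacker */
} lock_status_t;

/* Migration step 1: the device only knows it is a hacker build if the
 * programmed attestation key is the public hacker key; any other key is
 * assumed to be a per-device secure key. Returns 0 for hacker, 1 for secure. */
int migrate_attestation(const uint8_t key[32], data_page_t *page)
{
    int is_hacker = (memcmp(key, HACKER_KEY, 32) == 0);
    const uint8_t *src = is_hacker ? HACKER_CERT : SECURE_CERT;
    page->cert_len = is_hacker ? sizeof HACKER_CERT : sizeof SECURE_CERT;
    memcpy(page->cert, src, page->cert_len);
    page->magic = DATA_PAGE_MAGIC;
    return !is_hacker;
}

/* Migration step 2: derive the stored flag from the live option bytes.
 * Level 1 and level 2 both block debugger readout, so anything but level 0
 * counts as locked. */
int migrate_lock_flag(data_page_t *page, uint8_t rdp)
{
    page->is_locked = (rdp != RDP_LEVEL0);
    return page->is_locked;
}

/* Every boot: the redundant flag must agree with the option bytes. Either
 * direction of mismatch is a reason to refuse to run as a "secure" device. */
lock_status_t check_lock_consistency(uint8_t stored_flag, uint8_t rdp)
{
    int chip_locked = (rdp != RDP_LEVEL0);
    if (stored_flag && !chip_locked)  return LOCK_FLAG_SET_CHIP_OPEN;
    if (!stored_flag && chip_locked)  return LOCK_FLAG_CLEAR_CHIP_LOCKED;
    return LOCK_OK;
}

/* Walks the migration for a hacker and a secure device, then the boot check
 * in the agreeing and disagreeing cases. Returns 1 if every case behaves. */
int selftest(void)
{
    data_page_t hacker = {0}, secure = {0};
    uint8_t per_device_key[32];
    memset(per_device_key, 0x5a, sizeof per_device_key); /* constructed, not the hacker key */

    int ok = 1;
    ok &= migrate_attestation(HACKER_KEY, &hacker) == 0;
    ok &= memcmp(hacker.cert, HACKER_CERT, hacker.cert_len) == 0;
    ok &= migrate_attestation(per_device_key, &secure) == 1;
    ok &= memcmp(secure.cert, SECURE_CERT, secure.cert_len) == 0;

    ok &= migrate_lock_flag(&hacker, RDP_LEVEL0) == 0;
    ok &= migrate_lock_flag(&secure, RDP_LEVEL2) == 1;

    ok &= check_lock_consistency(hacker.is_locked, RDP_LEVEL0) == LOCK_OK;
    ok &= check_lock_consistency(secure.is_locked, RDP_LEVEL2) == LOCK_OK;
    /* flag claims locked but the chip never received RDP: provisioning error
     * or a flag copied from another device */
    ok &= check_lock_consistency(1, RDP_LEVEL0) == LOCK_FLAG_SET_CHIP_OPEN;
    ok &= check_lock_consistency(0, RDP_LEVEL2) == LOCK_FLAG_CLEAR_CHIP_LOCKED;
    return ok;
}

int main(void)
{
    printf("selftest: %s\n", selftest() ? "pass" : "FAIL");
    return 0;
}
```

Treating both directions of mismatch as an error is the point of keeping the redundant flag: a page that says "locked" on a chip whose option bytes still read 0xAA would present the secure certificate without the readout protection that claim depends on, and a protected chip whose page says "hacker" indicates a stale or corrupt data page rather than a genuinely unlocked device.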

@conorpp conorpp merged commit a1a79b0 into master Oct 27, 2019
@@ -745,16 +741,21 @@ uint8_t ctaphid_custom_command(int len, CTAP_RESPONSE * ctap_resp, CTAPHID_WRITE

case CTAPHID_GETVERSION:
printf1(TAG_HID,"CTAPHID_GETVERSION\n");
wb->bcnt = 3;
wb->bcnt = 4;
ctap_buffer[0] = SOLO_VERSION_MAJ;
ctap_buffer[1] = SOLO_VERSION_MIN;
ctap_buffer[2] = SOLO_VERSION_PATCH;
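Review bot: the response length grows from 3 to 4 (wb->bcnt = 4), but the excerpt shows only ctap_buffer[0], [1] and [2] being assigned; make sure ctap_buffer[3] is written before the buffer is sent, otherwise the fourth byte is whatever was left in the shared buffer from a previous command. Since the discussion below settles on answering CTAPHID_GETVERSION without a button press, any stale byte there is readable by every local process that can open the HID interface. A length change on an existing command is also a wire-format change, so the new byte and its meaning should be documented so hosts can accept both the 3-byte and 4-byte replies.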
Contributor

Correct me if I am wrong, but I believe any site can call this command. Is it button-guarded? If not, then it would be nice to add such user confirmation to avoid providing additional data for fingerprinting.

Member Author

Websites cannot issue HID commands through FIDO API. It is potentially additional info for fingerprinting. Its main use is to silently tell if the device needs a firmware update, so requiring a button press would hamper the UX. I'm for keeping it silent.

Contributor

Let's move the further conversation to #339.
