diff --git a/Cargo.lock b/Cargo.lock index 9fa9c84e..2f1d4c85 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -1119,7 +1119,7 @@ checksum = "a357d28ed41a50f9c765dbfe56cbc04a64e53e5fc58ba79fbc34c10ef3df831f" [[package]] name = "encrypted_container" version = "0.1.0" -source = "git+https://github.com/Nitrokey/trussed-secrets-app?rev=5da6f4e278a4b13fadbaacdb30387ccc6a3a9bfa#5da6f4e278a4b13fadbaacdb30387ccc6a3a9bfa" +source = "git+https://github.com/Nitrokey/trussed-secrets-app?rev=6eff6f9ad65df6875fe1eec31cfe34f591cad303#6eff6f9ad65df6875fe1eec31cfe34f591cad303" dependencies = [ "cbor-smol", "delog", @@ -1181,7 +1181,7 @@ dependencies = [ [[package]] name = "fido-authenticator" version = "0.1.1" -source = "git+https://github.com/Nitrokey/fido-authenticator.git?rev=db4a63dd582784c847520136da930f172330ef28#db4a63dd582784c847520136da930f172330ef28" +source = "git+https://github.com/Nitrokey/fido-authenticator.git?tag=v0.1.1-nitrokey.14#db4a63dd582784c847520136da930f172330ef28" dependencies = [ "apdu-dispatch", "ctap-types", @@ -2669,7 +2669,7 @@ dependencies = [ [[package]] name = "secrets-app" version = "0.13.0" -source = "git+https://github.com/Nitrokey/trussed-secrets-app?rev=5da6f4e278a4b13fadbaacdb30387ccc6a3a9bfa#5da6f4e278a4b13fadbaacdb30387ccc6a3a9bfa" +source = "git+https://github.com/Nitrokey/trussed-secrets-app?rev=6eff6f9ad65df6875fe1eec31cfe34f591cad303#6eff6f9ad65df6875fe1eec31cfe34f591cad303" dependencies = [ "apdu-dispatch", "bitflags 2.4.2", @@ -3240,9 +3240,8 @@ dependencies = [ [[package]] name = "trussed-auth" version = "0.3.0" -source = "git+https://github.com/Nitrokey/trussed-auth?rev=f89f8534a88fb1fe96c6ad6e002e6e523e0e7280#f89f8534a88fb1fe96c6ad6e002e6e523e0e7280" +source = "git+https://github.com/Nitrokey/trussed-auth?rev=b792b186378b81e15e1ef9e8d5a08ef0d986e9bb#b792b186378b81e15e1ef9e8d5a08ef0d986e9bb" dependencies = [ - "admin-app", "chacha20poly1305", "hkdf", "hmac", 
@@ -3300,7 +3299,7 @@ dependencies = [ [[package]] name = "trussed-se050-backend" version = "0.3.0" -source = "git+https://github.com/Nitrokey/trussed-se050-backend.git?rev=4158263c4c060be2691cf87ad400187f9ef0b0a3#4158263c4c060be2691cf87ad400187f9ef0b0a3" +source = "git+https://github.com/Nitrokey/trussed-se050-backend.git?rev=d5aee1bcff61dc55bcf87efca10cd58cd06714a0#d5aee1bcff61dc55bcf87efca10cd58cd06714a0" dependencies = [ "admin-app", "cbor-smol",
diff --git a/Cargo.toml b/Cargo.toml
index 0dcf8e57..7a8002de 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -43,12 +43,12 @@ trussed-chunked = { git = "https://github.com/trussed-dev/trussed-staging.git",
 trussed-manage = { git = "https://github.com/trussed-dev/trussed-staging.git", tag = "manage-v0.1.0" }
 trussed-wrap-key-to-file = { git = "https://github.com/trussed-dev/trussed-staging.git", tag = "wrap-key-to-file-v0.1.0" }
 trussed-staging = { git = "https://github.com/trussed-dev/trussed-staging.git", tag = "v0.3.0" }
-trussed-auth = { git = "https://github.com/Nitrokey/trussed-auth", rev = "f89f8534a88fb1fe96c6ad6e002e6e523e0e7280" }
+trussed-auth = { git = "https://github.com/Nitrokey/trussed-auth", rev = "b792b186378b81e15e1ef9e8d5a08ef0d986e9bb" }
 trussed-hkdf = { git = "https://github.com/trussed-dev/trussed-staging.git", tag = "hkdf-v0.2.0" }
 trussed-rsa-alloc = { git = "https://github.com/trussed-dev/trussed-rsa-backend.git", rev = "9732a9a3e98af72112286afdc9b7174c66c2869a" }
 trussed-usbip = { git = "https://github.com/Nitrokey/pc-usbip-runner.git", tag = "v0.0.1-nitrokey.3" }
 trussed-se050-manage = { git = "https://github.com/Nitrokey/trussed-se050-backend.git", tag = "se050-manage-v0.1.0" }
-trussed-se050-backend = { git = "https://github.com/Nitrokey/trussed-se050-backend.git", rev = "4158263c4c060be2691cf87ad400187f9ef0b0a3" }
+trussed-se050-backend = { git = "https://github.com/Nitrokey/trussed-se050-backend.git", rev = "d5aee1bcff61dc55bcf87efca10cd58cd06714a0" }
 [profile.release]
 codegen-units = 1
diff --git a/components/apps/Cargo.toml b/components/apps/Cargo.toml
index 16cdf32d..7f4d899d 100644
--- a/components/apps/Cargo.toml
+++ b/components/apps/Cargo.toml
@@ -67,8 +67,7 @@ webcrypt = ["dep:webcrypt", "backend-auth", "backend-rsa"]
 fido-authenticator = ["dep:fido-authenticator", "usbd-ctaphid"]
 opcard = ["dep:opcard", "backend-rsa", "backend-auth"]
 piv-authenticator = ["dep:piv-authenticator", "backend-rsa", "backend-auth"]
-se050 = ["dep:se05x", "trussed-se050-backend", "trussed-se050-manage", "admin-app/se050", "se050-migration"]
-se050-migration = ["dep:se05x", "trussed-se050-backend"]
+se050 = ["dep:se05x", "trussed-se050-backend", "trussed-se050-manage", "admin-app/se050"]
 # backends
 backend-auth = ["trussed-auth"]
diff --git a/components/apps/src/dispatch.rs b/components/apps/src/dispatch.rs
index 89ffbf71..a773fb73 100644
--- a/components/apps/src/dispatch.rs
+++ b/components/apps/src/dispatch.rs
@@ -39,14 +39,18 @@ use trussed_manage::ManageExtension;
 use trussed_staging::{StagingBackend, StagingContext};
 use trussed_wrap_key_to_file::WrapKeyToFileExtension;
+#[cfg(feature = "backend-auth")]
+use super::migrations::TRUSSED_AUTH_FS_LAYOUT;
+
+#[cfg(feature = "se050")]
+use super::migrations::SE050_BACKEND_FS_LAYOUT;
+
 #[cfg(feature = "webcrypt")]
 use webcrypt::hmacsha256p256::{
 Backend as HmacSha256P256Backend, BackendContext as HmacSha256P256Context,
 HmacSha256P256Extension,
 };
-use crate::migrations::USE_MIGRATIONS;
-
 pub struct Dispatch {
 #[cfg(feature = "backend-auth")]
 auth: AuthBackend,
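Review bot: The two added imports reach the constants through `super::migrations`, whereas the import removed a few lines further down used `crate::migrations`; assuming `dispatch` is declared at the crate root both paths resolve to the same module, but the crate-rooted form, `use crate::migrations::TRUSSED_AUTH_FS_LAYOUT;` and `use crate::migrations::SE050_BACKEND_FS_LAYOUT;`, matches what the file used before and keeps working if `dispatch` is ever nested. Because the imports are now feature-gated, every use has to sit under the same gate. The `AuthBackend::with_hw_key(auth_location, hw_key, TRUSSED_AUTH_FS_LAYOUT)` line in the `-146,7` hunk shows no `#[cfg(feature = "backend-auth")]` inside the hunk, so the enclosing function, which starts outside it, presumably carries the gate; a build with `backend-auth` and `se050` each disabled in turn would confirm that.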
@@ -123,13 +127,19 @@ impl Dispatch {
 let _ = auth_location;
 Self {
 #[cfg(feature = "backend-auth")]
- auth: AuthBackend::new(auth_location, USE_MIGRATIONS),
+ auth: AuthBackend::new(auth_location, TRUSSED_AUTH_FS_LAYOUT),
 #[cfg(feature = "webcrypt")]
 hmacsha256p256: Default::default(),
 staging: build_staging_backend(),
 #[cfg(feature = "se050")]
 se050: se050.map(|driver| {
- Se050Backend::new(driver, auth_location, None, NAMESPACE, USE_MIGRATIONS)
+ Se050Backend::new(
+ driver,
+ auth_location,
+ None,
+ NAMESPACE,
+ SE050_BACKEND_FS_LAYOUT,
+ )
 }),
 #[cfg(not(feature = "se050"))]
 __: Default::default(),
@@ -146,7 +156,7 @@ impl Dispatch {
 // Should the backend really use the same key?
 let hw_key_se050 = hw_key.clone();
 Self {
- auth: AuthBackend::with_hw_key(auth_location, hw_key, USE_MIGRATIONS),
+ auth: AuthBackend::with_hw_key(auth_location, hw_key, TRUSSED_AUTH_FS_LAYOUT),
 #[cfg(feature = "webcrypt")]
 hmacsha256p256: Default::default(),
 staging: build_staging_backend(),
@@ -157,7 +167,7 @@ impl Dispatch {
 auth_location,
 Some(hw_key_se050),
 NAMESPACE,
- USE_MIGRATIONS,
+ SE050_BACKEND_FS_LAYOUT,
 )
 }),
 #[cfg(not(feature = "se050"))]
diff --git a/components/apps/src/lib.rs b/components/apps/src/lib.rs
index 7c5c1299..a3707f99 100644
--- a/components/apps/src/lib.rs
+++ b/components/apps/src/lib.rs
@@ -35,49 +35,7 @@ fn is_default(value: &T) -> bool {
 value == &Default::default()
 }
-#[allow(unused)]
-mod migrations {
- use admin_app::migrations::Migrator;
- use littlefs2::path;
-
- pub(crate) const MIGRATION_VERSION_SPACE_EFFICIENCY: u32 = 1;
-
- /// set to true to enable migrations for trussed-auth and se050-backend
- pub(crate) const USE_MIGRATIONS: bool = false;
-
- // TODO: use when enabling migrations of trussed-auth and se050-backend and of fido-authenticator
- pub(crate) const MIGRATORS: &[Migrator] = &[
- // We first migrate the SE050 since this migration deletes data to make sure that the other
- // migrations succeed even on low block availability
- #[cfg(feature = "se050-migration")]
- Migrator {
- migrate: |ifs, _efs| {
- trussed_se050_backend::migrate::migrate_remove_all_dat(ifs, &[path!("/opcard")])
- },
- version: MIGRATION_VERSION_SPACE_EFFICIENCY,
- },
- #[cfg(feature = "backend-auth")]
- Migrator {
- migrate: |ifs, _efs| {
- trussed_auth::migrate::migrate_remove_dat(
- ifs,
- &[
- path!("opcard"),
- path!("webcrypt"),
- path!("secrets"),
- path!("piv"),
- ],
- )
- },
- version: MIGRATION_VERSION_SPACE_EFFICIENCY,
- },
- Migrator {
- // FIDO migration
- migrate: |_ifs, _efs| todo!("Add fido migration"),
- version: MIGRATION_VERSION_SPACE_EFFICIENCY,
- },
- ];
-}
+mod migrations;
 #[derive(Debug, Default, PartialEq, Deserialize, Serialize)]
 pub struct Config {
diff --git a/components/apps/src/migrations.rs b/components/apps/src/migrations.rs
new file mode 100644
index 00000000..a72b8419
--- /dev/null
+++ b/components/apps/src/migrations.rs
@@ -0,0 +1,63 @@
+#![allow(unused)]
+
+use admin_app::migrations::Migrator;
+use littlefs2::path;
+
+pub(crate) const MIGRATION_VERSION_SPACE_EFFICIENCY: u32 = 1;
+
+#[cfg(feature = "backend-auth")]
+pub(crate) const TRUSSED_AUTH_FS_LAYOUT: trussed_auth::FilesystemLayout =
+ trussed_auth::FilesystemLayout::V0;
+#[cfg(feature = "se050")]
+pub(crate) const SE050_BACKEND_FS_LAYOUT: trussed_se050_backend::FilesystemLayout =
+ trussed_se050_backend::FilesystemLayout::V0;
+
+/// TODO: When enabling the filesystem layout V1, fido-authenticator will also need to be bump and have its migration enabled
+const _: () = {
+ #[cfg(feature = "backend-auth")]
+ assert!(matches!(
+ TRUSSED_AUTH_FS_LAYOUT,
+ trussed_auth::FilesystemLayout::V0
+ ));
+ #[cfg(feature = "se050")]
+ assert!(matches!(
+ SE050_BACKEND_FS_LAYOUT,
+ trussed_se050_backend::FilesystemLayout::V0
+ ));
+ assert!(MIGRATORS.is_empty());
+};
+
+pub(crate) const MIGRATORS: &[Migrator] = &[];
+
+// TODO: use when enabling migrations of trussed-auth and se050-backend and of fido-authenticator
+const _MIGRATORS: &[Migrator] = &[
+ // We first migrate the SE050 since this migration deletes data to make sure that the other
+ // migrations succeed even on low block availability
+ #[cfg(feature = "se050")]
+ Migrator {
+ migrate: |ifs, _efs| {
+ trussed_se050_backend::migrate::migrate_remove_all_dat(ifs, &[path!("/opcard")])
+ },
+ version: MIGRATION_VERSION_SPACE_EFFICIENCY,
+ },
+ #[cfg(feature = "backend-auth")]
+ Migrator {
+ migrate: |ifs, _efs| {
+ trussed_auth::migrate::migrate_remove_dat(
+ ifs,
+ &[
+ path!("opcard"),
+ path!("webcrypt"),
+ path!("secrets"),
+ path!("piv"),
+ ],
+ )
+ },
+ version: MIGRATION_VERSION_SPACE_EFFICIENCY,
+ },
+ Migrator {
+ // FIDO migration
+ migrate: |_ifs, _efs| todo!("Add fido migration"),
+ version: MIGRATION_VERSION_SPACE_EFFICIENCY,
+ },
+];
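Review bot: `#![allow(unused)]` at the top of the new module silences the whole `unused` lint group, which includes `unused_must_use`, so a migrator added here later that drops a filesystem `Result` would compile without a warning. The items that are actually dead are the parked `_MIGRATORS` list and what only it uses, so a narrower `#[allow(dead_code)]` on `_MIGRATORS` and `MIGRATION_VERSION_SPACE_EFFICIENCY`, plus `#[allow(unused_imports)]` on `use littlefs2::path;` (unused when neither feature is on), keeps the other lints live. Inside `_MIGRATORS` the SE050 entry passes `path!("/opcard")` with a leading slash while the trussed-auth entry passes `path!("opcard")`; if both functions expect the same form of client directory one of them will not match and old files would stay in place, so this is worth confirming before the list is enabled. The `/// TODO:` line is a doc comment on an anonymous `const _`, which rustdoc never renders; a plain `// TODO:` with "need to be bumped" reads better.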