kmwebnet/OpenSK
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge branch 'firmware_protection' into env_console

Browse Source
This commit is contained in:
Julien Cretin
2022-03-08 15:02:34 +01:00
parent f09e5a77e8 95ba81b9ed
commit 0acafb107f
28 changed files with 2280 additions and 1883 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
src/env/mod.rs vendored
View File

@@ -3,7 +3,7 @@ use crate::api::upgrade_storage::UpgradeStorage;
use crate::ctap::hid::ChannelID;
use crate::ctap::status_code::Ctap2StatusCode;
use crypto::rng256::Rng256;
use persistent_store::{Storage, StorageResult};
use persistent_store::{Storage, Store};
#[cfg(feature = "std")]
pub mod test;
@@ -27,16 +27,13 @@ pub trait Env {
fn rng(&mut self) -> &mut Self::Rng;
fn user_presence(&mut self) -> &mut Self::UserPresence;
fn store(&mut self) -> &mut Store<Self::Storage>;
/// Returns the unique storage instance.
/// Returns the upgrade storage instance.
///
/// This function is called at most once. Implementation may panic if called more than once.
fn storage(&mut self) -> StorageResult<Self::Storage>;
/// Returns the unique upgrade storage instance.
///
/// This function is called at most once. Implementation may panic if called more than once.
fn upgrade_storage(&mut self) -> StorageResult<Self::UpgradeStorage>;
/// Upgrade storage is optional, so implementations may return `None`. However, implementations
/// should either always return `None` or always return `Some`.
fn upgrade_storage(&mut self) -> Option<&mut Self::UpgradeStorage>;
fn firmware_protection(&mut self) -> &mut Self::FirmwareProtection;

52
src/env/test/mod.rs vendored
View File

@@ -4,13 +4,15 @@ use crate::ctap::hid::ChannelID;
use crate::ctap::status_code::Ctap2StatusCode;
use crate::env::{Env, UserPresence};
use crypto::rng256::ThreadRng256;
use persistent_store::{BufferOptions, BufferStorage, StorageResult};
use persistent_store::{BufferOptions, BufferStorage, Store};
mod upgrade_storage;
pub struct TestEnv {
rng: ThreadRng256,
user_presence: TestUserPresence,
store: Store<BufferStorage>,
upgrade_storage: Option<BufferUpgradeStorage>,
}
pub struct TestUserPresence {
@@ -25,13 +27,40 @@ impl core::fmt::Write for TestWrite {
}
}
fn new_storage() -> BufferStorage {
// Use the Nordic configuration.
const PAGE_SIZE: usize = 0x1000;
const NUM_PAGES: usize = 20;
let store = vec![0xff; NUM_PAGES * PAGE_SIZE].into_boxed_slice();
let options = BufferOptions {
word_size: 4,
page_size: PAGE_SIZE,
max_word_writes: 2,
max_page_erases: 10000,
strict_mode: true,
};
BufferStorage::new(store, options)
}
impl TestEnv {
pub fn new() -> Self {
let rng = ThreadRng256 {};
let user_presence = TestUserPresence {
check: Box::new(|_| Ok(())),
};
TestEnv { rng, user_presence }
let storage = new_storage();
let store = Store::new(storage).ok().unwrap();
let upgrade_storage = Some(BufferUpgradeStorage::new().unwrap());
TestEnv {
rng,
user_presence,
store,
upgrade_storage,
}
}
pub fn disable_upgrade_storage(&mut self) {
self.upgrade_storage = None;
}
}
@@ -69,23 +98,12 @@ impl Env for TestEnv {
&mut self.user_presence
}
fn storage(&mut self) -> StorageResult<Self::Storage> {
// Use the Nordic configuration.
const PAGE_SIZE: usize = 0x1000;
const NUM_PAGES: usize = 20;
let store = vec![0xff; NUM_PAGES * PAGE_SIZE].into_boxed_slice();
let options = BufferOptions {
word_size: 4,
page_size: PAGE_SIZE,
max_word_writes: 2,
max_page_erases: 10000,
strict_mode: true,
};
Ok(BufferStorage::new(store, options))
fn store(&mut self) -> &mut Store<Self::Storage> {
&mut self.store
}
fn upgrade_storage(&mut self) -> StorageResult<Self::UpgradeStorage> {
BufferUpgradeStorage::new()
fn upgrade_storage(&mut self) -> Option<&mut Self::UpgradeStorage> {
self.upgrade_storage.as_mut()
}
fn firmware_protection(&mut self) -> &mut Self::FirmwareProtection {

110
src/env/tock/mod.rs vendored
View File

@@ -1,11 +1,9 @@
use self::storage::{SyscallStorage, SyscallUpgradeStorage};
pub use self::storage::{TockStorage, TockUpgradeStorage};
use crate::api::firmware_protection::FirmwareProtection;
use crate::ctap::hid::{ChannelID, CtapHid, KeepaliveStatus, ProcessedPacket};
use crate::ctap::hid::{ChannelID, CtapHid, CtapHidCommand, KeepaliveStatus, ProcessedPacket};
use crate::ctap::status_code::Ctap2StatusCode;
use crate::env::{Env, UserPresence};
use core::cell::Cell;
#[cfg(feature = "debug_ctap")]
use core::fmt::Write;
use core::sync::atomic::{AtomicBool, Ordering};
use crypto::rng256::TockRng256;
use libtock_core::result::{CommandError, EALREADY};
@@ -14,46 +12,45 @@ use libtock_drivers::console::Console;
use libtock_drivers::result::{FlexUnwrap, TockError};
use libtock_drivers::timer::Duration;
use libtock_drivers::{crp, led, timer, usb_ctap_hid};
use persistent_store::StorageResult;
use persistent_store::{StorageResult, Store};
mod storage;
pub struct TockEnv {
rng: TockRng256,
storage: bool,
upgrade_storage: bool,
store: Store<TockStorage>,
upgrade_storage: Option<TockUpgradeStorage>,
}
impl TockEnv {
/// Returns the unique instance of the Tock environment.
///
/// This function returns `Some` the first time it is called. Afterwards, it repeatedly returns
/// `None`.
pub fn new() -> Option<Self> {
// Make sure the environment was not already taken.
static TAKEN: AtomicBool = AtomicBool::new(false);
if TAKEN.fetch_or(true, Ordering::SeqCst) {
return None;
}
Some(TockEnv {
/// # Panics
///
/// - If called a second time.
pub fn new() -> Self {
// We rely on `take_storage` to ensure that this function is called only once.
let storage = take_storage().unwrap();
let store = Store::new(storage).ok().unwrap();
let upgrade_storage = TockUpgradeStorage::new().ok();
TockEnv {
rng: TockRng256 {},
storage: false,
upgrade_storage: false,
})
store,
upgrade_storage,
}
}
}
/// Creates a new storage instance.
/// Returns the unique storage instance.
///
/// # Safety
/// # Panics
///
/// It is probably technically memory-safe to hame multiple storage instances at the same time, but
/// for extra precaution we mark the function as unsafe. To ensure correct usage, this function
/// should only be called if the previous storage instance was dropped.
// This function is exposed for example binaries testing the hardware. This could probably be
// cleaned up by having the persistent store return its storage.
pub unsafe fn steal_storage() -> StorageResult<SyscallStorage> {
SyscallStorage::new()
/// - If called a second time.
pub fn take_storage() -> StorageResult<TockStorage> {
// Make sure the storage was not already taken.
static TAKEN: AtomicBool = AtomicBool::new(false);
assert!(!TAKEN.fetch_or(true, Ordering::SeqCst));
TockStorage::new()
}
impl UserPresence for TockEnv {
@@ -78,8 +75,8 @@ impl FirmwareProtection for TockEnv {
impl Env for TockEnv {
type Rng = TockRng256;
type UserPresence = Self;
type Storage = SyscallStorage;
type UpgradeStorage = SyscallUpgradeStorage;
type Storage = TockStorage;
type UpgradeStorage = TockUpgradeStorage;
type FirmwareProtection = Self;
type Write = Console;
@@ -91,14 +88,12 @@ impl Env for TockEnv {
self
}
fn storage(&mut self) -> StorageResult<Self::Storage> {
assert_once(&mut self.storage);
unsafe { steal_storage() }
fn store(&mut self) -> &mut Store<Self::Storage> {
&mut self.store
}
fn upgrade_storage(&mut self) -> StorageResult<Self::UpgradeStorage> {
assert_once(&mut self.upgrade_storage);
SyscallUpgradeStorage::new()
fn upgrade_storage(&mut self) -> Option<&mut Self::UpgradeStorage> {
self.upgrade_storage.as_mut()
}
fn firmware_protection(&mut self) -> &mut Self::FirmwareProtection {
@@ -110,69 +105,54 @@ impl Env for TockEnv {
}
}
/// Asserts a boolean is false and sets it to true.
fn assert_once(b: &mut bool) {
assert!(!*b);
*b = true;
}
// Returns whether the keepalive was sent, or false if cancelled.
fn send_keepalive_up_needed(
env: &mut TockEnv,
cid: ChannelID,
timeout: Duration<isize>,
) -> Result<(), Ctap2StatusCode> {
let keepalive_msg = CtapHid::keepalive(env, cid, KeepaliveStatus::UpNeeded);
let keepalive_msg = CtapHid::keepalive(cid, KeepaliveStatus::UpNeeded);
for mut pkt in keepalive_msg {
let status = usb_ctap_hid::send_or_recv_with_timeout(&mut pkt, timeout);
match status {
None => {
#[cfg(feature = "debug_ctap")]
writeln!(Console::new(), "Sending a KEEPALIVE packet timed out").unwrap();
debug_ctap!(env, "Sending a KEEPALIVE packet timed out");
// TODO: abort user presence test?
}
Some(usb_ctap_hid::SendOrRecvStatus::Error) => panic!("Error sending KEEPALIVE packet"),
Some(usb_ctap_hid::SendOrRecvStatus::Sent) => {
#[cfg(feature = "debug_ctap")]
writeln!(Console::new(), "Sent KEEPALIVE packet").unwrap();
debug_ctap!(env, "Sent KEEPALIVE packet");
}
Some(usb_ctap_hid::SendOrRecvStatus::Received) => {
// We only parse one packet, because we only care about CANCEL.
let (received_cid, processed_packet) = CtapHid::process_single_packet(&pkt);
if received_cid != &cid {
#[cfg(feature = "debug_ctap")]
writeln!(
Console::new(),
debug_ctap!(
env,
"Received a packet on channel ID {:?} while sending a KEEPALIVE packet",
received_cid,
)
.unwrap();
);
return Ok(());
}
match processed_packet {
ProcessedPacket::InitPacket { cmd, .. } => {
if cmd == CtapHid::COMMAND_CANCEL {
if cmd == CtapHidCommand::Cancel as u8 {
// We ignore the payload, we can't answer with an error code anyway.
#[cfg(feature = "debug_ctap")]
writeln!(Console::new(), "User presence check cancelled").unwrap();
debug_ctap!(env, "User presence check cancelled");
return Err(Ctap2StatusCode::CTAP2_ERR_KEEPALIVE_CANCEL);
} else {
#[cfg(feature = "debug_ctap")]
writeln!(
Console::new(),
debug_ctap!(
env,
"Discarded packet with command {} received while sending a KEEPALIVE packet",
cmd,
)
.unwrap();
);
}
}
ProcessedPacket::ContinuationPacket { .. } => {
#[cfg(feature = "debug_ctap")]
writeln!(
Console::new(),
debug_ctap!(
env,
"Discarded continuation packet received while sending a KEEPALIVE packet",
)
.unwrap();
);
}
}
}

20
src/env/tock/storage.rs vendored
View File

@@ -115,7 +115,7 @@ fn erase_page(ptr: usize, page_length: usize) -> StorageResult<()> {
block_command(DRIVER_NUMBER, command_nr::ERASE_PAGE, ptr, page_length)
}
pub struct SyscallStorage {
pub struct TockStorage {
word_size: usize,
page_size: usize,
num_pages: usize,
@@ -124,7 +124,7 @@ pub struct SyscallStorage {
storage_locations: Vec<&'static [u8]>,
}
impl SyscallStorage {
impl TockStorage {
/// Provides access to the embedded flash if available.
///
/// # Errors
@@ -134,8 +134,8 @@ impl SyscallStorage {
/// - The page size is a power of two.
/// - The page size is a multiple of the word size.
/// - The storage is page-aligned.
pub fn new() -> StorageResult<SyscallStorage> {
let mut syscall = SyscallStorage {
pub fn new() -> StorageResult<TockStorage> {
let mut syscall = TockStorage {
word_size: get_info(command_nr::get_info_nr::WORD_SIZE, 0)?,
page_size: get_info(command_nr::get_info_nr::PAGE_SIZE, 0)?,
num_pages: 0,
@@ -175,7 +175,7 @@ impl SyscallStorage {
}
}
impl Storage for SyscallStorage {
impl Storage for TockStorage {
fn word_size(&self) -> usize {
self.word_size
}
@@ -217,13 +217,13 @@ impl Storage for SyscallStorage {
}
}
pub struct SyscallUpgradeStorage {
pub struct TockUpgradeStorage {
page_size: usize,
partition: ModRange,
metadata: ModRange,
}
impl SyscallUpgradeStorage {
impl TockUpgradeStorage {
/// Provides access to the other upgrade partition and metadata if available.
///
/// The implementation assumes that storage locations returned by the kernel through
@@ -238,8 +238,8 @@ impl SyscallUpgradeStorage {
/// Returns a `NotAligned` error if partitions or metadata ranges are
/// - not exclusive or,
/// - not consecutive.
pub fn new() -> StorageResult<SyscallUpgradeStorage> {
let mut locations = SyscallUpgradeStorage {
pub fn new() -> StorageResult<TockUpgradeStorage> {
let mut locations = TockUpgradeStorage {
page_size: get_info(command_nr::get_info_nr::PAGE_SIZE, 0)?,
partition: ModRange::new_empty(),
metadata: ModRange::new_empty(),
@@ -287,7 +287,7 @@ impl SyscallUpgradeStorage {
}
}
impl UpgradeStorage for SyscallUpgradeStorage {
impl UpgradeStorage for TockUpgradeStorage {
fn read_partition(&self, offset: usize, length: usize) -> StorageResult<&[u8]> {
if length == 0 {
return Err(StorageError::OutOfBounds);