forked from trezor/trezor-firmware
-
Notifications
You must be signed in to change notification settings - Fork 0
/
storage.c
1767 lines (1516 loc) · 53.4 KB
/
storage.c
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
/*
* This file is part of the Trezor project, https://trezor.io/
*
* Copyright (c) SatoshiLabs
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
#include <assert.h>
#include <string.h>
#include "chacha20poly1305/rfc7539.h"
#include "common.h"
#include "hmac.h"
#include "memzero.h"
#include "norcow.h"
#include "pbkdf2.h"
#include "rand.h"
#include "random_delays.h"
#include "sha2.h"
#include "storage.h"
#include "storage_utils.h"
#include "time_estimate.h"
#if USE_OPTIGA
#include "optiga.h"
#endif
#ifdef STM32U5
#include "secure_aes.h"
#endif
// The APP namespace which is reserved for storage related values.
#define APP_STORAGE 0x00
// Norcow storage keys.
// PIN entry log and PIN success log.
#define PIN_LOGS_KEY ((APP_STORAGE << 8) | 0x01)
// Combined salt, EDEK, ESAK and PIN verification code entry.
#define EDEK_PVC_KEY ((APP_STORAGE << 8) | 0x02)
// PIN set flag.
#define PIN_NOT_SET_KEY ((APP_STORAGE << 8) | 0x03)
// Authenticated storage version.
// NOTE: This should equal the norcow version unless an upgrade is in progress.
#define VERSION_KEY ((APP_STORAGE << 8) | 0x04)
// Storage authentication tag.
#define STORAGE_TAG_KEY ((APP_STORAGE << 8) | 0x05)
// Wipe code data. Introduced in storage version 2.
#define WIPE_CODE_DATA_KEY ((APP_STORAGE << 8) | 0x06)
// Storage upgrade flag. Introduced in storage version 2.
#define STORAGE_UPGRADED_KEY ((APP_STORAGE << 8) | 0x07)
// Unauthenticated storage version. Introduced in storage version 3.
// NOTE: This should always equal the value in VERSION_KEY.
#define UNAUTH_VERSION_KEY ((APP_STORAGE << 8) | 0x08)
// The PIN value corresponding to an empty PIN.
const uint8_t *PIN_EMPTY = (const uint8_t *)"";
// The uint32 representation of an empty PIN, used prior to storage version 3.
const uint32_t V0_PIN_EMPTY = 1;
// Maximum number of PIN digits allowed prior to storage version 3.
#define V0_MAX_PIN_LEN 9
// Maximum length of the wipe code.
// Some limit should be imposed on the length, because the wipe code takes up
// storage space proportional to the length, as opposed to the PIN, which takes
// up constant storage space.
#define MAX_WIPE_CODE_LEN 50
// The total number of iterations to use in PBKDF2.
#define PIN_ITER_COUNT 20000
// The minimum number of milliseconds between progress updates.
#define MIN_PROGRESS_UPDATE_MS 100
// The length of the hashed hardware salt in bytes.
#define HARDWARE_SALT_SIZE SHA256_DIGEST_LENGTH
// The length of the data encryption key in bytes.
#define DEK_SIZE 32
// The length of the storage authentication key in bytes.
#define SAK_SIZE 16
// The combined length of the data encryption key and the storage authentication
// key in bytes.
#define KEYS_SIZE (DEK_SIZE + SAK_SIZE)
// The length of the PIN verification code in bytes.
#define PVC_SIZE 8
// The length of the storage authentication tag in bytes.
#define STORAGE_TAG_SIZE 16
// The length of the Poly1305 authentication tag in bytes.
#define POLY1305_TAG_SIZE 16
// The length of the ChaCha20 IV (aka nonce) in bytes as per RFC 7539.
#define CHACHA20_IV_SIZE 12
// The length of the ChaCha20 block in bytes.
#define CHACHA20_BLOCK_SIZE 64
// The byte length of the salt used in checking the wipe code.
#define WIPE_CODE_SALT_SIZE 8
// The byte length of the tag used in checking the wipe code.
#define WIPE_CODE_TAG_SIZE 8
// The value corresponding to an unconfigured wipe code.
// NOTE: This is intentionally different from an empty PIN so that we don't need
// special handling when both the PIN and wipe code are not set.
const uint8_t WIPE_CODE_EMPTY[] = {0, 0, 0, 0};
#define WIPE_CODE_EMPTY_LEN 4
// The uint32 representation of an empty wipe code used in storage version 2.
#define V2_WIPE_CODE_EMPTY 0
CONFIDENTIAL static secbool initialized = secfalse;
CONFIDENTIAL static secbool unlocked = secfalse;
static PIN_UI_WAIT_CALLBACK ui_callback = NULL;
static uint32_t ui_total = 0;
static uint32_t ui_begin = 0;
static uint32_t ui_next_update = 0;
static enum storage_ui_message_t ui_message = NO_MSG;
CONFIDENTIAL static uint8_t cached_keys[KEYS_SIZE] = {0};
CONFIDENTIAL static uint8_t *const cached_dek = cached_keys;
CONFIDENTIAL static uint8_t *const cached_sak = cached_keys + DEK_SIZE;
CONFIDENTIAL uint8_t authentication_sum[SHA256_DIGEST_LENGTH] = {0};
CONFIDENTIAL static uint8_t hardware_salt[HARDWARE_SALT_SIZE] = {0};
CONFIDENTIAL static uint32_t norcow_active_version = 0;
static const uint8_t TRUE_BYTE = 0x01;
static const uint8_t FALSE_BYTE = 0x00;
static const uint32_t TRUE_WORD = 0xC35A69A5;
static const uint32_t FALSE_WORD = 0x3CA5965A;
static void __handle_fault(const char *msg, const char *file, int line);
#define handle_fault(msg) (__handle_fault(msg, __FILE_NAME__, __LINE__))
static uint32_t pin_to_int(const uint8_t *pin, size_t pin_len);
static secbool storage_upgrade(void);
static secbool storage_upgrade_unlocked(const uint8_t *pin, size_t pin_len,
const uint8_t *ext_salt);
static secbool storage_set_encrypted(const uint16_t key, const void *val,
const uint16_t len);
static secbool storage_get_encrypted(const uint16_t key, void *val_dest,
const uint16_t max_len, uint16_t *len);
#include "flash.h"
#ifdef FLASH_BIT_ACCESS
#include "pinlogs_bitwise.h"
#else
#include "pinlogs_blockwise.h"
#endif
static secbool secequal(const void *ptr1, const void *ptr2, size_t n) {
const uint8_t *p1 = ptr1;
const uint8_t *p2 = ptr2;
uint8_t diff = 0;
size_t i = 0;
for (i = 0; i < n; ++i) {
diff |= *p1 ^ *p2;
++p1;
++p2;
}
// Check loop completion in case of a fault injection attack.
if (i != n) {
handle_fault("loop completion check");
}
return diff ? secfalse : sectrue;
}
static secbool secequal32(const void *ptr1, const void *ptr2, size_t n) {
assert(n % sizeof(uint32_t) == 0);
assert((uintptr_t)ptr1 % sizeof(uint32_t) == 0);
assert((uintptr_t)ptr2 % sizeof(uint32_t) == 0);
size_t wn = n / sizeof(uint32_t);
const uint32_t *p1 = (const uint32_t *)ptr1;
const uint32_t *p2 = (const uint32_t *)ptr2;
uint32_t diff = 0;
size_t i = 0;
for (i = 0; i < wn; ++i) {
uint32_t mask = random32();
diff |= (*p1 + mask - *p2) ^ mask;
++p1;
++p2;
}
// Check loop completion in case of a fault injection attack.
if (i != wn) {
handle_fault("loop completion check");
}
return diff ? secfalse : sectrue;
}
static secbool is_protected(uint16_t key) {
const uint8_t app = key >> 8;
return ((app & FLAG_PUBLIC) == 0 && app != APP_STORAGE) ? sectrue : secfalse;
}
/*
* Initialize the storage authentication tag for freshly wiped storage.
*/
static secbool auth_init(void) {
uint8_t tag[SHA256_DIGEST_LENGTH] = {0};
memzero(authentication_sum, sizeof(authentication_sum));
hmac_sha256(cached_sak, SAK_SIZE, authentication_sum,
sizeof(authentication_sum), tag);
return norcow_set(STORAGE_TAG_KEY, tag, STORAGE_TAG_SIZE);
}
/*
* Update the storage authentication tag with the given key.
*/
static secbool auth_update(uint16_t key) {
if (sectrue != is_protected(key)) {
return sectrue;
}
uint8_t tag[SHA256_DIGEST_LENGTH] = {0};
hmac_sha256(cached_sak, SAK_SIZE, (uint8_t *)&key, sizeof(key), tag);
for (uint32_t i = 0; i < SHA256_DIGEST_LENGTH; i++) {
authentication_sum[i] ^= tag[i];
}
hmac_sha256(cached_sak, SAK_SIZE, authentication_sum,
sizeof(authentication_sum), tag);
return norcow_set(STORAGE_TAG_KEY, tag, STORAGE_TAG_SIZE);
}
/*
* A secure version of norcow_set(), which updates the storage authentication
* tag.
*/
static secbool auth_set(uint16_t key, const void *val, uint16_t len) {
secbool found = secfalse;
secbool ret = norcow_set_ex(key, val, len, &found);
if (sectrue == ret && secfalse == found) {
ret = auth_update(key);
if (sectrue != ret) {
norcow_delete(key);
}
}
return ret;
}
/*
* A secure version of norcow_get(), which checks the storage authentication
* tag.
*/
static secbool auth_get(uint16_t key, const void **val, uint16_t *len) {
*val = NULL;
*len = 0;
uint32_t sum[SHA256_DIGEST_LENGTH / sizeof(uint32_t)] = {0};
// Prepare inner and outer digest.
uint32_t odig[SHA256_DIGEST_LENGTH / sizeof(uint32_t)] = {0};
uint32_t idig[SHA256_DIGEST_LENGTH / sizeof(uint32_t)] = {0};
hmac_sha256_prepare(cached_sak, SAK_SIZE, odig, idig);
// Prepare SHA-256 message padding.
uint32_t g[SHA256_BLOCK_LENGTH / sizeof(uint32_t)] = {0};
uint32_t h[SHA256_BLOCK_LENGTH / sizeof(uint32_t)] = {0};
g[15] = (SHA256_BLOCK_LENGTH + 2) * 8;
h[15] = (SHA256_BLOCK_LENGTH + SHA256_DIGEST_LENGTH) * 8;
h[8] = 0x80000000;
uint32_t offset = 0;
uint16_t k = 0;
uint16_t l = 0;
uint16_t tag_len = 0;
uint16_t entry_count = 0; // Mitigation against fault injection.
uint16_t other_count = 0; // Mitigation against fault injection.
const void *v = NULL;
const void *tag_val = NULL;
while (sectrue == norcow_get_next(&offset, &k, &v, &l)) {
++entry_count;
if (k == key) {
*val = v;
*len = l;
} else {
++other_count;
}
if (sectrue != is_protected(k)) {
if (k == STORAGE_TAG_KEY) {
tag_val = v;
tag_len = l;
}
continue;
}
g[0] = (((uint32_t)k & 0xff) << 24) | (((uint32_t)k & 0xff00) << 8) |
0x8000; // Add SHA message padding.
sha256_Transform(idig, g, h);
sha256_Transform(odig, h, h);
for (uint32_t i = 0; i < SHA256_DIGEST_LENGTH / sizeof(uint32_t); i++) {
sum[i] ^= h[i];
}
}
memcpy(h, sum, sizeof(sum));
sha256_Transform(idig, h, h);
sha256_Transform(odig, h, h);
memzero(odig, sizeof(odig));
memzero(idig, sizeof(idig));
// Cache the authentication sum.
for (size_t i = 0; i < SHA256_DIGEST_LENGTH / sizeof(uint32_t); i++) {
#if BYTE_ORDER == LITTLE_ENDIAN
REVERSE32(sum[i], ((uint32_t *)authentication_sum)[i]);
#else
((uint32_t *)authentication_sum)[i] = sum[i];
#endif
}
// Check loop completion in case of a fault injection attack.
if (secfalse != norcow_get_next(&offset, &k, &v, &l)) {
handle_fault("loop completion check");
}
// Check storage authentication tag.
#if BYTE_ORDER == LITTLE_ENDIAN
for (size_t i = 0; i < SHA256_DIGEST_LENGTH / sizeof(uint32_t); i++) {
REVERSE32(h[i], h[i]);
}
#endif
if (tag_val == NULL || tag_len != STORAGE_TAG_SIZE ||
sectrue != secequal(h, tag_val, STORAGE_TAG_SIZE)) {
handle_fault("storage tag check");
}
if (*val == NULL) {
// Check for fault injection.
if (other_count != entry_count) {
handle_fault("sanity check");
}
return secfalse;
}
return sectrue;
}
static secbool set_wipe_code(const uint8_t *wipe_code, size_t wipe_code_len) {
if (wipe_code_len > MAX_WIPE_CODE_LEN ||
wipe_code_len > UINT16_MAX - WIPE_CODE_SALT_SIZE - WIPE_CODE_TAG_SIZE) {
return secfalse;
}
if (wipe_code_len == 0) {
// This is to avoid having to check pin != PIN_EMPTY when checking the wipe
// code.
wipe_code = WIPE_CODE_EMPTY;
wipe_code_len = WIPE_CODE_EMPTY_LEN;
}
// The format of the WIPE_CODE_DATA_KEY entry is:
// wipe code (variable), random salt (8 bytes), authentication tag (8 bytes)
// NOTE: We allocate extra space for the HMAC result.
uint8_t data[(MAX_WIPE_CODE_LEN + WIPE_CODE_SALT_SIZE +
SHA256_DIGEST_LENGTH)] = {0};
uint8_t *salt = data + wipe_code_len;
uint8_t *tag = salt + WIPE_CODE_SALT_SIZE;
memcpy(data, wipe_code, wipe_code_len);
random_buffer(salt, WIPE_CODE_SALT_SIZE);
hmac_sha256(salt, WIPE_CODE_SALT_SIZE, wipe_code, wipe_code_len, tag);
secbool ret =
norcow_set(WIPE_CODE_DATA_KEY, data,
wipe_code_len + WIPE_CODE_SALT_SIZE + WIPE_CODE_TAG_SIZE);
memzero(data, sizeof(data));
return ret;
}
static secbool is_not_wipe_code(const uint8_t *pin, size_t pin_len) {
uint8_t salt[WIPE_CODE_SALT_SIZE] = {0};
uint8_t stored_tag[WIPE_CODE_TAG_SIZE] = {0};
uint8_t computed_tag1[SHA256_DIGEST_LENGTH] = {0};
uint8_t computed_tag2[SHA256_DIGEST_LENGTH] = {0};
// Read the wipe code data from the storage.
const void *wipe_code_data = NULL;
uint16_t len = 0;
if (sectrue != norcow_get(WIPE_CODE_DATA_KEY, &wipe_code_data, &len) ||
len <= WIPE_CODE_SALT_SIZE + WIPE_CODE_TAG_SIZE) {
handle_fault("no wipe code");
return secfalse;
}
const uint8_t *wipe_code = (const uint8_t *)wipe_code_data;
size_t wipe_code_len = len - WIPE_CODE_SALT_SIZE - WIPE_CODE_TAG_SIZE;
memcpy(salt, (uint8_t *)wipe_code_data + wipe_code_len, sizeof(salt));
memcpy(stored_tag,
(uint8_t *)wipe_code_data + wipe_code_len + WIPE_CODE_SALT_SIZE,
sizeof(stored_tag));
// Check integrity in case of flash read manipulation attack.
hmac_sha256(salt, WIPE_CODE_SALT_SIZE, wipe_code, wipe_code_len,
computed_tag1);
if (sectrue != secequal(stored_tag, computed_tag1, sizeof(stored_tag))) {
handle_fault("wipe code tag");
return secfalse;
}
// Prepare the authentication tag of the entered PIN.
wait_random();
hmac_sha256(salt, WIPE_CODE_SALT_SIZE, pin, pin_len, computed_tag1);
// Recompute to check for fault injection attack.
wait_random();
hmac_sha256(salt, WIPE_CODE_SALT_SIZE, pin, pin_len, computed_tag2);
memzero(salt, sizeof(salt));
if (sectrue !=
secequal(computed_tag1, computed_tag2, sizeof(computed_tag1))) {
handle_fault("wipe code fault");
return secfalse;
}
// Compare wipe code with the entered PIN via the authentication tag.
wait_random();
if (secfalse != secequal(stored_tag, computed_tag1, sizeof(stored_tag))) {
return secfalse;
}
memzero(stored_tag, sizeof(stored_tag));
return sectrue;
}
static uint32_t ui_estimate_time_ms(storage_pin_op_t op) {
uint32_t time_ms = 0;
#if USE_OPTIGA
time_ms += optiga_estimate_time_ms(op);
#endif
uint32_t pbkdf2_ms = time_estimate_pbkdf2_ms(PIN_ITER_COUNT);
switch (op) {
case STORAGE_PIN_OP_SET:
case STORAGE_PIN_OP_VERIFY:
time_ms += pbkdf2_ms;
break;
case STORAGE_PIN_OP_CHANGE:
time_ms += 2 * pbkdf2_ms;
break;
default:
return 1;
}
return time_ms;
}
static void ui_progress_init(storage_pin_op_t op) {
ui_total = ui_estimate_time_ms(op);
ui_next_update = 0;
}
static void ui_progress_add(uint32_t added_ms) { ui_total += added_ms; }
static secbool ui_progress(void) {
uint32_t now = hal_ticks_ms();
if (ui_callback == NULL || ui_message == 0 || now < ui_next_update) {
return secfalse;
}
// The UI dialog is initialized by calling ui_callback() with progress = 0. If
// this is the first call, i.e. ui_next_update == 0, then make sure that
// progress comes out exactly 0.
if (ui_next_update == 0) {
ui_begin = now;
}
ui_next_update = now + MIN_PROGRESS_UPDATE_MS;
uint32_t ui_elapsed = now - ui_begin;
// Round the remaining time to the nearest second.
uint32_t ui_rem_sec = (ui_total - ui_elapsed + 500) / 1000;
#ifndef TREZOR_EMULATOR
uint32_t progress = 0;
if (ui_total < 1000000) {
progress = 1000 * ui_elapsed / ui_total;
} else {
// Avoid uint32 overflow. Precise enough.
progress = ui_elapsed / (ui_total / 1000);
}
#else
// In the emulator we derive the progress from the number of remaining seconds
// to avoid flaky UI tests.
uint32_t ui_total_sec = (ui_total + 500) / 1000;
uint32_t progress = 1000 - 1000 * ui_rem_sec / ui_total_sec;
#endif
// Avoid reaching progress = 1000 or overflowing the total time, since calling
// ui_callback() with progress = 1000 terminates the UI dialog.
if (progress >= 1000) {
progress = 999;
ui_elapsed = ui_total;
}
return ui_callback(ui_rem_sec, progress, ui_message);
}
static void ui_progress_finish(void) {
// The UI dialog is terminated by calling ui_callback() with progress = 1000.
if (ui_callback != NULL && ui_message != 0) {
ui_callback(0, 1000, ui_message);
}
}
#if !USE_OPTIGA
static void derive_kek_v4(const uint8_t *pin, size_t pin_len,
const uint8_t *storage_salt, const uint8_t *ext_salt,
uint8_t kek[SHA256_DIGEST_LENGTH],
uint8_t keiv[SHA256_DIGEST_LENGTH]) {
// Legacy PIN verification method used in storage versions 1, 2, 3 and 4.
uint8_t salt[HARDWARE_SALT_SIZE + STORAGE_SALT_SIZE + EXTERNAL_SALT_SIZE] = {
0};
size_t salt_len = 0;
memcpy(salt + salt_len, hardware_salt, HARDWARE_SALT_SIZE);
salt_len += HARDWARE_SALT_SIZE;
memcpy(salt + salt_len, storage_salt, STORAGE_SALT_SIZE);
salt_len += STORAGE_SALT_SIZE;
if (ext_salt != NULL) {
memcpy(salt + salt_len, ext_salt, EXTERNAL_SALT_SIZE);
salt_len += EXTERNAL_SALT_SIZE;
}
PBKDF2_HMAC_SHA256_CTX ctx = {0};
pbkdf2_hmac_sha256_Init(&ctx, pin, pin_len, salt, salt_len, 1);
for (int i = 1; i <= 5; i++) {
pbkdf2_hmac_sha256_Update(&ctx, PIN_ITER_COUNT / 10);
ui_progress();
}
#ifdef STM32U5
uint8_t pre_kek[SHA256_DIGEST_LENGTH] = {0};
pbkdf2_hmac_sha256_Final(&ctx, pre_kek);
ensure(secure_aes_ecb_encrypt_hw(pre_kek, SHA256_DIGEST_LENGTH, kek,
SECURE_AES_KEY_XORK),
"secure_aes derive kek failed");
memzero(pre_kek, sizeof(pre_kek));
#else
pbkdf2_hmac_sha256_Final(&ctx, kek);
#endif
pbkdf2_hmac_sha256_Init(&ctx, pin, pin_len, salt, salt_len, 2);
for (int i = 6; i <= 10; i++) {
pbkdf2_hmac_sha256_Update(&ctx, PIN_ITER_COUNT / 10);
ui_progress();
}
pbkdf2_hmac_sha256_Final(&ctx, keiv);
memzero(&ctx, sizeof(PBKDF2_HMAC_SHA256_CTX));
memzero(&salt, sizeof(salt));
}
#endif
static void stretch_pin(const uint8_t *pin, size_t pin_len,
const uint8_t storage_salt[STORAGE_SALT_SIZE],
const uint8_t *ext_salt,
uint8_t stretched_pin[SHA256_DIGEST_LENGTH]) {
// Combining the PIN with the storage salt aims to ensure that if the
// MCU-Optiga communication is compromised, then a user with a low-entropy PIN
// remains protected against an attacker who is not able to read the contents
// of the MCU storage. Stretching the PIN with PBKDF2 ensures that even if
// Optiga itself is completely compromised, it will not reduce the security
// of the device below that of earlier Trezor models which also use PBKDF2
// with the same number of iterations.
uint8_t salt[HARDWARE_SALT_SIZE + STORAGE_SALT_SIZE + EXTERNAL_SALT_SIZE] = {
0};
size_t salt_len = 0;
memcpy(salt + salt_len, hardware_salt, HARDWARE_SALT_SIZE);
salt_len += HARDWARE_SALT_SIZE;
memcpy(salt + salt_len, storage_salt, STORAGE_SALT_SIZE);
salt_len += STORAGE_SALT_SIZE;
if (ext_salt != NULL) {
memcpy(salt + salt_len, ext_salt, EXTERNAL_SALT_SIZE);
salt_len += EXTERNAL_SALT_SIZE;
}
PBKDF2_HMAC_SHA256_CTX ctx = {0};
pbkdf2_hmac_sha256_Init(&ctx, pin, pin_len, salt, salt_len, 1);
memzero(&salt, sizeof(salt));
for (int i = 1; i <= 10; i++) {
pbkdf2_hmac_sha256_Update(&ctx, PIN_ITER_COUNT / 10);
ui_progress();
}
#ifdef STM32U5
uint8_t stretched_pin_tmp[SHA256_DIGEST_LENGTH] = {0};
pbkdf2_hmac_sha256_Final(&ctx, stretched_pin_tmp);
ensure(secure_aes_ecb_encrypt_hw(stretched_pin_tmp, SHA256_DIGEST_LENGTH,
stretched_pin, SECURE_AES_KEY_XORK),
"secure_aes pin stretch failed");
memzero(stretched_pin_tmp, sizeof(stretched_pin_tmp));
#else
pbkdf2_hmac_sha256_Final(&ctx, stretched_pin);
#endif
memzero(&ctx, sizeof(ctx));
}
#if USE_OPTIGA
static void derive_kek_optiga_v4(
// Legacy PIN verification method used in storage versions 3 and 4.
const uint8_t optiga_secret[OPTIGA_PIN_SECRET_SIZE],
uint8_t kek[SHA256_DIGEST_LENGTH], uint8_t keiv[SHA256_DIGEST_LENGTH]) {
PBKDF2_HMAC_SHA256_CTX ctx = {0};
pbkdf2_hmac_sha256_Init(&ctx, optiga_secret, OPTIGA_PIN_SECRET_SIZE, NULL, 0,
1);
pbkdf2_hmac_sha256_Update(&ctx, 1);
pbkdf2_hmac_sha256_Final(&ctx, kek);
pbkdf2_hmac_sha256_Init(&ctx, optiga_secret, OPTIGA_PIN_SECRET_SIZE, NULL, 0,
2);
pbkdf2_hmac_sha256_Update(&ctx, 1);
pbkdf2_hmac_sha256_Final(&ctx, keiv);
memzero(&ctx, sizeof(ctx));
}
#endif
static secbool __wur derive_kek_set(
const uint8_t *pin, size_t pin_len, const uint8_t *storage_salt,
const uint8_t *ext_salt, uint8_t stretched_pin[SHA256_DIGEST_LENGTH]) {
stretch_pin(pin, pin_len, storage_salt, ext_salt, stretched_pin);
#if USE_OPTIGA
if (!optiga_pin_set(ui_progress, stretched_pin)) {
memzero(stretched_pin, SHA256_DIGEST_LENGTH);
return secfalse;
}
#endif
return sectrue;
}
static secbool __wur derive_kek_unlock_v4(const uint8_t *pin, size_t pin_len,
const uint8_t *storage_salt,
const uint8_t *ext_salt,
uint8_t kek[SHA256_DIGEST_LENGTH],
uint8_t keiv[SHA256_DIGEST_LENGTH]) {
// Legacy PIN verification method used in storage versions 1, 2, 3 and 4.
#if USE_OPTIGA
uint8_t optiga_secret[OPTIGA_PIN_SECRET_SIZE] = {0};
uint8_t stretched_pin[OPTIGA_PIN_SECRET_SIZE] = {0};
stretch_pin(pin, pin_len, storage_salt, ext_salt, stretched_pin);
optiga_pin_result ret =
optiga_pin_verify_v4(ui_progress, stretched_pin, optiga_secret);
memzero(stretched_pin, sizeof(stretched_pin));
if (ret != OPTIGA_PIN_SUCCESS) {
memzero(optiga_secret, sizeof(optiga_secret));
if (ret == OPTIGA_PIN_COUNTER_EXCEEDED) {
// Unreachable code. Wipe should have already been triggered in unlock().
storage_wipe();
show_pin_too_many_screen();
}
ensure(ret == OPTIGA_PIN_INVALID ? sectrue : secfalse,
"optiga_pin_verify failed");
return secfalse;
}
derive_kek_optiga_v4(optiga_secret, kek, keiv);
memzero(optiga_secret, sizeof(optiga_secret));
#else
derive_kek_v4(pin, pin_len, storage_salt, ext_salt, kek, keiv);
#endif
return sectrue;
}
static secbool __wur derive_kek_unlock(
const uint8_t *pin, size_t pin_len, const uint8_t *storage_salt,
const uint8_t *ext_salt, uint8_t stretched_pin[SHA256_DIGEST_LENGTH]) {
stretch_pin(pin, pin_len, storage_salt, ext_salt, stretched_pin);
#if USE_OPTIGA
optiga_pin_result ret = optiga_pin_verify(ui_progress, stretched_pin);
if (ret != OPTIGA_PIN_SUCCESS) {
memzero(stretched_pin, SHA256_DIGEST_LENGTH);
if (ret == OPTIGA_PIN_COUNTER_EXCEEDED) {
// Unreachable code. Wipe should have already been triggered in unlock().
storage_wipe();
show_pin_too_many_screen();
}
ensure(ret == OPTIGA_PIN_INVALID ? sectrue : secfalse,
"optiga_pin_verify failed");
return secfalse;
}
#endif
return sectrue;
}
static secbool set_pin(const uint8_t *pin, size_t pin_len,
const uint8_t *ext_salt) {
// Encrypt the cached keys using the new PIN and set the new PVC.
uint8_t buffer[STORAGE_SALT_SIZE + KEYS_SIZE + POLY1305_TAG_SIZE] = {0};
uint8_t *rand_salt = buffer;
uint8_t *ekeys = buffer + STORAGE_SALT_SIZE;
uint8_t *pvc = buffer + STORAGE_SALT_SIZE + KEYS_SIZE;
uint8_t kek[SHA256_DIGEST_LENGTH] = {0};
uint8_t keiv[12] = {0};
chacha20poly1305_ctx ctx = {0};
random_buffer(rand_salt, STORAGE_SALT_SIZE);
ensure(derive_kek_set(pin, pin_len, rand_salt, ext_salt, kek),
"derive_kek_set failed");
rfc7539_init(&ctx, kek, keiv);
memzero(kek, sizeof(kek));
chacha20poly1305_encrypt(&ctx, cached_keys, ekeys, KEYS_SIZE);
rfc7539_finish(&ctx, 0, KEYS_SIZE, pvc);
memzero(&ctx, sizeof(ctx));
secbool ret = norcow_set(EDEK_PVC_KEY, buffer,
STORAGE_SALT_SIZE + KEYS_SIZE + PVC_SIZE);
memzero(buffer, sizeof(buffer));
if (ret == sectrue) {
if (pin_len == 0) {
ret = norcow_set(PIN_NOT_SET_KEY, &TRUE_BYTE, sizeof(TRUE_BYTE));
} else {
ret = norcow_set(PIN_NOT_SET_KEY, &FALSE_BYTE, sizeof(FALSE_BYTE));
}
}
return ret;
}
/*
* Initializes the values of VERSION_KEY, EDEK_PVC_KEY, PIN_NOT_SET_KEY and
* PIN_LOGS_KEY using an empty PIN. This function should be called to initialize
* freshly wiped storage.
*/
static void init_wiped_storage(void) {
if (sectrue != initialized) {
// We cannot initialize the storage contents if the hardware_salt is not
// set.
return;
}
#if USE_OPTIGA
ensure(optiga_random_buffer(cached_keys, sizeof(cached_keys)) ? sectrue
: secfalse,
"optiga_random_buffer failed");
random_xor(cached_keys, sizeof(cached_keys));
#else
random_buffer(cached_keys, sizeof(cached_keys));
#endif
unlocked = sectrue;
uint32_t version = NORCOW_VERSION;
ensure(auth_init(), "set_storage_auth_tag failed");
ensure(storage_set_encrypted(VERSION_KEY, &version, sizeof(version)),
"set_storage_version failed");
ensure(norcow_set(UNAUTH_VERSION_KEY, &version, sizeof(version)),
"set_unauth_storage_version failed");
ensure(norcow_set(STORAGE_UPGRADED_KEY, &FALSE_WORD, sizeof(FALSE_WORD)),
"set_storage_not_upgraded failed");
ensure(pin_logs_init(0), "init_pin_logs failed");
ensure(set_wipe_code(WIPE_CODE_EMPTY, WIPE_CODE_EMPTY_LEN),
"set_wipe_code failed");
ui_progress_init(STORAGE_PIN_OP_SET);
if (ui_message == NO_MSG) {
ui_message = STARTING_MSG;
} else {
ui_message = PROCESSING_MSG;
}
ensure(set_pin(PIN_EMPTY, PIN_EMPTY_LEN, NULL), "init_pin failed");
ui_progress_finish();
}
void storage_init(PIN_UI_WAIT_CALLBACK callback, const uint8_t *salt,
const uint16_t salt_len) {
initialized = secfalse;
unlocked = secfalse;
memzero(cached_keys, sizeof(cached_keys));
norcow_init(&norcow_active_version);
initialized = sectrue;
ui_callback = callback;
sha256_Raw(salt, salt_len, hardware_salt);
if (norcow_active_version < NORCOW_VERSION) {
if (sectrue != storage_upgrade()) {
storage_wipe();
ensure(secfalse, "storage_upgrade failed");
}
}
// If there is no EDEK, then generate a random DEK and SAK and store them.
const void *val = NULL;
uint16_t len = 0;
if (secfalse == norcow_get(EDEK_PVC_KEY, &val, &len)) {
init_wiped_storage();
}
}
secbool storage_pin_fails_increase(void) {
if (sectrue != initialized) {
return secfalse;
}
return pin_fails_increase();
}
secbool storage_is_unlocked(void) {
if (sectrue != initialized) {
return secfalse;
}
return unlocked;
}
void storage_lock(void) {
unlocked = secfalse;
memzero(cached_keys, sizeof(cached_keys));
memzero(authentication_sum, sizeof(authentication_sum));
}
// Returns the storage version that was used to lock the storage.
static uint32_t get_lock_version(void) {
const void *val = NULL;
uint16_t len = 0;
if (sectrue != norcow_get(UNAUTH_VERSION_KEY, &val, &len) ||
len != sizeof(uint32_t)) {
handle_fault("no lock version");
}
return *(uint32_t *)val;
}
secbool check_storage_version(void) {
uint32_t version = 0;
uint16_t len = 0;
if (sectrue !=
storage_get_encrypted(VERSION_KEY, &version, sizeof(version), &len) ||
len != sizeof(version)) {
handle_fault("storage version check");
return secfalse;
}
if (version != get_lock_version()) {
handle_fault("storage version check");
return secfalse;
}
const void *storage_upgraded = NULL;
if (sectrue != norcow_get(STORAGE_UPGRADED_KEY, &storage_upgraded, &len) ||
len != sizeof(TRUE_WORD)) {
handle_fault("storage version check");
return secfalse;
}
if (version > norcow_active_version) {
// Attack: Storage was downgraded.
storage_wipe();
handle_fault("storage version check");
return secfalse;
} else if (version < norcow_active_version) {
// Storage was upgraded.
if (*(const uint32_t *)storage_upgraded != TRUE_WORD) {
// Attack: The upgrade process was bypassed.
storage_wipe();
handle_fault("storage version check");
return secfalse;
}
norcow_set(STORAGE_UPGRADED_KEY, &FALSE_WORD, sizeof(FALSE_WORD));
storage_set_encrypted(VERSION_KEY, &norcow_active_version,
sizeof(norcow_active_version));
norcow_set(UNAUTH_VERSION_KEY, &norcow_active_version,
sizeof(norcow_active_version));
} else {
// Standard operation. The storage was neither upgraded nor downgraded.
if (*(const uint32_t *)storage_upgraded != FALSE_WORD) {
// Attack: The upgrade process was launched when it shouldn't have been.
storage_wipe();
handle_fault("storage version check");
return secfalse;
}
}
return sectrue;
}
static secbool __wur decrypt_dek(const uint8_t *pin, size_t pin_len,
const uint8_t *ext_salt) {
// Read the storage salt, EDEK, ESAK and PIN verification code entry.
const void *buffer = NULL;
uint16_t len = 0;
if (sectrue != initialized ||
sectrue != norcow_get(EDEK_PVC_KEY, &buffer, &len) ||
len != STORAGE_SALT_SIZE + KEYS_SIZE + PVC_SIZE) {
handle_fault("no EDEK");
return secfalse;
}
const uint8_t *storage_salt = (const uint8_t *)buffer;
const uint8_t *ekeys = (const uint8_t *)buffer + STORAGE_SALT_SIZE;
const uint32_t *pvc = (const uint32_t *)buffer +
(STORAGE_SALT_SIZE + KEYS_SIZE) / sizeof(uint32_t);
_Static_assert(((STORAGE_SALT_SIZE + KEYS_SIZE) & 3) == 0, "PVC unaligned");
_Static_assert((PVC_SIZE & 3) == 0, "PVC size unaligned");
// Derive the key encryption key and IV.
uint8_t kek[SHA256_DIGEST_LENGTH] = {0};
uint8_t keiv[SHA256_DIGEST_LENGTH] = {0};
if (get_lock_version() >= 5) {
if (sectrue !=
derive_kek_unlock(pin, pin_len, storage_salt, ext_salt, kek)) {
return secfalse;
}
} else {
if (sectrue !=
derive_kek_unlock_v4(pin, pin_len, storage_salt, ext_salt, kek, keiv)) {
return secfalse;
};
}
uint8_t keys[KEYS_SIZE] = {0};
uint8_t tag[POLY1305_TAG_SIZE] __attribute__((aligned(sizeof(uint32_t))));
chacha20poly1305_ctx ctx = {0};
// Decrypt the data encryption key and the storage authentication key and
// check the PIN verification code.
rfc7539_init(&ctx, kek, keiv);
memzero(kek, sizeof(kek));
memzero(keiv, sizeof(keiv));
chacha20poly1305_decrypt(&ctx, ekeys, keys, KEYS_SIZE);
rfc7539_finish(&ctx, 0, KEYS_SIZE, tag);
memzero(&ctx, sizeof(ctx));
wait_random();
if (secequal32(tag, pvc, PVC_SIZE) != sectrue) {
memzero(keys, sizeof(keys));
memzero(tag, sizeof(tag));
return secfalse;
}
memcpy(cached_keys, keys, sizeof(keys));
memzero(keys, sizeof(keys));
memzero(tag, sizeof(tag));
return sectrue;
}
static void ensure_not_wipe_code(const uint8_t *pin, size_t pin_len) {
if (sectrue != is_not_wipe_code(pin, pin_len)) {
storage_wipe();
show_wipe_code_screen();
}
}
static secbool unlock(const uint8_t *pin, size_t pin_len,
const uint8_t *ext_salt) {
const uint8_t *unlock_pin = pin;
size_t unlock_pin_len = pin_len;
// In case of an upgrade from version 1 or 2, encode the PIN to the old
// format.
uint32_t legacy_pin = 0;
if (get_lock_version() <= 2) {
legacy_pin = pin_to_int(pin, pin_len);
unlock_pin = (const uint8_t *)&legacy_pin;
unlock_pin_len = sizeof(legacy_pin);
}
// In case of an upgrade from version 4 or earlier bump the total time of UI
// progress to account for the set_pin() call in storage_upgrade_unlocked().
if (get_lock_version() <= 4) {
ui_progress_add(ui_estimate_time_ms(STORAGE_PIN_OP_SET));
}
// Now we can check for wipe code.
ensure_not_wipe_code(unlock_pin, unlock_pin_len);
// Get the pin failure counter
uint32_t ctr = 0;
if (sectrue != pin_get_fails(&ctr)) {
memzero(&legacy_pin, sizeof(legacy_pin));
return secfalse;
}
// Wipe storage if too many failures
wait_random();
if (ctr >= PIN_MAX_TRIES) {
storage_wipe();