Unsafe prompts #1126
Unsafe prompts #1126
Conversation
matejcik
requested review from
andrewkozlik,
onvej-sl,
prusnak and
tsusanka
as code owners
|
@andrewkozlik this is hitting you because you're a code owner of storage, but I'd appreciate a review of the Keychain design fwiw we might add you as a code owner of |
| @@ -132,6 +132,20 @@ def homescreen(client, filename): | |||
| return device.apply_settings(client, homescreen=img) | |||
|
|
|||
|
|
|||
| @cli.command() | |||
| @click.argument("allow", type=click.Choice(("on", "off"))) | |||
There was a problem hiding this comment.
Here we use "on/off" and for passphrase for example we use trezorctl set passphrase enabled. We should unify those IMHO. Also "on" might be the default value? Maybe let's create a separate issue for that?
There was a problem hiding this comment.
#1130
I am not sure what to do here. I chose "on/off" instead of "enabled/disabled" because of a vague feeling that "set unsafe-prompts disabled" sounds like the less secure setting. But that's not very strong argument. Do you think we should change it to enabled/disabled?
There was a problem hiding this comment.
I like on/off. I wouldn't mind having also "trezorctl set passphrase on". Anyway, since we are not sure I suggest to leave this as is and deal with it in #1130.
There was a problem hiding this comment.
I chose "on/off" instead of "enabled/disabled" because of a vague feeling that "set unsafe-prompts disabled" sounds like the less secure setting.
I don't think on/off vs. enabled/disabled makes a difference in this respect. If a configuration sounds less secure it's more likely because of the name of the setting.
| This is a power-user feature. With unsafe prompts enabled, Trezor will ask the user | ||
| to confirm possibly dangerous actions instead of rejecting them outright. | ||
| Use with caution. | ||
| """ |
There was a problem hiding this comment.
I suggest we display this description to the user in CLI. Also with a Continue? [y/N] to make this a bit more scarier :).
There was a problem hiding this comment.
I considered that, but OTOH the scary warning is already displayed on the Trezor screen?
There was a problem hiding this comment.
Still - we can be more descriptive here. Exactly as you are in the comment.
|
Also let's add this to CHANGELOG. |
core/src/apps/common/keychain.py
Outdated
| self.curve = curve | ||
| self.namespaces = namespaces | ||
| self.slip21_namespaces = slip21_namespaces | ||
| self.restrict = restrict |
There was a problem hiding this comment.
I am not sure how much sense it makes to set restrict per Keychain instance, because right now it's considered a global setting. On the other hand I would like to see the Keychain class moving in a direction, where it will just be holding the derived nodes that it was authorized to hold, i.e. it shouldn't keep a copy of the seed at all.
There was a problem hiding this comment.
Re restrict, it's reasonable that the Keychain would look at the setting directly; I'm honestly not sure why I did it this way originally. I'll remove it.
|
#1126 (comment) -> moving discussion to top level so that it doesn't get lost in a review comment: Re the other idea, that's intriguiging, but I'm not sure if it makes sense implementation-wise. Perhaps something like |
Yeah, I am thinking something like that. Instead of the seed you'd be keeping the root node or one or more subnodes if you know beforehand that that's all you will be needing. Typically the Authorization objects would be doing that. BTW I am not suggesting we delve into this here, that's a separate issue, but it influences the way we think about the |
|
Added commits that allow Casa/Greenaddress namespaces without prompts. @tsusanka please take a look. |
|
wrt naming: in a meeting we decided to call the setting Safety checks, with possible levels being strict (default) and prompt (configurable by trezorctl). In the future we might add more granularity, e.g., to turn off prevtx streaming. We decided to keep the naming as-is for this PR and for release. (This shouldn't even affect Connect, seeing as they won't be using this field at all.) If we come up with something good, we can reword the dialogs relatively safely after the freeze. For the next milestone (and for upcoming trezorlib release), I'm creating a separate issue for internal rewording. |
| raise FORBIDDEN_KEY_PATH | ||
|
|
||
| def _derive_with_cache( | ||
| self, prefix_len: int, path: paths.PathType, new_root: Callable[[], NodeType], |
There was a problem hiding this comment.
The name prefix_len doesn't tell me what the parameter is doing. How about calling it max_cache_depth? But the function is private so no big deal.
There was a problem hiding this comment.
i'm leaving that to #1135
matejcik
force-pushed
the
matejcik/unsafe-prompts-keychain-only
branch
from
39765eb to
f80a0f9
Compare
also make a cleaner distinction between keychain, seed, path This enables using `unsafe_prompts`, because with the original code, if there was no namespace match, we wouldn't know which curve to use. For ease of implementation, we use a LRU cache for derived keys, instead of the original design "one cache entry per namespace". SLIP21 is now treated completely separately, via `slip21_namespaces` and `derive_slip21` method. If more slip21-like things come in the future, we can instead hang them on the keychain: put a per-curve Keychain object accessible by `keychain[curve_name].derive()`, and the majority usecase will just pass around `keychain[curve_name]` instead of having to specify the curve in every `derive()` call. Or alternately we'll just specify the curve in every `derive()` call, whichever seems more appropriate.
matejcik
force-pushed
the
matejcik/unsafe-prompts-keychain-only
branch
from
f80a0f9 to
0ca9a54
Compare
matejcik
force-pushed
the
matejcik/unsafe-prompts-keychain-only
branch
from
0ca9a54 to
dde1945
Compare
|
👍 one comment. I have probably not done it via the review functionality, sorry. |
partial fix for #1064
adds a setting called "unsafe prompts", available via trezorctl. When enabled, Keychain will not raise hard errors on non-conforming paths.
This necessitated (yet another) refactor of the Keychain, in which I took the time to also make a cleaner split on files.
The current Keychain implementation has a default curve set -- which is necessary, as previously we would take curve info from the namespace, and now we are being asked to derive paths that do not belong to a namespace.
The other option would have been to specify curve at every call to
derive(), but that just seems spammy. We might come back to it in time though.This way using
"slip21"curve is not possible, so I had to introduce a separatederive_slip21()method and a correspondingslip21_namespacesargument. I don't particularly like this, but it seems best of bad options. If this grows cumbersome in the future, we could add a specialkeychain.slip21accessor (andkeychain.bip32orkeychain[curve_name]or something).in addition, I removed the
load_settingsgodfunction, in favor of individual setters.