feat(core/prodtest): do not lock Optiga in non-production builds
[no changelog]
matejcik authored and andrewkozlik committed May 3, 2024
1 parent ed43a5b commit 45a973b
Showing 1 changed file with 12 additions and 5 deletions.
17 changes: 12 additions & 5 deletions core/embed/prodtest/optiga_prodtest.c
@@ -198,6 +198,13 @@ void pair_optiga(void) {
return;
}

#if PRODUCTION
#define METADATA_SET_LOCKED(metadata) \
{ metadata.lcso = OPTIGA_META_LCS_OPERATIONAL; }
#else
#define METADATA_SET_LOCKED(metadata)
#endif

void optiga_lock(void) {
if (!optiga_paired()) return;

@@ -215,7 +222,7 @@ void optiga_lock(void) {

// Set metadata for device certificate.
memzero(&metadata, sizeof(metadata));
metadata.lcso = OPTIGA_META_LCS_OPERATIONAL;
METADATA_SET_LOCKED(metadata);
metadata.change = OPTIGA_META_ACCESS_NEVER;
metadata.read = OPTIGA_META_ACCESS_ALWAYS;
metadata.execute = OPTIGA_META_ACCESS_ALWAYS;
@@ -225,7 +232,7 @@ void optiga_lock(void) {

// Set metadata for FIDO attestation certificate.
memzero(&metadata, sizeof(metadata));
metadata.lcso = OPTIGA_META_LCS_OPERATIONAL;
METADATA_SET_LOCKED(metadata);
metadata.change = OPTIGA_META_ACCESS_NEVER;
metadata.read = OPTIGA_META_ACCESS_ALWAYS;
metadata.execute = OPTIGA_META_ACCESS_ALWAYS;
@@ -235,7 +242,7 @@ void optiga_lock(void) {

// Set metadata for device private key.
memzero(&metadata, sizeof(metadata));
metadata.lcso = OPTIGA_META_LCS_OPERATIONAL;
METADATA_SET_LOCKED(metadata);
metadata.change = OPTIGA_META_ACCESS_NEVER;
metadata.read = OPTIGA_META_ACCESS_NEVER;
metadata.execute = ACCESS_PAIRED;
@@ -246,7 +253,7 @@ void optiga_lock(void) {

// Set metadata for FIDO attestation private key.
memzero(&metadata, sizeof(metadata));
metadata.lcso = OPTIGA_META_LCS_OPERATIONAL;
METADATA_SET_LOCKED(metadata);
metadata.change = OPTIGA_META_ACCESS_NEVER;
metadata.read = OPTIGA_META_ACCESS_NEVER;
metadata.execute = ACCESS_PAIRED;
@@ -257,7 +264,7 @@ void optiga_lock(void) {

// Set metadata for pairing key.
memzero(&metadata, sizeof(metadata));
metadata.lcso = OPTIGA_META_LCS_OPERATIONAL;
METADATA_SET_LOCKED(metadata);
metadata.change = OPTIGA_META_ACCESS_NEVER;
metadata.read = OPTIGA_META_ACCESS_NEVER;
metadata.execute = OPTIGA_META_ACCESS_ALWAYS;
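Review bot: The production branch of `METADATA_SET_LOCKED` in the first hunk expands to a bare braced block, so every `METADATA_SET_LOCKED(metadata);` call site in the later hunks becomes `{ ... };`, which compiles here but breaks the moment the macro is placed in an unbraced `if`/`else`; define it as `#define METADATA_SET_LOCKED(metadata) do { (metadata).lcso = OPTIGA_META_LCS_OPERATIONAL; } while (0)` and make the non-production variant `do { } while (0)` so both expand to a single statement. The macro also needs a comment stating what the switch actually changes: in non-production builds optiga_lock() still writes the access conditions for each object but leaves `lcso` at the value memzero() produced, so the objects' lifecycle state is not advanced and they presumably remain re-provisionable, which a reader of the call sites cannot tell from the name alone. Because optiga_lock() keeps its name in both builds, its header comment should say explicitly that the lifecycle lock takes effect only when PRODUCTION is set, so nobody reading a development build assumes the objects are locked. optiga_lock() starts in the first hunk and its body continues past the last hunk shown.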
