diff --git a/core/embed/prodtest/optiga_prodtest.c b/core/embed/prodtest/optiga_prodtest.c
index 9fe08ba0d..616a0d446 100644
--- a/core/embed/prodtest/optiga_prodtest.c
+++ b/core/embed/prodtest/optiga_prodtest.c
@@ -198,6 +198,13 @@ void pair_optiga(void) {
 return;
 }
+#if PRODUCTION
+#define METADATA_SET_LOCKED(metadata) \
+ { metadata.lcso = OPTIGA_META_LCS_OPERATIONAL; }
+#else
+#define METADATA_SET_LOCKED(metadata)
+#endif
+
 void optiga_lock(void) {
 if (!optiga_paired()) return;
@@ -215,7 +222,7 @@ void optiga_lock(void) {
 // Set metadata for device certificate.
 memzero(&metadata, sizeof(metadata));
- metadata.lcso = OPTIGA_META_LCS_OPERATIONAL;
+ METADATA_SET_LOCKED(metadata);
 metadata.change = OPTIGA_META_ACCESS_NEVER;
 metadata.read = OPTIGA_META_ACCESS_ALWAYS;
 metadata.execute = OPTIGA_META_ACCESS_ALWAYS;
@@ -225,7 +232,7 @@ void optiga_lock(void) {
 // Set metadata for FIDO attestation certificate.
 memzero(&metadata, sizeof(metadata));
- metadata.lcso = OPTIGA_META_LCS_OPERATIONAL;
+ METADATA_SET_LOCKED(metadata);
 metadata.change = OPTIGA_META_ACCESS_NEVER;
 metadata.read = OPTIGA_META_ACCESS_ALWAYS;
 metadata.execute = OPTIGA_META_ACCESS_ALWAYS;
@@ -235,7 +242,7 @@ void optiga_lock(void) {
 // Set metadata for device private key.
 memzero(&metadata, sizeof(metadata));
- metadata.lcso = OPTIGA_META_LCS_OPERATIONAL;
+ METADATA_SET_LOCKED(metadata);
 metadata.change = OPTIGA_META_ACCESS_NEVER;
 metadata.read = OPTIGA_META_ACCESS_NEVER;
 metadata.execute = ACCESS_PAIRED;
@@ -246,7 +253,7 @@ void optiga_lock(void) {
 // Set metadata for FIDO attestation private key.
 memzero(&metadata, sizeof(metadata));
- metadata.lcso = OPTIGA_META_LCS_OPERATIONAL;
+ METADATA_SET_LOCKED(metadata);
 metadata.change = OPTIGA_META_ACCESS_NEVER;
 metadata.read = OPTIGA_META_ACCESS_NEVER;
 metadata.execute = ACCESS_PAIRED;
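Review bot: The `#if PRODUCTION` guard in the first hunk (the macro added above `optiga_lock`) fails open. If a build ever leaves `PRODUCTION` undefined, the preprocessor evaluates it as 0 and `METADATA_SET_LOCKED` expands to nothing, so the lock step silently stops setting `lcso` with no diagnostic. A guard in front of the block, `#ifndef PRODUCTION` followed by `#error "PRODUCTION must be defined"`, makes that misconfiguration a build failure instead. Separately, the brace-block body leaves `{ ... };` at every call site, which misparses under an unbraced `if`/`else`; `do { (metadata).lcso = OPTIGA_META_LCS_OPERATIONAL; } while (0)` is the safer form, with `do { } while (0)` for the empty variant.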
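Review bot: Nothing at the first call site (hunk at -215, device certificate) or in the hunks at -225, -235, -246 and -257 tells a reader or operator that a non-production build does not actually lock. In that build `METADATA_SET_LOCKED(metadata);` is empty, so `lcso` stays as `memzero` left it while `change`, `read` and `execute` are still written. If the OPTIGA lifecycle works as it usually does, metadata written without an operational LcsO can presumably be rewritten later, so the device key and FIDO attestation key objects are not protected even though `optiga_lock` ran to completion. I would add a comment at the first call site, e.g. `// Non-production builds leave LcsO unset: access conditions below are not final and the device must not be treated as locked.` The rest of `optiga_lock` is outside these hunks, so how a zeroed `lcso` is serialized and what the command reports on completion cannot be confirmed from here; the reported status should differ between the two builds.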
@@ -257,7 +264,7 @@ void optiga_lock(void) {
 // Set metadata for pairing key.
 memzero(&metadata, sizeof(metadata));
- metadata.lcso = OPTIGA_META_LCS_OPERATIONAL;
+ METADATA_SET_LOCKED(metadata);
 metadata.change = OPTIGA_META_ACCESS_NEVER;
 metadata.read = OPTIGA_META_ACCESS_NEVER;
 metadata.execute = OPTIGA_META_ACCESS_ALWAYS;