trezor
diff --git a/‎core/tools/generate_tropic_model_config.py‎
Lines changed: 10 additions & 95 deletions b/‎core/tools/generate_tropic_model_config.py‎
Lines changed: 10 additions & 95 deletions
diff --git a/‎tests/tropic_model/README.md‎
Lines changed: 1 addition & 23 deletions b/‎tests/tropic_model/README.md‎
Lines changed: 1 addition & 23 deletions
diff --git a/‎tests/tropic_model/base_config.yml‎
Lines changed: 43 additions & 0 deletions b/‎tests/tropic_model/base_config.yml‎
Lines changed: 43 additions & 0 deletions
diff --git a/‎tests/tropic_model/config.yml‎
Lines changed: 27 additions & 14 deletions b/‎tests/tropic_model/config.yml‎
Lines changed: 27 additions & 14 deletions
diff --git a/‎tests/tropic_model/root_cert.pem‎
Lines changed: 0 additions & 9 deletions b/‎tests/tropic_model/root_cert.pem‎
Lines changed: 0 additions & 9 deletions
diff --git a/‎tests/tropic_model/root_key.pem‎
Lines changed: 0 additions & 3 deletions b/‎tests/tropic_model/root_key.pem‎
Lines changed: 0 additions & 3 deletions
diff --git a/‎tests/tropic_model/tropic_key.pem‎
Lines changed: 0 additions & 3 deletions b/‎tests/tropic_model/tropic_key.pem‎
Lines changed: 0 additions & 3 deletions
@@ -1,27 +1,16 @@
 #!/usr/bin/env python3
 
-import hashlib
 import os
 from pathlib import Path
 
 import click
 import yaml
-from cryptography import x509
-from cryptography.hazmat.primitives import serialization
 
 HERE = Path(__file__).parent
 ROOT = HERE.parent.parent.resolve()
 CONFIG_DIR = ROOT / "tests" / "tropic_model"
 DEST_PATH = CONFIG_DIR / "config.yml"
-
-# private key used by the Tropic model to sign
-TROPIC_KEY = CONFIG_DIR / "tropic_key.pem"
-
-# certificate of the Tropic model - signed by the root authority
-TROPIC_CERT = CONFIG_DIR / "tropic_cert.pem"
-
-# certificate of the root authority
-ROOT_CERT = CONFIG_DIR / "root_cert.pem"
+BASE_CONFIG = CONFIG_DIR / "base_config.yml"
 
 VENDOR_CONFIG_DIR = ROOT / "vendor" / "ts-tvl" / "model_configs" / "example_config"
 EXTRA_FILES = [
@@ -34,83 +23,22 @@
 @click.command()
 @click.option("--check", is_flag=True)
 def generate_config(check: bool) -> None:
-    tropic_key = serialization.load_pem_private_key(
-        TROPIC_KEY.read_bytes(), password=None
-    )
-
-    tropic_a = tropic_key.public_key().public_bytes(
-        encoding=serialization.Encoding.Raw, format=serialization.PublicFormat.Raw
-    )
-
-    tropic_private_key_bytes = tropic_key.private_bytes(
-        encoding=serialization.Encoding.Raw,
-        format=serialization.PrivateFormat.Raw,
-        encryption_algorithm=serialization.NoEncryption(),
-    )
-
-    # perform clamping
-    # https://www.jcraige.com/an-explainer-on-ed25519-clamping
-    h = hashlib.sha512(tropic_private_key_bytes).digest()
-    tropic_s = bytearray(h[:32])
-    tropic_s[0] &= 248
-    tropic_s[31] &= 63
-    tropic_s[31] |= 64
-    tropic_s = bytes(tropic_s)
-
-    tropic_prefix = hashlib.sha512(tropic_s).digest()[:32]
-
-    tropic_cert = x509.load_pem_x509_certificate(TROPIC_CERT.read_bytes())
-    tropic_cert_der_bytes = tropic_cert.public_bytes(serialization.Encoding.DER)
-
-    root_cert = x509.load_pem_x509_certificate(ROOT_CERT.read_bytes())
-    root_cert_der_bytes = root_cert.public_bytes(serialization.Encoding.DER)
-
-    # certificate chain with the length prefix
-    all_cert_bytes = (
-        (len(tropic_cert_der_bytes) + len(root_cert_der_bytes)).to_bytes(2, "big")
-        + tropic_cert_der_bytes
-        + root_cert_der_bytes
-    )
-
-    SLOT_LEN = 444
-
-    # make sure they fit in 3 slots, which is what we have available
-    assert len(all_cert_bytes) < SLOT_LEN * 3
-
-    # split the data in 3 slots
-    slot_1_bytes = all_cert_bytes[:SLOT_LEN]
-    slot_2_bytes = all_cert_bytes[SLOT_LEN : SLOT_LEN * 2]
-    slot_3_bytes = all_cert_bytes[SLOT_LEN * 2 : SLOT_LEN * 3]
-
-    # save the data starting at slot 3
-    # see https://github.com/trezor/trezor-firmware/blob/main/core/embed/sec/tropic/inc/sec/tropic.h#L31
-    TROPIC_DEVICE_CERT_FIRST_SLOT = 3
-    user_data = {}
-    for i, data in enumerate([slot_1_bytes, slot_2_bytes, slot_3_bytes]):
-        if len(data) != 0:
-            if len(data) < SLOT_LEN:  # pad last slot
-                data += b"\x00" * (SLOT_LEN - len(data))
-            user_data[TROPIC_DEVICE_CERT_FIRST_SLOT + i] = {"value": data}
-
     config_dict = {
         "s_t_priv": "tropic01_ese_private_key_1.pem",
         "s_t_pub": "tropic01_ese_public_key_1.pem",
         "x509_certificate": "tropic01_ese_certificate_1.pem",
         "debug_random_value": b"\x00\xc0\xff\xee",
-        "r_user_data": user_data,  # certificate chain
-        "r_ecc_keys": {  # signing key at index 0
-            0: {
-                "a": tropic_a,
-                "s": tropic_s,
-                "prefix": tropic_prefix,
-                "origin": 2,  # imported key
-            }
-        },
         "riscv_fw_version": "1.0.0",  # Version of the RISCV Firmware (also know as Application FW) used in TS7 devices
         "spect_fw_version": "1.0.0",
     }
 
-    config = yaml.dump(config_dict)
+    base_config = yaml.safe_load(BASE_CONFIG.read_text())
+    overlap = config_dict.keys() & base_config.keys()
+    if overlap:
+        raise click.ClickException(
+            f"Key collision between base_config and generated config: {overlap}"
+        )
+    config = yaml.dump({**base_config, **config_dict})
 
     if check:
         if not DEST_PATH.exists():
@@ -128,24 +56,11 @@ def generate_config(check: bool) -> None:
                 print(f"{extra_file_dest} is out of date")
                 raise click.ClickException("Extra config file is out of date")
     else:
-        tropic_key_stat = TROPIC_KEY.stat()
-        tropic_cert_stat = TROPIC_CERT.stat()
-        root_cert_stat = ROOT_CERT.stat()
         DEST_PATH.write_text(config)
+        base_config_stat = BASE_CONFIG.stat()
         os.utime(
             DEST_PATH,
-            ns=(
-                max(
-                    tropic_key_stat.st_atime_ns,
-                    tropic_cert_stat.st_atime_ns,
-                    root_cert_stat.st_atime_ns,
-                ),
-                max(
-                    tropic_key_stat.st_mtime_ns,
-                    tropic_cert_stat.st_mtime_ns,
-                    root_cert_stat.st_mtime_ns,
-                ),
-            ),
+            ns=(base_config_stat.st_atime_ns, base_config_stat.st_mtime_ns),
         )
 
         for extra_file in EXTRA_FILES:
 
@@ -4,29 +4,7 @@ The Tropic model requires:
  * (I) a keypair and a certificate it will use to communicate to the host (`tropic01_ese_*`) - these are simply copied from [example_config](https://github.com/tropicsquare/ts-tvl/tree/master/model_configs/example_config)
  * (II) a certificate chain and a keypair that will be used during Trezor's authenticity check
 
-The root key, certificate chain and keypair are generated using these commands:
-
-```
-# generate root keypair
-openssl genpkey -algorithm Ed25519 -out root_key.pem
-openssl pkey -in root_key.pem -pubout -out root_pubkey.pem
-
-# see the root pubkey - to be used in test
-openssl pkey -in root_pubkey.pem -pubin -outform DER | tail -c 32 | xxd -p -c 256
-
-# generate root certificate (signed by the root key)
-openssl req -new -x509 -key root_key.pem -out root_cert.pem -days 36500
-
-# generate device key pair
-openssl genpkey -algorithm Ed25519 -out tropic_key.pem
-openssl pkey -in tropic_key.pem -pubout -out tropic_pubkey.pem
-
-# generate certificate signing request
-openssl req -new -key tropic_key.pem -out tropic.csr -subj "/CN=T3W1"
-
-# use the signing request to generate a device certificate signed by the authority
-openssl x509 -req -in tropic.csr -CA root_cert.pem -CAkey root_key.pem -CAcreateserial -out tropic_cert.pem -days 36500
-```
+ The root key, certificate chain, and keypair were generated by provisioning a prodtest emulator using testing keys and copying the Tropic model's saved config.
 
 `ts-tvl` then uses a YAML config file to load the above keys and certificates.
  * (I) go into: `s_t_priv`, `s_t_pub` and `x509_certificate` as required by [`ts-tvl`](https://github.com/tropicsquare/ts-tvl/blob/master/model_configs/example_config/example_config.yml)
 
@@ -0,0 +1,43 @@
+r_ecc_keys:
+  0:
+    a: !!binary |
+      9oDGtfPu3mRwCJaejPsZ//YkEh8NfwIrKr7N+WxNoEE=
+    origin: 1
+    prefix: !!binary |
+      CnPByiITyYOnUGxdTN8cqFJPe0GvBmHAKQ3KdYcxeIw=
+    s: !!binary |
+      /ax6IByM43A2QFc8ZhtxuCTUKnI4aN92uMu/jyTzdgg=
+r_user_data:
+  3:
+    free: false
+    value: !!binary |
+      A1gwggGPMIIBQaADAgECAghp+14Y3dtpRTAFBgMrZXAwTzELMAkGA1UEBhMCQ1oxHjAcBgNVBAoM
+      FVRyZXpvciBDb21wYW55IHMuci5vLjEgMB4GA1UEAwwXVHJlem9yIE1hbnVmYWN0dXJpbmcgQ0Ew
+      IBcNMjYwNTA2MTUyODI1WhgPMjA1NjA1MDYxNTI4MjVaMEcxGzAZBgNVBAMMElQzVzEgVHJlem9y
+      IFNhZmUgNzEXMBUGA1UEBRMOMTIzNDU2Nzg5MDEyMzQxDzANBgNVBC4TBlRyb3BpYzAqMAUGAytl
+      cAMhAPaAxrXz7t5kcAiWnoz7Gf/2JBIfDX8CKyq+zflsTaBBo0EwPzAOBgNVHQ8BAf8EBAMCAIAw
+      DAYDVR0TAQH/BAIwADAfBgNVHSMEGDAWgBQUqVoIj2To/jFMcZRn6iOSWgNFLzAFBgMrZXADQQBS
+      7OZFc++tY4vDy3H/9P/P96iu6Nj/Acc73sQn6I8U4QwuWo8BG/CPfOLC9Q0uyft0c/8D6bQZtJEo
+      pnz74u0PMIIBwTCCAXOgAwIBAgIIafteGJa66SowBQYDK2VwMFQxCzAJBgNV
+  4:
+    free: false
+    value: !!binary |
+      BAYTAkNaMR4wHAYDVQQKDBVUcmV6b3IgQ29tcGFueSBzLnIuby4xJTAjBgNVBAMMHFRyZXpvciBN
+      YW51ZmFjdHVyaW5nIFJvb3QgQ0EwIBcNMjYwNTA2MTUyODI1WhgPMjA1NjA1MDYxNTI4MjVaME8x
+      CzAJBgNVBAYTAkNaMR4wHAYDVQQKDBVUcmV6b3IgQ29tcGFueSBzLnIuby4xIDAeBgNVBAMMF1Ry
+      ZXpvciBNYW51ZmFjdHVyaW5nIENBMCowBQYDK2VwAyEAWoUPt8reO7zfK2QepOuUtKibeX8UN+bL
+      tw82YFfo23mjZjBkMA4GA1UdDwEB/wQEAwICBDASBgNVHRMBAf8ECDAGAQH/AgEAMB0GA1UdDgQW
+      BBQUqVoIj2To/jFMcZRn6iOSWgNFLzAfBgNVHSMEGDAWgBRUnfqULSF0erM7XBrqPsO7p7D5IjAF
+      BgMrZXADQQCAIPusstEozIfzhnlCV/wuwHwJ/4s/Rv/0ElSpa04rvf3XO0DwsD3O2WCjhLdOrcHK
+      65q6wWdPfDvsoKNcFMsLAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+  5:
+    free: false
+    value: !!binary |
+      AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+      AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+      AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+      AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+      AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+      AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+      AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+      AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
@@ -3,27 +3,40 @@ debug_random_value: !!binary |
 r_ecc_keys:
   0:
     a: !!binary |
-      /znnOD2vDW1Znx2ymKbAur+8R+x3vj8uL/e5VUqnH38=
-    origin: 2
+      9oDGtfPu3mRwCJaejPsZ//YkEh8NfwIrKr7N+WxNoEE=
+    origin: 1
     prefix: !!binary |
-      a2BLVJLG4DGBZBPl5ipLvlLOj8zovqvCgejgJtWKGw8=
+      CnPByiITyYOnUGxdTN8cqFJPe0GvBmHAKQ3KdYcxeIw=
     s: !!binary |
-      2JitRIPXXNvDPBcYOyKAWEEGn1k97MfNKx+z4/kNQEk=
+      /ax6IByM43A2QFc8ZhtxuCTUKnI4aN92uMu/jyTzdgg=
 r_user_data:
   3:
+    free: false
     value: !!binary |
-      AhwwgeUwgZgCFAYbogFv5WvsoMxMwanH3uF4NejHMAUGAytlcDANMQswCQYDVQQGEwJDWjAgFw0y
-      NTEwMDExNTU5MjBaGA8yMTI1MDkwNzE1NTkyMFowHDELMAkGA1UEBhMCQ1oxDTALBgNVBAMMBFQz
-      VzEwKjAFBgMrZXADIQD/Oec4Pa8NbVmfHbKYpsC6v7xH7He+Py4v97lVSqcffzAFBgMrZXADQQC/
-      Sg/OI9Oa4IcjAGkqswmsZY782uzrHqqOdb8C9QHMQEJFKggXH39rxtXRU2kmj+ryTkYNA4vUhIKm
-      +zvKUGkEMIIBMDCB46ADAgECAhRMR5WXXWH8xNquZfZtCCchQO757TAFBgMrZXAwDTELMAkGA1UE
-      BhMCQ1owIBcNMjUxMDAxMTUzMzA2WhgPMjEyNTA5MDcxNTMzMDZaMA0xCzAJBgNVBAYTAkNaMCow
-      BQYDK2VwAyEAGrHF8S9FcODeXBao2f7qOB9TyNgT/usOsvt/OT8ra1+jUzBRMB0GA1UdDgQWBBSY
-      DtrUTbT8JI4eHR/OIHl787VZ1zAfBgNVHSMEGDAWgBSYDtrUTbT8JI4eHR/O
+      A1gwggGPMIIBQaADAgECAghp+14Y3dtpRTAFBgMrZXAwTzELMAkGA1UEBhMCQ1oxHjAcBgNVBAoM
+      FVRyZXpvciBDb21wYW55IHMuci5vLjEgMB4GA1UEAwwXVHJlem9yIE1hbnVmYWN0dXJpbmcgQ0Ew
+      IBcNMjYwNTA2MTUyODI1WhgPMjA1NjA1MDYxNTI4MjVaMEcxGzAZBgNVBAMMElQzVzEgVHJlem9y
+      IFNhZmUgNzEXMBUGA1UEBRMOMTIzNDU2Nzg5MDEyMzQxDzANBgNVBC4TBlRyb3BpYzAqMAUGAytl
+      cAMhAPaAxrXz7t5kcAiWnoz7Gf/2JBIfDX8CKyq+zflsTaBBo0EwPzAOBgNVHQ8BAf8EBAMCAIAw
+      DAYDVR0TAQH/BAIwADAfBgNVHSMEGDAWgBQUqVoIj2To/jFMcZRn6iOSWgNFLzAFBgMrZXADQQBS
+      7OZFc++tY4vDy3H/9P/P96iu6Nj/Acc73sQn6I8U4QwuWo8BG/CPfOLC9Q0uyft0c/8D6bQZtJEo
+      pnz74u0PMIIBwTCCAXOgAwIBAgIIafteGJa66SowBQYDK2VwMFQxCzAJBgNV
   4:
+    free: false
     value: !!binary |
-      IHl787VZ1zAPBgNVHRMBAf8EBTADAQH/MAUGAytlcANBAD2wmHseXqtUk2QJuwRUpdoestUlhKGR
-      xrD1yhY8fxCvCzU+b4qZffXCyyk4qgDiTgdNHMz04zL6nKcNhT+geAQAAAAAAAAAAAAAAAAAAAAA
+      BAYTAkNaMR4wHAYDVQQKDBVUcmV6b3IgQ29tcGFueSBzLnIuby4xJTAjBgNVBAMMHFRyZXpvciBN
+      YW51ZmFjdHVyaW5nIFJvb3QgQ0EwIBcNMjYwNTA2MTUyODI1WhgPMjA1NjA1MDYxNTI4MjVaME8x
+      CzAJBgNVBAYTAkNaMR4wHAYDVQQKDBVUcmV6b3IgQ29tcGFueSBzLnIuby4xIDAeBgNVBAMMF1Ry
+      ZXpvciBNYW51ZmFjdHVyaW5nIENBMCowBQYDK2VwAyEAWoUPt8reO7zfK2QepOuUtKibeX8UN+bL
+      tw82YFfo23mjZjBkMA4GA1UdDwEB/wQEAwICBDASBgNVHRMBAf8ECDAGAQH/AgEAMB0GA1UdDgQW
+      BBQUqVoIj2To/jFMcZRn6iOSWgNFLzAfBgNVHSMEGDAWgBRUnfqULSF0erM7XBrqPsO7p7D5IjAF
+      BgMrZXADQQCAIPusstEozIfzhnlCV/wuwHwJ/4s/Rv/0ElSpa04rvf3XO0DwsD3O2WCjhLdOrcHK
+      65q6wWdPfDvsoKNcFMsLAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+  5:
+    free: false
+    value: !!binary |
+      AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+      AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
       AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
       AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
       AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA