Skip to content

Add T3W1 emulator certificates #6917

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Draft
onvej-sl wants to merge 28 commits into
base: main
Choose a base branch
from
Draft

Add T3W1 emulator certificates #6917

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
28 commits
Select commit Hold shift + click to select a range
11a9421
chore: create phony target in makefiles
onvej-sl May 13, 2026
19d14da
chore(core): replace `gen.sh` with `generate_certificates.py`
onvej-sl May 12, 2026
e5b0d24
fix(core): disable writing MCU attestation certificate in firmware
onvej-sl May 12, 2026
5241aa5
feat(core): use empty MCU attestation certificate in prodtest
onvej-sl May 12, 2026
c4363ac
feat(core/prodtest): enable writing MCU attestation certificate
onvej-sl May 13, 2026
21db7d3
chore: add debug root ed25519 key
onvej-sl May 13, 2026
dd7667b
chore: add debug root ML-DSA key
onvej-sl May 12, 2026
393985c
chore(core): add testing MCU attestation certificate
onvej-sl May 12, 2026
9068d30
chore(core): add testing tropic attestation key and certificate
onvej-sl May 12, 2026
d76a763
fixup! chore(core): add testing MCU attestation certificate
onvej-sl May 29, 2026
67d01de
fixup! chore: add debug root ed25519 key
onvej-sl May 29, 2026
c76a01f
chore: introduce new debug root P-256 key
onvej-sl May 29, 2026
092e49c
fixup! chore(core): add testing tropic attestation key and certificate
onvej-sl May 29, 2026
8d46c86
fix(core): fix testing Optiga certificates
onvej-sl May 27, 2026
c5bdf60
feat(tests): check key identifier
onvej-sl May 31, 2026
2e1bea7
fixup! chore: add debug root ed25519 key
onvej-sl May 31, 2026
81b143a
feat(tests): test serial numbers in certificates match
onvej-sl May 31, 2026
b508c16
feat(tests): always check basic constraints extension
onvej-sl May 31, 2026
5dfdffa
fixup! feat(tests): test serial numbers in certificates match
onvej-sl Jun 1, 2026
8467bbf
fixup! feat(tests): check key identifier
onvej-sl Jun 1, 2026
24fc452
fixup! chore(core): add testing tropic attestation key and certificate
onvej-sl Jun 1, 2026
0501dad
fixup! feat(tests): always check basic constraints extension
onvej-sl Jun 1, 2026
421844b
fix(tests): make `verify_cert_chain()` accept longer certificate chains
onvej-sl Jun 1, 2026
a345c58
refactor(tests): refactor `verify_cert_chain()`
onvej-sl Jun 1, 2026
37aa8d9
fixup! chore: add debug root ed25519 key
onvej-sl Jun 1, 2026
b72813b
fixup! chore: introduce new debug root P-256 key
onvej-sl Jun 1, 2026
cf80626
refactor(tests): import HSM keys
onvej-sl Jun 1, 2026
d1d5f08
fixup! chore: introduce new debug root P-256 key
onvej-sl Jun 1, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
36 changes: 34 additions & 2 deletions Makefile
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,3 +1,29 @@
.PHONY: help \
style_check style \
pystyle_check pystyle_quick_check pystyle \
changelog_check changelog_style \
translations_style translations_style_check \
yaml_check editor_check \
cstyle_check cstyle \
protostyle protostyle_check \
defs_check \
ruststyle ruststyle_check \
typecheck pyright \
mocks mocks_check \
templates templates_check \
solana_templates solana_templates_check \
icons icons_check \
protobuf protobuf_check \
docs_summary_check \
vendorheader vendorheader_check \
bootloader_hashes bootloader_hashes_check \
lsgen lsgen_check \
tropic_model_config tropic_model_config_check \
hsm_keys hsm_keys_check \
certs certs_check \
gen gen_check \
uvlock_check

## help commands:

help: ## show this help
Expand Down Expand Up @@ -199,9 +225,15 @@ hsm_keys:
hsm_keys_check:
./core/tools/generate_hsm_keys.py --check

gen: templates mocks icons protobuf vendorheader solana_templates bootloader_hashes lsgen tropic_model_config hsm_keys ## regenerate auto-generated files from sources
certs:
./core/tools/generate_certificates.py

certs_check:
./core/tools/generate_certificates.py --check

gen: templates mocks icons protobuf vendorheader solana_templates bootloader_hashes lsgen tropic_model_config hsm_keys certs ## regenerate auto-generated files from sources

gen_check: templates_check mocks_check icons_check protobuf_check vendorheader_check solana_templates_check bootloader_hashes_check lsgen_check tropic_model_config_check hsm_keys_check ## check validity of auto-generated files
gen_check: templates_check mocks_check icons_check protobuf_check vendorheader_check solana_templates_check bootloader_hashes_check lsgen_check tropic_model_config_check hsm_keys_check certs_check ## check validity of auto-generated files
Comment thread
coderabbitai[bot] marked this conversation as resolved.

uvlock_check: ## check that uv.lock is up to date
@echo [UVLOCK-CHECK]
Expand Down
2 changes: 2 additions & 0 deletions ci/hardware_tests/tpmb/Makefile
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,3 +1,5 @@
.PHONY: default compile

default: compile

compile:
Expand Down
5 changes: 4 additions & 1 deletion common/hsm_keys.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -24,9 +24,12 @@
"DEV_AUTH_ROOT_PROD_BACKUP_P256": "04c6a673af4ec44b10441b1d78676e15173ad0e36df9f7f2fa1cd819955f20fe32917b60da5fed3b3aa54a9ab8b3ed27d198b3768cad26eef5935cd87af0af065e",
"DEV_AUTH_ROOT_PROD_BACKUP_ED25519": "5612606584ee7e0bc313b13f7ac94156bb4cb75bd77585ddbe579301306e85f1",
"DEV_AUTH_ROOT_PROD_BACKUP_MLDSA44": "fedf8b0c16164b9cec427882aa03d3bd6a1588cfbaebaf93cf2fc52f275417777433a938dcd6516345148f728c935a40ef3b6c41fd3ed831fea13774bd39887da8b06e2e671cc32a1c72e44a13d1cd985dc2ddcb63e457bbd29d38186ddb776b8e73b645c8bf616309f890d175538a9d10c82e595dea03f70564ff69b53497ecefd51fd8320041d9b1092386033ed37a93dd9b4b9da1297f808eac21020b8dc4747e01854ebdc407a04fc18b2758720125acb41f0c60e16cd53707a65392feed06c9fcc28a3e738dbc91614e89e5d535274c6b226d83f335a0dd088755571cf62496ca4642ec8e65eba8be2b8cec46416c6a3ad4be10569ac532e02d6e06b6ce0c0d4b7a99a11c910f9f0631b0cd72e20637237eeff723e722f7aa626732434c47843a099739e96e31267d8d6905d8b2b712a5a69d9343a3c1e07afb414b73950f4b1df196243005fb61c6200ef346826d6c0f4cc8ede052ed48235997bb366dade4483bfc11fe65fd0c5539e89d8bd271e54e30da6e5192a0f343dea3806aa798d12d62251a063d071ba67c35d3a26e582c2d361cf2d0fc36fb1b5a46e469669338b1c1744bdfe365700a6a1c641ab2b7906e2b7c0c0a9af8862ab5751a678e3e0156847ff6093ca7ebd48dd8b1d6f7736c2039e705c1e20f42ed5cac6db3dc7a7e2facbb75411e7fb8a156df52a2926afa9070937cde4dd4bd456294ba59bdcf123f11dcda267d475721abfecab1b31848a27236aa751e5b55015f033d87fb9cf5c086e09f1667cf7ec2e72436c907c5763690d698fffa997709bb89526cae772bb962c06ed1b89d418835672b85e1a1b2e3c55f4e607ecad09bdb3a18224b9805659aa2ecf0b62dbf6265e27d4101450edb590d52d525b62b1114dad2eb06c951a2c77c7ecfbf5f1f6fe285f39727958ce0b5cfe8fd465420c270309999e6694ee31fcb7d6480a75d0d72558cd6a050b8d11a9a6d7736700027fbe14b48949b7e1af2ca148ad4e4b4b93e9575a4119afd1b57c250606d5a4e258c2393c104d651995b1e75887f492ff05e92e1630332f176d86a0453b412d0869d98d6ab27377a74766e3cadde29c1853e6398a9edfa48c0d14e7c148b048f1bf25d11979e94878cb86eaf1e55638c1b39e0ac5254a009bf957f4b624796753c3451246e5a7b9022926aa77b7a1b4ae7d25f776d4395ba98a37d9e21b221da29564e50a669056650a40489386e8909c6ca21d369c3495c44b2f71373a392c9fa89c9085f467d24d6219fcdd2b56126792eb6a14269c4264a56926b1a7d9a1c03d9649d157f938abfdc2a56c20795065774838030da41a4c6178919cc1c6c88de1458d9baa1e51a4a1994e6d5cc94b049b15c235c5cf46d2cf23f09d565c5a5497ef0b3a5fbc8d1be8ed78f3794c49d4936139b0419faaffc52b55cb91f6e1bafacd55523c0b7eec56d98e4228cd0f9d00bc9866dac71e43db2b2cf311999d7bc3a49219836f558cbb5d8faa79e83079c6ce92288aae852553b655ef6bc87fbb25ca3ab482aecaf0a86eecc92341906cc89d234087f5abd6d2100a60d361d516d460d436b46706ad44b8b4ef3fe54ea198ffc2cf8c8e144ec62c4ce86ed5d181283fc17c926668ca4e0b8683e0c7bc662a54ea7f4c830365ad1cdea58abee9a726168ce9870729972884ecfe5baf06f1ee664aa422e26f9f76e20908d72e78c1a2dcd94fe1c07573d7706d7bdc07d0b41498c0d52ec3a90d6e7c0fcef597a884fb2caba29c2279569a1e64dd6c7ed4b312d2197b6391407899b25d21cefd1408eca42204f76cb0436f44c0a9c2e1eca19df8d93255c0da6469dc47da883e186387f76011cc8",
"DEV_AUTH_ROOT_DEBUG_P256": "04521192e173a9da4e3023f747d836563725372681eba3079c56ff11b2fc137ab189eb4155f371127651b5594f8c332fc1e9c0f3b80d4212822668b63189706578",
"DEV_AUTH_ROOT_DEBUG_P256_OLD": "04521192e173a9da4e3023f747d836563725372681eba3079c56ff11b2fc137ab189eb4155f371127651b5594f8c332fc1e9c0f3b80d4212822668b63189706578",
"DEV_AUTH_ROOT_DEBUG_P256": "0423bf3b9859e851a40820d6c142074f495fd7d2714064e26cc5abcb09bff287b4ca835f861c5da427221adc8f5c009925fee638d1ee4d8a85cb2e0754b6069576",
"DEV_AUTH_ROOT_STAGING_P256": "0465e88f9b2cea67e8364f0cfcfacd500af24e9040b357beee629ccc4fce1704d1a7ef7284f387708f92ef14600e2caad6894016fee819d623b95d66210c3e7519",
"DEV_AUTH_ROOT_DEBUG_ED25519": "04e3856182309678a15767451f931ed86617b1d25462afcbddc81dc80bfc1661",
"DEV_AUTH_ROOT_STAGING_ED25519": "cd318dc8405ae4f4144e3284dcb7b0cb0f0c2195c2ca14a0f6fccd9104e32a4b",
"DEV_AUTH_ROOT_DEBUG_MLDSA44": "61f55aab34281075da5440809d050570777666b5253715f26b1c0f092410953b2e6ca3deba7ec51f35201019eeaedd2e121177a9a3cb90319d431ef422ea7b28dfcdbb09686f7103e5ad6604c0e988cd48e199312106f80d7cf3a65a8bb47cce171442eb98a9c361181418db7ba3d315a4dd4b305f8b5ae4af33828ad53770246dacff8d5061a3df3569e79112063d054abd9d2e67443b7183e5b2078be23c6cd5a53db1a318778176cd61e6e0d90fd06d6012d258c0b968956ddf39d198e373b6b588dd6470eb33425f734f739ca5b2716da2a2116a90dedff18d311052ee366981661b679682069a639824a1acf80efcc98aace2b03491e3bd4a973ddfbf36921cc3e65e5fecbe924fc3936534a145c7dbfaa07854637e53a328a342691ba2fa602bc84759992c2177f299e9cc2e9fed1b1fcd95a1fb20b9b7081f8949177ede03b03890f6cf234a0a8947754e3811460e4c0d096d57da3f433d14de41e662700f0b07940cca64a8b083f714bf5da74105fd536c379925c7fa5d559bb2d77ffdd2e41cd7db3a13cb68f849e2214ce3f0c3dbec66059b7973dc87012065f34fa0b3a66627526da319ffe4577433b6cb95ac932d119cb4b3d8dd718e96763dbd0e99052b8da8d74f19b1a355e9babb6a1e5639da18396b0b21023a6d29b354681801c62a20272460337ce3d5ebcf2ab07d248eb6e7cb2cc3e64fdc5f7c414e42fe3748dbf9a2b8fdb02e7c5ae6cac416fb9016f03905e24d59fe41793768f5af7411659d393abfced35763c2e69fe9c3114af3a4d90ed953e88eff7b0684fdcaddcea277dac68629adf27911c2565741eebd3413dceab3909c04c327e991f63dde2315e5297af2e7e598e238ef09ca86f6b748753412718ef0f6f77065747771b9e1f4e1f46acea36d298865bde8b7aece61378d6a79942417201bb3b6ce3ae81bc838a40ebb8759fedb7cfa0f05acc62e365a2f74262944ba8e097bfa7bfd68800923628f9bd02293bdc4935a392787fb893d08134729461e74c6718752a69b83788911b99e327aadb1ff57fc6b506ccd832372f94bf0c7f06add3cb337d232494413a82874687e9476da4687c7ff7a8c587d33b63a595ba8e42655046d8f880e66d489f1a9a2db8af1e428257dc0dedb9c97187b47efc347d28dc1bac6d73f5b15fe5030a2ac9bf3b45ed631b67ab97510217675d57f46461188558a5614201648ffcf33508c95337f54b3be00fc2942ca919a941e0309a1fb7920ff507ea64085b033e2d745fb14f69add738837783ed1751d7835d9b594aa60c971027b18cddc309f29713988b7efb60af375542fc1ff770d60af53681973454109d33a96fd40463c43e49da18995cefd0278cf8b04d384c9f6c0494f26f2341bc53bed21fbff0707523dbed4a6296aa63b5c502e97d95af1b4305511c3df022ae44e3ea6ead99e199d4a02788106c0dfa989a7be20db8c2fba961d31f102ba8de6f18475932e610c164fd060eecdd16dfbd0f7a8a6922432b04733b68cb4a5fb06e1c18143d005ad5256906a17ad4ea06f2a34f2ad6a73dff03a8ae41b58383088df9ed8691d08b04c6d4979ea9f352826a670e28bd8c890a9863ee34472f1c9f9f8f070fb0083851b6deb6fd390e2db0dd8f52ca53eebd046374f4fa3fb9bcff4b951ecdcf1aa95abb647447f077344c43a6275f2d0506e784a7a98a05029e8a3c6a831387df7907be3c6723a9416c1dd20d47d9824b907ee435883afe1e9a75c65da8974e1cd5f430b97ebc4f6fde307f25a09fac614bb8313e74e00062a91bf5f06fbde976cd4eb7e36c4b8268a140d409334947ce41865665345dcc4d7d3e02d77db",
"DEV_AUTH_ROOT_STAGING_MLDSA44": "1f3e5edad45fc6980dbfd597ed17b77e4d4ad1b1ec4804e04dc061cc2cfe77bc96fbc93f698f1fe00c47177c8150276dab86cbf407add7527deb09b65a6623ef581422292d77744be64f4401ca65b9bd027e32a76f307413b086869eccbcfc5e8823be8e0b3897727bca568feeff62957cd1e261e4aab67271725d240c7e7d2a20a5c201699be83d6c6a57fdfc09ac9b6b599e2a14a50e421d246d1d1df805db0b25534e500fed76fa89975a4270e274a9fa72b528e47d999abdeca5e08e51d447ae4019f699088d485bb52d5eec7a8c725cd34ff955c16437877a131f068438b5699c2285000463e24c633b023cde279be015db2f8b16de07fa82ee9adcbf868b898e25eeef5d60d03e1da874aca6f2089b1e7c72d7b532d3a27e38936d53c0080f9908b6727b13fe961ec8b08004f077b9cce95b5eee9b44d351e79eb222aba1bc18895d36cf4843ffcdfc735e1b66f3e72db5aaf8b5ecf56dbf0d616cf53d192a60e61ad3c51a595213100fd00835434a28aab3eb5949d3405de5db1a586bd6e937444913e9f1d4c00247acd49a2ed9953636e5d74417b4c7144c6c22fd8f7e25cb6cf6c8510de6915b74c95a28c197152208096d0249b86150e807978ca985c110d07b7d0a24434039f6ef12a69d3e073af6ae44e7c4606a354a3e953bdcff10c8dc68b807f41ac563ff0d7141c328b34152a25a16e9cb8228f7707356d2d7f3caa8d778a85e3b66242c124281c0f3201ad28596b868db138149eb98b821dcaaf86b5e11c2ac1161975bf0b2ecefc111b7b7401ce261911526618044d126eeee885efe51be0e32e93aaaffe34899df5b10df7c5a9c54c5b4704671640a92e8631f0d401f44c2238b5f9a37499b3d83c1c60096f2b48c3081dd9769db325c1cd1ffe84bfd8a80dde3cd650c49e14af3ab6c317ee74bd39e976ff5b7ad490e80f3eff9edf3b3855070a5a06fbe9cbca54f521e3d74cf13a4d116e23e531a7c70232c044b7e7d02467afe2a40def14298688eced5d3d87a102d31d7cd5409918ced4bab190505df48f451deea1c29168246d621529f0346eaab0e2302f3ce206dd84837704b8bdedbadea5b5822cdecbfdb180cde14e62ee26a929f0a37a99bacfe237376a3e6c289b06b8e93ed9d1435e3ee6399ab1a06d4f70097f80e26fe6f60b27a68104f6333b8db1bc78e12d54647b23feb0f11ae070f3a6be9d9f4d89a6b5ef8595d010d410e72138cfcbd5e41cca1df33ddad657b699cf4d3dc602888e5aaa0a7a2325ba4a36d7de49c591d8e355fd1de644d772bf2a060093743388dbe5d30a2d97304abc17c547bd65276291d6aa7b0723703733239fabef39c2de47071d50074e68fbe71c88f75d4510bb5f6bc244b3e7b219eb89fe5f148459a2d693cd3fac32aa069cbdd4e27c9778096f6805bf6df9aec9671f0a58b28704f74775e81ac46826c1c4709b0e0989d6e8e73bd1795ce85d85c14ad2997cd2810272a5682e7ed9aa7a092708c0f4bc67f68d317d406a96ddd2842ea22cbf3410cd7a77005b61115b794894cf9d10ebb4f5552bec8c21d90ba97d6139d5261d7f51f4009c3618f9feb22cc929ade204eca7c0f813409ceb88a13512f85e03948314ba9c4488aafda88ce447a0e052a6a605e32d04a20e2e52c41f371247963f24fc28c5cc1ddd8fe1681a2a293daf2688e9b026303a76cc60f40290c4d823efb85f36cb5e092369cc20515a8077e7702ed54ca1565d37b83184ee46c4a6adf2840f5a5fb002db70690bbf93888e685fdd1f9ea211b42693e0bd5ba5235a6ea1b714774d13279d7db3440f7fbced53f203ce6500555bcb9251e6f36d3352326501c"
}
}
Expand Down
2 changes: 2 additions & 0 deletions common/protob/Makefile
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,3 +1,5 @@
.PHONY: check combine clean

check: messages.pb messages-bitcoin.pb messages-ble.pb messages-bootloader.pb messages-cardano.pb messages-common.pb messages-crypto.pb messages-debug.pb messages-ethereum.pb messages-management.pb messages-monero.pb messages-nem.pb messages-ripple.pb messages-stellar.pb messages-tezos.pb messages-tron.pb messages-eos.pb messages-solana.pb messages-definitions.pb messages-telemetry.pb

%.pb: %.proto
Expand Down
2 changes: 2 additions & 0 deletions common/udev/dist/Makefile
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,3 +1,5 @@
.PHONY: all shell

VOL_MOUNT = -v $(shell pwd):/release
IMAGETAG = trezor-udev-build-env

Expand Down
2 changes: 2 additions & 0 deletions core/embed/projects/bootloader/protob/pb/Makefile
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,3 +1,5 @@
.PHONY: all clean

all: messages.pb.c messages-debug.pb.c

%.pb.c: %.pb %.options
Expand Down
3 changes: 3 additions & 0 deletions core/embed/projects/prodtest/cmd/common.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -48,6 +48,9 @@ const uint8_t ROOT_KEYS_P256[][ECDSA_PUBLIC_KEY_SIZE] = {
DEV_AUTH_ROOT_PROD_BACKUP_P256,
#endif
#else
#ifdef DEV_AUTH_ROOT_DEBUG_P256_OLD
DEV_AUTH_ROOT_DEBUG_P256_OLD,
#endif
#ifdef DEV_AUTH_ROOT_DEBUG_P256
DEV_AUTH_ROOT_DEBUG_P256,
#endif
Expand Down
Loading
Loading