cargo vet

[obrusvit]

This PR adds cargo-vet integration to track internal audits of 3rd party crates and to offshore some reviews to trusted parties.

See https://mozilla.github.io/cargo-vet/index.html

[coderabbitai]

Walkthrough

This PR adds cargo-vet supply-chain audit verification to the Trezor firmware Rust build pipeline. It introduces the cargo-vet tool to the development environment via shell.nix, creates a new make target (vet_rust) that runs cargo vet --locked, integrates this target as a verification step in the core unit test GitHub Actions workflow, and adds two configuration files: config.toml (defining cargo-vet version, import sources, and per-crate exemptions for 277 lines) and audits.toml (declaring safe-to-deploy audit entries for specific crate versions and trusted user policies).

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (1 warning, 1 inconclusive)

Check name	Status	Explanation	Resolution
Description check	⚠️ Warning	The PR description lacks substantive content beyond mentioning cargo-vet integration. It does not provide context, rationale, or implementation details required for proper review.	Expand the description to explain why cargo-vet is needed, what problem it solves, the implementation approach (initial exemptions followed by imports), external audit sources used, and the vetting policy framework being established.
Title check	❓ Inconclusive	The title 'cargo vet' is vague and does not clearly convey the specific purpose of the changes, which is to introduce cargo-vet tooling and supply-chain auditing.	Use a more descriptive title such as 'Add cargo-vet supply-chain auditing tooling' to better summarize the primary objective.

✅ Passed checks (3 passed)

Check name	Status	Explanation
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch obrusvit/cargo-vet

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

en main(all)

model	device_test	click_test	persistence_test
T2T1	test(all) main(all)	test(all) main(all)	test(all) main(all)
T3B1	test(all) main(all)	test(all) main(all)	test(all) main(all)
T3T1	test(all) main(all)	test(all) main(all)	test(all) main(all)
T3W1	test(all) main(all)	test(all) main(all)	test(all) main(all)

Latest CI run: 26687998413

[mmilata]

👍 to me personally this seems like a good direction to go.

I think the main consideration is how we set up the criteria. The default policy is to require safe-to-deploy ("no obvious backdoors even when processing untrusted input") for runtime and build dependencies, and safe-to-run ("no obvious backdoors") for dev dependencies, so I'd probably start with that. Works well with the imported reviews.

Then if we feel like it we can extend this with additional criteria like unsafe-reviewed/no-unsafe and crypto-reviewed/no-crypto, and require these by a policy. Not sure whether it would make sense to set different policies for different crates like firmware/kernel/secmon. See google's criteria for an example.

skimmed doesn't seem very useful, either we should turn it into safe-to-deploy, or add the skimmed crates to the list of exemptions and don't use it in newer reviews.

[Copilot]

Pull request overview

Adds cargo vet support for the Core Rust workspace so Rust dependency supply-chain checks can run in local Nix shells and CI.

Changes:

• Adds cargo-vet to the Nix development environment.
• Adds a make vet_rust target and wires it into the Core Rust CI job.
• Introduces cargo-vet supply-chain configuration, local audits, imported audits lockfile, and exemptions.

Reviewed changes

Copilot reviewed 5 out of 6 changed files in this pull request and generated no comments.

Show a summary per file

File	Description
shell.nix	Adds the cargo-vet tool to the development shell.
core/Makefile	Adds a vet_rust target that runs cargo-vet for Core Rust dependencies.
core/embed/supply-chain/imports.lock	Adds generated locked imported audit data for cargo-vet.
core/embed/supply-chain/config.toml	Adds cargo-vet configuration, imported audit sources, policies, and exemptions.
core/embed/supply-chain/audits.toml	Adds local audits and a trusted publisher entry.
.github/workflows/core.yml	Runs the new cargo-vet target in the Core Rust CI job.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[obrusvit]

@mmilata I reworked the PR to be more comprehensive. Go by commits to see the clear progress. I ported only the reviewed crates from our Notion table and I don't introduce any new criteria. I think it's a good enough starting point.

Currently, cargo vet gives the following result:

Vetting Succeeded (33 fully audited, 62 exempted)