-
-
Notifications
You must be signed in to change notification settings - Fork 655
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Flash area API for Python, test speedup #3565
base: main
Are you sure you want to change the base?
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@andrewkozlik please review this change in particular.
one interesting point to note, with this API it would now be possible to request hashing of a specific firmware chunk, which would make the whole operation even faster, to the point of imperceptibility by the user.
(otoh if we did that, it might open the window for an attacker to essentially read out the firmware kilobyte by kilobyte, which might be a problem if some boundary check somewhere got messed up)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
if speed is a concern here, lets reconsider using sha256 on U5 models here too, so we can use hw accelerator.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This file LGTM.
request hashing of a specific firmware chunk, which would make the whole operation even faster
Why would we want to hash only a specific chunk? We have to hash the entire firmware, so doing it by chunks seems inefficient.
read out the firmware
Reading out the firmware is not a concern, so since you mention boundary checks, I assume you are concerned about reading out the norcow storage. That might be a concern, however, since the code requires offset and length alignment to 1024 bytes, you can't even read out the firmware.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why would we want to hash only a specific chunk? We have to hash the entire firmware, so doing it by chunks seems inefficient.
We don't technically need to. A malicious firmware will not be able to respond to a random partial challenge either -- unless, that is, most of the image is the same and only a small piece is changed.
Of course, that is something that is much easier to achieve deliberately. So doing partial challenges would be much weaker. (which could be offset, in some scenarios, by the ability to do one every N seconds).
anyway, just thinking out loud here
STATIC const mp_rom_map_elem_t mod_trezorio_flash_area_globals_table[] = { | ||
{MP_ROM_QSTR(MP_QSTR___name__), MP_ROM_QSTR(MP_QSTR_flash_area)}, | ||
MP_ROM_FLASH_AREA(BOARDLOADER), | ||
MP_ROM_FLASH_AREA(BOOTLOADER), | ||
MP_ROM_FLASH_AREA(FIRMWARE), | ||
MP_ROM_FLASH_AREA(STORAGE_A), | ||
MP_ROM_FLASH_AREA(STORAGE_B), | ||
MP_ROM_FLASH_AREA(TRANSLATIONS), | ||
#if USE_OPTIGA && !defined(TREZOR_EMULATOR) | ||
MP_ROM_FLASH_AREA(SECRET), | ||
#endif |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
TODO: in production mode, we should also not create objects for storage / secret
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
on U5 models, SECRET area is inaccessible to FW even in debug, so maybe that shouldn't be created there regardless on PRODUCTION
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
reviewed modtrezorio-flash.h
only
STATIC const mp_rom_map_elem_t mod_trezorio_flash_area_globals_table[] = { | ||
{MP_ROM_QSTR(MP_QSTR___name__), MP_ROM_QSTR(MP_QSTR_flash_area)}, | ||
MP_ROM_FLASH_AREA(BOARDLOADER), | ||
MP_ROM_FLASH_AREA(BOOTLOADER), | ||
MP_ROM_FLASH_AREA(FIRMWARE), | ||
MP_ROM_FLASH_AREA(STORAGE_A), | ||
MP_ROM_FLASH_AREA(STORAGE_B), | ||
MP_ROM_FLASH_AREA(TRANSLATIONS), | ||
#if USE_OPTIGA && !defined(TREZOR_EMULATOR) | ||
MP_ROM_FLASH_AREA(SECRET), | ||
#endif |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
on U5 models, SECRET area is inaccessible to FW even in debug, so maybe that shouldn't be created there regardless on PRODUCTION
and add debuglink messages for reading/writing flash this also refactors get_firmware_hash to use the flash area API instead of the original hardcoded function
29f75dd
to
fa4321f
Compare
This PR implements API for direct access to flash areas from MicroPython. This is then exposed over debuglink to allow us to mess with installed firmware and test inconsistency handling.
The second part of the PR uses this capability to check that the tested Trezor is in desired state. Storage will only be wiped when necessary. This should significantly speed up hardware tests.
tagging:
@mmilata for overall review
@andrewkozlik for specific code comments
@TychoVrahe for review of the flash area interface, i.e., most of the code in
modtrezorio-flash.h