trezor
diff --git a/‎Makefile‎
Lines changed: 8 additions & 2 deletions b/‎Makefile‎
Lines changed: 8 additions & 2 deletions
diff --git a/‎core/embed/projects/prodtest/.changelog.d/6829.added‎
Lines changed: 1 addition & 0 deletions b/‎core/embed/projects/prodtest/.changelog.d/6829.added‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎core/embed/projects/prodtest/cmd/common.c‎
Lines changed: 31 additions & 28 deletions b/‎core/embed/projects/prodtest/cmd/common.c‎
Lines changed: 31 additions & 28 deletions
diff --git a/‎core/embed/projects/prodtest/cmd/common.h‎
Lines changed: 2 additions & 0 deletions b/‎core/embed/projects/prodtest/cmd/common.h‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎core/embed/projects/prodtest/cmd/prodtest_backup_ram.c‎
Lines changed: 22 additions & 11 deletions b/‎core/embed/projects/prodtest/cmd/prodtest_backup_ram.c‎
Lines changed: 22 additions & 11 deletions
@@ -199,6 +199,12 @@ hsm_keys:
 hsm_keys_check:
 	./core/tools/generate_hsm_keys.py --check
 
-gen:  templates mocks icons protobuf vendorheader solana_templates bootloader_hashes lsgen tropic_model_config hsm_keys ## regenerate auto-generated files from sources
+prodtest_error_codes: ## generate prodtest error codes JSON
+	python3 core/tools/prodtest_error_codes.py
 
-gen_check: templates_check mocks_check icons_check protobuf_check vendorheader_check solana_templates_check bootloader_hashes_check lsgen_check tropic_model_config_check hsm_keys_check ## check validity of auto-generated files
+prodtest_error_codes_check: ## check prodtest error codes JSON is up to date
+	python3 core/tools/prodtest_error_codes.py --check
+
+gen:  templates mocks icons protobuf vendorheader solana_templates bootloader_hashes lsgen tropic_model_config hsm_keys prodtest_error_codes ## regenerate auto-generated files from sources
+
+gen_check: templates_check mocks_check icons_check protobuf_check vendorheader_check solana_templates_check bootloader_hashes_check lsgen_check tropic_model_config_check hsm_keys_check prodtest_error_codes_check ## check validity of auto-generated files
@@ -0,0 +1 @@
+Introduce prodtest error codes.
@@ -224,7 +224,7 @@ static bool get_authority_key_digest(cli_t* cli, DER_ITEM* tbs_cert,
                                      const uint8_t** authority_key_digest) {
   DER_ITEM extensions = {0};
   if (!get_cert_extensions(tbs_cert, &extensions)) {
-    cli_error(cli, CLI_ERROR,
+    cli_error(cli, PRODTEST_ERR_COMMON_CERT_EXTENSIONS,
               "get_authority_key_digest, extensions not found.");
     return false;
   }
@@ -234,7 +234,7 @@ static bool get_authority_key_digest(cli_t* cli, DER_ITEM* tbs_cert,
   if (!get_extension_value(OID_AUTHORITY_KEY_IDENTIFIER,
                            sizeof(OID_AUTHORITY_KEY_IDENTIFIER), &extensions,
                            &extension_value)) {
-    cli_error(cli, CLI_ERROR,
+    cli_error(cli, PRODTEST_ERR_COMMON_CERT_AUTH_KEY_NOT_FOUND,
               "get_authority_key_digest, authority key identifier extension "
               "not found.");
     return false;
@@ -244,7 +244,7 @@ static bool get_authority_key_digest(cli_t* cli, DER_ITEM* tbs_cert,
   DER_ITEM auth_key_id = {0};
   if (!der_read_item_expected(&extension_value.buf, DER_SEQUENCE,
                               &auth_key_id)) {
-    cli_error(cli, CLI_ERROR,
+    cli_error(cli, PRODTEST_ERR_COMMON_CERT_AUTH_KEY_EXTNVALUE,
               "get_authority_key_digest, failed to open authority key "
               "identifier extnValue.");
     return false;
@@ -254,15 +254,15 @@ static bool get_authority_key_digest(cli_t* cli, DER_ITEM* tbs_cert,
   DER_ITEM key_id = {0};
   if (!der_read_item_expected(&auth_key_id.buf, DER_X509_KEY_IDENTIFIER,
                               &key_id)) {
-    cli_error(cli, CLI_ERROR,
+    cli_error(cli, PRODTEST_ERR_COMMON_CERT_AUTH_KEY_FIELD,
               "get_authority_key_digest, failed to find keyIdentifier field.");
     return false;
   }
 
   // Return the pointer to the keyIdentifier data.
   if (buffer_remaining(&key_id.buf) != SHA1_DIGEST_LENGTH ||
       !buffer_ptr(&key_id.buf, authority_key_digest)) {
-    cli_error(cli, CLI_ERROR,
+    cli_error(cli, PRODTEST_ERR_COMMON_CERT_AUTH_KEY_LEN,
               "get_authority_key_digest, invalid length of keyIdentifier.");
     return false;
   }
@@ -442,7 +442,7 @@ bool check_cert_chain(cli_t* cli, const uint8_t* chain, size_t chain_size,
     cert_count += 1;
     DER_ITEM cert = {0};
     if (!der_read_item_expected(&chain_reader, DER_SEQUENCE, &cert)) {
-      cli_error(cli, CLI_ERROR,
+      cli_error(cli, PRODTEST_ERR_COMMON_CERT_CHAIN_READ_CERT,
                 "check_device_cert_chain, der_read_item 1, cert %d.",
                 cert_count);
       return false;
@@ -451,7 +451,7 @@ bool check_cert_chain(cli_t* cli, const uint8_t* chain, size_t chain_size,
     // Read the tbsCertificate.
     DER_ITEM tbs_cert = {0};
     if (!der_read_item_expected(&cert.buf, DER_SEQUENCE, &tbs_cert)) {
-      cli_error(cli, CLI_ERROR,
+      cli_error(cli, PRODTEST_ERR_COMMON_CERT_CHAIN_READ_TBS,
                 "check_device_cert_chain, der_read_item 2, cert %d.",
                 cert_count);
       return false;
@@ -461,7 +461,7 @@ bool check_cert_chain(cli_t* cli, const uint8_t* chain, size_t chain_size,
     DER_ITEM der_item = {0};
     for (int i = 0; i < 5; ++i) {
       if (!der_read_item(&tbs_cert.buf, &der_item)) {
-        cli_error(cli, CLI_ERROR,
+        cli_error(cli, PRODTEST_ERR_COMMON_CERT_CHAIN_READ_TBS_PRELUDE,
                   "check_device_cert_chain, der_read_item 3, cert %d.",
                   cert_count);
         return false;
@@ -471,7 +471,7 @@ bool check_cert_chain(cli_t* cli, const uint8_t* chain, size_t chain_size,
     // Read the subject.
     DER_ITEM subject = {0};
     if (!der_read_item_expected(&tbs_cert.buf, DER_SEQUENCE, &subject)) {
-      cli_error(cli, CLI_ERROR,
+      cli_error(cli, PRODTEST_ERR_COMMON_CERT_CHAIN_READ_SUBJECT,
                 "check_device_cert_chain, der_read_item 4, cert %d.",
                 cert_count);
       return false;
@@ -487,7 +487,7 @@ bool check_cert_chain(cli_t* cli, const uint8_t* chain, size_t chain_size,
           common_name_size != sizeof(SUBJECT_COMMON_NAME) ||
           memcmp(common_name, SUBJECT_COMMON_NAME,
                  sizeof(SUBJECT_COMMON_NAME)) != 0) {
-        cli_error(cli, CLI_ERROR,
+        cli_error(cli, PRODTEST_ERR_COMMON_CERT_CHAIN_COMMON_NAME,
                   "check_device_cert_chain, invalid common name.");
         return false;
       }
@@ -499,7 +499,7 @@ bool check_cert_chain(cli_t* cli, const uint8_t* chain, size_t chain_size,
       if (!unit_properties_get_sn(device_sn, sizeof(device_sn),
                                   &device_sn_size) ||
           device_sn_size == 0) {
-        cli_error(cli, CLI_ERROR,
+        cli_error(cli, PRODTEST_ERR_COMMON_CERT_CHAIN_DEVICE_SN,
                   "check_device_cert_chain, device_sn not set.");
       }
 
@@ -508,13 +508,13 @@ bool check_cert_chain(cli_t* cli, const uint8_t* chain, size_t chain_size,
       if (!get_name_attribute(&subject, OID_SERIAL_NUMBER,
                               sizeof(OID_SERIAL_NUMBER), &subject_sn,
                               &subject_sn_size)) {
-        cli_error(cli, CLI_ERROR,
+        cli_error(cli, PRODTEST_ERR_COMMON_CERT_CHAIN_SERIAL_NUM,
                   "check_device_cert_chain, serialNumber not set.");
       }
 
       if (subject_sn_size != device_sn_size ||
           memcmp(subject_sn, device_sn, device_sn_size) != 0) {
-        cli_error(cli, CLI_ERROR,
+        cli_error(cli, PRODTEST_ERR_COMMON_CERT_CHAIN_SN_MISMATCH,
                   "check_device_cert_chain, serial number mismatch.");
         return false;
       }
@@ -524,7 +524,7 @@ bool check_cert_chain(cli_t* cli, const uint8_t* chain, size_t chain_size,
     // Read the Subject Public Key Info.
     DER_ITEM pub_key_info = {0};
     if (!der_read_item_expected(&tbs_cert.buf, DER_SEQUENCE, &pub_key_info)) {
-      cli_error(cli, CLI_ERROR,
+      cli_error(cli, PRODTEST_ERR_COMMON_CERT_CHAIN_READ_SPKI,
                 "check_device_cert_chain, der_read_item 5, cert %d.",
                 cert_count);
       return false;
@@ -534,7 +534,7 @@ bool check_cert_chain(cli_t* cli, const uint8_t* chain, size_t chain_size,
     DER_ITEM alg = {0};
     if (!der_read_item_expected(&pub_key_info.buf, DER_SEQUENCE, &alg) ||
         !get_algorithm(&alg, &alg_id)) {
-      cli_error(cli, CLI_ERROR,
+      cli_error(cli, PRODTEST_ERR_COMMON_CERT_CHAIN_ALGORITHM,
                 "check_device_cert_chain, reading algorithm, cert %d.",
                 cert_count);
       return false;
@@ -545,15 +545,15 @@ bool check_cert_chain(cli_t* cli, const uint8_t* chain, size_t chain_size,
     uint8_t unused_bits = 0;
     if (!der_read_item_expected(&pub_key_info.buf, DER_BIT_STRING,
                                 &pub_key_val)) {
-      cli_error(cli, CLI_ERROR,
+      cli_error(cli, PRODTEST_ERR_COMMON_CERT_CHAIN_READ_PUBKEY_BITS,
                 "check_device_cert_chain, der_read_item 6, cert %d.",
                 cert_count);
       return false;
     }
 
     if (!buffer_get(&pub_key_val.buf, &unused_bits) ||
         !buffer_ptr(&pub_key_val.buf, &pub_key)) {
-      cli_error(cli, CLI_ERROR,
+      cli_error(cli, PRODTEST_ERR_COMMON_CERT_CHAIN_PUBKEY,
                 "check_device_cert_chain, reading public key, cert %d.",
                 cert_count);
       return false;
@@ -563,7 +563,7 @@ bool check_cert_chain(cli_t* cli, const uint8_t* chain, size_t chain_size,
     // Verify the previous signature.
     if (!verify_signature(alg_id, pub_key, pub_key_size, sig, sig_size, message,
                           message_size)) {
-      cli_error(cli, CLI_ERROR,
+      cli_error(cli, PRODTEST_ERR_COMMON_CERT_CHAIN_VERIFY_SIG,
                 "check_device_cert_chain, verify_signature, cert %d.",
                 cert_count);
       return false;
@@ -583,7 +583,7 @@ bool check_cert_chain(cli_t* cli, const uint8_t* chain, size_t chain_size,
     // skip the signatureAlgorithm
     DER_ITEM sig_alg = {0};
     if (!der_read_item_expected(&cert.buf, DER_SEQUENCE, &sig_alg)) {
-      cli_error(cli, CLI_ERROR,
+      cli_error(cli, PRODTEST_ERR_COMMON_CERT_CHAIN_READ_SIG_ALG,
                 "check_device_cert_chain, der_read_item 7, cert %d.", "%d.",
                 cert_count);
       return false;
@@ -594,7 +594,7 @@ bool check_cert_chain(cli_t* cli, const uint8_t* chain, size_t chain_size,
     if (!der_read_item_expected(&cert.buf, DER_BIT_STRING, &sig_val) ||
         !buffer_get(&sig_val.buf, &unused_bits) || unused_bits != 0 ||
         !buffer_ptr(&sig_val.buf, &sig)) {
-      cli_error(cli, CLI_ERROR,
+      cli_error(cli, PRODTEST_ERR_COMMON_CERT_CHAIN_SIG_VALUE,
                 "check_device_cert_chain, reading signatureValue, cert %d.",
                 cert_count);
       return false;
@@ -612,7 +612,7 @@ bool check_cert_chain(cli_t* cli, const uint8_t* chain, size_t chain_size,
 
     uint8_t decoded_sig[64] = {0};
     if (ecdsa_sig_from_der(sig, sig_size, decoded_sig) != 0) {
-      cli_error(cli, CLI_ERROR,
+      cli_error(cli, PRODTEST_ERR_COMMON_CERT_CHAIN_ECDSA_DER,
                 "check_device_cert_chain, ecdsa_sig_from_der root.");
       return false;
     }
@@ -632,7 +632,7 @@ bool check_cert_chain(cli_t* cli, const uint8_t* chain, size_t chain_size,
       }
     }
     if (!matches) {
-      cli_error(cli, CLI_ERROR,
+      cli_error(cli, PRODTEST_ERR_COMMON_CERT_CHAIN_ECDSA_ROOT,
                 "check_device_cert_chain, ecdsa_verify_digest root.");
       return false;
     }
@@ -643,7 +643,7 @@ bool check_cert_chain(cli_t* cli, const uint8_t* chain, size_t chain_size,
     const char msg[] =
         "check_device_cert_chain, failed to get root public key.";
 #if PRODUCTION
-    cli_error(cli, CLI_ERROR, msg);
+    cli_error(cli, PRODTEST_ERR_COMMON_CERT_CHAIN_ROOT_KEY, msg);
     return false;
 #else
     // In non-production mode we succeed and write the certificate even if the
@@ -656,7 +656,7 @@ bool check_cert_chain(cli_t* cli, const uint8_t* chain, size_t chain_size,
   // Verify the last signature.
   if (!verify_signature(alg_id, pub_key, pub_key_size, sig, sig_size, message,
                         message_size)) {
-    cli_error(cli, CLI_ERROR,
+    cli_error(cli, PRODTEST_ERR_COMMON_CERT_CHAIN_ROOT_SIG,
               "check_device_cert_chain, verify_signature, cert %d.",
               cert_count);
     return false;
@@ -708,7 +708,8 @@ void binary_update(cli_t* cli, bool (*finalize)(uint8_t* data, size_t len)) {
     }
 
     if (!binary_update_in_progress) {
-      cli_error(cli, CLI_ERROR, "Update not started. Use 'begin' first.");
+      cli_error(cli, PRODTEST_ERR_COMMON_UPDATE_NOT_STARTED,
+                "Update not started. Use 'begin' first.");
       goto cleanup;
     }
 
@@ -732,13 +733,14 @@ void binary_update(cli_t* cli, bool (*finalize)(uint8_t* data, size_t len)) {
     }
 
     if (binary_len == 0) {
-      cli_error(cli, CLI_ERROR, "No data received");
+      cli_error(cli, PRODTEST_ERR_COMMON_UPDATE_NO_DATA, "No data received");
       goto cleanup;
     }
 
     if (!finalize(binary_buffer, binary_len)) {
       binary_len = 0;
-      cli_error(cli, CLI_ERROR, "Error while finalizing the update");
+      cli_error(cli, PRODTEST_ERR_COMMON_UPDATE_FINALIZE,
+                "Error while finalizing the update");
       goto cleanup;
     }
 
@@ -750,7 +752,8 @@ void binary_update(cli_t* cli, bool (*finalize)(uint8_t* data, size_t len)) {
     binary_update_in_progress = false;
 
   } else {
-    cli_error(cli, CLI_ERROR, "Unknown phase '%s' (begin|chunk|end)", phase);
+    cli_error(cli, PRODTEST_ERR_COMMON_UPDATE_UNKNOWN_PHASE,
+              "Unknown phase '%s' (begin|chunk|end)", phase);
     goto cleanup;
   }
 
 
@@ -21,6 +21,8 @@
 
 #include <rtl/cli.h>
 
+#include "prodtest_error_codes.h"
+
 #define CHALLENGE_SIZE 16
 
 bool check_cert_chain(cli_t* cli, const uint8_t* chain, size_t chain_size,
 
@@ -26,14 +26,17 @@
 #include <sec/backup_ram.h>
 #include <sys/systick.h>
 
+#include "prodtest_error_codes.h"
+
 static void prodtest_backup_ram_list(cli_t* cli) {
   if (cli_arg_count(cli) > 0) {
     cli_error_arg_count(cli);
     return;
   }
 
   if (!backup_ram_init()) {
-    cli_error(cli, CLI_ERROR, "Failed to initialize backup RAM");
+    cli_error(cli, PRODTEST_ERR_BACKUP_RAM_LIST_INIT,
+              "Failed to initialize backup RAM");
     return;
   }
 
@@ -45,7 +48,8 @@ static void prodtest_backup_ram_list(cli_t* cli) {
     if (backup_ram_read(key, NULL, 0, &data_size)) {
       cli_trace(cli, "Key #%d: %d bytes", key, data_size);
     } else {
-      cli_error(cli, CLI_ERROR, "Failed to read key #%d info", key);
+      cli_error(cli, PRODTEST_ERR_BACKUP_RAM_KEY_INFO_READ,
+                "Failed to read key #%d info", key);
       return;
     }
     key++;
@@ -68,7 +72,8 @@ static void prodtest_backup_ram_erase(cli_t* cli) {
   }
 
   if (!backup_ram_init()) {
-    cli_error(cli, CLI_ERROR, "Failed to initialize backup RAM");
+    cli_error(cli, PRODTEST_ERR_BACKUP_RAM_ERASE_INIT,
+              "Failed to initialize backup RAM");
     return;
   }
 
@@ -90,19 +95,22 @@ static void prodtest_backup_ram_read(cli_t* cli) {
   }
 
   if (!backup_ram_init()) {
-    cli_error(cli, CLI_ERROR, "Failed to initialize backup RAM");
+    cli_error(cli, PRODTEST_ERR_BACKUP_RAM_READ_INIT,
+              "Failed to initialize backup RAM");
     return;
   }
 
   if (!backup_ram_read(key, NULL, 0, NULL)) {
-    cli_error(cli, CLI_ERROR, "Key #%d not found", key);
+    cli_error(cli, PRODTEST_ERR_BACKUP_RAM_KEY_NOT_FOUND, "Key #%d not found",
+              key);
     return;
   }
 
   uint8_t data[BACKUP_RAM_MAX_KEY_DATA_SIZE];
   size_t data_size = 0;
   if (!backup_ram_read(key, data, sizeof(data), &data_size)) {
-    cli_error(cli, CLI_ERROR, "Failed to read the key #%d", key);
+    cli_error(cli, PRODTEST_ERR_BACKUP_RAM_KEY_READ,
+              "Failed to read the key #%d", key);
     return;
   }
 
@@ -114,7 +122,7 @@ static void prodtest_backup_ram_read(cli_t* cli) {
     char block_hex[16 * 2 + 1];
     if (!cstr_encode_hex(block_hex, sizeof(block_hex), &data[offset],
                          block_size)) {
-      cli_error(cli, CLI_ERROR_FATAL, "Buffer too small.");
+      cli_error(cli, PRODTEST_ERR_BACKUP_RAM_HEX_ENCODE, "Buffer too small.");
       return;
     }
     cli_trace(cli, "%04x: %s", offset, block_hex);
@@ -149,21 +157,24 @@ static void prodtest_backup_ram_write(cli_t* cli) {
   if (cli_has_arg(cli, "hex-data")) {
     if (!cli_arg_hex(cli, "hex-data", data, sizeof(data), &len)) {
       if (len == sizeof(data)) {
-        cli_error(cli, CLI_ERROR, "Data too long.");
+        cli_error(cli, PRODTEST_ERR_BACKUP_RAM_DATA_TOO_LONG, "Data too long.");
       } else {
-        cli_error(cli, CLI_ERROR, "Hexadecimal decoding error.");
+        cli_error(cli, PRODTEST_ERR_BACKUP_RAM_HEX_DECODE,
+                  "Hexadecimal decoding error.");
       }
       return;
     }
   }
 
   if (!backup_ram_init()) {
-    cli_error(cli, CLI_ERROR, "Failed to initialize backup RAM");
+    cli_error(cli, PRODTEST_ERR_BACKUP_RAM_WRITE_INIT,
+              "Failed to initialize backup RAM");
     return;
   }
 
   if (!backup_ram_write(key, type, data, len)) {
-    cli_error(cli, CLI_ERROR, "Failed to write key #%d", key);
+    cli_error(cli, PRODTEST_ERR_BACKUP_RAM_KEY_WRITE, "Failed to write key #%d",
+              key);
     return;
   }