refactor: Move HSM keys to common/hsm_keys.json

[no changelog]

Author: andrewkozlik

Makefile

@@ -193,6 +193,12 @@ tropic_model_config:
 tropic_model_config_check:
 	./core/tools/generate_tropic_model_config.py --check
 
-gen:  templates mocks icons protobuf vendorheader solana_templates bootloader_hashes lsgen tropic_model_config ## regenerate auto-generated files from sources
+hsm_keys:
+	./core/tools/generate_hsm_keys.py
 
-gen_check: templates_check mocks_check icons_check protobuf_check vendorheader_check solana_templates_check bootloader_hashes_check lsgen_check tropic_model_config_check ## check validity of auto-generated files
+hsm_keys_check:
+	./core/tools/generate_hsm_keys.py --check
+
+gen:  templates mocks icons protobuf vendorheader solana_templates bootloader_hashes lsgen tropic_model_config hsm_keys ## regenerate auto-generated files from sources
+
+gen_check: templates_check mocks_check icons_check protobuf_check vendorheader_check solana_templates_check bootloader_hashes_check lsgen_check tropic_model_config_check hsm_keys_check ## check validity of auto-generated files

common/hsm_keys.json

@@ -0,0 +1,33 @@
+{
+  "shared": {
+    "HSM_PUBLIC_DEBUG_X25519": "cfce80f7c87ea1e93d0d80983fecc998a0ddb6aa7a36366b6c7dd409325f674b"
+  },
+  "models": {
+    "T2B1": {
+      "DEV_AUTH_ROOT_PROD_P256": "04ca97480ac0d7b1e6efafe518cd433cec2bf8ab9822d76eafd34363b55d63e60380bff20acc75cde03cffcb50ab6f8ce70c878e37ebc58ff7cca0a83b16b15fa5",
+      "DEV_AUTH_ROOT_DEBUG_P256": "047f77368dea2d4d61e989f474a56723c3212dacf8a808d8795595ef38441427c4389bc454f02089d7f08b873005e4c28d432468997871c0bf286fd3861e21e96a"
+    },
+    "T3B1": {
+      "DEV_AUTH_ROOT_PROD_P256": "045b5c3fdd01f3602092834209b86df0ca86a9faf25cac35c73bf6237d66eb21eafcec3706f1ccd5eb4cc7f2fa1751213eccb1c78389afba89a5788ff31ee46a5d",
+      "DEV_AUTH_ROOT_DEBUG_P256": "047f77368dea2d4d61e989f474a56723c3212dacf8a808d8795595ef38441427c4389bc454f02089d7f08b873005e4c28d432468997871c0bf286fd3861e21e96a"
+    },
+    "T3T1": {
+      "DEV_AUTH_ROOT_PROD_P256": "041854b27fb1d9f65abb66828e78c9dc0ca301e66081ab0c6a4d104f9df1cd0ad5a7c75f77a8c092f55cf825d2abaf734f934c9394d5e75f75a5a06a5ee9be93ae",
+      "DEV_AUTH_ROOT_DEBUG_P256": "04e48b69cd7962068d3cca3bcc6b1747ef496c1e28b5529e34ad7295215ea161dbe8fb08ae0479568f9d2cb07630cb3e52f4af0692102da5873559e45e9fa72959"
+    },
+    "T3W1": {
+      "HSM_PUBLIC_PROD_X25519": "ba792d15c687b4a531be201e887386aa7b9f24092db77ac95b84eeb33666475c",
+      "HSM_PUBLIC_PROD_BACKUP_X25519": "077ae8f9f8839a8f0773c49889402186f9f9a8f4b2e7ac0ee583a2f7e6638254",
+      "DEV_AUTH_ROOT_PROD_P256": "040dde0d3e0d4da593fac6fd02a461d0e7eef238aca55c7c50b4e9ec37f3873303b6429ef1c9b78b4411a7dcbbc5dde5225979c1c2da3b073e82b1ed3f5f9825bb",
+      "DEV_AUTH_ROOT_PROD_ED25519": "59237acd17134061d655b3f8d624573ca06ce8d862f38ba4e05140ce1d3d609d",
+      "DEV_AUTH_ROOT_PROD_MLDSA44": "ea67d6000e79d16bc9119cea88b3415369d612f02a6bca6e18e0dbe5e2d37da716b993a05258a642c656a4e1c80f2db1f2818e5ebcbe5715448389079526895f8e620001b1c1dc857aa6165ec1d0b731127c424cbf0dec1ae33bbce500b9e7974d2a83626fe0be91555d79e1f91fbcb5df821738385cba29dc1a71c3ef2d1d3b3165ff66b4638b7121db9ecdfeb39d20163732d1685f7604956de9f549c5a7fcbf2a27b913a94107904cdbfe486df4a62dc27f0f7ba14c1103f9de86480c12bcaf1bab70584277a9fdac50d03d50e9e7bb6dd3b8b61cafe07c5513c4fbb35d14766fef0582ca1d78ebc4fb246ee3ac231eef770e74ad4207dddc8f3666700c84aa1446cb5ceef0b6f113041a9eeb8708564a4c43fdb46203dd1a2b2c48a0e485bc10a72a8a8e5b006d3d398941b33365b04b54d14d230950c7df048afd2c16ff1515387a97b712f68f65f08fd722d4b75c97007c4f7dfff5e5f22908b56bf40acd5263cc419007a355bcd1f4a3dd201286e58be1165e0eedf6c236c7aaa7cff3a8fbd6aee5d3ea5368bbf0aad8f41147ce874e2c97ed3fdfe859def143f63c1e7a093ce18615016a857e875a4099d7a56b036c7bdba205ff21841c4693ecfe08ae8faf10c73fe3a8e202a585c39ae8b084f2879a2c20faf8abe5163eb8acfffde4b9a73a9706bb5d3ae91235f673df8f20f5dd72c06df8a7401924c614eb12d915deffacba689738612780877f39a891b3cc0673c728653f72874386d6a097516d56c196c9f1515a62b5ddbab2c795d48be8b6a304533034f323c6970d43a08957d8b0db7cf80e6c02589069f9bf622e60f6953bfd10d68cac3d421bf9145169fa0b10d2384212556e042d95686c44bacd01b8b2e698163ca6d2b965557e8e16f0d3672bb32c0dc3bbced78f75918df59742fcb9834925b50c568ec305db53e3d7915851620f0763820ad511896041d7a836b764b51273f6ab1e4021e67bcc5095c02f55c132b674d47b36271830508c6d08e7578181fcf95c9027c43bebc56b0d083d6bbde10e70113ae41102181f147bd6aad58898d296b14ec4f7e049ff47831949b8f5aa29a2c74e7ea26a4270e84d4ace36407b255767f9eb9676d15559d1c403b1a5949a9ca2a74e6e0f2719b11306911799be9dea597ec8b375bac646f8a9a03e6f2271d9fb5b695c51d7fe2125a08e243d63e5d426b6dbbc149a87e65f8b1888465f99ce519ce4dd8d51432e45e4bd01a41893189a8656bc9c9226fc4bbc38441569d3be87180c833d63d53adc15d953ec6fcd1643aa00f20aea7cc169efeeb962ebb724ba0008861a1fda988c93d3ea0e3224d4c72c0c2fecf4f954f9fcf47b5f39b59a9c4c12423382ae2ef547310490bb3d57661a51b9ee356d0720f6e376e2374c38e738e158dbec8d7cc5a23a6269a3ca441a4ec406ddeef5a0d6007d0b3590ba19eeb2a6da67fe21b68625d1d422739c928c7b9a49163a6ffe60cfce4cfa918b690fe5b300022e88ff164020ce9815d18c97a63ad3383e1101eb523c5e1d20482dd6d0411b13b75c89e864fa6bede2674bfa5c3283a1487a3093ff05dba3f86420a7a9ac62c59971fa9d10c9ebc68f36d65e798f95c3a2cb11993ae1454855cda4d8290f2f0aa8f48cbddad92211a1e1a38588822159c257c077a7bd1c1afeb3644e6001a1f0dc0833993c068879f484d6a4da8c1fb85959d282be52583225b60c31cf1ebe0e74bbd3fc74caf039ad3c03f59b5da694fa810e199ad7587b593548c828a18c6a9b657df6cb39e839f36beffc07c6e85c8bbd7e98646af879bead4d3e1b79c401eb6449a4200f1cbdad39329fc43c5553a286a0",
+      "DEV_AUTH_ROOT_PROD_BACKUP_P256": "04c6a673af4ec44b10441b1d78676e15173ad0e36df9f7f2fa1cd819955f20fe32917b60da5fed3b3aa54a9ab8b3ed27d198b3768cad26eef5935cd87af0af065e",
+      "DEV_AUTH_ROOT_PROD_BACKUP_ED25519": "5612606584ee7e0bc313b13f7ac94156bb4cb75bd77585ddbe579301306e85f1",
+      "DEV_AUTH_ROOT_PROD_BACKUP_MLDSA44": "fedf8b0c16164b9cec427882aa03d3bd6a1588cfbaebaf93cf2fc52f275417777433a938dcd6516345148f728c935a40ef3b6c41fd3ed831fea13774bd39887da8b06e2e671cc32a1c72e44a13d1cd985dc2ddcb63e457bbd29d38186ddb776b8e73b645c8bf616309f890d175538a9d10c82e595dea03f70564ff69b53497ecefd51fd8320041d9b1092386033ed37a93dd9b4b9da1297f808eac21020b8dc4747e01854ebdc407a04fc18b2758720125acb41f0c60e16cd53707a65392feed06c9fcc28a3e738dbc91614e89e5d535274c6b226d83f335a0dd088755571cf62496ca4642ec8e65eba8be2b8cec46416c6a3ad4be10569ac532e02d6e06b6ce0c0d4b7a99a11c910f9f0631b0cd72e20637237eeff723e722f7aa626732434c47843a099739e96e31267d8d6905d8b2b712a5a69d9343a3c1e07afb414b73950f4b1df196243005fb61c6200ef346826d6c0f4cc8ede052ed48235997bb366dade4483bfc11fe65fd0c5539e89d8bd271e54e30da6e5192a0f343dea3806aa798d12d62251a063d071ba67c35d3a26e582c2d361cf2d0fc36fb1b5a46e469669338b1c1744bdfe365700a6a1c641ab2b7906e2b7c0c0a9af8862ab5751a678e3e0156847ff6093ca7ebd48dd8b1d6f7736c2039e705c1e20f42ed5cac6db3dc7a7e2facbb75411e7fb8a156df52a2926afa9070937cde4dd4bd456294ba59bdcf123f11dcda267d475721abfecab1b31848a27236aa751e5b55015f033d87fb9cf5c086e09f1667cf7ec2e72436c907c5763690d698fffa997709bb89526cae772bb962c06ed1b89d418835672b85e1a1b2e3c55f4e607ecad09bdb3a18224b9805659aa2ecf0b62dbf6265e27d4101450edb590d52d525b62b1114dad2eb06c951a2c77c7ecfbf5f1f6fe285f39727958ce0b5cfe8fd465420c270309999e6694ee31fcb7d6480a75d0d72558cd6a050b8d11a9a6d7736700027fbe14b48949b7e1af2ca148ad4e4b4b93e9575a4119afd1b57c250606d5a4e258c2393c104d651995b1e75887f492ff05e92e1630332f176d86a0453b412d0869d98d6ab27377a74766e3cadde29c1853e6398a9edfa48c0d14e7c148b048f1bf25d11979e94878cb86eaf1e55638c1b39e0ac5254a009bf957f4b624796753c3451246e5a7b9022926aa77b7a1b4ae7d25f776d4395ba98a37d9e21b221da29564e50a669056650a40489386e8909c6ca21d369c3495c44b2f71373a392c9fa89c9085f467d24d6219fcdd2b56126792eb6a14269c4264a56926b1a7d9a1c03d9649d157f938abfdc2a56c20795065774838030da41a4c6178919cc1c6c88de1458d9baa1e51a4a1994e6d5cc94b049b15c235c5cf46d2cf23f09d565c5a5497ef0b3a5fbc8d1be8ed78f3794c49d4936139b0419faaffc52b55cb91f6e1bafacd55523c0b7eec56d98e4228cd0f9d00bc9866dac71e43db2b2cf311999d7bc3a49219836f558cbb5d8faa79e83079c6ce92288aae852553b655ef6bc87fbb25ca3ab482aecaf0a86eecc92341906cc89d234087f5abd6d2100a60d361d516d460d436b46706ad44b8b4ef3fe54ea198ffc2cf8c8e144ec62c4ce86ed5d181283fc17c926668ca4e0b8683e0c7bc662a54ea7f4c830365ad1cdea58abee9a726168ce9870729972884ecfe5baf06f1ee664aa422e26f9f76e20908d72e78c1a2dcd94fe1c07573d7706d7bdc07d0b41498c0d52ec3a90d6e7c0fcef597a884fb2caba29c2279569a1e64dd6c7ed4b312d2197b6391407899b25d21cefd1408eca42204f76cb0436f44c0a9c2e1eca19df8d93255c0da6469dc47da883e186387f76011cc8",
+      "DEV_AUTH_ROOT_DEBUG_P256": "04521192e173a9da4e3023f747d836563725372681eba3079c56ff11b2fc137ab189eb4155f371127651b5594f8c332fc1e9c0f3b80d4212822668b63189706578",
+      "DEV_AUTH_ROOT_STAGING_P256": "0465e88f9b2cea67e8364f0cfcfacd500af24e9040b357beee629ccc4fce1704d1a7ef7284f387708f92ef14600e2caad6894016fee819d623b95d66210c3e7519",
+      "DEV_AUTH_ROOT_STAGING_ED25519": "cd318dc8405ae4f4144e3284dcb7b0cb0f0c2195c2ca14a0f6fccd9104e32a4b",
+      "DEV_AUTH_ROOT_STAGING_MLDSA44": "1f3e5edad45fc6980dbfd597ed17b77e4d4ad1b1ec4804e04dc061cc2cfe77bc96fbc93f698f1fe00c47177c8150276dab86cbf407add7527deb09b65a6623ef581422292d77744be64f4401ca65b9bd027e32a76f307413b086869eccbcfc5e8823be8e0b3897727bca568feeff62957cd1e261e4aab67271725d240c7e7d2a20a5c201699be83d6c6a57fdfc09ac9b6b599e2a14a50e421d246d1d1df805db0b25534e500fed76fa89975a4270e274a9fa72b528e47d999abdeca5e08e51d447ae4019f699088d485bb52d5eec7a8c725cd34ff955c16437877a131f068438b5699c2285000463e24c633b023cde279be015db2f8b16de07fa82ee9adcbf868b898e25eeef5d60d03e1da874aca6f2089b1e7c72d7b532d3a27e38936d53c0080f9908b6727b13fe961ec8b08004f077b9cce95b5eee9b44d351e79eb222aba1bc18895d36cf4843ffcdfc735e1b66f3e72db5aaf8b5ecf56dbf0d616cf53d192a60e61ad3c51a595213100fd00835434a28aab3eb5949d3405de5db1a586bd6e937444913e9f1d4c00247acd49a2ed9953636e5d74417b4c7144c6c22fd8f7e25cb6cf6c8510de6915b74c95a28c197152208096d0249b86150e807978ca985c110d07b7d0a24434039f6ef12a69d3e073af6ae44e7c4606a354a3e953bdcff10c8dc68b807f41ac563ff0d7141c328b34152a25a16e9cb8228f7707356d2d7f3caa8d778a85e3b66242c124281c0f3201ad28596b868db138149eb98b821dcaaf86b5e11c2ac1161975bf0b2ecefc111b7b7401ce261911526618044d126eeee885efe51be0e32e93aaaffe34899df5b10df7c5a9c54c5b4704671640a92e8631f0d401f44c2238b5f9a37499b3d83c1c60096f2b48c3081dd9769db325c1cd1ffe84bfd8a80dde3cd650c49e14af3ab6c317ee74bd39e976ff5b7ad490e80f3eff9edf3b3855070a5a06fbe9cbca54f521e3d74cf13a4d116e23e531a7c70232c044b7e7d02467afe2a40def14298688eced5d3d87a102d31d7cd5409918ced4bab190505df48f451deea1c29168246d621529f0346eaab0e2302f3ce206dd84837704b8bdedbadea5b5822cdecbfdb180cde14e62ee26a929f0a37a99bacfe237376a3e6c289b06b8e93ed9d1435e3ee6399ab1a06d4f70097f80e26fe6f60b27a68104f6333b8db1bc78e12d54647b23feb0f11ae070f3a6be9d9f4d89a6b5ef8595d010d410e72138cfcbd5e41cca1df33ddad657b699cf4d3dc602888e5aaa0a7a2325ba4a36d7de49c591d8e355fd1de644d772bf2a060093743388dbe5d30a2d97304abc17c547bd65276291d6aa7b0723703733239fabef39c2de47071d50074e68fbe71c88f75d4510bb5f6bc244b3e7b219eb89fe5f148459a2d693cd3fac32aa069cbdd4e27c9778096f6805bf6df9aec9671f0a58b28704f74775e81ac46826c1c4709b0e0989d6e8e73bd1795ce85d85c14ad2997cd2810272a5682e7ed9aa7a092708c0f4bc67f68d317d406a96ddd2842ea22cbf3410cd7a77005b61115b794894cf9d10ebb4f5552bec8c21d90ba97d6139d5261d7f51f4009c3618f9feb22cc929ade204eca7c0f813409ceb88a13512f85e03948314ba9c4488aafda88ce447a0e052a6a605e32d04a20e2e52c41f371247963f24fc28c5cc1ddd8fe1681a2a293daf2688e9b026303a76cc60f40290c4d823efb85f36cb5e092369cc20515a8077e7702ed54ca1565d37b83184ee46c4a6adf2840f5a5fb002db70690bbf93888e685fdd1f9ea211b42693e0bd5ba5235a6ea1b714774d13279d7db3440f7fbced53f203ce6500555bcb9251e6f36d3352326501c"
+    }
+  }
+}

core/embed/projects/prodtest/cmd/common.c

@@ -33,7 +33,10 @@
 #include "sha2.h"
 #include "string.h"
 
+#ifdef USE_MCU_ATTESTATION
 #include <mldsa_native.h>
+#include <sec/mcu_attestation.h>
+#endif
 
 // HSM root certification authority public keys.
 const uint8_t ROOT_KEYS_P256[][ECDSA_PUBLIC_KEY_SIZE] = {
@@ -72,24 +75,25 @@ const ed25519_public_key ROOT_KEYS_ED25519[] = {
 #endif
 };
 
-const uint8_t
-    ROOT_KEYS_MLDSA44[][MLDSA_PUBLICKEYBYTES(MLD_CONFIG_API_PARAMETER_SET)] = {
+#ifdef USE_MCU_ATTESTATION
+const uint8_t ROOT_KEYS_MLDSA44[][MCU_ATTESTATION_PUBKEY_SIZE] = {
 #if PRODUCTION
 #ifdef DEV_AUTH_ROOT_PROD_MLDSA44
-        DEV_AUTH_ROOT_PROD_MLDSA44,
+    DEV_AUTH_ROOT_PROD_MLDSA44,
 #endif
 #ifdef DEV_AUTH_ROOT_PROD_BACKUP_MLDSA44
-        DEV_AUTH_ROOT_PROD_BACKUP_MLDSA44,
+    DEV_AUTH_ROOT_PROD_BACKUP_MLDSA44,
 #endif
 #else
 #ifdef DEV_AUTH_ROOT_DEBUG_MLDSA44
-        DEV_AUTH_ROOT_DEBUG_MLDSA44,
+    DEV_AUTH_ROOT_DEBUG_MLDSA44,
 #endif
 #ifdef DEV_AUTH_ROOT_STAGING_MLDSA44
-        DEV_AUTH_ROOT_STAGING_MLDSA44,
+    DEV_AUTH_ROOT_STAGING_MLDSA44,
 #endif
 #endif
 };
+#endif  // USE_MCU_ATTESTATION
 
 // Identifier of context-specific constructed tag 3, which is used for
 // extensions in X.509.
@@ -346,8 +350,9 @@ static bool verify_signature(alg_id_t alg_id, const uint8_t* pub_key,
     return true;
   }
 
+#ifdef USE_MCU_ATTESTATION
   if (alg_id == ALG_ID_MLDSA44) {
-    if (pub_key_size != MLDSA_PUBLICKEYBYTES(MLD_CONFIG_API_PARAMETER_SET)) {
+    if (pub_key_size != MCU_ATTESTATION_PUBKEY_SIZE) {
       return false;
     }
 
@@ -358,6 +363,7 @@ static bool verify_signature(alg_id_t alg_id, const uint8_t* pub_key,
 
     return true;
   }
+#endif  // USE_MCU_ATTESTATION
 
   return false;
 }
@@ -379,11 +385,13 @@ static bool get_root_public_key(
       root_key_count = sizeof(ROOT_KEYS_ED25519) / sizeof(ROOT_KEYS_ED25519[0]);
       root_key_size = sizeof(ROOT_KEYS_ED25519[0]);
       break;
+#ifdef USE_MCU_ATTESTATION
     case ALG_ID_MLDSA44:
       root_keys = (const uint8_t*)ROOT_KEYS_MLDSA44;
       root_key_count = sizeof(ROOT_KEYS_MLDSA44) / sizeof(ROOT_KEYS_MLDSA44[0]);
       root_key_size = sizeof(ROOT_KEYS_MLDSA44[0]);
       break;
+#endif  // USE_MCU_ATTESTATION
     default:
       return false;
   }