Merge pull request #42 from Nitrokey/fido2-attestation-cert

Update FIDO2 attestation certificate and release v1.0.3-rc.1

CHANGELOG.md

@@ -1,4 +1,11 @@
+# v1.0.3-rc.1 (2022-04-06)
+
+- Correct the FIDO2 attestation certificate (fixes authentication issue with Google, [#36][])
+
+[#36]: https://github.com/Nitrokey/nitrokey-3-firmware/issues/36
+
 # v1.0.2 (2022-01-26)
+
 No changes since rc.1.
 
 # v1.0.2-rc.1 (2022-01-25)

runners/lpc55/Cargo.toml

@@ -2,7 +2,7 @@
 
 [package]
 name = "runner"
-version = "1.0.2"
+version = "1.0.3-rc.1"
 authors = ["Nicolas Stalder <[email protected]>", "Conor Patrick <[email protected]>"]
 edition = "2018"
 resolver = "2"

runners/lpc55/config/commands.bd

@@ -1,8 +1,8 @@
 options {
 	flags = 0x8;
 	buildNumber = 0x1;
-	productVersion = "1.0.2";
-	componentVersion = "1.0.2";
+	productVersion = "1.0.3";
+	componentVersion = "1.0.3";
 	secureBinaryVersion = "2.1";
 }
 
@@ -11,8 +11,8 @@ sources {
 }
 
 section (0) {
-	version_check sec 4194306;
-	version_check nsec 4194306;
+	version_check sec 4194307;
+	version_check nsec 4194307;
 	erase 0x0..0x93000;
 	load inputFile > 0x0;
 }

runners/lpc55/src/initializer.rs

@@ -199,8 +199,9 @@ impl Initializer {
         false
     }
 
-    fn validate_cfpa(pfr: &mut Pfr<hal::Enabled>, current_version_maybe: Option<u32>, require_prince: bool) {
+    fn validate_cfpa(pfr: &mut Pfr<hal::Enabled>, current_version_maybe: Option<u32>, require_prince: bool) -> u32 {
         let mut cfpa = pfr.read_latest_cfpa().unwrap();
+        let old_version = cfpa.secure_fw_version;
         if let Some(current_version) = current_version_maybe {
             if cfpa.secure_fw_version < current_version || cfpa.ns_fw_version < current_version {
                 info!("updating cfpa from {} to {}", cfpa.secure_fw_version, current_version);
@@ -221,6 +222,8 @@ impl Initializer {
                 cfpa.key_provisioned(hal::peripherals::pfr::KeyType::PrinceRegion2)
             );
         }
+
+        old_version
     }
 
     fn try_enable_fm11nc08 <T: Ctimer<hal::Enabled>>(
@@ -379,7 +382,8 @@ impl Initializer {
         }
 
         let mut pfr = pfr.enabled(&clocks).unwrap();
-        Self::validate_cfpa(&mut pfr, self.config.secure_firmware_version, self.config.require_prince);
+        let old_firmware_version =
+            Self::validate_cfpa(&mut pfr, self.config.secure_firmware_version, self.config.require_prince);
 
         if self.config.boot_to_bootrom && three_buttons.is_some() {
             info!("bootrom request start {}", perf_timer.elapsed().0/1000);
@@ -400,6 +404,7 @@ impl Initializer {
             adc,
             three_buttons,
             rgb: Some(rgb),
+            old_firmware_version,
         }
     }
 
@@ -750,6 +755,22 @@ impl Initializer {
         trussed
     }
 
+    pub fn perform_data_migrations(&self, basic: &stages::Basic, filesystem: &stages::Filesystem) {
+        // FIDO2 attestation cert (<= 1.0.2)
+        if basic.old_firmware_version <= 4194306 {
+            debug!("data migration: updating FIDO2 attestation cert");
+            let res = trussed::store::store(
+                filesystem.store,
+                trussed::types::Location::Internal,
+                &littlefs2::path::PathBuf::from("fido/x5c/00"),
+                include_bytes!("../data/fido-cert.der"),
+            );
+            if res.is_err() {
+                error!("failed to replace attestation cert");
+            }
+        }
+    }
+
     #[inline(never)]
     pub fn initialize_all(&mut self,
         iocon: hal::Iocon<Unknown>,
@@ -825,6 +846,8 @@ impl Initializer {
             rtc,
         );
 
+        self.perform_data_migrations(&basic_stage, &filesystem_stage);
+
         stages::All {
             trussed: trussed,
             filesystem: filesystem_stage,

runners/lpc55/src/initializer/stages.rs

@@ -42,6 +42,8 @@ pub struct Basic {
     pub adc: Option<hal::Adc<hal::Enabled>>,
     pub three_buttons: Option<board::ThreeButtons>,
     pub rgb: Option<board::RgbLed>,
+
+    pub old_firmware_version: u32,
 }
 
 /// Initialized NFC Iso14443 transport