keystore: fewer securechip calls when checking password #1619
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
benma
force-pushed
the
sc-events
branch
2 times, most recently
from
8e21085 to
e741db0
Compare
`show_and_confirm_mnemonic(hal: ...)` did not use the HAL for all UI: show_mnemonic and confirm_mnemonic directly used the BitBox02 menu workflow without going through HAL. Can't use `hal().ui().menu(...)`, becaus: - these functions bolt a cancel prompt on top - show_mnemonic is not a normal menu where one can pick an entry, it's just a scroll-through for displaying the mnemonic This should make it possible to mock/fake/test the mneomnic workflow functions, and provide different implementations for them in future BitBox hardware.
The default implementation is in terms of other HAL/UI functions. For unit tests (e.g. in show_mnemonic.rs or bip85.rs), it is useful to be able to skip over the implementation details, so the tests don't have to mock selecting the right words in the quiz.
This also allows us to keep track of the number of secure chip operations in all the scenarios.
The sanity check to see if the seed has changed does not need a securechip operation, it can use the retained seed hash instead, same as `unlock_bip39()`. This reduces the number of securechip operations needed to do a password check, which reduces the risk of running into the Optiga throttling security mechanism.
NickeZ
approved these changes
Oct 6, 2025
| if (!_check_retained_seed(seed, seed_len)) { | ||
| Abort("Seed has suddenly changed. This should never happen."); | ||
| } | ||
| }; |
| // copy_seed() instead to check the seed, so they end up hacing the same number of | ||
| // events.crate::securechip::fake_event_counter_reset(); | ||
| for _ in 0..2 { | ||
| // Further calls perform a password check.The password check does not do the rentention |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The sanity check to see if the seed has changed does not need a securechip operation, it can use the retained seed hash instead, same as
unlock_bip39(). This reduces the number of securechip operations needed to do a password check, which reduces the risk of running into the Optiga throttling security mechanism.This is based on #1621 so the reduction can be seen in the show_mnemonic unit test too