New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Soft-locking for Trezor T #958
Conversation
Yeah, I was wondering what the plans are around this, because I couldn't see where to put the button. I had two ideas:
|
here is a full list of not sentThese fields are either not sent by T1, or only sent in bootloader:
only sent when unlocked
always sent
Personally I find it strange that On the TT as currently implemented, the I would propose the following fields to be hidden on the TT when device is locked:
in addition to T1 fields, |
It turns out that on TT with locked storage, we cannot tell if the device was initialized. So we'll have to add |
Did a quick review of @andrewkozlik's code. LGTM on the surface, but I don't have a deep enough understanding of the FIDO2 implementation to be the judge of that. Can someone else review that? @onvej-sl perhaps? |
e9ec61b
to
be509bd
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks great 🎉. Few comments, other than that LGTM.
There are few todos, which you are probably aware of (legacy's fsm_msgEndSession
, trezorlib.clear_session
and wire/__init__.py
for example).
And +1 for adding the input_signal in the layout directly via create_tasks
instead of providing it in ctx.wait
every time. It is way clearer!
be509bd
to
dd545f5
Compare
404695e
to
b06b29f
Compare
b2c4ca8
to
f45ab7c
Compare
with an unexpectedly minor changeset, autolock is now implemented |
A problem with this approach is that pending actions will never return when the autolock engages. We would need to send an explicit exception to the workflow tasks. |
b06b29f
to
4548aee
Compare
so that pytest doesn't think it is a testcase
The original wait_layout was unreliable, because there are no guarantees re order of arrival of the respective events. Still, TT's event handling is basically deterministic, so as long as the host sent its messages close enough to each other, the order worked out. This is no longer the case with the introduction of loop.spawn: TT's behavior is still deterministic, but now ButtonAck is processed *before* the corresponding wait_layout, so the waiting side waits forever. In the new process, the host must first register to receive layout events, and then receives all of them (so the number of calls to wait_layout must match the number of layout changes). DebugLinkWatchLayout message must be version-gated, because of an unfortunate collection of bugs in previous versions wrt unknown message handling; and this interests us because upgrade-tests are using wait_layout feature.
this makes sense, really: close_others() requests UI exclusivity, and that is something that generally happens at the same places we emit a ButtonRequest
This will have unintended consequences if you call a wirelink function on the debulink interface. TT allows this ... and will behave badly.
This prevents a race condition where sometimes an Initialize message could arrive before the homescreen was fully booted -- and Recovery homescreen would cancel it as part of its bootup sequence.
This avoids problems with large timeouts causing the scheduler queue to think the time counter has overflown, and ordering the autolock task before immediate tasks. The maximum reasonable time difference is 0x20000000, which in microseconds is ~8 minutes, but in milliseconds a more reasonable ~6 days.
093f886
to
38bb3ff
Compare
implements #949, also includes messages and some preliminaries for #912
Summary
Initialize
,GetFeatures
,Ping
etc. were moved out of "homescreen app" intoapps.base
.apps.homescreen
was refactored into a separate "lockscreen" (used in boot.py and for softlock) and "homescreen", with common avatar rendering.workflow
was changed and should be a little easier to understand again.apps.base.set_homescreen
makes sure to start the homescreen appropriate for the current situation.ClearSession
was renamed toLockDevice
and enables soft-lock on TT. This causes the test suite to fail!Most of the behavior is implemented through extracting
get_workflow_handler
out ofwire
. Registered handlers are looked up through a callback. When the device is soft-locked, this callback will wrap everything other thanInitialize
andGetFeatures
so that it asks for PIN first.If we wanted, we could also use this mechanism for recovery homescreen (to block all messages unrelated to recovery), or for other homescreens (#114 comes to mind - this paves the road for various unattended modes).
In the future, we might even want to tie together the selected homescreen with the handler lookup.
TBD
LockDevice
having an effect, we will need to modify the test suite. It will involve reviewing all uses ofclient.clear_session()
. Maybeclear_session
should not be called by default, too?user-interaction locking, if we want it. It's simple in terms of code, I have a working prototype, but just putting a button on the homescreen is ugly. Some UI love would be appreciated.should we allow soft-lock when PIN is not set but SD protect is enabled? As noted in the summary doc, this makes sense conceptually (storage is locked, sessions might be encrypted in the future (Encrypt session cache when device is soft-locked #957)). But it defies user expectations: while the device is displaying "Locked", any message from the host will transparently unlock it with no interaction from the user-> soft-lock is only enabled when PIN is set
dimming the lock screen, which has proven more complicated than I expected, due to how the layout engine workswill be done separately in Dim Trezor T screen while locked #974Features
are returned properly wrt storage lock status. There are differences in what T1 returns that make sense.