Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Replace T3T1 debug caPubKey #3765

Open
komret opened this issue May 2, 2024 · 4 comments
Open

Replace T3T1 debug caPubKey #3765

komret opened this issue May 2, 2024 · 4 comments

Comments

@komret
Copy link

komret commented May 2, 2024

Debug value for caPubKey should be:
04829e8965018feb542e9236c9b2ce08f864a55ed9183d0259564f0e05345b04676a0bef36c59d21d3c24868b5601f0b1193a6bfcf6d814e1cfb79c2256a05e953.
This is necessary to pass the check in Suite debug mode when emulator is used. Current value is:
04ba6084cb9fba7c86d5d5a86108a91d55a27056da4eabbedde88a95e1cae8bce3620889167aaf7f2db166998f950984aa195e868f96e22803c3cd991be31d39e7
It is the same key as for T2B1 - therefore validation fails here.

Suite expects these keys.
@matejcik
Copy link
Contributor

matejcik commented May 6, 2024

Just so you know, this turns out to be more difficult than anticipated. The staging environment will refuse to sign emulator's certificate because it is not issued by Optiga. We need to grab the staging HSM, install a modified firmware that lifts this restriction, and then sign the certificate.

@komret
Copy link
Author

komret commented May 6, 2024
edited

Just so you know, this turns out to be more difficult than anticipated. The staging environment will refuse to sign emulator's certificate because it is not issued by Optiga. We need to grab the staging HSM, install a modified firmware that lifts this restriction, and then sign the certificate.

Ok, I thought it would be straightforward since it works for T2B1. Worst case scenario, we can skip the authenticity checks until this is implemented, it is possible to set that in Suite settings.

Also, i notice that debug rootPubKey in Suite is wrong, the corect value is 04e48b69cd7962068d3cca3bcc6b1747ef496c1e28b5529e34ad7295215ea161dbe8fb08ae0479568f9d2cb07630cb3e52f4af0692102da5873559e45e9fa72959 is per trezor/trezor-suite#12001 (comment), I am going to fix it now.

@matejcik
Copy link
Contributor

matejcik commented May 6, 2024

Ok, I thought it would be straightforward since it works for T3B1. Worst case scenario, we can skip the authenticity checks until this is implemented, it is possible to set that in Suite settings.

that's because T3B1 is (currently) using the same authority root as T2B1, no? so we send the literal same certificate and it passes the checks on your side.
this might change in the future too btw, if we decide to use a different root for T3B1

@komret
Copy link
Author

komret commented May 6, 2024

Sorry, I meant T2B1.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
Firmware
Status: No status
Milestone
No milestone
Development

No branches or pull requests
2 participants
@matejcik @komret