Automatically enable the se050 for opcard if opcard has never been used

Cargo.toml

@@ -17,12 +17,12 @@ version = "1.7.0-rc.1"
 memory-regions = { path = "components/memory-regions" }
 
 # forked
-admin-app = { git = "https://github.com/Nitrokey/admin-app.git", rev = "v0.1.0-nitrokey.12" }
+admin-app = { git = "https://github.com/Nitrokey/admin-app.git", rev = "da6ccda351c4b7edbd7677ff636b7d0c9edb5199" }
 cbor-smol = { git = "https://github.com/Nitrokey/cbor-smol.git", tag = "v0.4.0-nitrokey.2"}
 fido-authenticator = { git = "https://github.com/Nitrokey/fido-authenticator.git",  tag = "v0.1.1-nitrokey.14" }
 lpc55-hal = { git = "https://github.com/Nitrokey/lpc55-hal", tag = "v0.3.0-nitrokey.2" }
 serde-indexed = { git = "https://github.com/nitrokey/serde-indexed.git", tag = "v0.1.0-nitrokey.2" }
-trussed = { git = "https://github.com/Nitrokey/trussed.git", rev = "371e8f7a07817c2ed57978bd86e3412bd9877647" }
+trussed = { git = "https://github.com/Nitrokey/trussed.git", tag = "v0.1.0-nitrokey.19" }
 
 # unreleased upstream changes
 apdu-dispatch = { git = "https://github.com/Nitrokey/apdu-dispatch.git", tag = "v0.1.2-nitrokey.3" }
@@ -43,12 +43,12 @@ trussed-chunked = { git = "https://github.com/trussed-dev/trussed-staging.git",
 trussed-manage = { git = "https://github.com/trussed-dev/trussed-staging.git", tag = "manage-v0.1.0" }
 trussed-wrap-key-to-file = { git = "https://github.com/trussed-dev/trussed-staging.git", tag = "wrap-key-to-file-v0.1.0" }
 trussed-staging = { git = "https://github.com/trussed-dev/trussed-staging.git", tag = "v0.3.0" }
-trussed-auth = { git = "https://github.com/Nitrokey/trussed-auth", tag = "v0.3.0-nitrokey.1" }
+trussed-auth = { git = "https://github.com/trussed-dev/trussed-auth", rev = "deeba516cdfc280170d8b4f4cd1e024bac21ee13" }
 trussed-hkdf = { git = "https://github.com/trussed-dev/trussed-staging.git", tag = "hkdf-v0.2.0" }
 trussed-rsa-alloc = { git = "https://github.com/trussed-dev/trussed-rsa-backend.git", rev = "9732a9a3e98af72112286afdc9b7174c66c2869a" }
 trussed-usbip = { git = "https://github.com/Nitrokey/pc-usbip-runner.git", tag = "v0.0.1-nitrokey.3" }
 trussed-se050-manage = { git = "https://github.com/Nitrokey/trussed-se050-backend.git", tag = "se050-manage-v0.1.0" }
-trussed-se050-backend = { git = "https://github.com/Nitrokey/trussed-se050-backend.git", tag = "v0.3.1" }
+trussed-se050-backend = { git = "https://github.com/Nitrokey/trussed-se050-backend.git", rev = "cd42bd5d70be4ee282cdc1967d0ad0f5fe04e4fc" }
 
 [profile.release]
 codegen-units = 1

components/apps/src/dispatch.rs

@@ -5,10 +5,13 @@ use trussed::{
     api::{Reply, Request},
     error::Error as TrussedError,
     service::ServiceResources,
-    types::{Context, Location},
+    types::{Context},
     Platform,
 };
 
+#[cfg(feature =  "backend-auth")]
+use trussed::types::Location;
+
 use littlefs2::{path, path::Path};
 
 use if_chain::if_chain;
@@ -118,13 +121,14 @@ const NAMESPACE: trussed_se050_backend::namespacing::Namespace = {
     ])
 };
 
+#[cfg(any(feature = "backend-auth", feature = "se050"))]
+pub const AUTH_LOCATION: Location = Location::Internal;
+
 impl<T: Twi, D: Delay> Dispatch<T, D> {
     pub fn new(
-        auth_location: Location,
+        #[cfg(any(feature = "backend-auth", feature = "se050"))] auth_location: Location,
         #[cfg(feature = "se050")] se050: Option<Se05X<T, D>>,
     ) -> Self {
-        #[cfg(not(all(feature = "backend-auth", feature = "se050")))]
-        let _ = auth_location;
         Self {
             #[cfg(feature = "backend-auth")]
             auth: AuthBackend::new(auth_location, TRUSSED_AUTH_FS_LAYOUT),

components/apps/src/lib.rs

@@ -14,11 +14,21 @@ use ctaphid_dispatch::app::App as CtaphidApp;
 #[cfg(feature = "se050")]
 use embedded_hal::blocking::delay::DelayUs;
 use heapless::Vec;
+#[cfg(all(feature = "opcard", any(feature = "factory-reset", feature = "se050")))]
+use littlefs2::path;
 use serde::{Deserialize, Serialize};
+#[cfg(all(feature = "opcard", feature = "se050"))]
+use trussed::{api::NotBefore, service::Filestore};
 use trussed::{
-    backend::BackendId, client::ClientBuilder, interrupt::InterruptFlag, platform::Syscall,
-    store::filestore::ClientFilestore, types::Path, ClientImplementation, Platform, Service,
+    backend::BackendId,
+    client::ClientBuilder,
+    interrupt::InterruptFlag,
+    platform::Syscall,
+    store::filestore::ClientFilestore,
+    types::{Location, Path},
+    ClientImplementation, Platform, Service,
 };
+
 use utils::Version;
 
 pub use admin_app::Reboot;
@@ -31,6 +41,9 @@ mod dispatch;
 use dispatch::Backend;
 pub use dispatch::Dispatch;
 
+#[cfg(any(feature = "backend-auth", feature = "se050"))]
+pub use dispatch::AUTH_LOCATION;
+
 fn is_default<T: Default + PartialEq>(value: &T) -> bool {
     value == &Default::default()
 }
@@ -161,9 +174,9 @@ impl OpcardConfig {
     ) -> Option<(&'static Path, &'static ResetSignalAllocation)> {
         match key {
             #[cfg(feature = "factory-reset")]
-            "" => Some((littlefs2::path!("opcard"), &OPCARD_RESET_SIGNAL)),
+            "" => Some((path!("opcard"), &OPCARD_RESET_SIGNAL)),
             #[cfg(feature = "se050")]
-            "use_se050_backend" => Some((littlefs2::path!("opcard"), &OPCARD_RESET_SIGNAL)),
+            "use_se050_backend" => Some((path!("opcard"), &OPCARD_RESET_SIGNAL)),
             _ => None,
         }
     }
@@ -378,6 +391,34 @@ impl<R: Runner> Apps<R> {
             )
         });
 
+        #[cfg(all(feature = "opcard", feature = "se050"))]
+        if !data.init_status.contains(InitStatus::CONFIG_ERROR)
+            && app.config().fs_version == 0
+            && !app.config().opcard.use_se050_backend
+        {
+            let trussed_auth_used = trussed_auth::AuthBackend::is_client_active(
+                trussed_auth::FilesystemLayout::V0,
+                dispatch::AUTH_LOCATION,
+                path!("opcard"),
+                data.store,
+            )
+            .unwrap_or_default();
+            let mut opcard_used = false;
+            let mut fs = ClientFilestore::new(path!("opcard").into(), data.store);
+            if fs
+                .read_dir_first(path!(""), Location::External, &NotBefore::None)
+                .unwrap_or_default()
+                .is_none()
+            {
+                opcard_used = true;
+            }
+
+            if !trussed_auth_used && !opcard_used {
+                // No need to factory reset because the app is not yet created yet
+                app.config_mut().opcard.use_se050_backend = true;
+            }
+        }
+
         let migration_version = used_migrators
             .iter()
             .map(|m| m.version)
@@ -698,7 +739,7 @@ impl<R: Runner> App<R> for FidoApp<R> {
         };
         let large_blobs = if cfg!(feature = "test") && runner.is_efs_available() {
             Some(fido_authenticator::LargeBlobsConfig {
-                location: trussed::types::Location::External,
+                location: Location::External,
                 max_size: 4096,
             })
         } else {
@@ -738,7 +779,7 @@ impl<R: Runner> App<R> for WebcryptApp<R> {
         Webcrypt::new_with_options(
             trussed,
             webcrypt::Options::new(
-                trussed::types::Location::External,
+                Location::External,
                 [uuid[0], uuid[1], uuid[2], uuid[3]],
                 WEBCRYPT_APP_CREDENTIALS_COUNT_LIMIT,
             ),
@@ -766,7 +807,7 @@ impl<R: Runner> App<R> for SecretsApp<R> {
     fn with_client(runner: &R, trussed: Client<R>, _: (), _: &()) -> Self {
         let uuid = runner.uuid();
         let options = secrets_app::Options::new(
-            trussed::types::Location::External,
+            Location::External,
             CustomStatus::ReverseHotpSuccess.into(),
             CustomStatus::ReverseHotpError.into(),
             [uuid[0], uuid[1], uuid[2], uuid[3]],
@@ -804,7 +845,7 @@ impl<R: Runner> App<R> for OpcardApp<R> {
         // See scd/app-openpgp.c in GnuPG for the manufacturer IDs
         options.manufacturer = 0x000Fu16.to_be_bytes();
         options.serial = [uuid[0], uuid[1], uuid[2], uuid[3]];
-        options.storage = trussed::types::Location::External;
+        options.storage = Location::External;
         #[cfg(feature = "se050")]
         {
             if config.use_se050_backend {

components/boards/src/init.rs

@@ -2,7 +2,10 @@ use apdu_dispatch::{
     dispatch::ApduDispatch,
     interchanges::{Channel as CcidChannel, Responder as CcidResponder, SIZE as CCID_SIZE},
 };
+#[cfg(any(feature = "trussed-auth", feature = "se050"))]
+use apps::AUTH_LOCATION;
 use apps::{AdminData, Data, Dispatch, FidoData, InitStatus};
+
 use ctaphid_dispatch::{dispatch::Dispatch as CtaphidDispatch, types::Channel as CtapChannel};
 #[cfg(not(feature = "no-delog"))]
 use delog::delog;
@@ -11,7 +14,7 @@ use nfc_device::Iso14443;
 use rand::{CryptoRng, Rng as _, RngCore, SeedableRng};
 use rand_chacha::ChaCha8Rng;
 use ref_swap::OptionRefSwap;
-use trussed::{interrupt::InterruptFlag, platform::Store as _, types::Location};
+use trussed::{interrupt::InterruptFlag, platform::Store as _};
 use usb_device::{
     bus::UsbBusAllocator,
     device::{UsbDevice, UsbDeviceBuilder, UsbVidPid},
@@ -257,21 +260,22 @@ pub fn init_trussed<B: Board, R: CryptoRng + RngCore>(
     #[cfg(feature = "trussed-auth")]
     let dispatch = if let Some(hw_key) = hw_key {
         Dispatch::with_hw_key(
-            Location::Internal,
+            AUTH_LOCATION,
             trussed::types::Bytes::from_slice(hw_key).unwrap(),
             #[cfg(feature = "se050")]
             se050,
         )
     } else {
         Dispatch::new(
-            Location::Internal,
+            AUTH_LOCATION,
             #[cfg(feature = "se050")]
             se050,
         )
     };
     #[cfg(not(feature = "trussed-auth"))]
     let dispatch = Dispatch::new(
-        Location::Internal,
+        #[cfg(feature = "se050")]
+        AUTH_LOCATION,
         #[cfg(feature = "se050")]
         se050,
     );