

OpenSK

This repository contains a Rust implementation of a FIDO2 security key. Security keys are external devices that can be used for signing in on websites. You can see OpenSK in action in this video on YouTube!

We intend to bring a full open source experience to security keys, from application to operating system. You can even 3D print your own open source enclosure!


You can run OpenSK as a Tock OS application, or use the library to bring OpenSK to your own hardware.

You are viewing the CTAP 2.1 version. This branch fixes bugs, but doesn't implement new features. If you want to contribute, go to the develop branch.

FIDO2

OpenSK's version that implemented CTAP 2.0 was certified by the FIDO Alliance.

This branch implements version 2.1 of the CTAP specification. This branch is not FIDO certified. OpenSK supports U2F, and non-discoverable credentials created with either protocol are compatible with the other.

⚠️ Disclaimer

This project is a proof of concept and a research platform. It is NOT meant for daily usage. This branch is under development, and therefore less rigorously tested than the numbered branches.

We're still in the process of integrating the ARM® CryptoCell-310 embedded in the Nordic nRF52840 chip to enable hardware-accelerated cryptography. In the meantime, there are 2 options for cryptography implementations:

  • Our own placeholder implementation. The code is research quality and doesn't provide constant-time guarantees.
  • The RustCrypto interface. Deploy with --rust-crypto. Note that our own ECC implementation is faster and has smaller binary size, so not all boards support RustCrypto yet.

Hardware

You will need one of the following supported boards:

Installation

To install OpenSK,

  1. follow the general setup steps,
  2. then continue with the instructions for your specific hardware:

To test whether the installation was successful, visit a demo website and try to register and login. Please check our Troubleshooting and Debugging section if you have problems with the installation process or during development. To find out what else you can do with your OpenSK, see Customization.

Research

We implemented post-quantum cryptography on OpenSK. The code is released under the hybrid-pqc tag. Our paper was published in the ACNS Secure Cryptographic Implementation workshop 2023 and won the best paper award.

Bibtex reference
@InProceedings{Ghinea2023hybrid,
    author= {Diana Ghinea and Fabian Kaczmarczyck and Jennifer Pullman and Julien Cretin and Rafael Misoczki and Stefan Kölbl and Luca Invernizzi and Elie Bursztein and Jean-Michel Picod},
    title=  {{Hybrid Post-Quantum Signatures in Hardware Security Keys}},
    booktitle=  {{4th ACNS Workshop on Secure Cryptographic Implementation, Kyoto, Japan}},
    month=  {June},
    year=   {2023},
}

Contributing

See Contributing.md.

Reporting a Vulnerability

See SECURITY.md.


opensk's Issues

better handling/docs of missing `rustup`

Expected Behavior

  • Installer detects that rustup is missing and gives appropriate guidance
  • Install doc gives brief overview of bootstrapping Rust enough to support deployment

Actual Behavior

  • Naive installation produces uncaught errors when trying to execute rustup
  • Install doc assumes specific Rust setup on Linux

Steps to Reproduce the Problem

  1. Follow install doc for first-time initialization of a fresh device on a Linux system without rustup

Specifications

  • Version: d8c29b7
  • Platform: Linux [redacted] 4.15.0-74-generic #84-Ubuntu SMP Thu Dec 19 08:06:28 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
$ ./setup.sh 
Submodule 'third_party/libtock-rs' (https://github.com/tock/libtock-rs) registered for path 'third_party/libtock-rs'
Submodule 'third_party/tock' (https://github.com/tock/tock) registered for path 'third_party/tock'
Cloning into '/media/S_DATA/data/linux-root/usr/local/src/sec/security-keys/OpenSK/third_party/libtock-rs'...
Cloning into '/media/S_DATA/data/linux-root/usr/local/src/sec/security-keys/OpenSK/third_party/tock'...
Submodule path 'third_party/libtock-rs': checked out 'ab2c945184b98ecae3e70ac678e9f5231deef73b'
Submodule path 'third_party/tock': checked out '862452b77ae0fc160231a2250de385dc7c358ef7'
[-] Applying patch "01-persistent-storage.patch"... DONE.
[-] Applying patch "02-usb.patch"... DONE.
[-] Applying patch "03-app-memory.patch"... DONE.
[-] Applying patch "04-rtt.patch"... DONE.
[-] Applying patch "01-linked_list_allocator.patch"... DONE.
[-] Applying patch "02-panic_console.patch"... DONE.
[-] Applying patch "03-timer.patch"... DONE.
[-] Applying patch "04-public_syscalls.patch"... DONE.
[-] Applying patch "05-bigger_heap.patch"... DONE.
Signature ok
subject=CN = Google OpenSK CA
Getting Private key
Signature ok
subject=CN = Google OpenSK Hacker Edition
Getting CA Private Key
./setup.sh: line 45: rustup: command not found
Collecting tockloader
  Downloading https://files.pythonhosted.org/packages/19/5f/8dd60c92fc9284afc304dd7a87bfba5e2d8bc0bd49305ea090808dd517b2/tockloader-1.3.1-py3-none-any.whl
Collecting colorama>=0.3.7 (from tockloader)
  Downloading https://files.pythonhosted.org/packages/c9/dc/45cdef1b4d119eb96316b3117e6d5708a08029992b2fee2c143c7a0a5cc5/colorama-0.4.3-py2.py3-none-any.whl
Collecting pytoml>=0.1.11 (from tockloader)
  Downloading https://files.pythonhosted.org/packages/a5/47/c7f8a0f210ad18576840922e0b504f0b7f5f73aea4a52ab14c5b58517edf/pytoml-0.1.21-py2.py3-none-any.whl
Collecting pyserial>=3.0.1 (from tockloader)
  Downloading https://files.pythonhosted.org/packages/0d/e4/2a744dd9e3be04a0c0907414e2a01a7c88bb3915cbe3c8cc06e209f59c30/pyserial-3.4-py2.py3-none-any.whl (193kB)
    100% |████████████████████████████████| 194kB 1.6MB/s 
Collecting crcmod>=1.7 (from tockloader)
  Downloading https://files.pythonhosted.org/packages/6b/b0/e595ce2a2527e169c3bcd6c33d2473c1918e0b7f6826a043ca1245dd4e5b/crcmod-1.7.tar.gz (89kB)
    100% |████████████████████████████████| 92kB 3.6MB/s 
Collecting argcomplete>=1.8.2 (from tockloader)
  Downloading https://files.pythonhosted.org/packages/82/7d/455e149c28c320044cb763c23af375bd77d52baca041f611f5c2b4865cf4/argcomplete-1.11.1-py2.py3-none-any.whl
Collecting importlib-metadata<2,>=0.23; python_version == "3.6" (from argcomplete>=1.8.2->tockloader)
  Downloading https://files.pythonhosted.org/packages/8b/03/a00d504808808912751e64ccf414be53c29cad620e3de2421135fcae3025/importlib_metadata-1.5.0-py2.py3-none-any.whl
Collecting zipp>=0.5 (from importlib-metadata<2,>=0.23; python_version == "3.6"->argcomplete>=1.8.2->tockloader)
  Downloading https://files.pythonhosted.org/packages/be/69/4ac28bf238f287f1677f41392e24d2c4ffafcf11648c23824f5f62ef6ccb/zipp-2.1.0-py3-none-any.whl
Building wheels for collected packages: crcmod
  Running setup.py bdist_wheel for crcmod ... done
  Stored in directory: /home/royce/.cache/pip/wheels/50/24/4d/4580ca4a299f1ad6fd63443e6e584cb21e9a07988e4aa8daac
Successfully built crcmod
Installing collected packages: colorama, pytoml, pyserial, crcmod, zipp, importlib-metadata, argcomplete, tockloader
Successfully installed argcomplete-1.11.1 colorama-0.4.3 crcmod-1.7 importlib-metadata-1.5.0 pyserial-3.4 pytoml-0.1.21 tockloader-1.3.1 zipp-2.1.0
./setup.sh: line 47: rustup: command not found
    Updating crates.io index
warning: spurious network error (2 tries remaining): failed to create temporary file '/home/royce/.cargo/registry/index/github.com-1ecc6299db9ec823/.git/objects/pack/pack_git2_qiKoAB': Permission denied; class=Os (2)
warning: spurious network error (1 tries remaining): failed to create temporary file '/home/royce/.cargo/registry/index/github.com-1ecc6299db9ec823/.git/objects/pack/pack_git2_zaDJgw': Permission denied; class=Os (2)
error: failed to fetch `https://github.com/rust-lang/crates.io-index`

Caused by:
  failed to create temporary file '/home/royce/.cargo/registry/index/github.com-1ecc6299db9ec823/.git/objects/pack/pack_git2_NpOVKv': Permission denied; class=Os (2)

$ board=nrf52840_dongle ./deploy.sh os app

Command elf2tab not found. Have you run the setup.sh script?

Why Nordic?

It would be great to outline in the README why these two boards were picked.
And whether it should also work on other boards (and which).

Requests for USB dongle without additional hardware.

Very excited about yesterday's update.
I very much expect to get rid of the hardware (jlink) dependency.
I have one USB dongle (52840 dongle), and had a try with nrfutil.

./deploy.py --board=nrf52840_dongle --opensk --programmer=nordicdfu
fatal: This board doesn't support flashing over DFU.

Then I checked the deploy.py file and changed the parameters:
./deploy.py --board=nrf52840_dongle_dfu --opensk --programmer=nordicdfu

I see, it needs the nrfutil command with version 5.1.
AttributeError: 'dict' object has no attribute 'iteritems'.

Can you tell me if my operation is correct, and nrfutil's version?

Thanks !

Specifications

  • Version:
  • Platform: ubuntu 16.04 i686, python 3.5.

NRF52840 boards?

Does the key need to be the specific Nordic NRF52840 developer dongle, or does the key only need to have the NRF52840 SoC on the dongle?

gen_key_materials script sometimes fails

Observed Behavior

This Travis-CI build fails with the following error https://travis-ci.org/google/OpenSK/builds/646020026

error[E0308]: mismatched types
  --> src/ctap/key_material.rs:30:47
   |
30 |   pub const ATTESTATION_PRIVATE_KEY: [u8; 32] = [
   |  _______________________________________________^
31 | |     0x00, 0xb5, 0xc4, 0xcf, 0x67, 0x32, 0x40, 0x19, 0x0c, 0xcd, 0xaa, 0x04, 0xcf, 0x83, 0x3f, 0x49,
32 | |     0xac, 0xb8, 0x3d, 0xff, 0x4a, 0x77, 0x20, 0x1a, 0xf9, 0x9b, 0x0c, 0xae, 0x9e, 0x8f, 0x2d, 0x31,
33 | |     0x60,
34 | | ];
   | |_^ expected an array with a fixed size of 32 elements, found one with 33 elements

The attestation key is generated by the tools/gen_key_materials.sh file.

Expected Behavior

The script should always generate an array of 32 bytes.
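An added example (not code from the OpenSK repository or the issue) showing where a 33rd byte can come from and how to normalize it. `openssl ec -text` prints the private scalar as colon-separated hex and prefixes a `00` octet when the top bit of the first byte is set, which matches the report's `0x00, 0xb5` prefix; the assumption here is that gen_key_materials.sh copies that dump verbatim. The helper strips the sign padding, left-pads short scalars, checks the P-256 range, and renders the fixed-size Rust constant that key_material.rs expects.

```rust
/// Constructed sample in the layout `openssl ec -text -noout` uses for the
/// private scalar: a `priv:` header followed by indented colon-separated hex.
/// The byte values are the ones quoted in the CI failure above; the leading
/// `00` octet is sign padding (0xb5 has its top bit set), which is what turns
/// a 32-byte scalar into the 33-element array the compiler rejected.
pub const SAMPLE_PRIV_DUMP: &str = "\
Private-Key: (256 bit)
priv:
    00:b5:c4:cf:67:32:40:19:0c:cd:aa:04:cf:83:3f:
    49:ac:b8:3d:ff:4a:77:20:1a:f9:9b:0c:ae:9e:8f:
    2d:31:60
pub:
    04:aa:bb
";

/// Group order n of P-256, big-endian. A valid private scalar d has 1 <= d < n.
pub const P256_ORDER: [u8; 32] = [
    0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
    0xbc, 0xe6, 0xfa, 0xad, 0xa7, 0x17, 0x9e, 0x84, 0xf3, 0xb9, 0xca, 0xc2, 0xfc, 0x63, 0x25, 0x51,
];

/// Collect the octets listed under the `priv:` header of an openssl text dump.
/// Stops at the next non-indented line (e.g. `pub:`).
pub fn parse_priv_hex(dump: &str) -> Result<Vec<u8>, String> {
    let mut bytes = Vec::new();
    let mut in_priv = false;
    for line in dump.lines() {
        if line.trim() == "priv:" {
            in_priv = true;
            continue;
        }
        if !in_priv {
            continue;
        }
        if !line.starts_with(' ') {
            break; // next section of the dump
        }
        // openssl ends continuation lines with ':', so drop empty pieces.
        for piece in line.trim().split(':').filter(|p| !p.is_empty()) {
            let b = u8::from_str_radix(piece, 16)
                .map_err(|e| format!("bad hex octet {piece:?}: {e}"))?;
            bytes.push(b);
        }
    }
    if bytes.is_empty() {
        return Err("no priv: section found".to_string());
    }
    Ok(bytes)
}

/// Turn the printed octets into exactly 32 big-endian bytes: strip leading
/// zero (sign-padding) octets, left-pad short scalars, and reject values that
/// are zero, wider than 32 bytes, or not below the P-256 group order.
pub fn to_fixed_scalar(bytes: &[u8]) -> Result<[u8; 32], String> {
    let first_nonzero = bytes.iter().position(|&b| b != 0).unwrap_or(bytes.len());
    let stripped = &bytes[first_nonzero..];
    if stripped.is_empty() {
        return Err("scalar is zero".to_string());
    }
    if stripped.len() > 32 {
        return Err(format!("scalar is {} bytes after stripping padding, exceeds 32", stripped.len()));
    }
    let mut out = [0u8; 32];
    out[32 - stripped.len()..].copy_from_slice(stripped);
    if out >= P256_ORDER {
        return Err("scalar is not below the P-256 group order".to_string());
    }
    Ok(out)
}

/// Render the constant in the shape key_material.rs uses, 16 octets per line.
pub fn render_rust_array(name: &str, key: &[u8; 32]) -> String {
    let mut s = format!("pub const {name}: [u8; 32] = [\n");
    for chunk in key.chunks(16) {
        let hex: Vec<String> = chunk.iter().map(|b| format!("0x{b:02x}")).collect();
        s.push_str("    ");
        s.push_str(&hex.join(", "));
        s.push_str(",\n");
    }
    s.push_str("];\n");
    s
}

fn main() {
    let raw = parse_priv_hex(SAMPLE_PRIV_DUMP).expect("parse priv: section");
    println!("openssl printed {} octets", raw.len());
    let key = to_fixed_scalar(&raw).expect("normalize scalar");
    print!("{}", render_rust_array("ATTESTATION_PRIVATE_KEY", &key));
}
```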

Cancellation doesn't work

Expected Behavior

When cancelling user presence checks on Google Chrome, the transaction is cancelled and the key is ready to accept more requests.

Actual Behavior

When compiled with --panic-console, the kernel panics.

Kernel panic at /tock/chips/nrf52/src/usbd.rs:1702:
	"assertion failed: `(left == right)`
  left: `OutDelay`,
 right: `Init`"
	Kernel version release-1.4-714-gfbc863fa

Steps to Reproduce the Problem

  1. Visit https://webauthn.io/ with Google Chrome, with OpenSK plugged in.
  2. Click "register".
  3. Click "cancel" on Chrome's popup when asked to touch the key.

Specifications

Is nRF52840-PDK supported?

Hello,

I flashed my 52840-Preview DK (v0.9.0) with app and os, but OpenSK will not work.
My actions so far:

  • disconnecting debug USB
  • connecting to device USB port
  • after 3-4s LED1 starts kind of double-flashing (boot-loop?)
  • pressing boot/reset and any other button

The PDK does not appear as any device (I tried ubuntu and win10).
Are there any other steps after flashing?

Thanks for this project!

Update libtock dependency to libtock-rs-core

Due to the revamp of the runtime in libtock-rs to use futures, we are currently pinned at an old version of libtock-rs (https://github.com/tock/libtock-rs/tree/ab2c945184b98ecae3e70ac678e9f5231deef73b).

However, the core part of libtock-rs has now been split out of the drivers: https://github.com/tock/libtock-rs/tree/master/core. We can update to depend on that to keep in sync with upstream, which should also allow to reduce the number of our custom patches.

However, this means that for now we'll have to import all drivers in OpenSK, given that libtock-rs's drivers are now tailored for the futures-based runtime. But we can re-use and adapt the old ones. For now our uses of libtock are:

$ git grep libtock:: | cut -d' ' -f2 | cut -d':' -f3 | cut -d';' -f1 | sort -u
buttons
console
led
result
rng
syscalls
timer

Given that libtock::{result, syscalls} are now in libtock core, this is only 5 drivers to maintain - until (1) libtock supports again synchronous drivers or (2) we migrate OpenSK to the futures-based runtime.

The --verbose mode is impractical

Expected Behavior

OpenSK on an nRF52840-DK with the --verbose option enabled can be registered on https://webauthn.io/.

Actual Behavior

Currently, the --verbose option triggers many syscalls to write to the console. This slows down the whole app, making it impractical. For example, USB packets are dropped when trying to register on https://webauthn.io/ in --verbose mode on an nRF52840-DK, so registration fails altogether in this scenario.

Steps to Reproduce the Problem

  1. Flash OpenSK on a nRF52840-DK with --verbose enabled $ ./deploy.py --board nrf52840dk --opensk --panic-console --verbose.
  2. Visit https://webauthn.io/ and start the registration flow.
  3. Look at the console output and observe unexpected USB packets.
  4. Look at the webpage and observe that the registration flow hangs.

Specifications

Using SWD mode to connect to nRF52840 Dongle?

In the doc, the cable connects to 10 pads. Which of these 10 pads/pins are really used to connect to the dongle?

If we use another debug connector rather than Segger J-Link (JTAG mode), can we use SWDIO, SWDCLK and GND, i.e., SWD mode?

Dongle only detected when Jlink is connected

Expected Behavior

NRF52840 Dongle works with or without Jlink connected.

Actual Behavior

NRF52840 Dongle only works when Jlink is connected. This is the first time I tried to compile for the dongle. Am I missing something here?

Steps to Reproduce the Problem

  1. Clone latest master repo
  2. Run ./setup.sh
  3. Run ./deploy.py --board=nrf52840_dongle --opensk --programmer=jlink

Specifications

  • Version: Latest commit: 284b142
  • Platform: Linux Elementary OS, Jlink Pro

The source code is compiled and run successfully, but the application and Tock OS do not flash successfully

I have compiled the source files and run the scripts successfully, but it feels like the OpenSK application and Tock OS are not flashed to the board.

What will happen during and after the flash?

Please check my steps:

xaqfan@xaqfan:~/Tock_OS/OpenSK$ ./setup.sh
[-] Applying patch "01-persistent-storage.patch"... DONE.
[-] Applying patch "02-usb.patch"... DONE.
[-] Applying patch "03-app-memory.patch"... DONE.
[-] Applying patch "04-rtt.patch"... DONE.
[-] Applying patch "01-linked_list_allocator.patch"... DONE.
[-] Applying patch "02-panic_console.patch"... DONE.
[-] Applying patch "03-timer.patch"... DONE.
[-] Applying patch "04-public_syscalls.patch"... DONE.
[-] Applying patch "05-bigger_heap.patch"... DONE.
[-] Applying patch "06-no_spin_allocator.patch"... DONE.
Signature ok
subject=CN = Google OpenSK CA
Getting Private key
Signature ok
subject=CN = Google OpenSK Hacker Edition
Getting CA Private Key
info: syncing channel updates for 'nightly-2020-02-03-i686-unknown-linux-gnu'

nightly-2020-02-03-i686-unknown-linux-gnu unchanged - rustc 1.42.0-nightly (f43c34a13 2020-02-02)

info: checking for self-updates
Requirement already up-to-date: tockloader in /home/xaqfan/.local/lib/python3.5/site-packages/tockloader-1.4.0.dev0-py3.5.egg (1.4.0.dev0)
Requirement already satisfied, skipping upgrade: argcomplete>=1.8.2 in /home/xaqfan/.local/lib/python3.5/site-packages (from tockloader) (1.11.1)
Requirement already satisfied, skipping upgrade: colorama>=0.3.7 in /home/xaqfan/.local/lib/python3.5/site-packages (from tockloader) (0.4.3)
Requirement already satisfied, skipping upgrade: crcmod>=1.7 in /home/xaqfan/.local/lib/python3.5/site-packages (from tockloader) (1.7)
Requirement already satisfied, skipping upgrade: pyserial>=3.0.1 in /home/xaqfan/.local/lib/python3.5/site-packages (from tockloader) (3.4)
Requirement already satisfied, skipping upgrade: pytoml>=0.1.11 in /home/xaqfan/.local/lib/python3.5/site-packages (from tockloader) (0.1.21)
Requirement already satisfied, skipping upgrade: importlib-metadata<2,>=0.23; python_version == "3.5" in /home/xaqfan/.local/lib/python3.5/site-packages (from argcomplete>=1.8.2->tockloader) (1.5.0)
Requirement already satisfied, skipping upgrade: zipp>=0.5 in /home/xaqfan/.local/lib/python3.5/site-packages (from importlib-metadata<2,>=0.23; python_version == "3.5"->argcomplete>=1.8.2->tockloader) (1.1.0)
info: component 'rust-std' for target 'thumbv7em-none-eabi' is up to date
Updating crates.io index
Ignored package elf2tab v0.4.0 is already installed, use --force to override

xaqfan@xaqfan:~/Tock_OS/OpenSK$ ./deploy.py os --board=nrf52840_dongle
info: Updating rust toolchain to nightly-2020-02-03
info: syncing channel updates for 'nightly-2020-02-03-i686-unknown-linux-gnu'
info: checking for self-updates
info: component 'rust-std' for target 'thumbv7em-none-eabi' is up to date
info: Rust toolchain up-to-date
info: Installing Tock on board nrf52840_dongle
Compiling tock-cells v0.1.0 (/home/xaqfan/Tock_OS/OpenSK/third_party/tock/libraries/tock-cells)
Compiling tock-registers v0.5.0 (/home/xaqfan/Tock_OS/OpenSK/third_party/tock/libraries/tock-register-interface)
Compiling enum_primitive v0.1.0 (/home/xaqfan/Tock_OS/OpenSK/third_party/tock/libraries/enum_primitive)
Compiling tock_rt0 v0.1.0 (/home/xaqfan/Tock_OS/OpenSK/third_party/tock/libraries/tock-rt0)
Compiling nrf52840_dongle v0.1.0 (/home/xaqfan/Tock_OS/OpenSK/third_party/tock/boards/nordic/nrf52840_dongle)
Compiling kernel v0.1.0 (/home/xaqfan/Tock_OS/OpenSK/third_party/tock/kernel)
Compiling cortexm v0.1.0 (/home/xaqfan/Tock_OS/OpenSK/third_party/tock/arch/cortex-m)
Compiling nrf5x v0.1.0 (/home/xaqfan/Tock_OS/OpenSK/third_party/tock/chips/nrf5x)
Compiling capsules v0.1.0 (/home/xaqfan/Tock_OS/OpenSK/third_party/tock/capsules)
Compiling cortexm4 v0.1.0 (/home/xaqfan/Tock_OS/OpenSK/third_party/tock/arch/cortex-m4)
Compiling nrf52 v0.1.0 (/home/xaqfan/Tock_OS/OpenSK/third_party/tock/chips/nrf52)
Compiling nrf52840 v0.1.0 (/home/xaqfan/Tock_OS/OpenSK/third_party/tock/chips/nrf52840)
Compiling components v0.1.0 (/home/xaqfan/Tock_OS/OpenSK/third_party/tock/boards/components)
Compiling nrf52dk_base v0.1.0 (/home/xaqfan/Tock_OS/OpenSK/third_party/tock/boards/nordic/nrf52dk_base)
Finished release [optimized + debuginfo] target(s) in 23.73s
[STATUS ] Flashing binar(y|ies) to board...
[INFO ] Using known arch and jtag-device for known board nrf52dk
[INFO ] Finished in 7.749 seconds

xaqfan@xaqfan:~/Tock_OS/OpenSK$ ./deploy.py app --opensk
info: Updating rust toolchain to nightly-2020-02-03
info: syncing channel updates for 'nightly-2020-02-03-i686-unknown-linux-gnu'
info: checking for self-updates
info: component 'rust-std' for target 'thumbv7em-none-eabi' is up to date
info: Rust toolchain up-to-date
info: Erasing all installed applications
All apps have been erased.
info: Building OpenSK application
Updating crates.io index
Compiling pkg-config v0.3.17
Compiling cc v1.0.50
Compiling autocfg v1.0.0
Compiling libc v0.2.66
Compiling bitflags v1.2.1
Compiling openssl v0.10.28
Compiling foreign-types-shared v0.1.1
Compiling byteorder v1.3.4
Compiling lazy_static v1.4.0
Compiling cfg-if v0.1.10
Compiling linked_list_allocator v0.6.6
Compiling subtle v2.2.2
Compiling cbor v0.1.0 (/home/xaqfan/Tock_OS/OpenSK/libraries/cbor)
Compiling arrayref v0.3.6
Compiling foreign-types v0.3.2
Compiling libtock v0.1.0 (/home/xaqfan/Tock_OS/OpenSK/third_party/libtock-rs)
Compiling crypto v0.1.0 (/home/xaqfan/Tock_OS/OpenSK/libraries/crypto)
Compiling openssl-sys v0.9.54
Compiling ctap2 v0.1.0 (/home/xaqfan/Tock_OS/OpenSK)
Finished release [optimized] target(s) in 35.16s
info: Flashing padding application
info: Installing Tock application ctap2

Specifications

  • Version: opensk-master
  • Platform: ubuntu 16.04

OpenSSH key generation fails if OpenSK has a pin set.

Expected Behavior

Key generation proceeds after entering the correct pin at the prompt.

Actual Behavior

After entering the set pin, openssh errors out with Key enrollment failed: requested feature not supported

brittle@archdesktop .ssh]$ ssh-keygen -t ecdsa-sk -f ~/.ssh/id_ecdsa_sk
Generating public/private ecdsa-sk key pair.
You may need to touch your authenticator to authorize key generation.
Enter PIN for authenticator:
Key enrollment failed: requested feature not supported

If OpenSK does not have a pin set, the key pair is generated as expected.

Steps to Reproduce the Problem

  1. Set a pin on OpenSK. I used https://demo.yubico.com/playground with passwordless login on Chromium to set the pin.
  2. Try to create a fido backed key pair with OpenSSH.
    ssh-keygen -t ecdsa-sk -f ~/.ssh/id_ecdsa_sk

Specifications

  • Version: 284b142
  • Platform: Arch Linux

Document how to check whether the device is working

Expected Behavior

Documentation should explain what to expect after the device has been flashed. Is there supposed to be a ttyUSB? How do you check whether the device works properly (https://webauthn.io/)?

Actual Behavior

Only setup, compiling, flashing is documented.

Steps to Reproduce the Problem

  1. Follow documentation

trouble running deploy.sh on macOS

Expected Behavior

./deploy.sh app succeeds without error on macOS

Actual Behavior

./deploy.sh complains about an illegal -A argument to declare and illegal -- argument to stat

Steps to Reproduce the Problem

  1. run ./deploy.sh app on macOS

Specifications

  • Version: 3d3f355
  • Platform: macOS 10.15

The stat issue can be solved by installing coreutils (brew install coreutils) and changing your PATH:

PATH="/usr/local/opt/coreutils/libexec/gnubin:$PATH"

The bash issue can be solved by using a more recent version of bash (brew install bash).

Build successfully but not recognized in webauth or U2F

Hi, I am a newbie. I got a new nRF52840DK board, cloned the OpenSK repository, followed the installation guide with all the required software installed (e.g. rust, tockloader etc.) and flashed successfully.

The question is that everything seems to be flushed, including the original bootloader, when I configured the nRF52840DK as USB HID originally. Also, when I use the board over USB with a web server in Chrome that requests inserting a security key in the USB port (WebAuthn), or the Yubico U2F testing website, I plug my board in as a USB peripheral and it is not recognized.

Can you please advise me where it goes wrong?
Thank you!

Please add shebang to setup.sh

Hello, thanks for publishing an awesome project!

I use the fish shell (not bash).
So, I cannot execute setup.sh as described in the README.
This problem does not occur with deploy.sh because #!/usr/bin/env bash exists.

Expected Behavior

> ./setup.sh
> env board=nrf52840dk ./deploy.sh os app

Actual Behavior

> ./setup.sh
Failed to execute process './setup.sh'. Reason:
exec: Exec format error
The file './setup.sh' is marked as an executable but could not be run by the operating system.

JLinkExe missing during flash build (nrf52840_dongle)

I'm the "total noob use case" smoke tester this week. 😆

Expected Behavior

  • Missing JLinkExe detected and cleanly handled
  • Note of JLinkExe as a dependency in docs
  • Doc hints (maybe including a link to the Tock Getting Started doc?)
  • If a Segger flasher or other separate flash device is required, doc this as well, including any (brief) info necessary to select a compatible unit

Actual Behavior

  • Uncaught error if JLinkExe is missing (it's not clear to me if the automatic Tock "import" was supposed to also bring in JLinkExe?)

Steps to Reproduce the Problem

  • Run board=nrf52840_dongle ./deploy.sh os app without JLinkExe available

Specifications

  • Version: 796261d
  • Platform: Linux [redacted] 4.15.0-74-generic #84-Ubuntu SMP Thu Dec 19 08:06:28 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
[...]
tockloader  flash --address 0x00000 --jlink --board nrf52dk target/thumbv7em-none-eabi/release/nrf52840_dongle.bin
Flashing binar(y|ies) to board...
Using known arch and jtag-device for known board nrf52dk
Traceback (most recent call last):
  File "/home/royce/.local/bin/tockloader", line 11, in <module>
    sys.exit(main())
  File "/home/royce/.local/lib/python3.6/site-packages/tockloader/main.py", line 593, in main
    args.func(args)
  File "/home/royce/.local/lib/python3.6/site-packages/tockloader/main.py", line 216, in command_flash
    tock_loader.flash_binary(binary, args.address)
  File "/home/royce/.local/lib/python3.6/site-packages/tockloader/tockloader.py", line 63, in flash_binary
    self.channel.flash_binary(address, binary)
  File "/home/royce/.local/lib/python3.6/site-packages/tockloader/jlinkexe.py", line 96, in flash_binary
    self._run_jtag_commands(commands, binary)
  File "/home/royce/.local/lib/python3.6/site-packages/tockloader/jlinkexe.py", line 63, in _run_jtag_commands
    p = subprocess.run(jlink_command.split(), stdout=subprocess.PIPE, stderr=subprocess.PIPE)
  File "/usr/lib/python3.6/subprocess.py", line 423, in run
    with Popen(*popenargs, **kwargs) as process:
  File "/usr/lib/python3.6/subprocess.py", line 729, in __init__
    restore_signals, start_new_session)
  File "/usr/lib/python3.6/subprocess.py", line 1364, in _execute_child
    raise child_exception_type(errno_num, err_msg, err_filename)
FileNotFoundError: [Errno 2] No such file or directory: 'JLinkExe': 'JLinkExe'

Makefile:24: recipe for target 'flash' failed
make: *** [flash] Error 1
make: Leaving directory '/media/S_DATA/data/linux-root/usr/local/src/sec/security-keys/OpenSK/third_party/tock/boards/nordic/nrf52840_dongle'

Support Windows Hello

Expected Behavior

OpenSK can be used for login on Windows Hello.

Actual Behavior

The required FIDO2 extension HMAC-secret is not implemented yet.

Steps to Reproduce the Problem

  1. Set a Windows 10 machine up.
  2. Try passwordless with OpenSK

Specifications

  • Version: FIDO specification 2.0+
  • Platform: Windows 10

yapf: "chromium" is not a valid style or file path

Expected Behavior

pylint/yapf isn't affected by a pull request which doesn't modify any Python file.

Actual Behavior

This fails on #97.

Run echo ::add-matcher::./.github/python_matcher.json
  echo ::add-matcher::./.github/python_matcher.json
  yapf --style=chromium --recursive --exclude third_party --diff .
  shell: /bin/bash -e {0}
  env:
    pythonLocation: /opt/hostedtoolcache/Python/3.7.6/x64
yapf: "chromium" is not a valid style or file path
##[error]Process completed with exit code 1.

Steps to Reproduce the Problem

See https://github.com/google/OpenSK/pull/97/checks?check_run_id=614885048

Improve continuous integration

Expected Behavior

All formatting, tests, and builds are run through Github workflows.

We should also use the Problem matchers wherever we can to have more automated actionable content in the Github PR review system.

Actual Behavior

Continuous integration runs on Travis-CI

Steps to Reproduce the Problem

N/A

Specifications

  • Version: N/A
  • Platform: N/A

error: failed to select a version for `libtock`.

I'm trying to download dongle, but I made a mistake in the middle.
I have downloaded the resource files under OpenSK-master/third_party
I have no ideas.

board=nrf52840_dongle ./deploy.sh os app
nightly-2020-02-03-i686-unknown-linux-gnu unchanged - rustc 1.42.0-nightly (f43c34a13 2020-02-02)

info: checking for self-updates
info: component 'rust-std' for target 'thumbv7em-none-eabi' is up to date
make: Entering directory '/home/xaqfan/Tock_OS/OpenSK-master/third_party/tock/boards/nordic/nrf52840_dongle'
Finished release [optimized + debuginfo] target(s) in 0.01s
text data bss dec hex filename
102912 1696 260448 365056 59200 target/thumbv7em-none-eabi/release/nrf52840_dongle
tockloader flash --address 0x00000 --jlink --board nrf52dk target/thumbv7em-none-eabi/release/nrf52840_dongle.bin
Flashing binar(y|ies) to board...
Using known arch and jtag-device for known board nrf52dk
Finished in 7.745 seconds

make: Leaving directory '/home/xaqfan/Tock_OS/OpenSK-master/third_party/tock/boards/nordic/nrf52840_dongle'
Preparing to uninstall apps...
No apps are installed on the board

Updating crates.io index

error: failed to select a version for libtock.
... required by package ctap2 v0.1.0 (/home/xaqfan/Tock_OS/OpenSK-master)
versions that meet the requirements * are: 0.1.0

the package ctap2 depends on libtock, with features: panic_console but libtock does not have these features.

failed to select a version for libtock which could resolve this conflict

Could someone help me?
Thanks!

NFC support?

I know it's early in the project, but is NFC support planned?
And how does that feature look priority wise?

Linked-list-allocator v0.6.6 causes Travis-CI to fail

The release of version v0.6.6 earlier today (rust-osdev/linked-list-allocator#20) causes Travis-CI build to fail: https://travis-ci.org/google/OpenSK/builds/645900468

    Checking linked_list_allocator v0.6.6
error[E0432]: unresolved import `alloc::alloc::AllocRef`
  --> /home/travis/.cargo/registry/src/github.com-1ecc6299db9ec823/linked_list_allocator-0.6.6/src/lib.rs:14:20
   |
14 | use alloc::alloc::{AllocRef, AllocErr, Layout};
   |                    ^^^^^^^^ no `AllocRef` in `alloc`
error: aborting due to previous error

See also rust-osdev/linked-list-allocator#21.

This will likely be fixed by increasing the rust-toolchain version.

Bluetooth support?

Hi! As far as I see Bluetooth is not (yet?) supported by the firmware. Are there plans to implement Bluetooth support in the firmware?

Can't install TockOS and the OpenSK application.

Expected Behavior

Complete the Installation step2.

Actual Behavior

I got the following error.

error[E0583]: file not found for module key_material
board_nrf52840_dongle.log

Steps to Reproduce the Problem

  1. $ git clone --recursive git@github.com:google/OpenSK.git
  2. $ ./setup.sh
  3. $ board=nrf52840_dongle ./deploy.sh app os

When I ran ./setup.sh, src/ctap/key_material.rs wasn't generated.
setup_sh.log

Specifications

I'm using pipenv.

$ pipenv --version
pipenv, version 2018.11.26
$ python --version
Python 3.7.6
$ rustc --version
rustc 1.42.0-nightly (f43c34a13 2020-02-02)
$ openssl version
LibreSSL 2.6.5
$ sw_vers
ProductName:	Mac OS X
ProductVersion:	10.14.6
BuildVersion:	18G2022

OpenSK firmware can not work well with nRF52840 dongle after 2e419fe77b37255778fe13166cdc891caee3b334

Expected Behavior

Before (and including) 2e419fe, when the nRF52840 USB dongle is inserted into a USB port, the LEDs are off. When a CTAP2/U2F command is received, the LEDs blink and wait for user presence. After the user presses the button, it responds correctly.

Actual Behavior

Now (after 2e419fe), after inserting it into the USB port, the LEDs are blinking even while idle. OpenSK does not work after the user presses the button.

Steps to Reproduce the Problem

  1. Download firmware to nRF52840 dongle as usual.
  2. Replug it into the USB port and look at the LED status: they are blinking, unlike before.
  3. Test it on https://webauthn.io/ or other test website.
  4. Make credential and press button.

I tested source code from 752bf47 to the latest. It has the same behavior.

Error when deploying to nrf52840_dongle

I will use the Nordic nRF52840 dongle for 2FA + security key on Google login. I successfully ran setup.sh and installed rustup and tockloader (via GitHub), but when I run:

./deploy.py os --board=nrf52840_dk

I get the following error:

   Finished release [optimized + debuginfo] target(s) in 0.25s

[STATUS] Flashing binaries to board
[ INFO ] Using known arch and jtag-device for known board nrf52dk
[ERROR ] ERROR: Cannot find JLink hardware. Is USB attached ?
make: *** [flash] Error 1
fatal: Failed to execute make: Command '['make', '-C', 'third_party/tock/boards/nordic/nrf52840_dongle', 'flash']' returned non-zero exit status 2.

I tried to update the dongle driver with the JLink driver but it's not working. Windows recognizes it and it is currently on port COM3.

When I open JLink.exe, it tries to connect via USB, but a pop-up opens: "No emulators connected via USB", and it wants to connect via TCP/IP.

What are the possible solutions to this issue? The Nordic nrf52840_dongle is connected to the USB port.

Migrate syntax for extern crates and macros to Rust 2018 edition

The 2018 edition of Rust simplified the syntax around usage of extern crates and exporting of macros. We should migrate to that.

More specifically:

I didn't check for other specifics of the 2018 edition, but we could track here any other syntax changes related to it.

Improved pure-Rust cryptographic implementations

Hello! I'm one of the leads of https://github.com/RustCrypto

First let me start by saying I've read this:

We're currently still in the process on making the ARM® CryptoCell-310 embedded in the Nordic nRF52840 chip work to get hardware-accelerated cryptography. In the meantime we implemented the required cryptography algorithms (ECDSA, ECC secp256r1, HMAC-SHA256 and AES256) in Rust as a placeholder. Those implementations are research-quality code and haven't been reviewed. They don't provide constant-time guarantees and are not designed to be resistant against side-channel attacks.

I am also chasing down a security reference manual for a different chip from a different vendor and encountering bugs in their web site so I totally get it.

All that said, I'm wondering if you'd consider using some slightly better implementations of various algorithms than you are currently using. I was eyeing things like this in particular:

https://github.com/google/OpenSK/blob/f91d2fd/libraries/crypto/src/aes256.rs#L108

I'm aware table-based lookups in S-boxes are less of a side-channel issue on this chipset owing to what I believe is an absence of data cache, but perhaps it'd generally be better to provide a bitsliced version anyway unless you have reasons not to do so.

I just wanted to note there's one available in the aes-soft crate, which may not be the most performant one in the world but is at least Apache 2.0+MIT licensed:

https://github.com/RustCrypto/block-ciphers/blob/master/aes/aes-soft/src/bitslice.rs

If you're amenable to this kind of thing, we would love to collaborate on high-quality pure Rust cryptography implementations, particularly ones with a focus on embedded targets, and where there are gaps in Rust as a language today for these purposes, we're also working on addressing them and would love to collaborate on that too.

Anyway, this is a very interesting project and I'm sure you're looking forward to getting the CryptoCell going!
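As an added illustration of the concern raised above (example code, not OpenSK's or RustCrypto's): the AES forward S-box computed with fixed-sequence GF(2^8) arithmetic instead of a 256-byte table, so no memory address depends on the input byte. This is the simplest table-free construction; the bitsliced one in aes-soft is a different, faster approach. Test vectors are the worked values from FIPS 197.

```rust
// Added example, not OpenSK or RustCrypto code: the AES forward S-box
// computed from GF(2^8) arithmetic instead of a 256-byte lookup table.
//
// `SBOX[x]` reads a memory address derived from the secret byte x; with a
// data cache that address leaks through timing. Every function below runs
// a fixed number of iterations and uses masks instead of secret-dependent
// branches or indices, so the work done is the same for all 256 inputs.

/// Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1.
/// Always 8 rounds; the "add a" and "reduce" steps are selected by masks.
fn gf_mul(mut a: u8, mut b: u8) -> u8 {
    let mut p = 0u8;
    for _ in 0..8 {
        // 0xFF when the low bit of b is set, 0x00 otherwise.
        let add = 0u8.wrapping_sub(b & 1);
        p ^= a & add;
        // 0xFF when a's top bit is set, so a*x needs reduction by 0x1b.
        let reduce = 0u8.wrapping_sub(a >> 7);
        a = (a << 1) ^ (0x1b & reduce);
        b >>= 1;
    }
    p
}

/// Multiplicative inverse: a^254 == a^-1 for a != 0, and 0 maps to 0.
/// Square-and-multiply over the constant exponent 254 = 0b1111_1110.
fn gf_inv(a: u8) -> u8 {
    let mut result = 1u8;
    let mut base = a;
    let mut e = 254u8;
    for _ in 0..8 {
        let take = 0u8.wrapping_sub(e & 1); // mask: multiply in this round?
        let product = gf_mul(result, base);
        result = (product & take) | (result & !take);
        base = gf_mul(base, base);
        e >>= 1;
    }
    result
}

/// Forward S-box: inverse followed by the affine map of FIPS 197 (5.1.1).
/// Rotations by a constant count are single instructions, not lookups.
pub fn sbox(x: u8) -> u8 {
    let i = gf_inv(x);
    i ^ i.rotate_left(1) ^ i.rotate_left(2) ^ i.rotate_left(3) ^ i.rotate_left(4) ^ 0x63
}

/// Builds the conventional 256-byte table from `sbox`. Indexing this table
/// with a secret byte is exactly the access pattern the post cautions about.
pub fn build_sbox_table() -> [u8; 256] {
    let mut t = [0u8; 256];
    for (x, slot) in t.iter_mut().enumerate() {
        *slot = sbox(x as u8);
    }
    t
}

/// A correct S-box is a permutation of 0..=255.
pub fn is_permutation(t: &[u8; 256]) -> bool {
    let mut seen = [false; 256];
    for &v in t.iter() {
        if seen[v as usize] {
            return false;
        }
        seen[v as usize] = true;
    }
    true
}

fn main() {
    // FIPS 197 worked value: {53} -> {ed}; and the table is a permutation.
    println!("sbox(0x53) = {:#04x}", sbox(0x53));
    println!("permutation: {}", is_permutation(&build_sbox_table()));
}
```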

error[E0432]: unresolved import `alloc::alloc::AllocRef`

When I run: board=nrf52840dk ./deploy.sh app os

I get the following:

No apps are installed on the board

   Compiling linked_list_allocator v0.6.6
error[E0432]: unresolved import `alloc::alloc::AllocRef`
  --> /home/gary/.cargo/registry/src/github.com-1ecc6299db9ec823/linked_list_allocator-0.6.6/src/lib.rs:14:20
   |
14 | use alloc::alloc::{AllocRef, AllocErr, Layout};
   |                    ^^^^^^^^ no `AllocRef` in `alloc`

error: aborting due to previous error

For more information about this error, try `rustc --explain E0432`.
error: could not compile `linked_list_allocator`.

OpenSK is gone every re-insert of the dongle

Expected Behavior

Once I flash the dongle with OpenSK I'm expecting it to stay loaded even if I re-insert the USB dongle.

Actual Behavior

I have to re-flash the dongle every time I insert it into the USB port of my Mac.

Steps to Reproduce the Problem

I installed the new version of tockloader (tockloader==1.4.0.dev0).

  1. ./deploy.py --board="nrf52840_dongle_dfu" --opensk --programmer=nordicdfu
    I get the final message:
info: Flashing device using DFU...
  [####################################]  100%          
Device programmed.

Running ioreg -p IOUSB I get:

+-o Root  <class IORegistryEntry, id 0x100000100, retain 17>
  +-o AppleUSBXHCI Root Hub Simulation@14000000  <class AppleUSBRootHubDevice, id 0x100000327, registered, matched, active, busy 0$
    +-o BRCM20702 Hub@14300000  <class AppleUSBDevice, id 0x10002438a, registered, matched, active, busy 0 (0 ms), retain 12>
    | +-o Bluetooth USB Host Controller@14330000  <class AppleUSBDevice, id 0x1000243dd, registered, matched, active, busy 0 (0 ms$
    +-o Apple Internal Keyboard / Trackpad@14400000  <class AppleUSBDevice, id 0x10002439b, registered, matched, active, busy 0 (1$
    +-o OpenSK@14200000  <class AppleUSBDevice, id 0x1000277d6, registered, matched, active, busy 0 (0 ms), retain 12>

And I can test with the test web page: https://webauthn.io/
All work as expected.

But if I remove the USB dongle and re-insert it, it gets back to the DFU Bootloader:
Running ioreg -p IOUSB I get:

diegob@Diegos-MacBook-Pro OpenSK % ioreg -p IOUSB                 <<<=== BEFORE RE INSERT                                          
+-o Root  <class IORegistryEntry, id 0x100000100, retain 17>
  +-o AppleUSBXHCI Root Hub Simulation@14000000  <class AppleUSBRootHubDevice, id 0x100000327, registered, matched, active, busy 0$
    +-o BRCM20702 Hub@14300000  <class AppleUSBDevice, id 0x10002438a, registered, matched, active, busy 0 (0 ms), retain 12>
    | +-o Bluetooth USB Host Controller@14330000  <class AppleUSBDevice, id 0x1000243dd, registered, matched, active, busy 0 (0 ms$
    +-o Apple Internal Keyboard / Trackpad@14400000  <class AppleUSBDevice, id 0x10002439b, registered, matched, active, busy 0 (1$
    +-o OpenSK@14200000  <class AppleUSBDevice, id 0x1000277d6, registered, matched, active, busy 0 (0 ms), retain 12>

<<<<< Re Insert USB Dongle >>>>>>>>>>

diegob@Diegos-MacBook-Pro OpenSK % ioreg -p IOUSB 
+-o Root  <class IORegistryEntry, id 0x100000100, retain 17>
  +-o AppleUSBXHCI Root Hub Simulation@14000000  <class AppleUSBRootHubDevice, id 0x100000327, registered, matched, active, busy 0$
    +-o BRCM20702 Hub@14300000  <class AppleUSBDevice, id 0x10002438a, registered, matched, active, busy 0 (0 ms), retain 12>
    | +-o Bluetooth USB Host Controller@14330000  <class AppleUSBDevice, id 0x1000243dd, registered, matched, active, busy 0 (0 ms$
    +-o Apple Internal Keyboard / Trackpad@14400000  <class AppleUSBDevice, id 0x10002439b, registered, matched, active, busy 0 (1$
    +-o Open DFU Bootloader@14200000  <class AppleUSBDevice, id 0x1000277f0, registered, matched, active, busy 0 (2 ms), retain 14$

Specifications

Device: nrf52840_dongle

  • Version:
  • Platform: MacOS

App object has no attribute get_binary

Expected Behavior

deploy.py should build the image to be flashed.

Actual Behavior

It fails with an AttributeError, because there is no function definition for get_binary(). Looks to me like the issue was introduced in #78.

% ./deploy.py --board=nrf52840_mdk_dfu --opensk --programmer=none
info: Updating rust toolchain to nightly-2020-02-03
info: syncing channel updates for 'nightly-2020-02-03-x86_64-unknown-linux-gnu'
info: component 'rust-std' for target 'thumbv7em-none-eabi' is up to date
info: Rust toolchain up-to-date
info: Building Tock OS for board nrf52840_mdk_dfu
    Finished release [optimized + debuginfo] target(s) in 0.49s
info: Building OpenSK application
    Finished release [optimized] target(s) in 0.64s
info: Generating Tock TAB file for application/example ctap2
Traceback (most recent call last):
  File "./deploy.py", line 772, in <module>
    main(main_parser.parse_args())
  File "./deploy.py", line 645, in main
    OpenSKInstaller(args).run()
  File "./deploy.py", line 595, in run
    self.create_hex_file(dest_file)
  File "./deploy.py", line 508, in create_hex_file
    app_tab.extract_app(board_props.arch).get_binary(),
AttributeError: 'App' object has no attribute 'get_binary'

Steps to Reproduce the Problem

  1. ./setup.sh
  2. ./deploy.py --board=nrf52540_mdk_dfu --opensk --programmer=none

Specifications

  • Version: ec1ce66
  • Platform: Linux x86_64

Deploy.py Requires Tockloader 1.4.0, which is not yet released via pip

Expected Behavior

The latest version of tockloader available via pip install is tockloader 1.3.1: https://pypi.org/project/tockloader/

Running the setup.sh script therefore installs tockloader 1.3.1 instead of a more recent version. Based on the commit history in the tockloader repository, the 'sticky' argument of the install function isn't available in 1.3.1 (released Nov. 2018): https://github.com/tock/tockloader/blob/v1.3.1/tockloader/tockloader.py#L86

It appears that this 'sticky' argument was added much more recently (Oct. 2019):
tock/tockloader@22f3465

This causes the deploy.py script that was recently released to fail due to an unexpected argument in the call to tock.install() (here's the log excerpt):

info: Installing Tock application ctap2
Traceback (most recent call last):
  File "./deploy.py", line 251, in install_elf_file
    tock.install(tabs, replace="yes",
TypeError: install() got an unexpected keyword argument 'sticky'

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "./deploy.py", line 430, in <module>
    main(parser.parse_args())
  File "./deploy.py", line 318, in main
    OpenSKInstaller(args).run()
  File "./deploy.py", line 305, in run
    self.build_and_install_opensk()
  File "./deploy.py", line 199, in build_and_install_opensk
    self.install_elf_file(os.path.join(
  File "./deploy.py", line 253, in install_elf_file
    except tockloader.exceptions.TockLoaderException as e:
AttributeError: module 'tockloader.tockloader' has no attribute 'exceptions'

This causes the deployment of the OpenSK application to fail. I'm not sure if there are other differences between tockloader 1.3.1 and the version that OpenSK is expecting (based on the logs in https://github.com/google/OpenSK/blob/master/docs/install.md, it appears to be a 1.4.0-dev version). It might be enough to just remove the 'sticky' argument, but there may be other breaking changes as well.

Steps to Reproduce the Problem

  1. Run setup.sh - This reports that tockloader 1.3.1 is up-to-date already:
    Requirement already up-to-date: tockloader in *omitted*/python3.8/site-packages (1.3.1)
  2. Run deploy.py os --board=nrf52840_dk
  3. Run deploy.py app --opensk (this is where it fails)

Additional Information

  1. I'm running Arch Linux, fully updated
  2. python --version Python 3.8.1
  3. pip --version pip 19.3 from /usr/lib/python3.8/site-packages/pip (python 3.8)

OpenSK source recover without reset button.

How can I recover DFU mode and reflash without the reset button?
My board is the Nordic nRF52840 dongle (PCA10059).

I have checked the official doc and found the DFU trigger library.
But I'm not sure of the library's name, or whether the source contains it or not.

  • Version:
  • Platform:

Debug output sometimes freezes the OpenSK application

Expected Behavior

When deploying the OpenSK app with --debug enabled, the key works and debug output is visible in the console. The debug output starts with the following:

Initialization complete. Entering main loop
NRF52 HW INFO: Variant: AAD0, Part: N52840, Package: QI, Ram: K256, Flash: K1024
usbc::start() - State=PoweredOn
Your chip is NRF52840 revision 3. Although this USB implementation should be compatible, your chip hasn't been tested.
usbc::start() - subscribing to interrupts.
enable_out_endpoint_(0) - State=Started
enable_in_out_endpoint_(1) - State=Started
attach() - State=Started
enable_pullup() - State=Started
Enabling USB pullups
New state is Attached
usbc::ready not implemented
usbc::suspend not implemented
usbc::resume not implemented
Bus reset
Cancelling USB receive due to timeout
Cancelling USB receive due to timeout
Set Address = 21
Cancelling USB receive due to timeout
Cancelling USB receive due to timeout
...

Actual Behavior

Sometimes, the log output stops after the following. In that case, the control flow seems blocked: the key doesn't process any USB request, no LED blinks.

Initialization complete. Entering main loop
NRF52 HW INFO: Variant: AAD0, Part: N52840, Package: QI, Ram: K256, Flash: K1024
usbc::start() - State=PoweredOn
Your chip is NRF52840 revision 3. Although this USB implementation should be compatible, your chip hasn't been tested.
usbc::start() - subscribing to interrupts.
enable_out_endpoint_(0) - State=Started
enable_in_out_endpoint_(1) - State=Started
attach() - State=Started
enable_pullup() - State=Started
Enabling USB pullups
New state is Attached
usbc::ready not implemented

Note: without --debug, the log output sometimes also stops after usbc::ready not implemented. But in that case the application is still functional afterwards.

Steps to Reproduce the Problem

On an nRF52840-DK.

  1. Deploy OpenSK with $ ./deploy.py os --board nrf52840_dk and $ ./deploy.py app --debug --panic-console --opensk.
  2. Run $ JLinkExe -device nrf52 -if swd -speed 1000 -autoconnect 1 and $ JLinkRTTClient on a separate terminal.
  3. Press the reset button multiple times and observe the console output each time.

Specifications

Ensure that the deploy script is also covered by Travis runs

Expected Behavior

The deploy.py script should be covered by Travis CI to catch errors.

This will imply several things:

  • add a --dry-run parameter to the script to run all the actions except execution of JLinkExe
  • split compilation and flash operations (also useful to support more flashing methods such as USB bootloader, OpenOCD, etc.)
  • assess if tockloader also has such a dry-run flag
  • modify Travis configuration to run deploy script with the different parameters

Actual Behavior

Script is not run.

Steps to Reproduce the Problem

N/A

Specifications

  • Version: N/A
  • Platform: N/A

It seems that something went wrong. App/example not found on your board.

The OS flashed successfully but when installing the application onto the dongle I get the error below:

dev@ubuntu:/data/OpenSK$ ./deploy.py app --opensk
info: Updating rust toolchain to nightly-2020-02-03
info: syncing channel updates for 'nightly-2020-02-03-x86_64-unknown-linux-gnu'
info: checking for self-updates
info: component 'rust-std' for target 'thumbv7em-none-eabi' is up to date
info: Rust toolchain up-to-date
info: Erasing all installed applications
Finished in 0.878 seconds
info: Building OpenSK application
Finished release [optimized] target(s) in 0.11s
info: Flashing padding application
Finished in 0.518 seconds
info: Installing Tock application ctap2
Finished in 1.328 seconds
Finished in 0.916 seconds
error: It seems that something went wrong. App/example not found on your board.

Running on Ubuntu 16.04

Can't recognize "User intent" using "Push button" of nRF52840-MDK USB Dongle

Expected Behavior

At "registration" and/or "authentication", once the user pushes the button of the nRF52840-MDK, the browser accepts the "user intent" for authentication. Then the requested process completes successfully.

Actual Behavior

Windows 10 does not recognize the user operation of pushing the button to present "user intent", and the authentication request fails due to time-out. It seems that the OpenSK firmware doesn't recognize pushing the dongle's button.

Steps to Reproduce the Problem

  1. Exec ./deploy.py and generate target/*.hex
  2. Convert *.hex into a "UF2" firmware image with uf2conv
  3. Mount the dongle, which has a UF2 bootloader in DFU mode, as mass storage
  4. Copy the converted firmware image onto the mass storage
  5. Boot the dongle and confirm VID:PID.
  6. Set the dongle as Google's security key

Specifications

  • Version: commit 642ee69
  • Platform: Ubuntu 18.04

Error while authenticating on Windows 10 when using userVerification

Expected Behavior

When userVerification is set to preferred or required: the user enters their PIN and then presses a button. The user should then be authenticated.

Actual Behavior

User enters their PIN and presses a button. User is then stuck on "Touch your authenticator" Windows Hello screen.

See attached Windows logs for errors: OpenSK UserVerification Error.zip

Steps to Reproduce the Problem

  1. Register new key
  2. Authenticate using key with userVerification set to preferred or required

Specifications

  • Platform: Windows 10 (tested on 10.0.18363.592 and 10.0.19041.21)

Cargo audit warns about RUSTSEC-2019-0031

Expected Behavior

Cargo audit doesn't find any advisory.

Actual Behavior

RUSTSEC-2019-0031 is found.

Crate:  spin
Title:  spin is no longer actively maintained
Date:   2019-11-21
URL:    https://rustsec.org/advisories/RUSTSEC-2019-0031
Dependency tree: 
spin 0.5.2
├── ring 0.16.11
│   └── crypto 0.1.0
│       └── ctap2 0.1.0
└── linked_list_allocator 0.6.6
    └── libtock 0.1.0
        ├── ctap2 0.1.0
        └── crypto 0.1.0

Next steps

  1. I filed an issue for linked_list_allocator: rust-osdev/linked-list-allocator#22.
     • The libtock-rs version we're based on uses spin to lock the allocator (here), even though there is only one thread of execution so the lock isn't necessary and I don't expect much issue given that only one thread acquires the lock only once.
     • Upstream libtock-rs doesn't lock the allocator anymore (tock/libtock-rs#107), so we can pick that up as a patch in the short term.
  2. The ring dependency is only used for unit tests, and the advisory is tracked here: briansmith/ring#921.

Reproducible builds

As mentioned in tock/tock#1666, binaries built with Rust are not reproducible by default. One main reason is panic messages that embed an absolute path to the file containing them (so building with --panic-console isn't reproducible by default).

We should apply the same techniques as in tock/tock#1666 to make OpenSK builds reproducible.

This would avoid issues like spurious linker errors when using a long build path, as discovered in #67.

Implement CTAP 2.1

The review draft for CTAP 2.1 adds new commands and requires some changes in the old ones.
https://fidoalliance.org/specs/fido2/fido-client-to-authenticator-protocol-v2.1-rd-20191217.html
We want to support new features like deleting resident keys.

Our access to a more recent version of CTAP 2.1 allows us to prototype those new features and give feedback on the command design. This issue tracks our progress. Please be aware that these commands are still experimental and the implementation can change in the future. Do not rely on them!

Add OpenOCD support

OpenSK uses tockloader to deploy the kernel and apps, and currently passes flags that cause tockloader to invoke JLinkExe. We should allow users to use OpenOCD instead of JLinkExe, by making the flags passed to tockloader configurable/changeable.

Additionally, because distributions often have an outdated version of OpenOCD that cannot deploy to a nrf52840-DK, OpenSK should allow users to use a custom version of OpenOCD. I've already opened tock/tockloader/pull/52 to enable tockloader to invoke a custom version of OpenOCD.
