bugfix: lockdown temporary seed was no-op

(cherry picked from commit d289bfc7c2)
2023-12-19 18:49:21 +01:00 · 2023-12-19 18:49:21 +01:00 · 06869c5304
commit 06869c5304
parent 99230c185f
4 changed files with 34 additions and 17 deletions
--- a/releases/ChangeLog.md
+++ b/releases/ChangeLog.md
@ -1,3 +1,7 @@
+## 5.2.2 - 2023-12-21
+
+- Bugfix: Re-enable `Lock Down Seed` which was disabled by accident
+
 ## 5.2.1 - 2023-12-19

 - New Feature: Temporary Seed import from a COLDCARD encrypted backup.
--- a/shared/actions.py
+++ b/shared/actions.py
@ -566,25 +566,26 @@ async def convert_ephemeral_to_master(*a):
        return

    words = settings.get("words", True)
-    msg = 'Convert currently used '
-    msg += 'BIP-39 passphrase ' if bip39_passphrase else 'temporary seed '
-    msg += 'to main seed. '
+    _type = 'BIP-39 passphrase ' if bip39_passphrase else 'temporary seed '
+    msg = 'Convert currently used %s to master seed. Old master seed' % _type
    if words or bip39_passphrase:
-        msg += 'Main seed words themselves are erased forever, '
+        msg += ' words themselves are erased forever, '
    else:
-        msg += 'Main seed is erased forever, '
+        msg += ' is erased forever, '

-    msg += 'but effectively there is no other change. '
+    msg += ('and its settings blanked. This action is destructive '
+            'and may affect funds, if any, on old master seed. ')

    if bip39_passphrase:
-        msg += ('BIP-39 passphrase is currently in effect, its value '
+        msg += ('BIP-39 passphrase '
                'is captured during this process and will be in effect '
                'going forward, but the passphrase itself is erased '
                'and unrecoverable. ')
    if not words:
        msg += 'The resulting wallet cannot be used with any other passphrase. '

-    msg += 'A reboot is part of this process. PIN code, and funds are not affected.'
+    msg += 'A reboot is part of this process. '
+    msg += ('PIN code, and %s funds are not affected.' % _type)
    if not await ux_confirm(msg):

        return await ux_aborted()
--- a/shared/pincodes.py
+++ b/shared/pincodes.py
@ -366,7 +366,8 @@ class PinAttempt:

    def change(self, **kws):
        # change various values, stored in secure element
-        if self.tmp_value: return
+        if not kws.pop("tmp_lockdown", False):
+            if self.tmp_value: return

        self.roundtrip(3, **kws)

--- a/shared/seed.py
+++ b/shared/seed.py
@ -682,18 +682,29 @@ async def set_bip39_passphrase(pw, bypass_tmp=False, summarize_ux=True):
 async def remember_ephemeral_seed():
    # Compute current xprv and switch to using that as root secret.
    import stash
-    from glob import dis
+    from nvstore import SettingsObject
+    from glob import dis, settings

-    dis.fullscreen('Check...')
-    with stash.SensitiveValues() as sv:
-        nv = sv.encoded_secret()
+    # we are already at temporary seed, with correct
+    # settings in use - no need to call new_main_secret
+    # at the end
+
+    # locking down temporary as new master
+    # old master settings are destroyed
+    dis.fullscreen("Cleanup...")
+    assert pa.tmp_value, "no tmp"
+    assert settings.master_nvram_key, "master nvram k"
+    old_master = SettingsObject(settings.master_nvram_key)
+    old_master.load()
+    old_master.blank()
+    del old_master

    dis.fullscreen('Saving...')
-    pa.change(new_secret=nv)
+    pa.change(new_secret=pa.tmp_value, tmp_lockdown=True)

-    # re-read settings since key is now different
-    # - also captures xfp, xpub at this point
-    pa.new_main_secret(nv)
+    # not needed - will be handled by reboot
+    settings.master_nvram_key = None
+    settings.master_sv_data = {}

    # check and reload secret
    pa.reset()