Merge pull request #28 from LedgerHQ/develop

Merge develop in main following version 1.4.0 deployment on P1

.github/workflows/build_and_functional_tests.yml

@@ -22,7 +22,7 @@ jobs:
     name: Build application using the reusable workflow
     uses: LedgerHQ/ledger-app-workflows/.github/workflows/reusable_build.yml@v1
     with:
-      run_for_devices: '["nanox", "nanosp"]'
+      run_for_devices: '["nanox", "nanosp", "stax"]'
       upload_app_binaries_artifact: compiled_app_binaries
 
   ragger_tests:
@@ -32,6 +32,8 @@ jobs:
         include:
           - model: nanox
 
+          - model: stax
+
           - model: nanosp
             args: "--fast"
 

.github/workflows/guidelines_enforcer.yml

@@ -22,4 +22,4 @@ jobs:
     name: Call Ledger guidelines_enforcer
     uses: LedgerHQ/ledger-app-workflows/.github/workflows/reusable_guidelines_enforcer.yml@v1
     with:
-      run_for_devices: '["nanox", "nanosp"]'
+      run_for_devices: '["nanox", "nanosp", "stax"]'

.github/workflows/misspellings_checks.yml

@@ -22,7 +22,8 @@ jobs:
       uses: actions/checkout@v3
 
     - name: Check misspellings
-      uses: codespell-project/actions-codespell@v1
+      uses: codespell-project/actions-codespell@v2
       with:
         builtin: clear,rare
         check_filenames: true
+        ignore_words_list: onTop, dummy

Makefile

@@ -21,30 +21,24 @@ endif
 include $(BOLOS_SDK)/Makefile.defines
 
 $(info TARGET_NAME=$(TARGET_NAME))
-ifneq ($(TARGET_NAME),$(filter $(TARGET_NAME),TARGET_NANOX TARGET_NANOS2))
+ifneq ($(TARGET_NAME),$(filter $(TARGET_NAME),TARGET_NANOX TARGET_NANOS2 TARGET_STAX))
 $(error Environment variable TARGET_NAME is not valid or not supported)
 endif
 
 APPNAME = "Security Key"
 
-APP_LOAD_PARAMS  = --curve secp256r1
-APP_LOAD_PARAMS += --path "5722689'"  # int("WRA".encode("ascii").hex(), 16)
-APP_LOAD_PARAMS += --path "5262163'"  # int("PKS".encode("ascii").hex(), 16)
-APP_LOAD_PARAMS += --appFlags 0x040
-APP_LOAD_PARAMS += $(COMMON_LOAD_PARAMS)
+CURVE_APP_LOAD_PARAMS = secp256r1
+PATH_APP_LOAD_PARAMS = "5722689'"  # int("WRA".encode("ascii").hex(), 16)
+PATH_APP_LOAD_PARAMS += "5262163'"  # int("PKS".encode("ascii").hex(), 16)
 
 APPVERSION_M=1
-APPVERSION_N=1
-APPVERSION_P=1
+APPVERSION_N=4
+APPVERSION_P=0
 APPVERSION=$(APPVERSION_M).$(APPVERSION_N).$(APPVERSION_P)
 
-ICONNAME=icons/icon_security_key.gif
-
-################
-# Default rule #
-################
-
-all: default
+ICON_NANOX=icons/icon_security_key.gif
+ICON_NANOSP=icons/icon_security_key.gif
+ICON_STAX=icons/icon_security_key_stax.gif
 
 ################
 # Attestations #
@@ -93,42 +87,9 @@ endif
 # Platform #
 ############
 
-DEFINES += OS_IO_SEPROXYHAL IO_SEPROXYHAL_BUFFER_SIZE_B=128
-DEFINES += HAVE_SPRINTF
-DEFINES += HAVE_IO_USB HAVE_L4_USBLIB IO_USB_MAX_ENDPOINTS=6 IO_HID_EP_LENGTH=64 HAVE_USB_APDU
-DEFINES += HAVE_WEBUSB WEBUSB_URL_SIZE_B=0 WEBUSB_URL=""
-
 DEFINES += HAVE_U2F HAVE_IO_U2F
 DEFINES += HAVE_FIDO2
-DEFINES += USB_SEGMENT_SIZE=64
 DEFINES += CUSTOM_IO_APDU_BUFFER_SIZE=1031 # 1024 + 7
-DEFINES += UNUSED\(x\)=\(void\)x
-DEFINES += APPVERSION=\"$(APPVERSION)\"
-
-# Enforce SDK that supports UX Flow for Nano all targets, Nano S included
-DEFINES += HAVE_UX_FLOW
-DEFINES += HAVE_BAGL
-
-ifeq ($(TARGET_NAME),$(filter $(TARGET_NAME),TARGET_NANOX TARGET_NANOS2))
-DEFINES += HAVE_GLO096
-DEFINES += BAGL_WIDTH=128 BAGL_HEIGHT=64
-DEFINES += HAVE_BAGL_ELLIPSIS # long label truncation feature
-DEFINES += HAVE_BAGL_FONT_OPEN_SANS_REGULAR_11PX
-DEFINES += HAVE_BAGL_FONT_OPEN_SANS_EXTRABOLD_11PX
-DEFINES += HAVE_BAGL_FONT_OPEN_SANS_LIGHT_16PX
-endif
-
-# Enabling debug PRINTF
-DEBUG=0
-ifneq ($(DEBUG),0)
-    ifeq ($(TARGET_NAME),TARGET_NANOX)
-        DEFINES += HAVE_PRINTF PRINTF=mcu_usb_printf
-    else
-        DEFINES += HAVE_PRINTF PRINTF=screen_printf
-    endif
-else
-        DEFINES += PRINTF\(...\)=
-endif
 
 DEFINES += HAVE_UX_STACK_INIT_KEEP_TICKER
 
@@ -165,45 +126,19 @@ DEFINES += HAVE_FIDO2_RPID_FILTER
 
 DEFINES += RK_SIZE=6144
 
+DEFINES += HAVE_DEBUG_THROWS
+
 #DEFINES  += HAVE_CBOR_DEBUG
 
 ##############
 # Compiler #
 ##############
 
-WERROR=0
-ifneq ($(WERROR),0)
-    CFLAGS += -Werror
-endif
-
-CC      := $(CLANGPATH)clang
-CFLAGS  += -O3 -Os
-AS      := $(GCCPATH)arm-none-eabi-gcc
-LD      := $(GCCPATH)arm-none-eabi-gcc
-LDFLAGS += -O3 -Os
-LDLIBS  += -lm -lgcc -lc
-
-# Remove warning on custom snprintf implementation usage
-CFLAGS += -Wno-format-invalid-specifier -Wno-format-extra-args
-
-# Import rules to compile glyphs(/pone)
-include $(BOLOS_SDK)/Makefile.glyphs
-
-# Define directory to build
+# Application source files
 APP_SOURCE_PATH  += src src-cbor
-SDK_SOURCE_PATH  += lib_stusb lib_ux lib_u2f lib_stusb_impl
-
-load: all
-	python3 -m ledgerblue.loadApp $(APP_LOAD_PARAMS)
-
-delete:
-	python3 -m ledgerblue.deleteApp $(COMMON_DELETE_PARAMS)
-
-# Import generic rules from the sdk
-include $(BOLOS_SDK)/Makefile.rules
+SDK_SOURCE_PATH  += lib_u2f
 
-# Add dependency on custom makefile filename
-dep/%.d: %.c Makefile
+VARIANT_PARAM = APP
+VARIANT_VALUES = SecurityKey
 
-listvariants:
-	@echo VARIANTS NONE SecurityKey
+include $(BOLOS_SDK)/Makefile.standard_app

README.md

@@ -50,7 +50,9 @@ See dedicated `README.md` in tests `directory`.
 
 ## Known limitations
 
-On Linux and Mac, Firefox support only U2F but not CTAP2, see [corresponding tracker](https://bugzilla.mozilla.org/show_bug.cgi?id=1530370).
+- On Firefox on Linux, Nano S Plus is missing in snap udev rules.
+- There are some instabilities on Safari on MacOS, it's recommended to use another browser.
+- Android support on FIDO2 for external security key is not available yet. It should be starting with Google Play services v23.35
 
 Due to OS constraints, this Security Key App as some limitations:
 
@@ -62,4 +64,4 @@ Due to OS constraints, this Security Key App as some limitations:
   That is why they are not enabled by default, and should be manually enabled in the settings. See HAVE_RK_SUPPORT_SETTING section on the Makefile for more explanations.
 * Following FIDO2 spec, there should be a way to revoked credentials. A revocation mechanism has been implemented based on a counter that - as discoverable credentials - will be wiped upon app deletion. therefore, in order to avoid weird issue on user side, this counter as been disabled. See HAVE_NO_RESET_GENERATION_INCREMENT section on the Makefile for more explanations.
 
-Please look at the dedicated section at the end of [this blog post](https://blog.ledger.com/security-key/) for more detailed explanations.
+Please look at the dedicated section at the end of [this blog post](https://www.ledger.com/blog/strengthen-the-security-of-your-accounts-with-webauthn) for more detailed explanations.