Add a get_application_key method

[sosthene-nitrokey]

This method is meant to encrypt data stored on the external flash so that it can't be accessed just but plugging into it.
Multiple keys can be obtained with an info parameter.

This adds one step after the get_app_key step described in #10 to add a per-application salt and an info parameter: HMAC(application_key, application_salt || len(info) || info).
With the application_key being the result of get_app_key and the salt being a per-application salt, that is deleted with delete_all_pins, so that the keys change.

[sosthene-nitrokey]

Close #20

[szszszsz]

What's the ETA on this?

[sosthene-nitrokey]

Only needs review

[robin-nitrokey]

I think it is counter-intuitive that delete_all_pins also affects the pin-less application key. We should either rename the syscall or change it to only reset the PINs and introduce a separate syscall to clear all data.

[sosthene-nitrokey]

Ok, I'll make delete_all_pins only delete pins, and add two syscall:

• reset_application_keys (delete app keys)
• reset_auth_data (delete everything)

[sosthene-nitrokey]

Hurh, trussed's filestore doesn't have a remove_dir_all_where

[sosthene-nitrokey]

And now I'm finding bugs in the littlefs bindings and trussed

[sosthene-nitrokey]

See trussed-dev/littlefs2#36 (review), which is required to properly implement remove_dir_all_where in the filestore which is required for this.

But this also mean we will have to have a new release of littlefs2 and merge trussed-dev/trussed#96 to benefit from it

[robin-nitrokey]

We’re still using a patched littlefs2 in nitrokey-3-firmware so we should be able to cherry-pick the fix for our fork:

https://github.com/Nitrokey/littlefs2
https://github.com/Nitrokey/nitrokey-3-firmware/blob/edfeef921c951ec00e97513f0d4e74e9c70f8406/Cargo.toml#L16

[szszszsz]

@sosthene-nitrokey @robin-nitrokey
Can you prepare version handles to use in Cargo.toml to develop against in the meantime?
Is only the littlefs update needed?

• Correct remove_dir_all_where recursion handling / Fix #35 littlefs2#36

[szszszsz]

Just tested and now it works, without changing anything additionally, specifically littlefs dep.
See below for my use case:

• Nitrokey/trussed-secrets-app@e9f0401