keystore: encrypt the bip39 seed in RAM

benma · benma · commit edeefe95e2d4 · 2023-05-18T05:26:00.000+02:00
This encrypts the bip39 seed in RAM in the same way as the seed is encrypted, using the secure chip for key stretching. Since decryption (key stretching) takes around 100ms, this has a performance impact on every operation that needs the an xprv or xpub: - computing xpubs - getting private keys to sign something - etc. This has an impact especially in Bitcoin transaction signing, as we need the xpub at every transaction input during the first round of input streaming and for every change output. The xprv is needed twice per input when signing the input (once for the antiklepto nonce commit, then for signing). The performance impact was mitigated previously by 463b1f6, which sped up the first round of input streaming by caching xpubs - only one xpub per script type is needed for the whole transaction for single sig, where we only support three script types (p2wpkh, p2wpkh-p2sh, p2tr). In multisig, it is only one xpub. Here are some performance numbers: If you had a 50 inputs tx signed with antiklepto enabled, my experiment resulted in: - loading tx (stream inputs): ~30s, before xpub caching was activated - loading tx (stream inputs): ~6s, after xpub caching was activated - signing tx: 50*2*100ms: ~10s. I.e. Xpub caching saved more than seed decrypting added. Another place where this has a performance impact: retrieving xpubs. When the user connects the BitBox02 for the first time to the BitBoxApp, the BitBoxApp gets 3 xpubs right away (one per single sig script type) for Bitcoin, 2 xpubs for Litecoin, 1 for Ethereum. Each xpub computation is also performed twice (`see _get_xprv_twice()`) to avoid catch potential bitflips. With 100ms per access this means a delay of ~1.2s, which is noticable. Maybe a progress animation can/should be added there.
diff --git a/src/keystore.c b/src/keystore.c
@@ -43,8 +43,10 @@ static size_t _retained_seed_encrypted_len = 0;
 
 // Change this ONLY via keystore_unlock_bip39().
 static bool _is_unlocked_bip39 = false;
+static uint8_t _unstretched_retained_bip39_seed_encryption_key[32] = {0};
 // Must be defined if _is_unlocked is true. ONLY ACCESS THIS WITH _copy_bip39_seed().
-static uint8_t _retained_bip39_seed[64] = {0};
+static uint8_t _retained_bip39_seed_encrypted[64 + 64] = {0};
+static size_t _retained_bip39_seed_encrypted_len = 0;
 
 /**
  * We allow seeds of 16, 24 or 32 bytes.
@@ -119,13 +121,37 @@ static bool _copy_bip39_seed(uint8_t* bip39_seed_out)
     if (!_is_unlocked_bip39) {
         return false;
     }
+
+    uint8_t retained_bip39_seed_encryption_key[32] = {0};
+    UTIL_CLEANUP_32(retained_bip39_seed_encryption_key);
+    if (_stretch_retained_seed_encryption_key(
+            _unstretched_retained_bip39_seed_encryption_key,
+            "keystore_retained_bip39_seed_access_in",
+            "keystore_retained_bip39_seed_access_out",
+            retained_bip39_seed_encryption_key) != KEYSTORE_OK) {
+        return false;
+    }
+    size_t len = _retained_bip39_seed_encrypted_len - 48;
+    bool password_correct = cipher_aes_hmac_decrypt(
+        _retained_bip39_seed_encrypted,
+        _retained_bip39_seed_encrypted_len,
+        bip39_seed_out,
+        &len,
+        retained_bip39_seed_encryption_key);
+    if (!password_correct) {
+        // Should never happen.
+        return false;
+    }
+    if (len != 64) {
+        // Should never happen.
+        return false;
+    }
     // sanity check
     uint8_t zero[64] = {0};
     util_zero(zero, 64);
-    if (MEMEQ(_retained_bip39_seed, zero, sizeof(_retained_bip39_seed))) {
+    if (MEMEQ(bip39_seed_out, zero, 64)) {
         return false;
     }
-    memcpy(bip39_seed_out, _retained_bip39_seed, sizeof(_retained_bip39_seed));
     return true;
 }
 
@@ -370,7 +396,26 @@ USE_RESULT static keystore_error_t _retain_seed(const uint8_t* seed, size_t seed
 
 USE_RESULT static bool _retain_bip39_seed(const uint8_t* bip39_seed)
 {
-    memcpy(_retained_bip39_seed, bip39_seed, sizeof(_retained_bip39_seed));
+    random_32_bytes(_unstretched_retained_bip39_seed_encryption_key);
+    uint8_t retained_bip39_seed_encryption_key[32] = {0};
+    UTIL_CLEANUP_32(retained_bip39_seed_encryption_key);
+    if (_stretch_retained_seed_encryption_key(
+            _unstretched_retained_bip39_seed_encryption_key,
+            "keystore_retained_bip39_seed_access_in",
+            "keystore_retained_bip39_seed_access_out",
+            retained_bip39_seed_encryption_key) != KEYSTORE_OK) {
+        return false;
+    }
+    size_t len = sizeof(_retained_bip39_seed_encrypted);
+    if (!cipher_aes_hmac_encrypt(
+            bip39_seed,
+            64,
+            _retained_bip39_seed_encrypted,
+            &len,
+            retained_bip39_seed_encryption_key)) {
+        return false;
+    }
+    _retained_bip39_seed_encrypted_len = len;
     return true;
 }
 
@@ -380,7 +425,12 @@ static void _delete_retained_seeds(void)
         _unstretched_retained_seed_encryption_key,
         sizeof(_unstretched_retained_seed_encryption_key));
     util_zero(_retained_seed_encrypted, sizeof(_retained_seed_encrypted));
-    util_zero(_retained_bip39_seed, sizeof(_retained_bip39_seed));
+    _retained_seed_encrypted_len = 0;
+    util_zero(
+        _unstretched_retained_bip39_seed_encryption_key,
+        sizeof(_unstretched_retained_seed_encryption_key));
+    util_zero(_retained_bip39_seed_encrypted, sizeof(_retained_bip39_seed_encrypted));
+    _retained_bip39_seed_encrypted_len = 0;
 }
 
 keystore_error_t keystore_unlock(
@@ -872,7 +922,9 @@ void keystore_mock_unlocked(const uint8_t* seed, size_t seed_len, const uint8_t*
     }
     _is_unlocked_bip39 = bip39_seed != NULL;
     if (bip39_seed != NULL) {
-        memcpy(_retained_bip39_seed, bip39_seed, sizeof(_retained_bip39_seed));
+        if (!_retain_bip39_seed(bip39_seed)) {
+            Abort("couldn't retain bip39 seed");
+        }
     }
 }
 
@@ -881,4 +933,10 @@ const uint8_t* keystore_test_get_retained_seed_encrypted(size_t* len_out)
     *len_out = _retained_seed_encrypted_len;
     return _retained_seed_encrypted;
 }
+
+const uint8_t* keystore_test_get_retained_bip39_seed_encrypted(size_t* len_out)
+{
+    *len_out = _retained_bip39_seed_encrypted_len;
+    return _retained_bip39_seed_encrypted;
+}
 #endif
diff --git a/src/keystore.h b/src/keystore.h
@@ -285,6 +285,7 @@ USE_RESULT bool keystore_secp256k1_schnorr_bip86_sign(
 void keystore_mock_unlocked(const uint8_t* seed, size_t seed_len, const uint8_t* bip39_seed);
 
 const uint8_t* keystore_test_get_retained_seed_encrypted(size_t* len_out);
+const uint8_t* keystore_test_get_retained_bip39_seed_encrypted(size_t* len_out);
 #endif
 
 #endif
diff --git a/test/unit-test/test_keystore.c b/test/unit-test/test_keystore.c
@@ -61,6 +61,10 @@ static uint8_t _unstretched_retained_seed_encryption_key[32] =
     "\xfe\x09\x76\x01\x14\x52\xa7\x22\x12\xe4\xb8\xbd\x57\x2b\x5b\xe3\x01\x41\xa3\x56\xf1\x13\x37"
     "\xd2\x9d\x35\xea\x8f\xf9\x97\xbe\xfc";
 
+static uint8_t _unstretched_retained_bip39_seed_encryption_key[32] =
+    "\x9b\x44\xc7\x04\x88\x93\xfa\xaf\x6e\x2d\x76\x25\xd1\x3d\x8f\x1c\xab\x07\x65\xfd\x61\xf1\x59"
+    "\xd9\x71\x3e\x08\x15\x5d\x06\x71\x7c";
+
 static const uint32_t _keypath[] = {
     44 + BIP32_INITIAL_HARDENED_CHILD,
     0 + BIP32_INITIAL_HARDENED_CHILD,
@@ -78,6 +82,10 @@ static uint8_t _expected_retained_seed_secret[32] =
     "\xb1\x56\xbe\x41\x65\x30\xc6\xfc\x00\x01\x88\x44\x16\x17\x74\xa3\x54\x6a\x53\xac\x6d\xd4\xa0"
     "\x46\x26\x08\x83\x8e\x21\x60\x08\xf7";
 
+const uint8_t _expected_retained_bip39_seed_secret[32] =
+    "\x85\x6d\x9a\x8c\x1e\xa4\x2a\x69\xae\x76\x32\x42\x44\xac\xe6\x74\x39\x7f\xf1\x36\x0a\x4b\xa4"
+    "\xc8\x5f\xfb\xd4\x2c\xee\x8a\x7f\x29";
+
 static uint8_t _expected_secret[32] =
     "\xa8\xf4\xfe\x54\x33\x0e\x1a\xb7\xa0\xe3\xbe\x8a\x8d\x75\xd2\x22\xb2\xae\xc2\xb3\xab\x41\xca"
     "\x2a\x04\x0e\xa0\x08\x60\x6b\xaf\xce";
@@ -137,11 +145,19 @@ static void _expect_retain_seed(void)
     will_return(__wrap_random_32_bytes, _unstretched_retained_seed_encryption_key);
 }
 
+static void _expect_retain_bip39_seed(void)
+{
+    will_return(__wrap_random_32_bytes, _unstretched_retained_bip39_seed_encryption_key);
+}
+
 void _mock_unlocked(const uint8_t* seed, size_t seed_len, const uint8_t* bip39_seed)
 {
     if (seed != NULL) {
         _expect_retain_seed();
     }
+    if (bip39_seed != NULL) {
+        _expect_retain_bip39_seed();
+    }
     keystore_mock_unlocked(seed, seed_len, bip39_seed);
 }
 
@@ -390,6 +406,36 @@ static void _test_keystore_unlock(void** state)
     assert_true(_reset_reset_called);
 }
 
+static void _test_keystore_unlock_bip39(void** state)
+{
+    keystore_lock();
+    assert_false(keystore_unlock_bip39(""));
+
+    _mock_unlocked(_mock_seed, sizeof(_mock_seed), NULL);
+    assert_true(keystore_is_locked());
+
+    _expect_retain_bip39_seed();
+    assert_true(keystore_unlock_bip39("foo"));
+    // Check that the retained bip39 seed was encrypted with the expected encryption key.
+    size_t encrypted_len = 0;
+    const uint8_t* retained_bip39_seed_encrypted =
+        keystore_test_get_retained_bip39_seed_encrypted(&encrypted_len);
+    size_t decrypted_len = encrypted_len - 48;
+    uint8_t out[decrypted_len];
+    assert_true(cipher_aes_hmac_decrypt(
+        retained_bip39_seed_encrypted,
+        encrypted_len,
+        out,
+        &decrypted_len,
+        _expected_retained_bip39_seed_secret));
+    assert_int_equal(decrypted_len, 64);
+    const uint8_t expected_bip39_seed[64] =
+        "\x2b\x3c\x63\xde\x86\xf0\xf2\xb1\x3c\xc6\xa3\x6c\x1b\xa2\x31\x4f\xbc\x1b\x40\xc7\x7a\xb9"
+        "\xcb\x64\xe9\x6b\xa4\xd5\xc6\x2f\xc2\x04\x74\x8c\xa6\x62\x6a\x9f\x03\x5e\x7d\x43\x1b\xce"
+        "\x8c\x92\x10\xec\x0b\xdf\xfc\x2e\x7d\xb8\x73\xde\xe5\x6c\x8a\xc2\x15\x3e\xee\x9a";
+    assert_memory_equal(out, expected_bip39_seed, decrypted_len);
+}
+
 static void _test_keystore_lock(void** state)
 {
     _mock_unlocked(NULL, 0, NULL);
@@ -474,6 +520,7 @@ static void _mock_with_mnemonic(const char* mnemonic, const char* passphrase)
     assert_true(keystore_bip39_mnemonic_to_seed(mnemonic, seed, &seed_len));
 
     _mock_unlocked(seed, seed_len, NULL);
+    _expect_retain_bip39_seed();
     assert_true(keystore_unlock_bip39(passphrase));
 }
 
@@ -691,6 +738,7 @@ int main(void)
         cmocka_unit_test(_test_keystore_encrypt_and_store_seed),
         cmocka_unit_test(_test_keystore_create_and_unlock_twice),
         cmocka_unit_test(_test_keystore_unlock),
+        cmocka_unit_test(_test_keystore_unlock_bip39),
         cmocka_unit_test(_test_keystore_lock),
         cmocka_unit_test(_test_keystore_get_bip39_mnemonic),
         cmocka_unit_test(_test_keystore_create_and_store_seed),
