Revert "Merge remote-tracking branch 'goog/upstream-master' into merge-citadel-pre-1.0.0"
This reverts commit 3b25f2622249a51a381aeacd4d36d9f8da8f3003.
Reason for revert: Update is breaking PINs
Bug: 80131663
Change-Id: I72565fc1fbab256c12f0a09b91b2d2a121d151f3
(cherry picked from commit c35a2ab3df9eeba9cb19a4e77e03d9cca4606a58)
diff --git a/citadel/updater/updater.cpp b/citadel/updater/updater.cpp
index a4250ef..776401e 100644
--- a/citadel/updater/updater.cpp
+++ b/citadel/updater/updater.cpp
@@ -48,24 +48,11 @@
using nos::CitadeldProxyClient;
#endif
-enum hdr_section {
- SEC_BOGUS = 0,
- SEC_RO_A,
- SEC_RO_B,
- SEC_RW_A,
- SEC_RW_B,
-};
-
/* Global options */
struct options_s {
/* actions to take */
int version;
- int long_version;
- enum hdr_section section;
- int file_version;
- enum hdr_section file_section;
int id;
- int repo_snapshot;
int stats;
int ro;
int rw;
@@ -82,7 +69,6 @@
enum no_short_opts_for_these {
OPT_DEVICE = 1000,
OPT_ID,
- OPT_REPO_SNAPSHOT,
OPT_STATS,
OPT_RO,
OPT_RW,
@@ -94,26 +80,24 @@
OPT_ERASE,
};
-const char *short_opts = ":hvlV:fF:";
+const char *short_opts = ":hv";
const struct option long_opts[] = {
/* name hasarg *flag val */
- {"version", 0, NULL, 'v'},
- {"long_version", 0, NULL, 'l'},
- {"id", 0, NULL, OPT_ID},
- {"repo_snapshot", 0, NULL, OPT_REPO_SNAPSHOT},
- {"stats", 0, NULL, OPT_STATS},
- {"ro", 0, NULL, OPT_RO},
- {"rw", 0, NULL, OPT_RW},
- {"reboot", 0, NULL, OPT_REBOOT},
- {"force_reset", 0, NULL, OPT_FORCE_RESET},
- {"enable_ro", 0, NULL, OPT_ENABLE_RO},
- {"enable_rw", 0, NULL, OPT_ENABLE_RW},
- {"change_pw", 0, NULL, OPT_CHANGE_PW},
- {"erase", 1, NULL, OPT_ERASE},
+ {"version", 0, NULL, 'v'},
+ {"id", 0, NULL, OPT_ID},
+ {"stats", 0, NULL, OPT_STATS},
+ {"ro", 0, NULL, OPT_RO},
+ {"rw", 0, NULL, OPT_RW},
+ {"reboot", 0, NULL, OPT_REBOOT},
+ {"force_reset", 0, NULL, OPT_FORCE_RESET},
+ {"enable_ro", 0, NULL, OPT_ENABLE_RO},
+ {"enable_rw", 0, NULL, OPT_ENABLE_RW},
+ {"change_pw", 0, NULL, OPT_CHANGE_PW},
+ {"erase", 1, NULL, OPT_ERASE},
#ifndef ANDROID
- {"device", 1, NULL, OPT_DEVICE},
+ {"device", 1, NULL, OPT_DEVICE},
#endif
- {"help", 0, NULL, 'h'},
+ {"help", 0, NULL, 'h'},
{NULL, 0, NULL, 0},
};
@@ -142,34 +126,29 @@
"\n"
"Actions:\n"
"\n"
- " -v, --version Display the running version\n"
- " -l, --long_version Display the full version info\n"
- " --id Display the Citadel device ID\n"
- " --stats Display Low Power stats\n"
- " -V SECTION Show Citadel headers for RO_A | RO_B | RW_A | RW_B\n"
- " -f Show image file version info\n"
- " -F SECTION Show file headers for RO_A | RO_B | RW_A | RW_B\n"
- " --repo_snapshot Show the repo sha1sums for the running image\n"
+ " -v, --version Display the Citadel version info\n"
+ " --id Display the Citadel device ID\n"
+ " --stats Display Low Power stats\n"
+ " --rw Update RW firmware from the image file\n"
+ " --ro Update RO firmware from the image file\n"
+ " --reboot Tell Citadel to reboot\n"
+ " --force_reset Pulse Citadel's reset line\n"
"\n"
- " --rw Update RW firmware from the image file\n"
- " --ro Update RO firmware from the image file\n"
- " --enable_ro Mark new RO image as good (requires password)\n"
- " --enable_rw Mark new RW image as good (requires password)\n"
- " --reboot Tell Citadel to reboot\n"
- " --force_reset Pulse Citadel's reset line\n"
+ " --enable_ro Mark new RO image as good\n"
+ " --enable_rw Mark new RW image as good\n"
"\n"
- " --change_pw Change the update password\n"
+ " --change_pw Change update password\n"
"\n\n"
- " --erase=CODE Erase all user secrets and reboot.\n"
- " This skips all other actions.\n"
+ " --erase=CODE Erase all user secrets and reboot.\n"
+ " This skips all other actions.\n"
#ifndef ANDROID
"\n"
"Options:\n"
"\n"
- " --device=SN Connect to the FDTI device with the given\n"
- " serial number (try \"lsusb -v\"). A default\n"
- " can be specified with the CITADEL_DEVICE\n"
- " environment variable.\n"
+ " --device=SN Connect to the FDTI device with the given\n"
+ " serial number (try \"lsusb -v\"). A default\n"
+ " can be specified with the CITADEL_DEVICE\n"
+ " environment variable.\n"
#endif
"\n",
progname);
@@ -389,192 +368,6 @@
return retval;
}
-uint32_t do_long_version(AppClient &app)
-{
- uint32_t retval;
- std::vector<uint8_t> buffer;
- buffer.reserve(1024);
-
- retval = app.Call(NUGGET_PARAM_LONG_VERSION, buffer, &buffer);
-
- if (is_app_success(retval)) {
- printf("%.*s\n", (int)buffer.size(), buffer.data());
- }
-
- return retval;
-}
-
-static enum hdr_section parse_section(const char *str)
-{
- bool is_ro, is_a;
-
- // matching this: /r?[ow]_?[ab]/i
-
- if (tolower(*str) == 'r') {
- str++;
- }
-
- if (tolower(*str) == 'o') {
- is_ro = true;
- } else if (tolower(*str) == 'w') {
- is_ro = false;
- } else {
- Error("Invalid section \"%s\"", str);
- return SEC_BOGUS;
- }
- str++;
-
- if (*str == '_') {
- str++;
- }
-
- if (tolower(*str) == 'a') {
- is_a = true;
- } else if (tolower(*str) == 'b') {
- is_a = false;
- } else {
- Error("Invalid section \"%s\"", str);
- return SEC_BOGUS;
- }
-
- if (is_ro) {
- return is_a ? SEC_RO_A : SEC_RO_B;
- }
-
- return is_a ? SEC_RW_A : SEC_RW_B;
-}
-
-static void show_header(const uint8_t *ptr)
-{
- const struct SignedHeader *hdr;
-
- hdr = reinterpret_cast<const struct SignedHeader*>(ptr);
- hdr->print();
-}
-
-#define CROS_EC_VERSION_COOKIE1 0xce112233
-#define CROS_EC_VERSION_COOKIE2 0xce445566
-
-// The start of the RW sections looks like this
-struct compiled_version_struct {
- // The header comes first
- const struct SignedHeader hdr;
- // The the vector table. Citadel has 239 entries
- uint32_t vectors[239];
- // A magic number to be sure we're looking at the right thing
- uint32_t cookie1;
- // Then the short version string
- char version[32];
- // And another magic number
- uint32_t cookie2;
-};
-
-static void show_ro_string(const char *name, const uint8_t *ptr)
-{
- const struct SignedHeader *hdr;
-
- hdr = reinterpret_cast<const struct SignedHeader*>(ptr);
- printf("%s: %d.%d.%d/%08x %s\n", name,
- hdr->epoch_, hdr->major_, hdr->minor_, be32toh(hdr->img_chk_),
- hdr->magic == MAGIC_VALID ? "ok" : "--");
-}
-
-static void show_rw_string(const char *name, const uint8_t *ptr)
-{
- const struct compiled_version_struct *v;
- v = reinterpret_cast<const struct compiled_version_struct*>(ptr);
-
- if (v->cookie1 == CROS_EC_VERSION_COOKIE1 &&
- v->cookie2 == CROS_EC_VERSION_COOKIE2 &&
- (v->hdr.magic == MAGIC_DEFAULT || v->hdr.magic == MAGIC_VALID)) {
- printf("%s: %d.%d.%d/%s %s\n", name,
- v->hdr.epoch_, v->hdr.major_, v->hdr.minor_, v->version,
- v->hdr.magic == MAGIC_VALID ? "ok" : "--");
- } else {
- printf("<invalid>\n");
- }
-}
-
-uint32_t do_section(AppClient &app __attribute__((unused)))
-{
- uint16_t param;
-
- switch (options.section) {
- case SEC_RO_A:
- param = NUGGET_PARAM_HEADER_RO_A;
- break;
- case SEC_RO_B:
- param = NUGGET_PARAM_HEADER_RO_B;
- break;
- case SEC_RW_A:
- param = NUGGET_PARAM_HEADER_RW_A;
- break;
- case SEC_RW_B:
- param = NUGGET_PARAM_HEADER_RW_B;
- break;
- default:
- return 1;
- }
-
- uint32_t retval;
- std::vector<uint8_t> buffer;
- buffer.reserve(sizeof(SignedHeader));
-
- retval = app.Call(param, buffer, &buffer);
-
- if (is_app_success(retval)) {
- show_header(buffer.data());
- }
-
- return retval;
-}
-
-uint32_t do_file_version(const std::vector<uint8_t> &image)
-{
- show_ro_string("RO_A", image.data() + CHIP_RO_A_MEM_OFF);
- show_ro_string("RO_B", image.data() + CHIP_RO_B_MEM_OFF);
- show_rw_string("RW_A", image.data() + CHIP_RW_A_MEM_OFF);
- show_rw_string("RW_B", image.data() + CHIP_RW_B_MEM_OFF);
- return 0;
-}
-
-uint32_t do_file_section(const std::vector<uint8_t> &image)
-{
- switch (options.file_section) {
- case SEC_RO_A:
- show_header(image.data() + CHIP_RO_A_MEM_OFF);
- break;
- case SEC_RO_B:
- show_header(image.data() + CHIP_RO_B_MEM_OFF);
- break;
- case SEC_RW_A:
- show_header(image.data() + CHIP_RW_A_MEM_OFF);
- break;
- case SEC_RW_B:
- show_header(image.data() + CHIP_RW_B_MEM_OFF);
- break;
- default:
- return 1;
- }
-
- return 0;
-}
-
-uint32_t do_repo_snapshot(AppClient &app)
-{
- uint32_t retval;
- std::vector<uint8_t> buffer;
- buffer.reserve(1200);
-
- retval = app.Call(NUGGET_PARAM_REPO_SNAPSHOT, buffer, &buffer);
-
- if (is_app_success(retval)) {
- printf("%.*s\n", (int)buffer.size(), buffer.data());
- }
-
- return retval;
-}
-
uint32_t do_stats(AppClient &app)
{
struct nugget_app_low_power_stats stats;
@@ -613,9 +406,9 @@
uint32_t do_reboot(AppClient &app)
{
uint32_t retval;
- std::vector<uint8_t> ignored = {1}; // older images need this
+ std::vector<uint8_t> data = {NUGGET_REBOOT_HARD};
- retval = app.Call(NUGGET_PARAM_REBOOT, ignored, nullptr);
+ retval = app.Call(NUGGET_PARAM_REBOOT, data, nullptr);
if (is_app_success(retval)) {
printf("Citadel reboot requested\n");
@@ -740,26 +533,6 @@
return 2;
}
- if (options.long_version &&
- do_long_version(app) != APP_SUCCESS) {
- return 2;
- }
-
- if (options.section &&
- do_section(app) != APP_SUCCESS) {
- return 2;
- }
-
- if (options.file_version &&
- do_file_version(image) != APP_SUCCESS) {
- return 2;
- }
-
- if (options.file_section &&
- do_file_section(image) != APP_SUCCESS) {
- return 2;
- }
-
if (options.id &&
do_id(app) != APP_SUCCESS) {
return 2;
@@ -770,10 +543,6 @@
return 2;
}
- if (options.repo_snapshot &&
- do_repo_snapshot(app) != APP_SUCCESS) {
- return 2;
- }
if (options.rw &&
do_update(app, image,
CHIP_RW_A_MEM_OFF, CHIP_RW_B_MEM_OFF) != APP_SUCCESS) {
@@ -819,7 +588,6 @@
std::vector<uint8_t> image;
int got_action = 0;
char *e = 0;
- int need_file = 0;
this_prog= strrchr(argv[0], '/');
if (this_prog) {
@@ -843,44 +611,20 @@
options.version = 1;
got_action = 1;
break;
- case 'l':
- options.long_version = 1;
- got_action = 1;
- break;
- case 'V':
- options.section = parse_section(optarg);
- got_action = 1;
- break;
- case 'f':
- options.file_version = 1;
- need_file = 1;
- got_action = 1;
- break;
- case 'F':
- options.file_section = parse_section(optarg);
- need_file = 1;
- got_action = 1;
- break;
case OPT_ID:
options.id = 1;
got_action = 1;
break;
- case OPT_REPO_SNAPSHOT:
- options.repo_snapshot = 1;
- got_action = 1;
- break;
case OPT_STATS:
options.stats = 1;
got_action = 1;
break;
case OPT_RO:
options.ro = 1;
- need_file = 1;
got_action = 1;
break;
case OPT_RW:
options.rw = 1;
- need_file = 1;
got_action = 1;
break;
case OPT_REBOOT:
@@ -947,14 +691,14 @@
goto out;
}
- if (need_file) {
+ if (options.ro || options.rw) {
if (optind < argc) {
/* Sets errorcnt on failure */
image = read_image_from_file(argv[optind++]);
if (errorcnt)
goto out;
} else {
- Error("Missing required image file");
+ Error("An image file is required with --ro and --rw");
goto out;
}
}
@@ -964,7 +708,8 @@
if (optind < argc) {
passwd = argv[optind++];
} else {
- Error("Need a new password at least. Use '' to clear it.");
+ Error("Need a new password at least."
+ " Use '' to clear it.");
goto out;
}
/* two args provided, use both old & new passwords */
diff --git a/nugget/include/app_nugget.h b/nugget/include/app_nugget.h
index 669e82c..aa8a798 100644
--- a/nugget/include/app_nugget.h
+++ b/nugget/include/app_nugget.h
@@ -39,7 +39,7 @@
#define NUGGET_PARAM_VERSION 0x0000
/*
- * Return the one-line version string of the running image
+ * Return the current build string
*
* @param args <none>
* @param arg_len 0
@@ -74,12 +74,18 @@
/*
* Reboot Citadel
*
- * @param args <none>
- * @param arg_len 0
+ * @param args uint8_t hard 0 = soft reboot, 1 = hard reboot
+ * @param arg_len sizeof(uint8_t)
* @param reply <none>
* @param reply_len 0
*/
+enum NUGGET_REBOOT_ARG_TYPE {
+ NUGGET_REBOOT_SOFT = 0,
+ NUGGET_REBOOT_HARD = 1,
+};
+
+
/*********
* Firmware updates are written to flash with invalid headers. If an update
* password exists, headers can only be marked valid by providing that
@@ -161,78 +167,6 @@
*/
-#define NUGGET_PARAM_LONG_VERSION 0x0007
-/*
- * Return the multi-line description of all images
- *
- * @param args <none>
- * @param arg_len 0
- * @param reply Null-terminated ASCII string
- * @param reply_len Max length to return
- *
- * @errors APP_ERROR_TOO_MUCH
- */
-
-#define NUGGET_PARAM_HEADER_RO_A 0x0008
-/*
- * Return the signature header for RO_A
- *
- * @param args <none>
- * @param arg_len 0
- * @param reply struct SignedHeader
- * @param reply_len Max length to return
- *
- * @errors APP_ERROR_TOO_MUCH
- */
-
-#define NUGGET_PARAM_HEADER_RO_B 0x0009
-/*
- * Return the signature header for RO_B
- *
- * @param args <none>
- * @param arg_len 0
- * @param reply struct SignedHeader
- * @param reply_len Max length to return
- *
- * @errors APP_ERROR_TOO_MUCH
- */
-
-#define NUGGET_PARAM_HEADER_RW_A 0x000a
-/*
- * Return the signature header for RW_A
- *
- * @param args <none>
- * @param arg_len 0
- * @param reply struct SignedHeader
- * @param reply_len Max length to return
- *
- * @errors APP_ERROR_TOO_MUCH
- */
-
-#define NUGGET_PARAM_HEADER_RW_B 0x000b
-/*
- * Return the signature header for RW_B
- *
- * @param args <none>
- * @param arg_len 0
- * @param reply struct SignedHeader
- * @param reply_len Max length to return
- *
- * @errors APP_ERROR_TOO_MUCH
- */
-
-#define NUGGET_PARAM_REPO_SNAPSHOT 0x000c
-/*
- * Return the multi-line repo snapshot info for the current image
- *
- * @param args <none>
- * @param arg_len 0
- * @param reply Null-terminated ASCII string
- * @param reply_len Max length to return
- *
- * @errors APP_ERROR_TOO_MUCH
- */
-
/****************************************************************************/
/* Test related commands */
diff --git a/nugget/include/signed_header.h b/nugget/include/signed_header.h
index 81be877..9ce33e6 100644
--- a/nugget/include/signed_header.h
+++ b/nugget/include/signed_header.h
@@ -82,7 +82,6 @@
}
void print() const {
- printf("hdr.magic : %08x\n", magic);
printf("hdr.keyid : %08x\n", keyid);
printf("hdr.tag : ");
const uint8_t* p = reinterpret_cast<const uint8_t*>(&tag);
@@ -93,13 +92,8 @@
printf("hdr.epoch : %08x\n", epoch_);
printf("hdr.major : %08x\n", major_);
printf("hdr.minor : %08x\n", minor_);
- printf("hdr.timestamp : %016" PRIx64 ", %s", timestamp_,
+ printf("hdr.timestamp : %016" PRIu64 "x, %s", timestamp_,
asctime(localtime(reinterpret_cast<const time_t*>(×tamp_))));
- printf("hdr.image_size : %08x\n", image_size);
- printf("hdr.ro_base : %08x\n", ro_base);
- printf("hdr.ro_max : %08x\n", ro_max);
- printf("hdr.rx_base : %08x\n", rx_base);
- printf("hdr.rx_max : %08x\n", rx_max);
printf("hdr.img_chk : %08x\n", be32toh(img_chk_));
printf("hdr.fuses_chk : %08x\n", be32toh(fuses_chk_));
printf("hdr.info_chk : %08x\n", be32toh(info_chk_));
diff --git a/nugget/proto/nugget/app/keymaster/keymaster.options b/nugget/proto/nugget/app/keymaster/keymaster.options
index 2081eaf..99730ae 100644
--- a/nugget/proto/nugget/app/keymaster/keymaster.options
+++ b/nugget/proto/nugget/app/keymaster/keymaster.options
@@ -2,10 +2,4 @@
nugget.app.keymaster.ImportWrappedKeyRequest.gcm_tag max_size:16
nugget.app.keymaster.ImportWrappedKeyRequest.masking_key max_size:32
nugget.app.keymaster.SetRootOfTrustRequest.digest max_size:32
-nugget.app.keymaster.SetBootStateRequest.public_key max_size:32
-nugget.app.keymaster.ComputeSharedHmacRequest.hmac_sharing_params max_count:3
-nugget.app.keymaster.ComputeSharedHmacResponse.sharing_check max_size:32
-nugget.app.keymaster.DTupHandshakeRequest.nonce_client max_size:32
-nugget.app.keymaster.DTupHandshakeResponse.nonce_citadel max_size:32
-nugget.app.keymaster.DTupHandshakeResponse.signature max_size:32
-nugget.app.keymaster.DTupFetchInputEventResponse.signature max_size:32
+nugget.app.keymaster.SetBootStateRequest.public_key max_size:32
\ No newline at end of file
diff --git a/nugget/proto/nugget/app/keymaster/keymaster.proto b/nugget/proto/nugget/app/keymaster/keymaster.proto
index 092603c..603e041 100644
--- a/nugget/proto/nugget/app/keymaster/keymaster.proto
+++ b/nugget/proto/nugget/app/keymaster/keymaster.proto
@@ -79,18 +79,6 @@
rpc ProvisionDeviceIds (ProvisionDeviceIdsRequest) returns (ProvisionDeviceIdsResponse);
// Only callable at the Device Factory.
rpc ReadTeeBatchCertificate (ReadTeeBatchCertificateRequest) returns (ReadTeeBatchCertificateResponse);
-
- /*
- * More KM4 methods.
- */
- rpc GetHmacSharingParameters (GetHmacSharingParametersRequest) returns (GetHmacSharingParametersResponse);
- rpc ComputeSharedHmac (ComputeSharedHmacRequest) returns (ComputeSharedHmacResponse);
-
- /*
- * DTup input session methods.
- */
- rpc HandshakeDTup (DTupHandshakeRequest) returns (DTupHandshakeResponse);
- rpc FetchDTupInputEvent (DTupFetchInputEventRequest) returns (DTupFetchInputEventResponse);
}
/*
@@ -198,7 +186,6 @@
KeyPurpose purpose = 1;
KeyBlob blob = 2;
KeyParameters params = 3;
- HardwareAuthToken auth_token = 4;
}
message BeginOperationResponse {
ErrorCode error_code = 1;
@@ -211,8 +198,6 @@
OperationHandle handle = 1;
KeyParameters params = 2;
bytes input = 3;
- HardwareAuthToken auth_token = 4;
- VerificationToken verification_token = 5;
}
message UpdateOperationResponse {
ErrorCode error_code = 1;
@@ -227,8 +212,6 @@
KeyParameters params = 2;
bytes input = 3;
bytes signature = 4;
- HardwareAuthToken auth_token = 5;
- VerificationToken verification_token = 6;
};
message FinishOperationResponse {
ErrorCode error_code = 1;
@@ -262,23 +245,6 @@
}
// ImportWrappedKey returns a ImportKeyResponse.
-// GetHmacSharingParametersRequest
-message GetHmacSharingParametersRequest {
-}
-message GetHmacSharingParametersResponse {
- ErrorCode error_code = 1;
- HmacSharingParameters hmac_sharing_params = 2;
-}
-
-// ComputeSharedHmacRequest
-message ComputeSharedHmacRequest {
- repeated HmacSharingParameters hmac_sharing_params = 1;
-}
-message ComputeSharedHmacResponse {
- ErrorCode error_code = 1;
- bytes sharing_check = 2;
-}
-
/*
* Vendor HAL.
*/
@@ -286,7 +252,7 @@
// SetRootOfTrustRequest
// Only callable by the Bootloader.
message SetRootOfTrustRequest {
- bytes digest = 1; // This is a SHA256 digest.
+ bytes digest = 1;
}
message SetRootOfTrustResponse {
// Specified in keymaster_defs.proto:ErrorCode
@@ -297,7 +263,7 @@
// Only callable by the Bootloader.
message SetBootStateRequest {
bool is_unlocked = 1;
- bytes public_key = 2; // This is a SHA256 digest.
+ bytes public_key = 2;
uint32 color = 3;
uint32 system_version = 4;
uint32 system_security_level = 5;
@@ -335,21 +301,3 @@
ECKey ec = 3;
bytes batch_cert = 4;
}
-
-message DTupHandshakeRequest {
- bytes nonce_client = 1;
-}
-
-message DTupHandshakeResponse {
- DTupError error_code = 1;
- bytes nonce_citadel = 2;
- bytes signature = 3;
-}
-
-message DTupFetchInputEventRequest {}
-
-message DTupFetchInputEventResponse {
- DTupError error_code = 1;
- DTupKeyEvent event = 2;
- bytes signature = 3;
-}
diff --git a/nugget/proto/nugget/app/keymaster/keymaster_defs.proto b/nugget/proto/nugget/app/keymaster/keymaster_defs.proto
index 5958838..c3fbbc8 100644
--- a/nugget/proto/nugget/app/keymaster/keymaster_defs.proto
+++ b/nugget/proto/nugget/app/keymaster/keymaster_defs.proto
@@ -263,16 +263,3 @@
PKCS8 = 1; /* for asymmetric key pair import */
RAW = 3; /* for symmetric key import and export*/
}
-
-enum DTupError {
- DTUP_OK = 0;
- DTUP_NO_EVENT = 1;
-}
-
-/* matches Linux event device codes */
-enum DTupKeyEvent {
- DTUP_RESERVED = 0;
- DTUP_VOL_DOWN = 114;
- DTUP_VOL_UP = 115;
- DTUP_PWR = 116;
-}
diff --git a/nugget/proto/nugget/app/keymaster/keymaster_types.options b/nugget/proto/nugget/app/keymaster/keymaster_types.options
index ab60bbf..18678aa 100644
--- a/nugget/proto/nugget/app/keymaster/keymaster_types.options
+++ b/nugget/proto/nugget/app/keymaster/keymaster_types.options
@@ -1,3 +1 @@
-nugget.app.keymaster.KeyParameters.params max_count:20
-nugget.app.keymaster.HmacSharingParameters.seed max_size:32
-nugget.app.keymaster.HmacSharingParameters.nonce max_size:32
+nugget.app.keymaster.KeyParameters.params max_count:20
\ No newline at end of file
diff --git a/nugget/proto/nugget/app/keymaster/keymaster_types.proto b/nugget/proto/nugget/app/keymaster/keymaster_types.proto
index 9c62baf..f5399ee 100644
--- a/nugget/proto/nugget/app/keymaster/keymaster_types.proto
+++ b/nugget/proto/nugget/app/keymaster/keymaster_types.proto
@@ -59,15 +59,6 @@
bytes nonce = 2;
}
-message HardwareAuthToken {
- uint64 challenge = 1;
- uint64 user_id = 2;
- uint64 authenticator_id = 3;
- HardwareAuthenticatorType authenticator_type = 4;
- uint64 timestamp = 5;
- bytes mac = 6;
-}
-
message VerificationToken {
uint64 challenge = 1;
uint64 timestamp = 2;
