
Add T3W1 emulator certificates #6917

Draft
onvej-sl wants to merge 9 commits into main from onvej-sl/certificates

Conversation

@onvej-sl (Contributor)

No description provided.

coderabbitai Bot commented May 12, 2026

Important: Review skipped (draft detected).

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.


Walkthrough

Replaces shell-based certificate header generation with a new Python CLI core/tools/generate_certificates.py that converts DER files into C headers and supports a --check verification mode. The top-level Makefile adds certs and certs_check and includes them in gen/gen_check. Multiple autogenerated certificate headers were regenerated (renaming *_der_len to *_der_size, plus formatting changes). Secret cert storage and prodtest emulator cert read/write behavior were adjusted. HSM/root auth key constants were added/updated (JSON, C headers, Python root-keys). Tropic config generation now merges a base YAML fixture.

Sequence Diagram(s)

sequenceDiagram
    participant Dev as Developer
    participant Make as Makefile
    participant Gen as core/tools/generate_certificates.py
    participant FS as Filesystem

    Dev->>Make: make certs / make gen
    Make->>Gen: run script (with or without --check)
    Gen->>FS: read DER files (optiga certs + secret cert)
    Gen->>Gen: format DER -> C byte arrays + <name>_size constants
    alt check mode
        Gen->>FS: compare generated content to existing headers
        FS-->>Gen: match / mismatch
        Gen-->>Make: exit non-zero on mismatch
    else write mode
        Gen->>FS: write/update header files
        FS-->>Gen: write success
        Gen-->>Make: success
    end
    Make-->>Dev: report success or failure

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~22 minutes

🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (2 warnings)

  • Description check (Warning): Pull request description is empty; the template requires sections like initial PR setup, development status, and post-merge status for core developers. Resolution: Add a pull request description that includes the required sections: Initial PR setup (assign yourself, add to project), Development status (set draft/final status), and Post-merge status (note testability and QA requirements).
  • Docstring Coverage (Warning): Docstring coverage is 0.00%, which is insufficient; the required threshold is 80.00%. Resolution: Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (3 passed)

  • Title check (Passed): Title clearly describes the main change: adding T3W1 emulator certificates, which aligns with the PR's primary objective.
  • Linked Issues check (Passed): Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check (Passed): Check skipped because no linked issues were found for this pull request.

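As an added illustration of the DER-to-header conversion and the --check mode the walkthrough describes (example code written for this page, not the PR's own core/tools/generate_certificates.py): the function names, banner text, 12-bytes-per-line layout and the sample DER bytes are assumptions. It also handles the empty-input case the reviewer raised for prodtest.h, emitting a one-byte placeholder instead of a non-portable empty initializer.

```python
import argparse
from pathlib import Path

BYTES_PER_LINE = 12  # assumed formatting width

# Constructed sample: a minimal DER SEQUENCE { INTEGER 1 }, not a real certificate.
SAMPLE_DER = bytes.fromhex("3003020101")


def der_to_header(name: str, der: bytes) -> str:
    """Render DER bytes as `<name>_der[]` plus a `<name>_der_size` constant."""
    out = [f"// Autogenerated from {name}.der; regenerate with `make certs`,",
           "// verify with `make certs_check`. Do not edit by hand.", ""]
    if der:
        out.append(f"static const unsigned char {name}_der[] = {{")
        for i in range(0, len(der), BYTES_PER_LINE):
            chunk = der[i:i + BYTES_PER_LINE]
            out.append("    " + ", ".join(f"0x{b:02x}" for b in chunk) + ",")
        out.append("};")
    else:
        # An empty `{}` initializer is not portable C11/C17 (the reviewer's point
        # on prodtest.h), so emit a one-byte placeholder and report size 0.
        out.append(f"static const unsigned char {name}_der[1] = {{0}};")
    out.append(f"static const unsigned int {name}_der_size = {len(der)};")
    return "\n".join(out) + "\n"


def process(der_path: Path, header_path: Path, check: bool) -> bool:
    """Write mode writes the header; check mode only compares and never writes."""
    expected = der_to_header(der_path.stem, der_path.read_bytes())
    if check:
        return header_path.is_file() and header_path.read_text() == expected
    header_path.write_text(expected)
    return True


def main(argv=None) -> int:
    p = argparse.ArgumentParser(description="DER -> C header (example)")
    p.add_argument("der", type=Path)
    p.add_argument("header", type=Path)
    p.add_argument("--check", action="store_true",
                   help="exit 1 if the header is stale instead of rewriting it")
    a = p.parse_args(argv)
    return 0 if process(a.der, a.header, a.check) else 1


if __name__ == "__main__":
    raise SystemExit(main())
```

A `make certs_check` style target would run this with `--check` so that a stale or hand-edited header fails CI rather than silently diverging from the .der it claims to embed.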

@trezor-bot trezor-bot Bot added this to Firmware May 12, 2026
@github-project-automation github-project-automation Bot moved this to 🔎 Needs review in Firmware May 12, 2026
@onvej-sl (Contributor, Author) commented:

@coderabbitai review

coderabbitai Bot commented May 12, 2026

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

github-actions Bot commented May 12, 2026

model   device_test           click_test            persistence_test
T2T1    test(all) main(all)   test(all) main(all)   test(all) main(all)
T3B1    test(all) main(all)   test(all) main(all)   test(all) main(all)
T3T1    test(all) main(all)   test(all) main(all)   test(all) main(all)
T3W1    test(all) main(all)   test(all) main(all)   test(all) main(all)

Latest CI run: 25859031075

coderabbitai Bot left a review comment

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@core/embed/sec/secret/unix/certs/prodtest.h`:
- Line 1: The declaration static unsigned char mcu_device_cert[] = {}; uses an
empty braced initializer which is non-portable in C11/C17; change it to use an
explicit size and a valid initializer (e.g. static unsigned char
mcu_device_cert[1] = {0};) or, if you intend no data, make it a pointer
initialized to NULL (static unsigned char *mcu_device_cert = NULL;), updating
any code that assumes array semantics; locate the mcu_device_cert symbol to
apply the fix.

In `@core/embed/sec/secret/unix/secret.c`:
- Around line 212-223: In secret_mcu_device_cert_write, silence unused-parameter
warnings in the non-PRODTEST (`#else`) branch by explicitly casting the parameters
to void (i.e., add (void)cert and (void)cert_size) before returning secfalse;
this preserves the function signature and documents intent without changing
behavior.

In `@core/tools/generate_certificates.py`:
- Around line 11-13: Fix the typo in the generated banner string: update the
COMMENT constant in generate_certificates.py so the third line reads "in the
root directory" (replace "direcotry" with "directory"), ensuring you preserve
the existing f-string interpolation using Path(__file__).relative_to(ROOT) and
the rest of the message verbatim.

📥 Commits

Reviewing files that changed from the base of the PR and between 699b85d and d5183f3.

⛔ Files ignored due to path filters (3)
  • tests/tropic_model/root_cert.pem is excluded by !**/*.pem
  • tests/tropic_model/root_key.pem is excluded by !**/*.pem
  • tests/tropic_model/tropic_key.pem is excluded by !**/*.pem
📒 Files selected for processing (19)
  • Makefile
  • common/hsm_keys.json
  • core/embed/projects/prodtest/cmd/hsm_keys.h
  • core/embed/sec/optiga/unix/certs/T2B1.h
  • core/embed/sec/optiga/unix/certs/T3B1.h
  • core/embed/sec/optiga/unix/certs/T3T1.h
  • core/embed/sec/optiga/unix/certs/T3W1.h
  • core/embed/sec/optiga/unix/certs/gen.sh
  • core/embed/sec/secret/unix/certs/T3W1.der
  • core/embed/sec/secret/unix/certs/T3W1.h
  • core/embed/sec/secret/unix/certs/gen.sh
  • core/embed/sec/secret/unix/certs/prodtest.h
  • core/embed/sec/secret/unix/secret.c
  • core/tools/generate_certificates.py
  • core/tools/generate_tropic_model_config.py
  • python/src/trezorlib/_root_keys.py
  • tests/tropic_model/README.md
  • tests/tropic_model/base_config.yml
  • tests/tropic_model/config.yml
💤 Files with no reviewable changes (2)
  • core/embed/sec/secret/unix/certs/gen.sh
  • core/embed/sec/optiga/unix/certs/gen.sh

@onvej-sl onvej-sl force-pushed the onvej-sl/certificates branch from d5183f3 to 58cc3c4 Compare May 13, 2026 15:39
@onvej-sl (Contributor, Author) commented:

@coderabbitai review

coderabbitai Bot commented May 13, 2026

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

coderabbitai Bot left a review comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@Makefile`:
- Around line 202-210: The Makefile targets certs, certs_check, gen, and
gen_check are not declared phony so make may skip running their recipes if files
or dirs with those names exist; add a .PHONY declaration listing these targets
(e.g., .PHONY: certs certs_check gen gen_check) near the top or grouped with
other phony targets so make always executes the recipes for the certs,
certs_check, gen, and gen_check targets.

📥 Commits

Reviewing files that changed from the base of the PR and between d5183f3 and 58cc3c4.

⛔ Files ignored due to path filters (3)
  • tests/tropic_model/root_cert.pem is excluded by !**/*.pem
  • tests/tropic_model/root_key.pem is excluded by !**/*.pem
  • tests/tropic_model/tropic_key.pem is excluded by !**/*.pem
📒 Files selected for processing (20)
  • Makefile
  • common/hsm_keys.json
  • core/embed/projects/prodtest/cmd/hsm_keys.h
  • core/embed/projects/prodtest/cmd/prodtest_secrets.c
  • core/embed/sec/optiga/unix/certs/T2B1.h
  • core/embed/sec/optiga/unix/certs/T3B1.h
  • core/embed/sec/optiga/unix/certs/T3T1.h
  • core/embed/sec/optiga/unix/certs/T3W1.h
  • core/embed/sec/optiga/unix/certs/gen.sh
  • core/embed/sec/secret/unix/certs/T3W1.der
  • core/embed/sec/secret/unix/certs/T3W1.h
  • core/embed/sec/secret/unix/certs/gen.sh
  • core/embed/sec/secret/unix/certs/prodtest.h
  • core/embed/sec/secret/unix/secret.c
  • core/tools/generate_certificates.py
  • core/tools/generate_tropic_model_config.py
  • python/src/trezorlib/_root_keys.py
  • tests/tropic_model/README.md
  • tests/tropic_model/base_config.yml
  • tests/tropic_model/config.yml
💤 Files with no reviewable changes (2)
  • core/embed/sec/secret/unix/certs/gen.sh
  • core/embed/sec/optiga/unix/certs/gen.sh
✅ Files skipped from review due to trivial changes (4)
  • core/embed/sec/secret/unix/certs/prodtest.h
  • tests/tropic_model/base_config.yml
  • core/embed/sec/optiga/unix/certs/T3B1.h
  • core/embed/sec/secret/unix/certs/T3W1.h
🚧 Files skipped from review as they are similar to previous changes (7)
  • core/embed/sec/secret/unix/secret.c
  • core/embed/sec/optiga/unix/certs/T3W1.h
  • core/tools/generate_certificates.py
  • python/src/trezorlib/_root_keys.py
  • core/tools/generate_tropic_model_config.py
  • tests/tropic_model/config.yml
  • core/embed/sec/optiga/unix/certs/T3T1.h

@onvej-sl onvej-sl force-pushed the onvej-sl/certificates branch from 58cc3c4 to 59299e6 Compare May 13, 2026 17:21
@onvej-sl (Contributor, Author) commented:

@coderabbitai review

coderabbitai Bot commented May 13, 2026

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@onvej-sl onvej-sl force-pushed the onvej-sl/certificates branch 3 times, most recently from f7e9c8d to 5420374 Compare May 14, 2026 12:05
@onvej-sl (Contributor, Author) commented:

I’m waiting for #6816 to be merged. Then I'll resolve the merge conflicts in generate_tropic_model_config.py.
