vanadium/common/src/ecall_constants.rs at master · LedgerHQ/vanadium · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
pub const ECALL_FATAL: u32 = 1;
pub const ECALL_XSEND: u32 = 2;
pub const ECALL_XRECV: u32 = 3;
pub const ECALL_EXIT: u32 = 4;
pub const ECALL_PRINT: u32 = 5;

// device handling, events, and UX

pub const ECALL_GET_EVENT: u32 = 10;
pub const ECALL_GET_DEVICE_PROPERTY: u32 = 15;

// Constants used for GET_DEVICE_PROPERTY

// device id (vendor_id: u16, product_id: u16)
pub const DEVICE_PROPERTY_ID: u32 = 0x01;
// (screen_width: u16, screen_height: u16)
pub const DEVICE_PROPERTY_SCREEN_SIZE: u32 = 0x02;
// bitmask of device features (to be defined)
pub const DEVICE_PROPERTY_FEATURES: u32 = 0x03;

// Persistent storage
pub const ECALL_STORAGE_READ: u32 = 20;
pub const ECALL_STORAGE_WRITE: u32 = 21;

// Big numbers
pub const ECALL_MODM: u32 = 110;
pub const ECALL_ADDM: u32 = 111;
pub const ECALL_SUBM: u32 = 112;
pub const ECALL_MULTM: u32 = 113;
pub const ECALL_POWM: u32 = 114;
pub const ECALL_MODINV_PRIME: u32 = 115;

pub const MAX_BIGNUMBER_SIZE: usize = 64;

// HD derivations
pub enum CurveKind {
    Secp256k1 = 0x21,
}

// TODO: IDs for now are matching the ones in the ledger SDK
#[derive(Clone, Copy, PartialEq, Eq, Debug)]
#[repr(C)]
pub enum HashId {
    Ripemd160 = 1,
    Sha256 = 3,
    Sha512 = 5,
    Keccak = 6,
    Sha3 = 7,
}

impl HashId {
    /// Returns the composite ECALL hash_id passed to hash_init / hash_update / hash_final.
    ///
    /// Layout (32 bits):
    ///   - bits 31-24: always 0 (reserved for future extensibility)
    ///   - bits 23-16: algorithm identifier (u8, matches the Ledger SDK hash type constants)
    ///   - bits 15-0:  output size in bytes, supplied by the caller
    ///
    /// Casting through `u8` enforces that the algorithm identifier always fits in a single byte,
    /// keeping the high 8 bits of the hash_id parameter free for future use.
    /// The output size is passed explicitly rather than being derived from `self` so that
    /// one algorithm identifier can support multiple output lengths.
    /// Note that only certain output sizes might be valid for each algorithm.
    pub const fn ecall_id(self, output_size: u16) -> u32 {
        ((self as u8 as u32) << 16) | (output_size as u32)
    }
}

// TODO: signing modes for now are matching the ones in the ledger SDK
#[derive(Clone, Copy, PartialEq, Eq, Debug)]
#[repr(C)]
pub enum EcdsaSignMode {
    RFC6979 = (3 << 9),
}

// TODO: signing modes for now are matching the ones in the ledger SDK
#[derive(Clone, Copy, PartialEq, Eq, Debug)]
#[repr(C)]
pub enum SchnorrSignMode {
    BIP340 = 0,
}

pub const ECALL_DERIVE_HD_NODE: u32 = 130;
pub const ECALL_GET_MASTER_FINGERPRINT: u32 = 131;
pub const ECALL_DERIVE_SLIP21_KEY: u32 = 132;

// Hash functions
pub const ECALL_HASH_INIT: u32 = 150;
pub const ECALL_HASH_UPDATE: u32 = 151;
pub const ECALL_HASH_DIGEST: u32 = 152;

/// Size in bytes of the hash context structs used by the hash ecalls.
///
/// These are the sizes of the opaque context buffers passed to `hash_init`,
/// `hash_update`, and `hash_final`. Each context must be at least this large.
/// The sizes are at least 16 bytes larger than what the Ledger OS uses, in
/// order to have some leeway for different targets where the struct might
/// be larger.
pub const CTX_SHA256_SIZE: usize = 128;
pub const CTX_SHA512_SIZE: usize = 224;
pub const CTX_RIPEMD160_SIZE: usize = 120;
// Keccak and SHA-3 share the same internal Keccak-f[1600] state (cx_sha3_t on Ledger, ~200 bytes
// of rate buffer + 25×u64 state). 448 bytes gives comfortable headroom above the 424-byte
// cx_sha3_t and the RustCrypto sha3 context structs.
pub const CTX_SHA3_SIZE: usize = 448;

// Operations for public keys over elliptic curves
pub const ECALL_ECFP_ADD_POINT: u32 = 160;
pub const ECALL_ECFP_SCALAR_MULT: u32 = 161;

// Random number generation
pub const ECALL_GET_RANDOM_BYTES: u32 = 170;

// Signatures
pub const ECALL_ECDSA_SIGN: u32 = 180;
pub const ECALL_ECDSA_VERIFY: u32 = 181;
pub const ECALL_SCHNORR_SIGN: u32 = 182;
pub const ECALL_SCHNORR_VERIFY: u32 = 183;

/// =======================================
/// Device-specific ECALLs
/// =======================================
/// The range 192..255 is reserved for vendor-specific ECALLs
/// Different implementation of Vanadium can assign different meaning to these ECALLs.
/// The following ECALLs are defined for Ledger devices.

pub const ECALL_SHOW_PAGE: u32 = 192; // Flex / Stax / Apex_P
pub const ECALL_SHOW_STEP: u32 = 193; // Nano X / Nano S+