Moves OpenSK to Wasefire #768

Open
kaczmarczyck wants to merge 3 commits into google:develop from kaczmarczyck:submission

@kaczmarczyck
Collaborator

OpenSK is now based on Wasefire as the main supported OS instead of TockOS. See Future Work for the problems we want to solve. We also reduce maintenance cost since platforms are now only kept in Wasefire.

Initial commits

0a2a34a

  • Deletes all Tock related code.
  • Uses uv instead of manual venv setup.
  • Moves Wasefire env into src.
  • Fixes errors and lints.

e167421

  • Adds Wasefire and its existing OpenSK Env
  • Moves to the new Rust toolchain

a6158ef

  • Updates documentation to Wasefire
  • Adapts the Customization to untie batch attestation from CTAP1
  • Prevents privacy issues by removing per device attestation
  • For now, removes batch certificate injection
  • The binary size workflow is disabled until fixed

Planned coming PRs

  • Check and reinstate MacOS support
  • Fix the binary size workflow
  • Rename features in library to match naming convention in Wasefire
  • Add method to inject batch attestation key (functionality of old vendor command Configure)
  • Remove legacy backwards compatibility code (since this is a breaking change anyway)

Future work

Replace #767 with dependency bump
Move rand_core to 0.10.1, and other dependabot alerts. Requires some changes to the crypto implementations in Env.
We are not stuck with an old compiler version anymore. Before, we would have needed to keep up with TockOS versions.

Fix #649
Since we have to redo our batch attestation, I implemented it so that we fake batch attestation until then. This incidentally lets users log in to Apple when they use use_batch_attestation to activate the random fake batch key. They expect batch attestation without actually checking it. It does mean that you see error messages on webauthn.io in that case.

Fix #685 and solve #758
We can have an async Env now, which was impossible with TockOS. Sending busy messages is easier in an async Env.

Fingerprint support
Experimental in Wasefire with one sensor, will eventually be tested more

NFC
The experimental code was TockOS based, so this will likely not happen soon. Would need to land in Wasefire first.

- Deletes all Tock related code.
- Uses uv instead of manual venv setup.
- Moves Wasefire env into src.
- Fixes errors and lints.
- Adapts the Customization to untie batch attestation from CTAP1
- Prevents privacy issues by removing per device attestation
- For now, removes batch certificate injection
- The binary size workflow is disabled until fixed

Development

Successfully merging this pull request may close these issues.

  • async API for Env?
  • Key not supported on ios for Apple Id 2fa
