Tendermint Validator App - Ledger Nano S
General structure
The general structure of commands and responses is as follows:
Commands
| Field | Type | Content | Note |
|---|
| CLA | byte (1) | Application Identifier | 0x56 |
| INS | byte (1) | Instruction ID | x |
| P1 | byte (1) | Parameter 1 | x |
| P2 | byte (1) | Parameter 2 | x |
| L | byte (1) | Bytes in payload | x |
| PAYLOAD | byte (L) | Payload | x |
Response
| Field | Type | Content | Note |
|---|
| ANSWER | byte (?) | Answer | depends on the command |
| SW1-SW2 | byte (2) | Return code | see list of return codes |
Return codes
| Return code | Description |
|---|
| 0x6400 | Execution Error |
| 0x6982 | Empty buffer |
| 0x6983 | Output buffer too small |
| 0x6986 | Command not allowed |
| 0x6D00 | INS not supported |
| 0x6E00 | CLA not supported |
| 0x6F00 | Unknown |
| 0x9000 | Success |
Command definition
GET_VERSION
Command
| Field | Type | Content | Expected |
|---|
| CLA | byte (1) | Application Identifier | 0x56 |
| INS | byte (1) | Instruction ID | 0x00 |
| P1 | byte (1) | Parameter 1 | ignored |
| P2 | byte (1) | Parameter 2 | ignored |
| L | byte (1) | Bytes in payload | 0 |
Response
| Field | Type | Content | Note |
|---|
| MODE | byte (1) | Test Mode | 0xFF means test mode is enabled |
| MAJOR | byte (1) | Version Major | |
| MINOR | byte (1) | Version Minor | |
| PATCH | byte (1) | Version Patch | |
| SW1-SW2 | byte (2) | Return code | see list of return codes |
PUBLIC_KEY_ED25519
Command
| Field | Type | Content | Expected |
|---|
| CLA | byte (1) | Application Identifier | 0x56 |
| INS | byte (1) | Instruction ID | 0x01 |
| P1 | byte (1) | Parameter 1 | ignored |
| P2 | byte (1) | Parameter 2 | ignored |
| L | byte (1) | Bytes in payload | 0 |
Response
| Field | Type | Content | Note |
|---|
| PK | byte (65) | Public Key | |
| SW1-SW2 | byte (2) | Return code | see list of return codes |
SIGN_ED25519
This command needs to be called several times until the complete message has been uploaded.
The validator app will implement double-sign prevention.
Based on these values, the app will not sign anything that is:
- A lower height
- A lower round
The HSM keeps in RAM:
- Latest height
- Latest round
First signature / initialization
When starting the app, height and round will not be initialized. The first signature request will be used for initialization. The signature request should be rejected immediately and the the UI should switch to initialization mode. Refer the the UI spec.
Command
| Field | Type | Content | Expected |
|---|
| CLA | byte (1) | Application Identifier | 0x56 |
| INS | byte (1) | Instruction ID | 0x03 |
| P1 | byte (1) | Packet Current Index | ignored |
| P2 | byte (1) | Packet Total Count | ignored |
| L | byte (1) | Bytes in payload | 0 |
Response
| Field | Type | Content | Note |
|---|
| SIG | byte (64) | Signature | |
| SW1-SW2 | byte (2) | Return code | see list of return codes |
