mirror of https://github.com/trezor/trezor-firmware.git synced 2024-12-22 06:18:07 +00:00

feat(legacy): make sure that known_bootloader check contains the hash of our bundled bootloader

Pavol Rusnak 2021-04-22 20:19:23 +02:00 committed by matejcik
parent cb882df100
commit 397a2ab18e
2 changed files with 21 additions and 5 deletions


@ -75,8 +75,8 @@ static int known_bootloader(int r, const uint8_t *hash) {
// note to those verifying these values: bootloader versions above this
// comment are aligned/padded to 32KiB with trailing 0xFF bytes and versions
// below are padded with 0x00.
// for more info, refer to "make -C
// bootloader align" and
//
// for more info, refer to "make -C bootloader align" and
// "firmware/bl_data.py".
if (0 ==
memcmp(hash,


@ -9,11 +9,27 @@ if len(data) > 32768:
data += b"\x00" * (32768 - len(data))
h = sha256(sha256(data).digest()).digest()
bh = sha256(sha256(data).digest()).digest()
bl_hash = ", ".join("0x%02x" % x for x in bytearray(h))
bl_hash = ", ".join("0x%02x" % x for x in bytearray(bh))
bl_data = ", ".join("0x%02x" % x for x in bytearray(data))
with open("bl_data.h", "wt") as f:
f.write("static const uint8_t bl_hash[32] = {%s};\n" % bl_hash)
f.write("static const uint8_t bl_data[32768] = {%s};\n" % bl_data)
# make sure the last item listed in known_bootloader function
# is our bootloader
with open("bl_check.c", "rt") as f:
hashes = []
for l in f.readlines():
if not len(l) >= 78 or not l.startswith(' "\\x'):
continue
l = l[14:78]
h = ""
for i in range(0, len(l), 4):
h += l[i + 2 : i + 4]
hashes.append(h)
check = hashes[-2] + hashes[-1]
if check != bh.hex():
raise Exception("bootloader hash not listed in bl_check.c")
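Review bot: The known-bootloader check runs only after `bl_data.h` has already been written, so when `raise Exception("bootloader hash not listed in bl_check.c")` fires, a header for a bootloader that is not in the known list is still left on disk. If the build treats an existing `bl_data.h` as up to date (not visible here), a later run could compile with it; moving the `bl_check.c` parsing block above `with open("bl_data.h", "wt") as f:` avoids that. The parse also depends on the exact column layout (`l[14:78]`), and when fewer than two lines match, `hashes[-2]` raises an IndexError instead of the intended message; `if len(hashes) < 2 or hashes[-2] + hashes[-1] != bh.hex():` would keep the failure explicit. A short comment stating that each matched line carries 16 escaped bytes and that two lines form one hash would help the next reader.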