From 5b0b145f1268b47ec22c22da69caccaabd6f72a0 Mon Sep 17 00:00:00 2001
From: matejcik
Date: Tue, 16 Apr 2024 16:59:04 +0200
Subject: [PATCH] build(core): allow custom vendor header for prodtest to facilitate building prodtest with unsigned VH and then replacing it
---
 build-docker.sh | 2 ++
 core/SConscript.prodtest | 11 ++++++++++-
 2 files changed, 12 insertions(+), 1 deletion(-)
diff --git a/build-docker.sh b/build-docker.sh
index dbe019a49..44ea4ea9f 100755
--- a/build-docker.sh
+++ b/build-docker.sh
@@ -59,6 +59,7 @@ function help_and_die() {
 echo " --help"
 echo
 echo "Set PRODUCTION=0 to run non-production builds."
+ echo "Set VENDOR_HEADER=vendorheader_prodtest_unsigned.bin to use the specified vendor header for prodtest."
 exit 0
 }
@@ -382,6 +383,7 @@ EOF
 -v "$DIR/build/core$DIRSUFFIX":/build:z \
 --env TREZOR_MODEL="$TREZOR_MODEL" \
 --env PRODUCTION="$PRODUCTION" \
+ --env VENDOR_HEADER="$VENDOR_HEADER" \
 --init \
 "$SNAPSHOT_NAME" \
 /nix/var/nix/profiles/default/bin/nix-shell --run "bash /local/build/$SCRIPT_NAME"
diff --git a/core/SConscript.prodtest b/core/SConscript.prodtest
index 78d4320b9..e1b7c2f79 100644
--- a/core/SConscript.prodtest
+++ b/core/SConscript.prodtest
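Review bot: The added `--env VENDOR_HEADER="$VENDOR_HEADER"` argument in the second build-docker.sh hunk defines the variable inside the container even when it is unset on the host, with an empty string as its value. The SConscript.prodtest hunk of this patch tests the environment value with `is not None`, which an empty string passes, so if that value reaches scons a default build would resolve the vendor header to the bare `embed/vendorheader/<model>/` directory instead of falling through to `elif PRODUCTION:`, unless the script assigns a default somewhere outside this hunk. Forwarding the variable only when it is set avoids that: `${VENDOR_HEADER:+--env VENDOR_HEADER="$VENDOR_HEADER"} \`. The docker command this line belongs to starts above the hunk.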
@@ -195,7 +195,16 @@ obj_program.extend(env.Object(source=SOURCE_HAL))
 MODEL_IDENTIFIER = tools.get_model_identifier(TREZOR_MODEL)
-if PRODUCTION:
+
+if (vh := ARGUMENTS.get("VENDOR_HEADER", None)) is not None:
+ VENDORHEADER = vh
+elif (vh := os.environ.get("VENDOR_HEADER", None)) is not None:
+ # TODO looking at envvars in a build script is not very nice. But justifiable in case
+ # of vendor header which does not affect reproducibility of the build. Nonetheless,
+ # we should figure out a cleaner way to pass in this argument, without having to teach
+ # the Makefile about it.
+ VENDORHEADER = f'embed/vendorheader/{MODEL_IDENTIFIER}/{vh}'
+elif PRODUCTION:
 VENDORHEADER = f'embed/vendorheader/{MODEL_IDENTIFIER}/vendorheader_prodtest_signed_prod.bin'
 elif BOOTLOADER_DEVEL:
 VENDORHEADER = f'embed/vendorheader/{MODEL_IDENTIFIER}/vendorheader_dev_DO_NOT_SIGN_signed_dev.bin'
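Review bot: The environment value `vh` is joined into `embed/vendorheader/{MODEL_IDENTIFIER}/{vh}` without any check, so a value containing a path separator or `..` selects a file outside the model's vendor-header directory. Because both new branches sit ahead of `elif PRODUCTION:`, an ambient `VENDOR_HEADER` also replaces the signed production header in a PRODUCTION=1 build with nothing in the output to show it. I would fail the build when `os.path.basename(vh) != vh` and print the resolved `VENDORHEADER`, so the build log records which header was embedded. The command-line branch uses `vh` as given while the environment branch treats it as a file name, which deserves a comment such as `# ARGUMENTS value is used as-is; the environment value is a file name under embed/vendorheader/<model>/`. The if/elif chain appears to continue past the hunk's last line.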