tools: update keyctl to work with already signed binaries

6 years ago · 706ddda1a7
parent c934109d65
commit 706ddda1a7
6 changed files with 23 additions and 10 deletions
--- a/SConscript.bootloader
+++ b/SConscript.bootloader
@ -182,6 +182,5 @@ program_bin = env.Command(
    action=[
        '$OBJCOPY -O binary -j .header -j .flash -j .data $SOURCE $TARGET',
        '$BINCTL $TARGET -h',
-        'dd if=$TARGET of=build/bootloader/header.tosign bs=1 count=1024',
-        '$BINCTL $TARGET -s 1:2 `$COMBINE_SIGN bootloader build/bootloader/header.tosign 4141414141414141414141414141414141414141414141414141414141414141 4242424242424242424242424242424242424242424242424242424242424242`',
+        '$BINCTL $TARGET -s 1:2 `$COMBINE_SIGN bootloader $TARGET 4141414141414141414141414141414141414141414141414141414141414141 4242424242424242424242424242424242424242424242424242424242424242`',
    ], )
--- a/SConscript.firmware
+++ b/SConscript.firmware
@ -418,6 +418,5 @@ program_bin = env.Command(
    action=[
        '$OBJCOPY -O binary -j .vendorheader -j .header -j .flash -j .data $SOURCE $TARGET',
        '$BINCTL $TARGET -h',
-        'dd if=$TARGET of=build/firmware/header.tosign bs=1 count=1024 skip=`wc -c < embed/firmware/vendorheader.bin | tr -d " "`',
-        '$BINCTL $TARGET -s 1:2 `$COMBINE_SIGN firmware build/firmware/header.tosign 4747474747474747474747474747474747474747474747474747474747474747 4848484848484848484848484848484848484848484848484848484848484848`',
+        '$BINCTL $TARGET -s 1:2 `$COMBINE_SIGN firmware $TARGET 4747474747474747474747474747474747474747474747474747474747474747 4848484848484848484848484848484848484848484848484848484848484848`',
    ], )
--- a/SConscript.prodtest
+++ b/SConscript.prodtest
@ -154,6 +154,5 @@ program_bin = env.Command(
    action=[
        '$OBJCOPY -O binary -j .vendorheader -j .header -j .flash -j .data $SOURCE $TARGET',
        '$BINCTL $TARGET -h',
-        'dd if=$TARGET of=build/prodtest/header.tosign bs=1 count=1024 skip=`wc -c < embed/firmware/vendorheader.bin | tr -d " "`',
-        '$BINCTL $TARGET -s 1:2 `$COMBINE_SIGN firmware build/prodtest/header.tosign 4747474747474747474747474747474747474747474747474747474747474747 4848484848484848484848484848484848484848484848484848484848484848`',
+        '$BINCTL $TARGET -s 1:2 `$COMBINE_SIGN firmware $TARGET 4747474747474747474747474747474747474747474747474747474747474747 4848484848484848484848484848484848484848484848484848484848484848`',
    ], )
--- a/SConscript.reflash
+++ b/SConscript.reflash
@ -154,6 +154,5 @@ program_bin = env.Command(
    action=[
        '$OBJCOPY -O binary -j .vendorheader -j .header -j .flash -j .data $SOURCE $TARGET',
        '$BINCTL $TARGET -h',
-        'dd if=$TARGET of=build/reflash/header.tosign bs=1 count=1024 skip=`wc -c < embed/firmware/vendorheader.bin | tr -d " "`',
-        '$BINCTL $TARGET -s 1:2 `$COMBINE_SIGN firmware build/reflash/header.tosign 4747474747474747474747474747474747474747474747474747474747474747 4848484848484848484848484848484848484848484848484848484848484848`',
+        '$BINCTL $TARGET -s 1:2 `$COMBINE_SIGN firmware $TARGET 4747474747474747474747474747474747474747474747474747474747474747 4848484848484848484848484848484848484848484848484848484848484848`',
    ], )
--- a/tools/combine_sign
+++ b/tools/combine_sign
@ -24,4 +24,4 @@ for seckey in $SECKEYS; do
    SIGS="$SIGS $sig"
 done

-$TOOLDIR/keyctl global_sign $FILE $global_commit $SIGS
+$TOOLDIR/keyctl global_sign $TYPE $FILE $global_commit $SIGS
--- a/tools/keyctl
+++ b/tools/keyctl
@ -3,6 +3,7 @@
 import binascii
 import click
 import pyblake2
+import struct

 from trezorlib import ed25519raw, ed25519cosi

@ -24,6 +25,18 @@ def get_trezor():
        raise Exception('No TREZOR found')


+def header_to_sign(index, data):
+    z = bytes(65 * [0x00])
+    if index == 0:    # bootloader
+        return data[:0x03BF] + z
+    elif index == 1:  # vendorheader
+        return data[:-65] + z
+    elif index == 2:  # firmware
+        vlen = struct.unpack('<I', data[4:8])
+        vlen = vlen[0]
+        return data[vlen:vlen + 0x03BF] + z
+
+
@click.group()
 def cli():
    pass
@ -46,6 +59,7 @@ def getkey(index):
 def commit(index, filename, seckey):
    index = indexmap[index]
    data = open(filename, 'rb').read()
+    data = header_to_sign(index, data)
    digest = pyblake2.blake2s(data).digest()
    ctr = 0
    if seckey:
@ -85,6 +99,7 @@ def global_commit(commits):
 def sign(index, filename, global_commit, seckey):
    index = indexmap[index]
    data = open(filename, 'rb').read()
+    data = header_to_sign(index, data)
    digest = pyblake2.blake2s(data).digest()
    global_pk, global_R = [binascii.unhexlify(x) for x in global_commit.split('+')]
    ctr = 0
@ -106,11 +121,13 @@ def sign(index, filename, global_commit, seckey):


@cli.command(help='')
+@click.argument('index', type=click.Choice(indexmap.keys()))
@click.argument('filename')
@click.argument('global_commit')
@click.argument('signatures', nargs=-1)
-def global_sign(filename, global_commit, signatures):
+def global_sign(index, filename, global_commit, signatures):
    data = open(filename, 'rb').read()
+    data = header_to_sign(index, data)
    digest = pyblake2.blake2s(data).digest()
    global_pk, global_R = [binascii.unhexlify(x) for x in global_commit.split('+')]
    signatures = [binascii.unhexlify(x) for x in signatures]