tools: update keyctl to work with already signed binaries

2025-01-18 11:21:11 +00:00 · 2018-01-28 17:30:46 +01:00 · 2018-01-28 17:30:46 +01:00 · 706ddda1a7
commit 706ddda1a7
parent c934109d65
6 changed files with 23 additions and 10 deletions
--- a/SConscript.bootloader
+++ b/SConscript.bootloader
@ -182,6 +182,5 @@ program_bin = env.Command(
    action=[
        '$OBJCOPY -O binary -j .header -j .flash -j .data $SOURCE $TARGET',
        '$BINCTL $TARGET -h',
-        'dd if=$TARGET of=build/bootloader/header.tosign bs=1 count=1024',
+        '$BINCTL $TARGET -s 1:2 `$COMBINE_SIGN bootloader $TARGET 4141414141414141414141414141414141414141414141414141414141414141 4242424242424242424242424242424242424242424242424242424242424242`',
        '$BINCTL $TARGET -s 1:2 `$COMBINE_SIGN bootloader build/bootloader/header.tosign 4141414141414141414141414141414141414141414141414141414141414141 4242424242424242424242424242424242424242424242424242424242424242`',
    ], )
--- a/SConscript.firmware
+++ b/SConscript.firmware
@ -418,6 +418,5 @@ program_bin = env.Command(
    action=[
        '$OBJCOPY -O binary -j .vendorheader -j .header -j .flash -j .data $SOURCE $TARGET',
        '$BINCTL $TARGET -h',
-        'dd if=$TARGET of=build/firmware/header.tosign bs=1 count=1024 skip=`wc -c < embed/firmware/vendorheader.bin | tr -d " "`',
+        '$BINCTL $TARGET -s 1:2 `$COMBINE_SIGN firmware $TARGET 4747474747474747474747474747474747474747474747474747474747474747 4848484848484848484848484848484848484848484848484848484848484848`',
        '$BINCTL $TARGET -s 1:2 `$COMBINE_SIGN firmware build/firmware/header.tosign 4747474747474747474747474747474747474747474747474747474747474747 4848484848484848484848484848484848484848484848484848484848484848`',
    ], )
--- a/SConscript.prodtest
+++ b/SConscript.prodtest
@ -154,6 +154,5 @@ program_bin = env.Command(
    action=[
        '$OBJCOPY -O binary -j .vendorheader -j .header -j .flash -j .data $SOURCE $TARGET',
        '$BINCTL $TARGET -h',
-        'dd if=$TARGET of=build/prodtest/header.tosign bs=1 count=1024 skip=`wc -c < embed/firmware/vendorheader.bin | tr -d " "`',
+        '$BINCTL $TARGET -s 1:2 `$COMBINE_SIGN firmware $TARGET 4747474747474747474747474747474747474747474747474747474747474747 4848484848484848484848484848484848484848484848484848484848484848`',
        '$BINCTL $TARGET -s 1:2 `$COMBINE_SIGN firmware build/prodtest/header.tosign 4747474747474747474747474747474747474747474747474747474747474747 4848484848484848484848484848484848484848484848484848484848484848`',
    ], )
--- a/SConscript.reflash
+++ b/SConscript.reflash
@ -154,6 +154,5 @@ program_bin = env.Command(
    action=[
        '$OBJCOPY -O binary -j .vendorheader -j .header -j .flash -j .data $SOURCE $TARGET',
        '$BINCTL $TARGET -h',
-        'dd if=$TARGET of=build/reflash/header.tosign bs=1 count=1024 skip=`wc -c < embed/firmware/vendorheader.bin | tr -d " "`',
+        '$BINCTL $TARGET -s 1:2 `$COMBINE_SIGN firmware $TARGET 4747474747474747474747474747474747474747474747474747474747474747 4848484848484848484848484848484848484848484848484848484848484848`',
        '$BINCTL $TARGET -s 1:2 `$COMBINE_SIGN firmware build/reflash/header.tosign 4747474747474747474747474747474747474747474747474747474747474747 4848484848484848484848484848484848484848484848484848484848484848`',
    ], )
--- a/tools/combine_sign
+++ b/tools/combine_sign
@ -24,4 +24,4 @@ for seckey in $SECKEYS; do
    SIGS="$SIGS $sig"
 done
-$TOOLDIR/keyctl global_sign $FILE $global_commit $SIGS
+$TOOLDIR/keyctl global_sign $TYPE $FILE $global_commit $SIGS
--- a/tools/keyctl
+++ b/tools/keyctl
@ -3,6 +3,7 @@
 import binascii
 import click
 import pyblake2
 import struct
 from trezorlib import ed25519raw, ed25519cosi
@ -24,6 +25,18 @@ def get_trezor():
        raise Exception('No TREZOR found')
 def header_to_sign(index, data):
    z = bytes(65 * [0x00])
    if index == 0:    # bootloader
        return data[:0x03BF] + z
    elif index == 1:  # vendorheader
        return data[:-65] + z
    elif index == 2:  # firmware
        vlen = struct.unpack('<I', data[4:8])
        vlen = vlen[0]
        return data[vlen:vlen + 0x03BF] + z
@click.group()
 def cli():
    pass
@ -46,6 +59,7 @@ def getkey(index):
 def commit(index, filename, seckey):
    index = indexmap[index]
    data = open(filename, 'rb').read()
    data = header_to_sign(index, data)
    digest = pyblake2.blake2s(data).digest()
    ctr = 0
    if seckey:
@ -85,6 +99,7 @@ def global_commit(commits):
 def sign(index, filename, global_commit, seckey):
    index = indexmap[index]
    data = open(filename, 'rb').read()
    data = header_to_sign(index, data)
    digest = pyblake2.blake2s(data).digest()
    global_pk, global_R = [binascii.unhexlify(x) for x in global_commit.split('+')]
    ctr = 0
@ -106,11 +121,13 @@ def sign(index, filename, global_commit, seckey):
@cli.command(help='')
@click.argument('index', type=click.Choice(indexmap.keys()))
@click.argument('filename')
@click.argument('global_commit')
@click.argument('signatures', nargs=-1)
-def global_sign(filename, global_commit, signatures):
+def global_sign(index, filename, global_commit, signatures):
    data = open(filename, 'rb').read()
    data = header_to_sign(index, data)
    digest = pyblake2.blake2s(data).digest()
    global_pk, global_R = [binascii.unhexlify(x) for x in global_commit.split('+')]
    signatures = [binascii.unhexlify(x) for x in signatures]