mirror of
https://github.com/trezor/trezor-firmware.git
synced 2025-01-03 20:11:00 +00:00
tools: update keyctl to work with already signed binaries
parent
c934109d65
commit
706ddda1a7
@ -182,6 +182,5 @@ program_bin = env.Command(
|
||||
action=[
|
||||
'$OBJCOPY -O binary -j .header -j .flash -j .data $SOURCE $TARGET',
|
||||
'$BINCTL $TARGET -h',
|
||||
'dd if=$TARGET of=build/bootloader/header.tosign bs=1 count=1024',
|
||||
'$BINCTL $TARGET -s 1:2 `$COMBINE_SIGN bootloader build/bootloader/header.tosign 4141414141414141414141414141414141414141414141414141414141414141 4242424242424242424242424242424242424242424242424242424242424242`',
|
||||
'$BINCTL $TARGET -s 1:2 `$COMBINE_SIGN bootloader $TARGET 4141414141414141414141414141414141414141414141414141414141414141 4242424242424242424242424242424242424242424242424242424242424242`',
|
||||
], )
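Review bot: The two 32-byte repeated-byte hex values passed to `$COMBINE_SIGN` in this action list are written inline with nothing saying what they are. They are presumably development secret keys, since the signing script iterates over `$SECKEYS`. The same pattern recurs in the firmware, prodtest and reflash hunks below, with a different pair. A comment above the action list such as `# development-only signing keys; production images are signed out of band` would make the intent explicit. Defining each pair once as a construction variable would also keep the four build files from drifting apart. The `env.Command(...)` call starts outside the hunk.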
|
||||
|
@ -418,6 +418,5 @@ program_bin = env.Command(
|
||||
action=[
|
||||
'$OBJCOPY -O binary -j .vendorheader -j .header -j .flash -j .data $SOURCE $TARGET',
|
||||
'$BINCTL $TARGET -h',
|
||||
'dd if=$TARGET of=build/firmware/header.tosign bs=1 count=1024 skip=`wc -c < embed/firmware/vendorheader.bin | tr -d " "`',
|
||||
'$BINCTL $TARGET -s 1:2 `$COMBINE_SIGN firmware build/firmware/header.tosign 4747474747474747474747474747474747474747474747474747474747474747 4848484848484848484848484848484848484848484848484848484848484848`',
|
||||
'$BINCTL $TARGET -s 1:2 `$COMBINE_SIGN firmware $TARGET 4747474747474747474747474747474747474747474747474747474747474747 4848484848484848484848484848484848484848484848484848484848484848`',
|
||||
], )
|
||||
|
@ -154,6 +154,5 @@ program_bin = env.Command(
|
||||
action=[
|
||||
'$OBJCOPY -O binary -j .vendorheader -j .header -j .flash -j .data $SOURCE $TARGET',
|
||||
'$BINCTL $TARGET -h',
|
||||
'dd if=$TARGET of=build/prodtest/header.tosign bs=1 count=1024 skip=`wc -c < embed/firmware/vendorheader.bin | tr -d " "`',
|
||||
'$BINCTL $TARGET -s 1:2 `$COMBINE_SIGN firmware build/prodtest/header.tosign 4747474747474747474747474747474747474747474747474747474747474747 4848484848484848484848484848484848484848484848484848484848484848`',
|
||||
'$BINCTL $TARGET -s 1:2 `$COMBINE_SIGN firmware $TARGET 4747474747474747474747474747474747474747474747474747474747474747 4848484848484848484848484848484848484848484848484848484848484848`',
|
||||
], )
|
||||
|
@ -154,6 +154,5 @@ program_bin = env.Command(
|
||||
action=[
|
||||
'$OBJCOPY -O binary -j .vendorheader -j .header -j .flash -j .data $SOURCE $TARGET',
|
||||
'$BINCTL $TARGET -h',
|
||||
'dd if=$TARGET of=build/reflash/header.tosign bs=1 count=1024 skip=`wc -c < embed/firmware/vendorheader.bin | tr -d " "`',
|
||||
'$BINCTL $TARGET -s 1:2 `$COMBINE_SIGN firmware build/reflash/header.tosign 4747474747474747474747474747474747474747474747474747474747474747 4848484848484848484848484848484848484848484848484848484848484848`',
|
||||
'$BINCTL $TARGET -s 1:2 `$COMBINE_SIGN firmware $TARGET 4747474747474747474747474747474747474747474747474747474747474747 4848484848484848484848484848484848484848484848484848484848484848`',
|
||||
], )
|
||||
|
@ -24,4 +24,4 @@ for seckey in $SECKEYS; do
|
||||
SIGS="$SIGS $sig"
|
||||
done
|
||||
|
||||
$TOOLDIR/keyctl global_sign $FILE $global_commit $SIGS
|
||||
$TOOLDIR/keyctl global_sign $TYPE $FILE $global_commit $SIGS
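Review bot: The `global_sign` invocation expands `$TYPE` and `$FILE` unquoted, so a target path containing whitespace or glob characters is split before `keyctl` sees it. Quoting the single-value arguments and leaving only the list unquoted keeps the intended word-splitting: `$TOOLDIR/keyctl global_sign "$TYPE" "$FILE" "$global_commit" $SIGS`. The assignment of `TYPE` is not visible in this hunk, so it is worth confirming the script rejects a missing or unexpected type before any key is used.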
|
||||
|
19
tools/keyctl
19
tools/keyctl
@ -3,6 +3,7 @@
|
||||
import binascii
|
||||
import click
|
||||
import pyblake2
|
||||
import struct
|
||||
|
||||
from trezorlib import ed25519raw, ed25519cosi
|
||||
|
||||
@ -24,6 +25,18 @@ def get_trezor():
|
||||
raise Exception('No TREZOR found')
|
||||
|
||||
|
||||
def header_to_sign(index, data):
|
||||
z = bytes(65 * [0x00])
|
||||
if index == 0: # bootloader
|
||||
return data[:0x03BF] + z
|
||||
elif index == 1: # vendorheader
|
||||
return data[:-65] + z
|
||||
elif index == 2: # firmware
|
||||
vlen = struct.unpack('<I', data[4:8])
|
||||
vlen = vlen[0]
|
||||
return data[vlen:vlen + 0x03BF] + z
|
||||
|
||||
|
||||
@click.group()
|
||||
def cli():
|
||||
pass
|
||||
@ -46,6 +59,7 @@ def getkey(index):
|
||||
def commit(index, filename, seckey):
|
||||
index = indexmap[index]
|
||||
data = open(filename, 'rb').read()
|
||||
data = header_to_sign(index, data)
|
||||
digest = pyblake2.blake2s(data).digest()
|
||||
ctr = 0
|
||||
if seckey:
|
||||
@ -85,6 +99,7 @@ def global_commit(commits):
|
||||
def sign(index, filename, global_commit, seckey):
|
||||
index = indexmap[index]
|
||||
data = open(filename, 'rb').read()
|
||||
data = header_to_sign(index, data)
|
||||
digest = pyblake2.blake2s(data).digest()
|
||||
global_pk, global_R = [binascii.unhexlify(x) for x in global_commit.split('+')]
|
||||
ctr = 0
|
||||
@ -106,11 +121,13 @@ def sign(index, filename, global_commit, seckey):
|
||||
|
||||
|
||||
@cli.command(help='')
|
||||
@click.argument('index', type=click.Choice(indexmap.keys()))
|
||||
@click.argument('filename')
|
||||
@click.argument('global_commit')
|
||||
@click.argument('signatures', nargs=-1)
|
||||
def global_sign(filename, global_commit, signatures):
|
||||
def global_sign(index, filename, global_commit, signatures):
|
||||
data = open(filename, 'rb').read()
|
||||
data = header_to_sign(index, data)
|
||||
digest = pyblake2.blake2s(data).digest()
|
||||
global_pk, global_R = [binascii.unhexlify(x) for x in global_commit.split('+')]
|
||||
signatures = [binascii.unhexlify(x) for x in signatures]
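Review bot: `global_sign` passes `index` straight to `header_to_sign`, but unlike `commit` and `sign` the visible lines never run `index = indexmap[index]`, so the click choice string is presumably compared against the integers 0/1/2 and no branch matches. `header_to_sign` then falls off the end and returns None, which surfaces as a type error from `pyblake2.blake2s(data)` rather than a clear message. Add `index = indexmap[index]` as the first line of `global_sign`, and end `header_to_sign` with `raise ValueError('unknown image type')`. Separately, `header_to_sign` slices without checking `len(data)` and trusts the `vlen` read from `data[4:8]`, so a short or malformed file yields a digest over a truncated region instead of an error. A length check before each slice would make the signer fail closed. The body of `global_sign` continues outside the hunk.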
|
||||
|