replace signature scheme

10 months ago · 73abffddb1
parent 90677e5482
commit 73abffddb1
7 changed files with 1125 additions and 18 deletions
--- a/core/SConscript.ble_bootloader
+++ b/core/SConscript.ble_bootloader
@ -49,6 +49,9 @@ CPPDEFINES_MOD += [
    ('uECC_SQUARE_FUNC', '0'),
    ('uECC_SUPPORT_COMPRESSED_POINT', '0'),
    ('uECC_VLI_NATIVE_LITTLE_ENDIAN', '1'),
+
+
+    'ED25519_NO_PRECOMP',
 ]


@ -112,7 +115,11 @@ CPPPATH_MOD += [
    'embed/sdk/nrf52/components/libraries/mutex',
    'embed/sdk/nrf52/components/libraries/ringbuf',

+
    'embed/trezorhal/boards',
+    'embed/lib',
+
+    'vendor/trezor-crypto',
 ]
 SOURCE_MOD += [
 ]
@ -176,7 +183,6 @@ SOURCE_NRFHAL = [
  'embed/sdk/nrf52/components/libraries/bootloader/dfu/nrf_dfu_settings.c',
  'embed/sdk/nrf52/components/libraries/bootloader/dfu/nrf_dfu_transport.c',
  'embed/sdk/nrf52/components/libraries/bootloader/dfu/nrf_dfu_utils.c',
-  'embed/sdk/nrf52/components/libraries/bootloader/dfu/nrf_dfu_validation.c',
  'embed/sdk/nrf52/components/libraries/bootloader/dfu/nrf_dfu_ver_validation.c',
  'embed/sdk/nrf52/components/libraries/bootloader/serial_dfu/nrf_dfu_serial.c',
  'embed/sdk/nrf52/components/libraries/crypto/backend/micro_ecc/micro_ecc_backend_ecc.c',
@ -192,6 +198,16 @@ SOURCE_BLE_BOOTLOADER = [
    # originally embed/sdk/nrf52/components/libraries/bootloader/serial_dfu/nrf_dfu_serial_uart.c',
    'embed/ble_bootloader/nrf_dfu_serial_uart.c',
    'embed/ble_bootloader/nrf_bootloader.c',
+    'embed/ble_bootloader/nrf_dfu_validation.c',
+    'vendor/trezor-crypto/blake2s.c',
+    'vendor/trezor-crypto/ed25519-donna/curve25519-donna-32bit.c',
+    'vendor/trezor-crypto/ed25519-donna/curve25519-donna-helpers.c',
+    'vendor/trezor-crypto/ed25519-donna/ed25519.c',
+    'vendor/trezor-crypto/ed25519-donna/ed25519-donna-32bit-tables.c',
+    'vendor/trezor-crypto/ed25519-donna/ed25519-donna-impl-base.c',
+    'vendor/trezor-crypto/ed25519-donna/modm-donna-32bit.c',
+    'vendor/trezor-crypto/memzero.c',
+    'vendor/trezor-crypto/sha2.c',
 ]

 if DEBUG:
@ -251,7 +267,8 @@ env.Replace(
    COPT=env.get('ENV').get('OPTIMIZE', '-Og'),
    CCFLAGS='$COPT '
    '-g3 '
-    '-std=c99 -Wall -Werror -Wdouble-promotion -Wpointer-arith -Wno-missing-braces -Wno-unused-function '
+    '-nostdlib '
+    '-std=gnu99 -Wall -Werror -Wdouble-promotion -Wpointer-arith -Wno-missing-braces -Wno-unused-function '
    '-fdata-sections -ffunction-sections '
    '-fno-strict-aliasing '
    '-fno-builtin '
--- a/core/SConscript.ble_firmware
+++ b/core/SConscript.ble_firmware
@ -461,14 +461,14 @@ program_pkg = env.Command(
    target='ble_firmware.zip',
    source=program_hex,
    action=[
-        f'nrfutil pkg generate --hw-version 52 --sd-req=0x100 --application $SOURCE --app-boot-validation VALIDATE_ECDSA_P256_SHA256 --key-file ./embed/ble_bootloader/priv.pem $TARGET --application-version-string {tools.get_version("embed/ble_firmware/version.h")}'
+        f'python ../../pc-nrfutil/nordicsemi/  pkg generate --hw-version 52 --sd-req=0x100 --application $SOURCE --app-boot-validation VALIDATE_ECDSA_P256_SHA256 --key-file ./embed/ble_bootloader/priv.pem $TARGET --application-version-string {tools.get_version("embed/ble_firmware/version.h")}'
    ],
 )

 settings = env.Command(
    target='settings.hex',
    source=program_hex,
-    action=f'nrfutil settings generate --family NRF52 --application $SOURCE --app-boot-validation VALIDATE_ECDSA_P256_SHA256 --application-version-string {tools.get_version("embed/ble_firmware/version.h")} --bootloader-version {tools.get_version_int("embed/ble_bootloader/version.h")} --bl-settings-version 2  --sd-boot-validation VALIDATE_ECDSA_P256_SHA256 --softdevice ./embed/sdk/nrf52/components/softdevice/s140/hex/s140_nrf52_7.2.0_softdevice.hex --key-file ./embed/ble_bootloader/priv.pem $TARGET',
+    action=f'python ../../pc-nrfutil/nordicsemi/  settings generate --family NRF52 --application $SOURCE --app-boot-validation VALIDATE_ECDSA_P256_SHA256 --application-version-string {tools.get_version("embed/ble_firmware/version.h")} --bootloader-version {tools.get_version_int("embed/ble_bootloader/version.h")} --bl-settings-version 2  --sd-boot-validation VALIDATE_ECDSA_P256_SHA256 --softdevice ./embed/sdk/nrf52/components/softdevice/s140/hex/s140_nrf52_7.2.0_softdevice.hex --key-file ./embed/ble_bootloader/priv.pem $TARGET',
 )

 program_merge = env.Command(
--- a/core/embed/ble_bootloader/dfu_public_key.c
+++ b/core/embed/ble_bootloader/dfu_public_key.c
@ -5,12 +5,16 @@
 #include "compiler_abstraction.h"
 #include "stdint.h"

-/** @brief Public key used to verify DFU images */
-__ALIGN(4)
-const uint8_t pk[64] = {
-    0x7e, 0x2f, 0x54, 0x41, 0xb7, 0x3f, 0x0c, 0xc8, 0xa8, 0x8f, 0x29,
-    0x1a, 0x91, 0x3c, 0x9f, 0x70, 0x7e, 0xc6, 0x6f, 0x69, 0x51, 0x14,
-    0xa6, 0x04, 0xeb, 0x0b, 0x23, 0x61, 0xf0, 0x22, 0xa4, 0xf4, 0xad,
-    0x73, 0x9b, 0xfa, 0x48, 0x2e, 0x1a, 0x90, 0xf6, 0x59, 0x28, 0x4c,
-    0x73, 0x49, 0x64, 0xc5, 0x18, 0xd3, 0xb3, 0xb2, 0x1a, 0x60, 0xf0,
-    0x79, 0xe8, 0x2c, 0x0a, 0x7c, 0x04, 0x84, 0xcd, 0xd6};
+/** @brief Public keys used to verify DFU images */
+
+const uint8_t NRF_BOOTLOADER_KEY_M = 2;
+const uint8_t NRF_BOOTLOADER_KEY_N = 3;
+const uint8_t * const NRF_BOOTLOADER_KEYS[] = {
+#if !PRODUCTION
+        (const uint8_t *)"\xdb\x99\x5f\xe2\x51\x69\xd1\x41\xca\xb9\xbb\xba\x92\xba\xa0\x1f\x9f\x2e\x1e\xce\x7d\xf4\xcb\x2a\xc0\x51\x90\xf3\x7f\xcc\x1f\x9d",
+        (const uint8_t *)"\x21\x52\xf8\xd1\x9b\x79\x1d\x24\x45\x32\x42\xe1\x5f\x2e\xab\x6c\xb7\xcf\xfa\x7b\x6a\x5e\xd3\x00\x97\x96\x0e\x06\x98\x81\xdb\x12",
+        (const uint8_t *)"\x22\xfc\x29\x77\x92\xf0\xb6\xff\xc0\xbf\xcf\xdb\x7e\xdb\x0c\x0a\xa1\x4e\x02\x5a\x36\x5e\xc0\xe3\x42\xe8\x6e\x38\x29\xcb\x74\xb6",
+#else
+        MODEL_NRF_BOOTLOADER_KEYS
+#endif
+};
--- a/core/embed/ble_bootloader/memory.ld
+++ b/core/embed/ble_bootloader/memory.ld
@ -5,7 +5,7 @@ GROUP(-lgcc -lc -lnosys)

 MEMORY
 {
-  FLASH (rx) : ORIGIN = 0x70000, LENGTH = 0xe000
+  FLASH (rx) : ORIGIN = 0x60000, LENGTH = 0x1e000
  RAM (rwx) :  ORIGIN = 0x20002ae8, LENGTH = 0x1d518
  uicr_bootloader_start_address (r) : ORIGIN = 0x10001014, LENGTH = 0x4
  bootloader_settings_page (r) : ORIGIN = 0x0007F000, LENGTH = 0x1000
--- a/core/embed/ble_bootloader/nrf_dfu_validation.c
+++ b/core/embed/ble_bootloader/nrf_dfu_validation.c
--- a/core/embed/ble_firmware/memory.ld
+++ b/core/embed/ble_firmware/memory.ld
@ -5,7 +5,7 @@ GROUP(-lgcc -lc -lnosys)

 MEMORY
 {
-  FLASH (rx) : ORIGIN = 0x27000, LENGTH = 0x49000
+  FLASH (rx) : ORIGIN = 0x27000, LENGTH = 0x39000
  RAM (rwx) :  ORIGIN = 0x20002ae8, LENGTH = 0x1d518
 }

--- a/core/embed/sdk/nrf52/modules/nrfx/mdk/gcc_startup_nrf52833.S
+++ b/core/embed/sdk/nrf52/modules/nrfx/mdk/gcc_startup_nrf52833.S
@ -253,7 +253,6 @@ Reset_Handler:
 *
 * All addresses must be aligned to 4 bytes boundary.
 */
-#ifdef __STARTUP_CLEAR_BSS
    ldr r1, =__bss_start__
    ldr r2, =__bss_end__

@ -268,7 +267,6 @@ Reset_Handler:
    bgt .L_loop3

 .L_loop3_done:
-#endif /* __STARTUP_CLEAR_BSS */

 /* Execute SystemInit function. */
    bl SystemInit
@ -277,7 +275,7 @@ Reset_Handler:
 * If those libraries are not accessible, define __START as your entry point.
 */
 #ifndef __START
-#define __START _start
+#define __START main
 #endif
    bl __START