boot: use cosi to compute aggregated key and use it

7 years ago · 87b7d0649b
parent 71ea884ad8
commit 87b7d0649b
5 changed files with 58 additions and 37 deletions
--- a/7
+++ b/7
@ -25,7 +25,12 @@ res: ## update resources
 	./tools/res_collect

 vendorheader: ## construct default vendor header
-	./tools/build_vendorheader '0000000000000000000000000000000000000000000000000000000000000000:0000000000000000000000000000000000000000000000000000000000000000:0000000000000000000000000000000000000000000000000000000000000000' 2 1.1 SatoshiLabs assets/satoshilabs_120.toif micropython/firmware/vendorheader.bin
+	./tools/build_vendorheader 'db995fe25169d141cab9bbba92baa01f9f2e1ece7df4cb2ac05190f37fcc1f9d:2152f8d19b791d24453242e15f2eab6cb7cffa7b6a5ed30097960e069881db12:22fc297792f0b6ffc0bfcfdb7edb0c0aa14e025a365ec0e342e86e3829cb74b6' 1 0.0 SatoshiLabs assets/satoshilabs_120.toif micropython/firmware/vendorheader.bin
+
+binctl:
+	./tools/binctl micropython/loader/build/loader.bin
+	./tools/binctl micropython/firmware/vendorheader.bin
+	./tools/binctl micropython/firmware/build/firmware.bin

 ## emulator commands:

--- a/assets/keys.txt
+++ b/assets/keys.txt
@ -0,0 +1,14 @@
+seckey1: 4141414141414141414141414141414141414141414141414141414141414141
+pubkey1: db995fe25169d141cab9bbba92baa01f9f2e1ece7df4cb2ac05190f37fcc1f9d
+
+seckey2: 4242424242424242424242424242424242424242424242424242424242424242
+pubkey2: 2152f8d19b791d24453242e15f2eab6cb7cffa7b6a5ed30097960e069881db12
+
+seckey3: 4343434343434343434343434343434343434343434343434343434343434343
+pubkey3: 22fc297792f0b6ffc0bfcfdb7edb0c0aa14e025a365ec0e342e86e3829cb74b6
+
+seckey4: 4444444444444444444444444444444444444444444444444444444444444444
+pubkey4: d759793bbc13a2819a827c76adb6fba8a49aee007f49f2d0992d99b825ad2c48
+
+seckey5: 4545454545454545454545454545454545454545454545454545454545454545
+pubkey5: 6355691c178a8ff91007a7478afb955ef7352c63e7b25703984cf78b26e21a56
--- a/micropython/trezorhal/image.c
+++ b/micropython/trezorhal/image.c
@ -39,43 +39,48 @@ bool image_parse_header(const uint8_t *data, image_header *header)
 }

 static const uint8_t * const SATOSHILABS_PUBKEYS[] = {
-    (const uint8_t *)"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
-    (const uint8_t *)"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
-    (const uint8_t *)"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
-    (const uint8_t *)"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
-    (const uint8_t *)"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
+    (const uint8_t *)"\xdb\x99\x5f\xe2\x51\x69\xd1\x41\xca\xb9\xbb\xba\x92\xba\xa0\x1f\x9f\x2e\x1e\xce\x7d\xf4\xcb\x2a\xc0\x51\x90\xf3\x7f\xcc\x1f\x9d",
+    (const uint8_t *)"\x21\x52\xf8\xd1\x9b\x79\x1d\x24\x45\x32\x42\xe1\x5f\x2e\xab\x6c\xb7\xcf\xfa\x7b\x6a\x5e\xd3\x00\x97\x96\x0e\x06\x98\x81\xdb\x12",
+    (const uint8_t *)"\x22\xfc\x29\x77\x92\xf0\xb6\xff\xc0\xbf\xcf\xdb\x7e\xdb\x0c\x0a\xa1\x4e\x02\x5a\x36\x5e\xc0\xe3\x42\xe8\x6e\x38\x29\xcb\x74\xb6",
+    (const uint8_t *)"\xd7\x59\x79\x3b\xbc\x13\xa2\x81\x9a\x82\x7c\x76\xad\xb6\xfb\xa8\xa4\x9a\xee\x00\x7f\x49\xf2\xd0\x99\x2d\x99\xb8\x25\xad\x2c\x48",
+    (const uint8_t *)"\x63\x55\x69\x1c\x17\x8a\x8f\xf9\x10\x07\xa7\x47\x8a\xfb\x95\x5e\xf7\x35\x2c\x63\xe7\xb2\x57\x03\x98\x4c\xf7\x8b\x26\xe2\x1a\x56",
 };

-static const uint8_t *compute_pubkey(const vendor_header *vhdr, uint8_t sigmask)
+static bool compute_pubkey(const vendor_header *vhdr, uint8_t sigmask, ed25519_public_key res)
 {
    uint8_t vsig_m;
    uint8_t vsig_n;
    const uint8_t * const *vpub;

    if (vhdr) {
-        vsig_m = vhdr->vsig_n;
+        vsig_m = vhdr->vsig_m;
        vsig_n = vhdr->vsig_n;
        vpub = vhdr->vpub;
    } else {
-        vsig_m = 3;
+        vsig_m = 1;
        vsig_n = 5;
        vpub = SATOSHILABS_PUBKEYS;
    }

-    if (!vsig_m || !vsig_n) return NULL;
-    if (vsig_m > vsig_n) return NULL;
+    if (!vsig_m || !vsig_n) return false;
+    if (vsig_m > vsig_n) return false;

    // discard bits higher than vsig_n
    sigmask &= ((1 << vsig_n) - 1);

    // remove if number of set bits in sigmask is not equal to vsig_m
-    if (__builtin_popcount(sigmask) != vsig_m) return NULL;
-
-    // TODO: add keys from vpub according to sigmask
-    (void)vpub;
-    (void)sigmask;
+    if (__builtin_popcount(sigmask) != vsig_m) return false;
+
+    ed25519_public_key keys[vsig_m];
+    int j = 0;
+    for (int i = 0; i < vsig_n; i++) {
+        if ((1 << i) & sigmask) {
+            memcpy(keys[j], vpub[i], 32);
+            j++;
+        }
+    }

-    return NULL;
+    return 0 == ed25519_cosi_combine_publickeys(res, keys, vsig_m);
 }

 bool image_check_signature(const uint8_t *data, const vendor_header *vhdr)
@ -95,13 +100,10 @@ bool image_check_signature(const uint8_t *data, const vendor_header *vhdr)
    blake2s_Update(&ctx, data + HEADER_SIZE, hdr.codelen);
    blake2s_Final(&ctx, hash, BLAKE2S_DIGEST_LENGTH);

-    const uint8_t *pub = compute_pubkey(vhdr, hdr.sigmask);
+    ed25519_public_key pub;
+    if (!compute_pubkey(vhdr, hdr.sigmask, pub)) return false;

-    // TODO: remove debug skip of unsigned
-    if (!pub) return true;
-    // end
-
-    return pub && (0 == ed25519_sign_open(hash, BLAKE2S_DIGEST_LENGTH, *(const ed25519_public_key *)pub, *(const ed25519_signature *)hdr.sig));
+    return 0 == ed25519_sign_open(hash, BLAKE2S_DIGEST_LENGTH, pub, *(const ed25519_signature *)hdr.sig);
 }

 bool vendor_parse_header(const uint8_t *data, vendor_header *header)
@ -164,11 +166,8 @@ bool vendor_check_signature(const uint8_t *data)
    }
    blake2s_Final(&ctx, hash, BLAKE2S_DIGEST_LENGTH);

-    const uint8_t *pub = compute_pubkey(NULL, hdr.sigmask);
-
-    // TODO: remove debug skip of unsigned
-    if (!pub) return true;
-    // end
+    ed25519_public_key pub;
+    if (!compute_pubkey(NULL, hdr.sigmask, pub)) return false;

-    return pub && (0 == ed25519_sign_open(hash, BLAKE2S_DIGEST_LENGTH, *(const ed25519_public_key *)pub, *(const ed25519_signature *)hdr.sig));
+    return 0 == ed25519_sign_open(hash, BLAKE2S_DIGEST_LENGTH, pub, *(const ed25519_signature *)hdr.sig);
 }
--- a/tools/binctl
+++ b/tools/binctl
@ -7,11 +7,13 @@ import pyblake2


 def get_sig(data):
-    print('Enter privkey: ', end='')
+    print('Enter index   : ', end='')
+    idx = int(input())
+    print('Enter privkey : ', end='')
    seckey = binascii.unhexlify(input())
    signkey = ed25519.SigningKey(seckey)
    digest = pyblake2.blake2s(data).digest()
-    sigmask = 0x01 # (1 _ _ _ _)
+    sigmask = 1 << (idx - 1)
    sig = signkey.sign(digest)
    return sigmask, sig

@ -147,10 +149,10 @@ class VendorHeader:
        print('  * scheme  : %d out of %d' % (self.vsig_m, self.vsig_n))
        for i in range(self.vsig_n):
            print('  * vpub #%d :' % (i + 1), binascii.hexlify(self.vpub[i]).decode('ascii'))
-        print('  * vstr     :', self.vstr.decode('ascii'))
-        print('  * vimg     : (%d bytes)', len(self.vimg))
-        print('  * sigmask  :', self.sigmask)
-        print('  * sig      :', binascii.hexlify(self.sig).decode('ascii'))
+        print('  * vstr    :', self.vstr.decode('ascii'))
+        print('  * vimg    : (%d bytes)' % len(self.vimg))
+        print('  * sigmask :', self.sigmask)
+        print('  * sig     :', binascii.hexlify(self.sig).decode('ascii'))

    def serialize_header(self, sig=True):
        header = struct.pack('<4sIIBBBB', \
@ -160,7 +162,8 @@ class VendorHeader:
        for i in range(self.vsig_n):
            header += self.vpub[i]
        header += struct.pack('<B', self.vstr_len) + self.vstr
-        header += struct.pack('<H', self.vimg_len) + self.vimg
+        header += (-len(header) & 3) * b'\x00' # vstr_pad
+        header += self.vimg
        if sig:
            header += struct.pack('<B64s', self.sigmask, self.sig)
        else:
--- a/vendor/trezor-crypto
+++ b/vendor/trezor-crypto
@ -1 +1 @@
-Subproject commit c200ce121ac268d7b201dddc89b42758ccfc40bf
+Subproject commit 3d04064384b3f4e8331bdcfc96d2c7e5fc04a269