boot: use cosi to compute aggregated key and use it

Makefile

@@ -25,7 +25,12 @@ res: ## update resources
 	./tools/res_collect
 
 vendorheader: ## construct default vendor header
-	./tools/build_vendorheader '0000000000000000000000000000000000000000000000000000000000000000:0000000000000000000000000000000000000000000000000000000000000000:0000000000000000000000000000000000000000000000000000000000000000' 2 1.1 SatoshiLabs assets/satoshilabs_120.toif micropython/firmware/vendorheader.bin
+	./tools/build_vendorheader 'db995fe25169d141cab9bbba92baa01f9f2e1ece7df4cb2ac05190f37fcc1f9d:2152f8d19b791d24453242e15f2eab6cb7cffa7b6a5ed30097960e069881db12:22fc297792f0b6ffc0bfcfdb7edb0c0aa14e025a365ec0e342e86e3829cb74b6' 1 0.0 SatoshiLabs assets/satoshilabs_120.toif micropython/firmware/vendorheader.bin
+
+binctl:
+	./tools/binctl micropython/loader/build/loader.bin
+	./tools/binctl micropython/firmware/vendorheader.bin
+	./tools/binctl micropython/firmware/build/firmware.bin
 
 ## emulator commands:
 

assets/keys.txt

@@ -0,0 +1,14 @@
+seckey1: 4141414141414141414141414141414141414141414141414141414141414141
+pubkey1: db995fe25169d141cab9bbba92baa01f9f2e1ece7df4cb2ac05190f37fcc1f9d
+
+seckey2: 4242424242424242424242424242424242424242424242424242424242424242
+pubkey2: 2152f8d19b791d24453242e15f2eab6cb7cffa7b6a5ed30097960e069881db12
+
+seckey3: 4343434343434343434343434343434343434343434343434343434343434343
+pubkey3: 22fc297792f0b6ffc0bfcfdb7edb0c0aa14e025a365ec0e342e86e3829cb74b6
+
+seckey4: 4444444444444444444444444444444444444444444444444444444444444444
+pubkey4: d759793bbc13a2819a827c76adb6fba8a49aee007f49f2d0992d99b825ad2c48
+
+seckey5: 4545454545454545454545454545454545454545454545454545454545454545
+pubkey5: 6355691c178a8ff91007a7478afb955ef7352c63e7b25703984cf78b26e21a56

micropython/trezorhal/image.c

@@ -39,43 +39,48 @@ bool image_parse_header(const uint8_t *data, image_header *header)
 }
 
 static const uint8_t * const SATOSHILABS_PUBKEYS[] = {
-    (const uint8_t *)"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
+    (const uint8_t *)"\xdb\x99\x5f\xe2\x51\x69\xd1\x41\xca\xb9\xbb\xba\x92\xba\xa0\x1f\x9f\x2e\x1e\xce\x7d\xf4\xcb\x2a\xc0\x51\x90\xf3\x7f\xcc\x1f\x9d",
-    (const uint8_t *)"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
+    (const uint8_t *)"\x21\x52\xf8\xd1\x9b\x79\x1d\x24\x45\x32\x42\xe1\x5f\x2e\xab\x6c\xb7\xcf\xfa\x7b\x6a\x5e\xd3\x00\x97\x96\x0e\x06\x98\x81\xdb\x12",
-    (const uint8_t *)"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
+    (const uint8_t *)"\x22\xfc\x29\x77\x92\xf0\xb6\xff\xc0\xbf\xcf\xdb\x7e\xdb\x0c\x0a\xa1\x4e\x02\x5a\x36\x5e\xc0\xe3\x42\xe8\x6e\x38\x29\xcb\x74\xb6",
-    (const uint8_t *)"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
+    (const uint8_t *)"\xd7\x59\x79\x3b\xbc\x13\xa2\x81\x9a\x82\x7c\x76\xad\xb6\xfb\xa8\xa4\x9a\xee\x00\x7f\x49\xf2\xd0\x99\x2d\x99\xb8\x25\xad\x2c\x48",
-    (const uint8_t *)"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
+    (const uint8_t *)"\x63\x55\x69\x1c\x17\x8a\x8f\xf9\x10\x07\xa7\x47\x8a\xfb\x95\x5e\xf7\x35\x2c\x63\xe7\xb2\x57\x03\x98\x4c\xf7\x8b\x26\xe2\x1a\x56",
 };
 
-static const uint8_t *compute_pubkey(const vendor_header *vhdr, uint8_t sigmask)
+static bool compute_pubkey(const vendor_header *vhdr, uint8_t sigmask, ed25519_public_key res)
 {
     uint8_t vsig_m;
     uint8_t vsig_n;
     const uint8_t * const *vpub;
 
     if (vhdr) {
-        vsig_m = vhdr->vsig_n;
+        vsig_m = vhdr->vsig_m;
         vsig_n = vhdr->vsig_n;
         vpub = vhdr->vpub;
     } else {
-        vsig_m = 3;
+        vsig_m = 1;
         vsig_n = 5;
         vpub = SATOSHILABS_PUBKEYS;
     }
 
-    if (!vsig_m || !vsig_n) return NULL;
+    if (!vsig_m || !vsig_n) return false;
-    if (vsig_m > vsig_n) return NULL;
+    if (vsig_m > vsig_n) return false;
 
     // discard bits higher than vsig_n
     sigmask &= ((1 << vsig_n) - 1);
 
     // remove if number of set bits in sigmask is not equal to vsig_m
-    if (__builtin_popcount(sigmask) != vsig_m) return NULL;
+    if (__builtin_popcount(sigmask) != vsig_m) return false;
 
-    // TODO: add keys from vpub according to sigmask
+    ed25519_public_key keys[vsig_m];
-    (void)vpub;
+    int j = 0;
-    (void)sigmask;
+    for (int i = 0; i < vsig_n; i++) {
+        if ((1 << i) & sigmask) {
+            memcpy(keys[j], vpub[i], 32);
+            j++;
+        }
+    }
 
-    return NULL;
+    return 0 == ed25519_cosi_combine_publickeys(res, keys, vsig_m);
 }
 
 bool image_check_signature(const uint8_t *data, const vendor_header *vhdr)
@@ -95,13 +100,10 @@ bool image_check_signature(const uint8_t *data, const vendor_header *vhdr)
     blake2s_Update(&ctx, data + HEADER_SIZE, hdr.codelen);
     blake2s_Final(&ctx, hash, BLAKE2S_DIGEST_LENGTH);
 
-    const uint8_t *pub = compute_pubkey(vhdr, hdr.sigmask);
+    ed25519_public_key pub;
+    if (!compute_pubkey(vhdr, hdr.sigmask, pub)) return false;
 
-    // TODO: remove debug skip of unsigned
+    return 0 == ed25519_sign_open(hash, BLAKE2S_DIGEST_LENGTH, pub, *(const ed25519_signature *)hdr.sig);
-    if (!pub) return true;
-    // end
-
-    return pub && (0 == ed25519_sign_open(hash, BLAKE2S_DIGEST_LENGTH, *(const ed25519_public_key *)pub, *(const ed25519_signature *)hdr.sig));
 }
 
 bool vendor_parse_header(const uint8_t *data, vendor_header *header)
@@ -164,11 +166,8 @@ bool vendor_check_signature(const uint8_t *data)
     }
     blake2s_Final(&ctx, hash, BLAKE2S_DIGEST_LENGTH);
 
-    const uint8_t *pub = compute_pubkey(NULL, hdr.sigmask);
+    ed25519_public_key pub;
+    if (!compute_pubkey(NULL, hdr.sigmask, pub)) return false;
 
-    // TODO: remove debug skip of unsigned
+    return 0 == ed25519_sign_open(hash, BLAKE2S_DIGEST_LENGTH, pub, *(const ed25519_signature *)hdr.sig);
-    if (!pub) return true;
-    // end
-
-    return pub && (0 == ed25519_sign_open(hash, BLAKE2S_DIGEST_LENGTH, *(const ed25519_public_key *)pub, *(const ed25519_signature *)hdr.sig));
 }

tools/binctl

@@ -7,11 +7,13 @@ import pyblake2
 
 
 def get_sig(data):
-    print('Enter privkey: ', end='')
+    print('Enter index   : ', end='')
+    idx = int(input())
+    print('Enter privkey : ', end='')
     seckey = binascii.unhexlify(input())
     signkey = ed25519.SigningKey(seckey)
     digest = pyblake2.blake2s(data).digest()
-    sigmask = 0x01 # (1 _ _ _ _)
+    sigmask = 1 << (idx - 1)
     sig = signkey.sign(digest)
     return sigmask, sig
 
@@ -147,10 +149,10 @@ class VendorHeader:
         print('  * scheme  : %d out of %d' % (self.vsig_m, self.vsig_n))
         for i in range(self.vsig_n):
             print('  * vpub #%d :' % (i + 1), binascii.hexlify(self.vpub[i]).decode('ascii'))
-        print('  * vstr     :', self.vstr.decode('ascii'))
+        print('  * vstr    :', self.vstr.decode('ascii'))
-        print('  * vimg     : (%d bytes)', len(self.vimg))
+        print('  * vimg    : (%d bytes)' % len(self.vimg))
-        print('  * sigmask  :', self.sigmask)
+        print('  * sigmask :', self.sigmask)
-        print('  * sig      :', binascii.hexlify(self.sig).decode('ascii'))
+        print('  * sig     :', binascii.hexlify(self.sig).decode('ascii'))
 
     def serialize_header(self, sig=True):
         header = struct.pack('<4sIIBBBB', \
@@ -160,7 +162,8 @@ class VendorHeader:
         for i in range(self.vsig_n):
             header += self.vpub[i]
         header += struct.pack('<B', self.vstr_len) + self.vstr
-        header += struct.pack('<H', self.vimg_len) + self.vimg
+        header += (-len(header) & 3) * b'\x00' # vstr_pad
+        header += self.vimg
         if sig:
             header += struct.pack('<B64s', self.sigmask, self.sig)
         else:

vendor/trezor-crypto

@@ -1 +1 @@
-Subproject commit c200ce121ac268d7b201dddc89b42758ccfc40bf
+Subproject commit 3d04064384b3f4e8331bdcfc96d2c7e5fc04a269