mirror of https://github.com/trezor/trezor-firmware.git synced 2024-11-22 15:38:11 +00:00

build: sign all stuff using ed25519 cosi (2 out of 3)

Pavol Rusnak 2017-10-01 17:46:58 +02:00
parent ca649eb8f0
commit 8ddcd74080
No known key found for this signature in database
GPG Key ID: 91F3B339B9A02A3D
11 changed files with 51 additions and 25 deletions


@ -149,8 +149,8 @@ gdb_firmware: $(FIRMWARE_BUILD_DIR)/firmware.elf ## start remote gdb session to
## misc commands: ## misc commands:
vendorheader: ## construct default vendor header vendorheader: ## construct default vendor header
./tools/build_vendorheader 'e28a8970753332bd72fef413e6b0b2ef1b4aadda7aa2c141f233712a6876b351:d4eec1869fb1b8a4e817516ad5a931557cb56805c3eb16e8f3a803d647df7869:772c8a442b7db06e166cfbc1ccbcbcde6f3eba76a4e98ef3ffc519502237d6ef' 1 0.0 SatoshiLabs assets/satoshilabs_120.toif embed/firmware/vendorheader.bin ./tools/build_vendorheader 'e28a8970753332bd72fef413e6b0b2ef1b4aadda7aa2c141f233712a6876b351:d4eec1869fb1b8a4e817516ad5a931557cb56805c3eb16e8f3a803d647df7869:772c8a442b7db06e166cfbc1ccbcbcde6f3eba76a4e98ef3ffc519502237d6ef' 2 0.0 DEVEL assets/vendor_devel.toif embed/firmware/vendorheader.bin
./tools/binctl embed/firmware/vendorheader.bin -s 1 4444444444444444444444444444444444444444444444444444444444444444 ./tools/binctl embed/firmware/vendorheader.bin -s 1:2 4444444444444444444444444444444444444444444444444444444444444444:4545454545454545454545454545454545454545454545454545454545454545
binctl: ## print info about binary files binctl: ## print info about binary files
./tools/binctl $(BOOTLOADER_BUILD_DIR)/bootloader.bin ./tools/binctl $(BOOTLOADER_BUILD_DIR)/bootloader.bin
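Review bot: The `vendorheader` recipe passes two literal secret keys (`4444…4444:4545…4545`) to `./tools/binctl … -s 1:2`, and nothing in the file marks them as development-only; the same applies to the `$BINCTL $TARGET -s 1:2` actions in the two `program_bin` sections that follow (`4141…:4242…` and `4747…:4848…`). The repeated-byte pattern suggests placeholder keys, so images signed this way should only ever verify against development public keys. A comment above the recipe such as `# NOTE: development signing keys only; never valid for release images` would make that explicit (the release process is not visible here, so adjust the wording to match it). Secret keys passed as command-line arguments also end up in build logs and process listings, which matters if this recipe is ever reused with real keys.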


@ -169,5 +169,5 @@ program_bin = env.Command(
source=program_elf, source=program_elf,
action=[ action=[
'$OBJCOPY -O binary -j .header -j .flash -j .data $SOURCE $TARGET', '$OBJCOPY -O binary -j .header -j .flash -j .data $SOURCE $TARGET',
'$BINCTL $TARGET -s 1 4141414141414141414141414141414141414141414141414141414141414141', '$BINCTL $TARGET -s 1:2 4141414141414141414141414141414141414141414141414141414141414141:4242424242424242424242424242424242424242424242424242424242424242',
], ) ], )


@ -434,7 +434,7 @@ program_bin = env.Command(
source=program_elf, source=program_elf,
action=[ action=[
'$OBJCOPY -O binary -j .header -j .flash -j .data $SOURCE $TARGET', '$OBJCOPY -O binary -j .header -j .flash -j .data $SOURCE $TARGET',
'$BINCTL $TARGET -s 1 4747474747474747474747474747474747474747474747474747474747474747', '$BINCTL $TARGET -s 1:2 4747474747474747474747474747474747474747474747474747474747474747:4848484848484848484848484848484848484848484848484848484848484848',
], ) ], )
program0_bin = env.Command( program0_bin = env.Command(

Binary file not shown.

assets/vendor_devel.png Normal file

Binary file not shown.


assets/vendor_devel.toif Normal file

Binary file not shown.


@ -104,7 +104,7 @@ bool copy_sdcard(void)
return true; return true;
} }
const uint8_t BOARDLOADER_KEY_M = 1; const uint8_t BOARDLOADER_KEY_M = 2;
const uint8_t BOARDLOADER_KEY_N = 3; const uint8_t BOARDLOADER_KEY_N = 3;
static const uint8_t * const BOARDLOADER_KEYS[] = { static const uint8_t * const BOARDLOADER_KEYS[] = {
(const uint8_t *)"\xdb\x99\x5f\xe2\x51\x69\xd1\x41\xca\xb9\xbb\xba\x92\xba\xa0\x1f\x9f\x2e\x1e\xce\x7d\xf4\xcb\x2a\xc0\x51\x90\xf3\x7f\xcc\x1f\x9d", (const uint8_t *)"\xdb\x99\x5f\xe2\x51\x69\xd1\x41\xca\xb9\xbb\xba\x92\xba\xa0\x1f\x9f\x2e\x1e\xce\x7d\xf4\xcb\x2a\xc0\x51\x90\xf3\x7f\xcc\x1f\x9d",
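Review bot: `BOARDLOADER_KEY_M` and `BOARDLOADER_KEY_N` have external linkage while the `BOARDLOADER_KEYS` table beside them is `static`; unless another translation unit refers to them, `static const uint8_t BOARDLOADER_KEY_M = 2;` keeps the threshold private to this file. The same holds for `BOOTLOADER_KEY_M`/`BOOTLOADER_KEY_N` in the bootloader section. Now that M is above 1 the constant is security-relevant, so a one-line comment such as `// signature threshold: M of the N keys below must co-sign` would help the next reader. The code that enforces the threshold is outside the hunk; confirm that it rejects a signature mask with fewer than M bits set or with bits at index N or above.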


@ -47,7 +47,7 @@ void display_vendor(const uint8_t *vimg, const char *vstr, uint32_t vstr_len, ui
display_refresh(); display_refresh();
} }
const uint8_t BOOTLOADER_KEY_M = 1; const uint8_t BOOTLOADER_KEY_M = 2;
const uint8_t BOOTLOADER_KEY_N = 3; const uint8_t BOOTLOADER_KEY_N = 3;
static const uint8_t * const BOOTLOADER_KEYS[] = { static const uint8_t * const BOOTLOADER_KEYS[] = {
(const uint8_t *)"\xd7\x59\x79\x3b\xbc\x13\xa2\x81\x9a\x82\x7c\x76\xad\xb6\xfb\xa8\xa4\x9a\xee\x00\x7f\x49\xf2\xd0\x99\x2d\x99\xb8\x25\xad\x2c\x48", (const uint8_t *)"\xd7\x59\x79\x3b\xbc\x13\xa2\x81\x9a\x82\x7c\x76\xad\xb6\xfb\xa8\xa4\x9a\xee\x00\x7f\x49\xf2\xd0\x99\x2d\x99\xb8\x25\xad\x2c\x48",


@ -8,16 +8,36 @@ import binascii
import pyblake2 import pyblake2
import ed25519raw import ed25519raw
import ed25519cosi
def sign_data(seckeys, data): def sign_data(seckeys, data):
digest = pyblake2.blake2s(data).digest()
if len(seckeys) == 1: if len(seckeys) == 1:
sk = seckeys[0] sk = seckeys[0]
pk = ed25519raw.publickey(sk) pk = ed25519raw.publickey(sk)
digest = pyblake2.blake2s(data).digest()
return ed25519raw.signature(digest, sk, pk) return ed25519raw.signature(digest, sk, pk)
else: else:
raise NotImplementedError pubkeys = [ed25519raw.publickey(sk) for sk in seckeys]
ctr = 0
nonces = []
commits = []
for sk in seckeys:
r, R = ed25519cosi.get_nonce(sk, digest, ctr)
nonces.append(r)
commits.append(R)
global_pk = ed25519cosi.combine_keys(pubkeys)
global_R = ed25519cosi.combine_keys(commits)
sigs = []
for sk, r, R in zip(seckeys, nonces, commits):
h = ed25519raw.H(sk)
b = ed25519raw.b
a = 2**(b - 2) + sum(2**i * ed25519raw.bit(h, i) for i in range(3, b - 2))
S = (r + ed25519raw.Hint(global_R + global_pk + digest) * a) % ed25519raw.l
sigs.append(ed25519raw.encodeint(S))
sig = ed25519cosi.combine_sig(global_R, sigs)
ed25519raw.checkvalid(sig, digest, global_pk)
return sig
def format_sigmask(sigmask): def format_sigmask(sigmask):
@ -186,6 +206,14 @@ class VendorHeader(object):
return header return header
def sign(self, sigmask, seckeys): def sign(self, sigmask, seckeys):
# check whether provided arguments match vsig_m/vsig_n
if len(seckeys) != self.vsig_m:
raise Exception('invalid number of signatures (vsig_m expected %d, got %d)' % (self.vsig_m, len(seckeys)))
if sigmask >= (1 << self.vsig_n):
raise Exception('signature index is higher than vsig_n (%d)' % self.vsig_n)
if bin(sigmask).count('1') != self.vsig_m:
raise Exception('invalid number of indexes (vsig_m expected %d, got %d)' % (self.vsig_m, bin(sigmask).count('1')))
# sign
header = self.serialize_header(sig=False) header = self.serialize_header(sig=False)
self.sigmask = sigmask self.sigmask = sigmask
self.sig = sign_data(seckeys, header) self.sig = sign_data(seckeys, header)
@ -224,7 +252,7 @@ def main():
sigmask = 0 sigmask = 0
if ':' in sys.argv[3]: if ':' in sys.argv[3]:
for idx in sys.argv[3].split(':'): for idx in sys.argv[3].split(':'):
sigmask = 1 << (int(idx) - 1) sigmask |= 1 << (int(idx) - 1)
else: else:
sigmask = 1 << (int(sys.argv[3]) - 1) sigmask = 1 << (int(sys.argv[3]) - 1)
if ':' in sys.argv[4]: if ':' in sys.argv[4]:
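Review bot: The new checks in `VendorHeader.sign` count the secret keys and the bits set in `sigmask`, but nothing ties each secret key to the index it claims. A key that does not belong to the selected slot still yields a signature that passes `ed25519raw.checkvalid` against the locally combined key, and would presumably only be rejected later by the verifier on the device. Comparing `ed25519raw.publickey(sk)` for each key with the vendor public key stored at the corresponding `sigmask` index (the field name is not visible in this hunk) before signing would catch that; until then a comment such as `# NOTE: seckeys must correspond, in order, to the key indexes set in sigmask (not verified here)` documents the assumption. The multi-key branch of `sign_data` also needs every secret key in one process, which suits development keys but not a real 2-of-3 ceremony, and a docstring should say so. `main` and the rest of `sign` continue outside the hunks.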


@ -220,17 +220,17 @@ def test(data):
sks.append(seckey) sks.append(seckey)
pks.append(pubkey) pks.append(pubkey)
ctr = 0 ctr = 0
(r, R) = get_nonce(seckey, digest, ctr) r, R = get_nonce(seckey, digest, ctr)
print('Local nonce: %s' % hex(ed25519raw.encodeint(r))) print('Local nonce: %s' % hex(ed25519raw.encodeint(r)))
print('Local commit: %s' % hex(R)) print('Local commit: %s' % hex(R))
nonces.append(r) nonces.append(r)
commits.append(R) commits.append(R)
globalPk = combine_keys([pks[i] for i in keyset]) global_pk = combine_keys([pks[i] for i in keyset])
globalR = combine_keys([commits[i] for i in keyset]) global_R = combine_keys([commits[i] for i in keyset])
print('-----------------') print('-----------------')
print('Global pubkey: %s' % hex(globalPk)) print('Global pubkey: %s' % hex(global_pk))
print('Global commit: %s' % hex(globalR)) print('Global commit: %s' % hex(global_R))
print('-----------------') print('-----------------')
for i in range(0, N): for i in range(0, N):
@ -240,17 +240,15 @@ def test(data):
R = commits[i] R = commits[i]
h = ed25519raw.H(seckey) h = ed25519raw.H(seckey)
b = ed25519raw.b b = ed25519raw.b
a = 2**(b - 2) + sum(2**i * ed25519raw.bit(h, i) a = 2**(b - 2) + sum(2**i * ed25519raw.bit(h, i) for i in range(3, b - 2))
for i in range(3, b - 2)) S = (r + ed25519raw.Hint(global_R + global_pk + digest) * a) % ed25519raw.l
S = (r + ed25519raw.Hint(globalR + globalPk + digest) * a) % ed25519raw.l
print('Local sig %d: %s' % (i + 1, hex(ed25519raw.encodeint(S)))) print('Local sig %d: %s' % (i + 1, hex(ed25519raw.encodeint(S))))
commits.append(R)
sigs.append(ed25519raw.encodeint(S)) sigs.append(ed25519raw.encodeint(S))
print('-----------------') print('-----------------')
sig = combine_sig(globalR, [sigs[i] for i in keyset]) sig = combine_sig(global_R, [sigs[i] for i in keyset])
print('Global sig: %s' % hex(sig)) print('Global sig: %s' % hex(sig))
ed25519raw.checkvalid(sig, digest, globalPk) ed25519raw.checkvalid(sig, digest, global_pk)
print('Valid Signature!') print('Valid Signature!')


@ -14,7 +14,7 @@ def H(m):
def expmod(b, e, m): def expmod(b, e, m):
if e < 0: if e < 0:
raise Exception("negative exponent") raise Exception('negative exponent')
if e == 0: if e == 0:
return 1 return 1
t = expmod(b, e >> 1, m)**2 % m t = expmod(b, e >> 1, m)**2 % m
@ -120,18 +120,18 @@ def decodepoint(s):
x = q - x x = q - x
P = [x, y] P = [x, y]
if not isoncurve(P): if not isoncurve(P):
raise Exception("decoding point that is not on curve") raise Exception('decoding point that is not on curve')
return P return P
def checkvalid(s, m, pk): def checkvalid(s, m, pk):
if len(s) != b >> 2: if len(s) != b >> 2:
raise Exception("signature length is wrong") raise Exception('signature length is wrong')
if len(pk) != b >> 3: if len(pk) != b >> 3:
raise Exception("public-key length is wrong") raise Exception('public-key length is wrong')
R = decodepoint(s[0:b >> 3]) R = decodepoint(s[0:b >> 3])
A = decodepoint(pk) A = decodepoint(pk)
S = decodeint(s[b >> 3:b >> 2]) S = decodeint(s[b >> 3:b >> 2])
h = Hint(encodepoint(R) + pk + m) h = Hint(encodepoint(R) + pk + m)
if scalarmult(B, S) != edwards(R, scalarmult(A, h)): if scalarmult(B, S) != edwards(R, scalarmult(A, h)):
raise Exception("signature does not pass verification") raise Exception('signature does not pass verification')