firmware: bundle latest bootloader, replace it when needed

5 years ago · b24c062a3d
parent 1bc69fa2d6
commit b24c062a3d
10 changed files with 145 additions and 4 deletions
--- a/SConscript.firmware
+++ b/SConscript.firmware
@ -255,6 +255,7 @@ SOURCE_STMHAL = [
 ]

 SOURCE_FIRMWARE = [
+    'embed/firmware/bl_check.c',
    'embed/firmware/startup.s',
    'embed/firmware/header.S',
    'embed/firmware/main.c',
@ -426,6 +427,14 @@ obj_program.extend(
        ' --rename-section .data=.vendorheader,alloc,load,readonly,contents'
        ' $SOURCE $TARGET', ))

+obj_program.extend(
+    env.Command(
+        target='embed/firmware/bootloader.o',
+        source='embed/firmware/bootloader.bin',
+        action='$OBJCOPY -I binary -O elf32-littlearm -B arm'
+        ' --rename-section .data=.bootloader'
+        ' $SOURCE $TARGET', ))
+
 env.Depends(obj_program, qstr_generated)

 program_elf = env.Command(
--- a/embed/bootloader/messages.c
+++ b/embed/bootloader/messages.c
@ -310,7 +310,7 @@ void process_msg_FirmwareErase(uint8_t iface_num, uint32_t msg_size, uint8_t *bu
    MSG_RECV(FirmwareErase);

    firmware_remaining = msg_recv.has_length ? msg_recv.length : 0;
-    if ((firmware_remaining > 0) && ((firmware_remaining % 4) == 0) && (firmware_remaining <= (FIRMWARE_SECTORS_COUNT * IMAGE_CHUNK_SIZE))) {
+    if ((firmware_remaining > 0) && ((firmware_remaining % sizeof(uint32_t)) == 0) && (firmware_remaining <= (FIRMWARE_SECTORS_COUNT * IMAGE_CHUNK_SIZE))) {
        // request new firmware
        chunk_requested = (firmware_remaining > IMAGE_CHUNK_SIZE) ? IMAGE_CHUNK_SIZE : firmware_remaining;
        MSG_SEND_INIT(FirmwareRequest);
--- a/embed/firmware/bl_check.c
+++ b/embed/firmware/bl_check.c
@ -0,0 +1,84 @@
+/*
+ * This file is part of the TREZOR project, https://trezor.io/
+ *
+ * Copyright (c) SatoshiLabs
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include <stdint.h>
+#include <string.h>
+#include "common.h"
+#include "flash.h"
+#include "blake2s.h"
+
+// symbols from bootloader.bin => bootloader.o
+extern const uint32_t _binary_embed_firmware_bootloader_bin_start;
+extern const uint32_t _binary_embed_firmware_bootloader_bin_size;
+
+/*
+static secbool known_bootloader(const uint8_t *hash, int len) {
+    if (len != 32) return secfalse;
+    // bootloader-2.0.1.bin (padded with 0x00)
+    if (0 == memcmp(hash, "\x91\x37\x46\xd0\x2d\xa7\xc4\xbe\x1d\xae\xef\xb0\x9b\x4e\x31\x88\xed\x38\x23\x5e\x0e\x31\xa7\x8c\x01\xde\x4e\xcc\xc2\xd6\x36\xb3", 32)) return sectrue;
+    // bootloader-2.0.1.bin (padded with 0xff)
+    if (0 == memcmp(hash, "\x2f\xdb\xde\x94\x0a\xd8\x91\x1c\xbd\x07\xb0\xba\x06\x2c\x90\x84\x02\xec\x95\x19\xde\x52\x8d\x4b\xe9\xb9\xed\x30\x71\x91\xb4\xd3", 32)) return sectrue;
+    // bootloader-2.0.2.bin (padded with 0x00)
+    if (0 == memcmp(hash, "\x2e\xf7\x47\xf8\x49\x87\x1e\xc8\xc6\x01\x35\xd6\x32\xe5\x5a\xd1\x56\x18\xf8\x64\x87\xb7\xaa\x7c\x62\x0e\xc3\x0d\x25\x69\x4e\x18", 32)) return sectrue;
+    // bootloader-2.0.2.bin (padded with 0xff)
+    if (0 == memcmp(hash, "\xcc\x6b\x35\xc3\x8f\x29\x5c\xbd\x7d\x31\x69\xaf\xae\xf1\x61\x01\xef\xbe\x9f\x3b\x0a\xfd\xc5\x91\x70\x9b\xf5\xa0\xd5\xa4\xc5\xe0", 32)) return sectrue;
+    return secfalse;
+}
+*/
+
+static secbool latest_bootloader(const uint8_t *hash, int len) {
+    if (len != 32) return secfalse;
+    // bootloader.bin (padded with 0x00)
+    if (0 == memcmp(hash, "\x2e\xf7\x47\xf8\x49\x87\x1e\xc8\xc6\x01\x35\xd6\x32\xe5\x5a\xd1\x56\x18\xf8\x64\x87\xb7\xaa\x7c\x62\x0e\xc3\x0d\x25\x69\x4e\x18", 32)) return sectrue;
+    // bootloader.bin (padded with 0xff)
+    if (0 == memcmp(hash, "\xcc\x6b\x35\xc3\x8f\x29\x5c\xbd\x7d\x31\x69\xaf\xae\xf1\x61\x01\xef\xbe\x9f\x3b\x0a\xfd\xc5\x91\x70\x9b\xf5\xa0\xd5\xa4\xc5\xe0", 32)) return sectrue;
+    return secfalse;
+}
+
+#define BACKLIGHT_NORMAL  150
+
+void check_and_replace_bootloader(void)
+{
+    // compute current bootloader hash
+    uint8_t hash[BLAKE2S_DIGEST_LENGTH];
+    const uint32_t bl_len = 128 * 1024;
+    const void *bl_data = flash_get_address(FLASH_SECTOR_BOOTLOADER, 0, bl_len);
+    blake2s(bl_data, bl_len, hash, BLAKE2S_DIGEST_LENGTH);
+
+    // don't whitelist the valid bootloaders for now
+    // ensure(known_bootloader(hash, BLAKE2S_DIGEST_LENGTH), "Unknown bootloader detected");
+
+    // do we have the latest bootloader?
+    if (sectrue == latest_bootloader(hash, BLAKE2S_DIGEST_LENGTH)) {
+        return;
+    }
+
+    // replace bootloader with the latest one
+    const uint32_t *data = (const uint32_t *)&_binary_embed_firmware_bootloader_bin_start;
+    const uint32_t len = (const uint32_t)&_binary_embed_firmware_bootloader_bin_size;
+    ensure(flash_erase(FLASH_SECTOR_BOOTLOADER), NULL);
+    ensure(flash_unlock_write(), NULL);
+    for (int i = 0; i < len / sizeof(uint32_t); i++) {
+        ensure(flash_write_word(FLASH_SECTOR_BOOTLOADER, i * sizeof(uint32_t), data[i]), NULL);
+    }
+    for (int i = len / sizeof(uint32_t); i < 128 * 1024 / sizeof(uint32_t); i++) {
+        ensure(flash_write_word(FLASH_SECTOR_BOOTLOADER, i * sizeof(uint32_t), 0x00000000), NULL);
+    }
+    ensure(flash_lock_write(), NULL);
+}
--- a/embed/firmware/bl_check.h
+++ b/embed/firmware/bl_check.h
@ -0,0 +1,25 @@
+/*
+ * This file is part of the TREZOR project, https://trezor.io/
+ *
+ * Copyright (c) SatoshiLabs
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#ifndef __BL_CHECK_H__
+#define __BL_CHECK_H__
+
+void check_and_replace_bootloader(void);
+
+#endif
--- a/embed/firmware/bootloader.bin
+++ b/embed/firmware/bootloader.bin
--- a/embed/firmware/bootloader_hashes.py
+++ b/embed/firmware/bootloader_hashes.py
@ -0,0 +1,20 @@
+#!/usr/bin/env python3
+import glob
+import pyblake2
+
+ALIGNED_SIZE = 128 * 1024
+
+files = glob.glob("bootloader*.bin")
+
+for fn in sorted(files):
+    data = open(fn, "rb").read()
+    if len(data) > ALIGNED_SIZE:
+        raise ValueError(fn, "too big")
+    data_00 = data + b"\x00" * (ALIGNED_SIZE - len(data))
+    data_ff = data + b"\xff" * (ALIGNED_SIZE - len(data))
+    h_00 = pyblake2.blake2s(data=data_00).digest()
+    h_ff = pyblake2.blake2s(data=data_ff).digest()
+    h_00 = "".join(["\\x%02x" % i for i in h_00])
+    h_ff = "".join(["\\x%02x" % i for i in h_ff])
+    print("    // %s (padded with 0x00)\n    if (0 == memcmp(hash, \"%s\", 32)) return sectrue;" % (fn, h_00))
+    print("    // %s (padded with 0xff)\n    if (0 == memcmp(hash, \"%s\", 32)) return sectrue;" % (fn, h_ff))
--- a/embed/firmware/main.c
+++ b/embed/firmware/main.c
@ -40,6 +40,7 @@
 #include "rng.h"
 #include "sdcard.h"
 #include "touch.h"
+#include "bl_check.h"

 int main(void)
 {
@ -51,6 +52,7 @@ int main(void)
    collect_hw_entropy();

 #if TREZOR_MODEL == T
+    check_and_replace_bootloader();
    // Enable MPU
    mpu_config();
 #endif
--- a/embed/firmware/memory_T.ld
+++ b/embed/firmware/memory_T.ld
@ -53,6 +53,8 @@ SECTIONS {
    *(.text*);
    . = ALIGN(4);
    *(.rodata*);
+    . = ALIGN(4);
+    *(.bootloader*);
    . = ALIGN(512);
  } >FLASH AT>FLASH

--- a/embed/trezorhal/flash.c
+++ b/embed/trezorhal/flash.c
@ -141,7 +141,7 @@ secbool flash_write_word(uint8_t sector, uint32_t offset, uint32_t data)
    if (address == 0) {
        return secfalse;
    }
-    if (offset % 4 != 0) {
+    if (offset % sizeof(uint32_t)) {  // we write only at 4-byte boundary
        return secfalse;
    }
    if (data != (data & *((const uint32_t *)address))) {
@ -149,7 +149,6 @@ secbool flash_write_word(uint8_t sector, uint32_t offset, uint32_t data)
    }
    if (HAL_OK != HAL_FLASH_Program(FLASH_TYPEPROGRAM_WORD, address, data)) {
        return secfalse;
-
    }
    if (data != *((const uint32_t *)address)) {
        return secfalse;
--- a/embed/unix/flash.c
+++ b/embed/unix/flash.c
@ -158,7 +158,7 @@ secbool flash_write_byte(uint8_t sector, uint32_t offset, uint8_t data)

 secbool flash_write_word(uint8_t sector, uint32_t offset, uint32_t data)
 {
-    if (offset % 4) {  // we write only at 4-byte boundary
+    if (offset % sizeof(uint32_t)) {  // we write only at 4-byte boundary
        return secfalse;
    }
    uint32_t *flash = (uint32_t *)flash_get_address(sector, offset, sizeof(data));