bootloader/loader: use blake2s instead of sha256 for digests

7 years ago · e313234fe3
parent 4c206be585
commit e313234fe3
5 changed files with 15 additions and 12 deletions
--- a/Makefile.bootloader
+++ b/Makefile.bootloader
@ -83,6 +83,7 @@ CFLAGS_MOD += \

 OBJ_MOD += \
 	$(BUILD_FW)/extmod/modtrezorcrypto/trezor-crypto/ed25519-donna/ed25519.o \
+	$(BUILD_FW)/extmod/modtrezorcrypto/trezor-crypto/blake2s.o \
 	$(BUILD_FW)/extmod/modtrezorcrypto/trezor-crypto/sha2.o \

 OBJ = $(OBJ_MOD) $(OBJ_MP) $(OBJ_FW)
--- a/Makefile.loader
+++ b/Makefile.loader
@ -81,6 +81,7 @@ CFLAGS_MOD += \

 OBJ_MOD += \
 	$(BUILD_FW)/extmod/modtrezorcrypto/trezor-crypto/ed25519-donna/ed25519.o \
+	$(BUILD_FW)/extmod/modtrezorcrypto/trezor-crypto/blake2s.o \
 	$(BUILD_FW)/extmod/modtrezorcrypto/trezor-crypto/sha2.o \

 OBJ = $(OBJ_MOD) $(OBJ_MP) $(OBJ_FW)
--- a/docs/bootloader.md
+++ b/docs/bootloader.md
@ -21,7 +21,8 @@ it will start in a firmware update mode, allowing a firmware update via USB.

 ## Common notes

-* Hash function used below is SHA-256 and signature system is Ed25519 (allows combining signatures by multiple keys into one).
+* Hash function used for computing data digest for signatures is BLAKE2s.
+* Signature system is Ed25519 (allows combining signatures by multiple keys into one).
 * All multibyte integer values are little endian.
 * There is a tool called [firmwarectl](../tools/firmwarectl) which checks validity of the loader/firmware images including their headers.

--- a/micropython/bootloader/crypto.c
+++ b/micropython/bootloader/crypto.c
@ -1,6 +1,6 @@
 #include <string.h>

-#include "sha2.h"
+#include "blake2s.h"
 #include "ed25519-donna/ed25519.h"

 #include "crypto.h"
@ -87,17 +87,17 @@ bool check_signature(const uint8_t *start)
        return false;
    }

-    uint8_t hash[SHA256_DIGEST_LENGTH];
-    SHA256_CTX ctx;
-    sha256_Init(&ctx);
-    sha256_Update(&ctx, start, 256 - 65);
+    uint8_t hash[BLAKE2S_DIGEST_LENGTH];
+    BLAKE2S_CTX ctx;
+    blake2s_Init(&ctx, BLAKE2S_DIGEST_LENGTH);
+    blake2s_Update(&ctx, start, 256 - 65);
    for (int i = 0; i < 65; i++) {
-        sha256_Update(&ctx, (const uint8_t *)"\x00", 1);
+        blake2s_Update(&ctx, (const uint8_t *)"\x00", 1);
    }
-    sha256_Update(&ctx, start + 256, codelen);
-    sha256_Final(&ctx, hash);
+    blake2s_Update(&ctx, start + 256, codelen);
+    blake2s_Final(&ctx, hash, BLAKE2S_DIGEST_LENGTH);

    const uint8_t *pub = get_pubkey(sigidx);

-    return pub && (0 == ed25519_sign_open(hash, SHA256_DIGEST_LENGTH, *(const ed25519_public_key *)pub, *(const ed25519_signature *)sig));
+    return pub && (0 == ed25519_sign_open(hash, BLAKE2S_DIGEST_LENGTH, *(const ed25519_public_key *)pub, *(const ed25519_signature *)sig));
 }
--- a/tools/firmwarectl
+++ b/tools/firmwarectl
@ -2,8 +2,8 @@
 import sys
 import struct
 import binascii
-import hashlib
 import ed25519
+import pyblake2


 # loader/firmware headers specification: https://github.com/trezor/trezor-core/blob/master/docs/bootloader.md
@ -27,7 +27,7 @@ def get_sig(data):
    print('Enter privkey: ', end='')
    seckey = binascii.unhexlify(input())
    signkey = ed25519.SigningKey(seckey)
-    digest = hashlib.sha256(data).digest()
+    digest = pyblake2.blake2s(data).digest()
    sigidx = (1, )
    sig = signkey.sign(digest)
    return sigidx, sig