#!/usr/bin/env bash set -e -o pipefail cd "$(dirname "${BASH_SOURCE[0]}")" ############## Select the right Alpine architecture ############## if [ -z "$ALPINE_ARCH" ]; then arch="$(uname -m)" case "$arch" in aarch64|arm64) ALPINE_ARCH="aarch64" ;; x86_64) ALPINE_ARCH="x86_64" ;; *) echo "Unsupported arch" exit esac fi if [ -z "$ALPINE_CHECKSUM" ]; then case "$ALPINE_ARCH" in aarch64) ALPINE_CHECKSUM="1be50ae27c8463d005c4de16558d239e11a88ac6b2f8721c47e660fbeead69bf" ;; x86_64) ALPINE_CHECKSUM="ec7ec80a96500f13c189a6125f2dbe8600ef593b87fc4670fe959dc02db727a2" ;; *) exit esac fi DOCKER=${DOCKER:-docker} CONTAINER_NAME=${CONTAINER_NAME:-trezor-firmware-env.nix} ALPINE_CDN=${ALPINE_CDN:-https://dl-cdn.alpinelinux.org/alpine} ALPINE_RELEASE=${ALPINE_RELEASE:-3.15} ALPINE_VERSION=${ALPINE_VERSION:-3.15.0} ALPINE_TARBALL=${ALPINE_FILE:-alpine-minirootfs-$ALPINE_VERSION-$ALPINE_ARCH.tar.gz} NIX_VERSION=${NIX_VERSION:-2.4} CONTAINER_FS_URL=${CONTAINER_FS_URL:-"$ALPINE_CDN/v$ALPINE_RELEASE/releases/$ALPINE_ARCH/$ALPINE_TARBALL"} ############## Options parsing ############## function help_and_die() { echo "Usage: $0 [options] tag" echo "Options:" echo " --skip-bitcoinonly - do not build bitcoin-only firmwares" echo " --skip-normal - do not build regular firmwares" echo " --skip-core - do not build core" echo " --skip-legacy - do not build legacy" echo " --prodtest - build core prodtest" echo " --repository path/to/repo - checkout the repository from the given path/url" echo " --no-init - do not recreate docker environments" echo " --models - comma-separated list of models. default: --models R,T" echo " --help" echo echo "Set PRODUCTION=0 to run non-production builds." exit 0 } OPT_BUILD_CORE=1 OPT_BUILD_LEGACY=1 OPT_BUILD_NORMAL=1 OPT_BUILD_BITCOINONLY=1 OPT_BUILD_PRODTEST=0 INIT=1 MODELS=(R T) REPOSITORY="/local" while true; do case "$1" in -h|--help) help_and_die ;; --skip-bitcoinonly) OPT_BUILD_BITCOINONLY=0 shift ;; --skip-normal) OPT_BUILD_NORMAL=0 shift ;; --skip-core) OPT_BUILD_CORE=0 shift ;; --skip-legacy) OPT_BUILD_LEGACY=0 shift ;; --prodtest) OPT_BUILD_PRODTEST=1 shift ;; --repository) REPOSITORY="$2" shift 2 ;; --no-init) INIT=0 shift ;; --models) # take comma-separated next argument and turn it into an array IFS=',' read -r -a MODELS <<< "$2" shift 2 ;; *) break ;; esac done if [ -z "$1" ]; then help_and_die fi ################## Variant selection ################## variants=() if [ "$OPT_BUILD_NORMAL" -eq 1 ]; then variants+=(0) fi if [ "$OPT_BUILD_BITCOINONLY" -eq 1 ]; then variants+=(1) fi VARIANTS_core=() VARIANTS_legacy=() if [ "$OPT_BUILD_CORE" -eq 1 ]; then VARIANTS_core=("${variants[@]}") fi if [ "$OPT_BUILD_LEGACY" -eq 1 ]; then VARIANTS_legacy=("${variants[@]}") fi TAG="$1" COMMIT_HASH="$(git rev-parse "$TAG")" PRODUCTION=${PRODUCTION:-1} if which wget > /dev/null ; then wget --no-config -nc -P ci/ "$CONTAINER_FS_URL" else if ! [ -f "ci/$ALPINE_TARBALL" ]; then curl -L -o "ci/$ALPINE_TARBALL" "$CONTAINER_FS_URL" fi fi # check alpine checksum if command -v sha256sum &> /dev/null ; then echo "${ALPINE_CHECKSUM} ci/${ALPINE_TARBALL}" | sha256sum -c else echo "${ALPINE_CHECKSUM} ci/${ALPINE_TARBALL}" | shasum -a 256 -c fi tag_clean="${TAG//[^a-zA-Z0-9]/_}" SNAPSHOT_NAME="${CONTAINER_NAME}__${tag_clean}" mkdir -p build/core build/legacy mkdir -p build/core-bitcoinonly build/legacy-bitcoinonly # if not initializing, does the image exist? if [ $INIT -eq 0 ] && ! $DOCKER image inspect $SNAPSHOT_NAME > /dev/null; then echo "Image $SNAPSHOT_NAME does not exist." exit 1 fi GIT_CLEAN_REPO="git clean -dfx -e .venv" SCRIPT_NAME="._setup_script" if [ $INIT -eq 1 ]; then SELECTED_CONTAINER="$CONTAINER_NAME" echo echo ">>> DOCKER BUILD ALPINE_VERSION=$ALPINE_VERSION ALPINE_ARCH=$ALPINE_ARCH NIX_VERSION=$NIX_VERSION -t $CONTAINER_NAME" echo $DOCKER build \ --network=host \ --build-arg ALPINE_VERSION="$ALPINE_VERSION" \ --build-arg ALPINE_ARCH="$ALPINE_ARCH" \ --build-arg NIX_VERSION="$NIX_VERSION" \ -t "$CONTAINER_NAME" \ ci/ cat <<EOF > "$SCRIPT_NAME" #!/bin/bash set -e -o pipefail mkdir -p /reproducible-build cd /reproducible-build git clone "$REPOSITORY" trezor-firmware cd trezor-firmware EOF else # init == 0 SELECTED_CONTAINER="$SNAPSHOT_NAME" cat <<EOF > "$SCRIPT_NAME" #!/bin/bash set -e -o pipefail cd /reproducible-build/trezor-firmware EOF fi # init # append common part to script cat <<EOF >> "$SCRIPT_NAME" $GIT_CLEAN_REPO git fetch origin "$COMMIT_HASH" git checkout "$COMMIT_HASH" git submodule update --init --recursive poetry install cd core/embed/rust cargo fetch echo echo ">>> AT COMMIT \$(git rev-parse HEAD)" echo EOF echo echo ">>> DOCKER REFRESH $SNAPSHOT_NAME" echo $DOCKER run \ --network=host \ -t \ -v "$PWD:/local" \ -v "$PWD/build:/build" \ --name "$SNAPSHOT_NAME" \ "$SELECTED_CONTAINER" \ /nix/var/nix/profiles/default/bin/nix-shell --run "bash /local/$SCRIPT_NAME" \ || ($DOCKER rm "$SNAPSHOT_NAME"; exit 1) rm $SCRIPT_NAME echo echo ">>> DOCKER COMMIT $SNAPSHOT_NAME" echo $DOCKER commit "$SNAPSHOT_NAME" "$SNAPSHOT_NAME" $DOCKER rm "$SNAPSHOT_NAME" # stat under macOS has slightly different cli interface USER=$(stat -c "%u" . 2>/dev/null || stat -f "%u" .) GROUP=$(stat -c "%g" . 2>/dev/null || stat -f "%g" .) DIR=$(pwd) # build core for TREZOR_MODEL in ${MODELS[@]}; do for BITCOIN_ONLY in ${VARIANTS_core[@]}; do DIRSUFFIX=${BITCOIN_ONLY/1/-bitcoinonly} DIRSUFFIX=${DIRSUFFIX/0/} DIRSUFFIX="-${TREZOR_MODEL}${DIRSUFFIX}" SCRIPT_NAME=".build_core_${TREZOR_MODEL}_${BITCOIN_ONLY}.sh" cat <<EOF > "build/$SCRIPT_NAME" # DO NOT MODIFY! # this file was generated by ${BASH_SOURCE[0]} # variant: core build BITCOIN_ONLY=$BITCOIN_ONLY TREZOR_MODEL=$TREZOR_MODEL set -e -o pipefail cd /reproducible-build/trezor-firmware/core $GIT_CLEAN_REPO poetry run make clean vendor build_boardloader build_bootloader build_firmware for item in bootloader firmware; do poetry run ../python/tools/firmware-fingerprint.py \ -o build/\$item/\$item.bin.fingerprint \ build/\$item/\$item.bin done rm -rf /build/* cp -r build/* /build chown -R $USER:$GROUP /build EOF echo echo ">>> DOCKER RUN core BITCOIN_ONLY=$BITCOIN_ONLY TREZOR_MODEL=$TREZOR_MODEL PRODUCTION=$PRODUCTION" echo $DOCKER run \ --network=host \ -it \ --rm \ -v "$DIR:/local" \ -v "$DIR/build/core$DIRSUFFIX":/build:z \ --env BITCOIN_ONLY="$BITCOIN_ONLY" \ --env TREZOR_MODEL="$TREZOR_MODEL" \ --env PRODUCTION="$PRODUCTION" \ --init \ "$SNAPSHOT_NAME" \ /nix/var/nix/profiles/default/bin/nix-shell --run "bash /local/build/$SCRIPT_NAME" done done # build legacy for BITCOIN_ONLY in ${VARIANTS_legacy[@]}; do DIRSUFFIX=${BITCOIN_ONLY/1/-bitcoinonly} DIRSUFFIX=${DIRSUFFIX/0/} SCRIPT_NAME=".build_legacy_$BITCOIN_ONLY.sh" cat <<EOF > "build/$SCRIPT_NAME" # DO NOT MODIFY! # this file was generated by ${BASH_SOURCE[0]} # variant: legacy build BITCOIN_ONLY=$BITCOIN_ONLY set -e -o pipefail cd /reproducible-build/trezor-firmware/legacy $GIT_CLEAN_REPO ln -s /build build poetry run script/cibuild mkdir -p build/bootloader build/firmware build/intermediate_fw cp bootloader/bootloader.bin build/bootloader/bootloader.bin cp intermediate_fw/trezor.bin build/intermediate_fw/inter.bin cp firmware/trezor.bin build/firmware/firmware.bin cp firmware/firmware*.bin build/firmware/ || true # ignore missing file as it will not be present in old tags cp firmware/trezor.elf build/firmware/firmware.elf poetry run ../python/tools/firmware-fingerprint.py \ -o build/firmware/firmware.bin.fingerprint \ build/firmware/firmware.bin chown -R $USER:$GROUP /build EOF echo echo ">>> DOCKER RUN legacy BITCOIN_ONLY=$BITCOIN_ONLY PRODUCTION=$PRODUCTION" echo $DOCKER run \ --network=host \ -it \ --rm \ -v "$DIR:/local" \ -v "$DIR/build/legacy$DIRSUFFIX":/build:z \ --env BITCOIN_ONLY="$BITCOIN_ONLY" \ --env PRODUCTION="$PRODUCTION" \ --init \ "$SNAPSHOT_NAME" \ /nix/var/nix/profiles/default/bin/nix-shell --run "bash /local/build/$SCRIPT_NAME" done if [ "$OPT_BUILD_PRODTEST" -eq "1" ]; then for TREZOR_MODEL in ${MODELS[@]}; do DIRSUFFIX="-${TREZOR_MODEL}-prodtest" SCRIPT_NAME=".build_${TREZOR_MODEL}-prodtest.sh" cat <<EOF > "build/$SCRIPT_NAME" # DO NOT MODIFY! # this file was generated by ${BASH_SOURCE[0]} # variant: core build prodtest set -e -o pipefail cd /reproducible-build/trezor-firmware/core $GIT_CLEAN_REPO poetry run make clean vendor build_prodtest poetry run ../python/tools/firmware-fingerprint.py \ -o build/prodtest/prodtest.bin.fingerprint \ build/prodtest/prodtest.bin rm -rf /build/* cp -r build/* /build chown -R $USER:$GROUP /build EOF echo echo ">>> DOCKER RUN core prodtest TREZOR_MODEL=$TREZOR_MODEL PRODUCTION=$PRODUCTION" echo $DOCKER run \ --network=host \ -it \ --rm \ -v "$DIR:/local" \ -v "$DIR/build/core$DIRSUFFIX":/build:z \ --env TREZOR_MODEL="$TREZOR_MODEL" \ --env PRODUCTION="$PRODUCTION" \ --init \ "$SNAPSHOT_NAME" \ /nix/var/nix/profiles/default/bin/nix-shell --run "bash /local/build/$SCRIPT_NAME" done fi echo echo "Docker image retained as $SNAPSHOT_NAME" echo "To remove it, run:" echo " docker rmi $SNAPSHOT_NAME" # all built, show fingerprints echo echo "Built from commit $COMMIT_HASH" echo echo "Fingerprints:" for VARIANT in core legacy; do for MODEL in "R" "T"; do for DIRSUFFIX in "" "-bitcoinonly" "-prodtest"; do BUILD_DIR=build/${VARIANT}-${MODEL}${DIRSUFFIX} for file in $BUILD_DIR/*/*.fingerprint; do if [ -f "$file" ]; then origfile="${file%.fingerprint}" fingerprint=$(tr -d '\n' < $file) echo "$fingerprint $origfile" fi done done done done