diff --git a/Makefile b/Makefile index 90069bb8..cf2af1d5 100644 --- a/Makefile +++ b/Makefile @@ -150,13 +150,12 @@ gdb_firmware: $(FIRMWARE_BUILD_DIR)/firmware.elf ## start remote gdb session to ## misc commands: -vendorheader: ## construct default vendor header +vendorheader: ## construct and sign the default vendor header ./tools/build_vendorheader e28a8970753332bd72fef413e6b0b2ef1b4aadda7aa2c141f233712a6876b351:d4eec1869fb1b8a4e817516ad5a931557cb56805c3eb16e8f3a803d647df7869:772c8a442b7db06e166cfbc1ccbcbcde6f3eba76a4e98ef3ffc519502237d6ef 2 0.0 10 DEVELOPMENT assets/vendor_devel.toif embed/firmware/vendorheader.bin - ./tools/binctl embed/firmware/vendorheader.bin -s 1:2 4444444444444444444444444444444444444444444444444444444444444444:4545454545454545454545454545454545454545454545454545454545454545 + ./tools/binctl embed/firmware/vendorheader.bin -s 1:2 `./tools/combine_sign vendorheader embed/firmware/vendorheader.bin 4444444444444444444444444444444444444444444444444444444444444444 4545454545454545454545454545454545454545454545454545454545454545` vendorheader_sl: ## construct SatoshiLabs vendor header ./tools/build_vendorheader 47fbdc84d8abef44fe6abde8f87b6ead821b7082ec63b9f7cc33dc53bf6c708d:03fdd9a9c3911652d5effca4540d96ed92d85850a47d256ab0a2d728c0d1a298:2218c25f8ba70c82eba8ed6a321df209c0a7643d014f33bf9317846f62923830 2 0.0 80 SatoshiLabs assets/vendor_satoshilabs.toif embed/firmware/vendorheader_sl.bin - ./tools/binctl embed/firmware/vendorheader_sl.bin -s 1:2 trezor:trezor binctl: ## print info about binary files ./tools/binctl $(BOOTLOADER_BUILD_DIR)/bootloader.bin diff --git a/SConscript.bootloader b/SConscript.bootloader index 1a985bfe..198ae22f 100644 --- a/SConscript.bootloader +++ b/SConscript.bootloader @@ -146,7 +146,9 @@ env.Replace( ASPPFLAGS='$CFLAGS $CCFLAGS', ) env.Replace( - BINCTL='tools/binctl', ) + BINCTL='tools/binctl', + COMBINE_SIGN='tools/combine_sign', +) # # Program objects 
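Review bot: The backtick substitution on the new `./tools/binctl embed/firmware/vendorheader.bin -s 1:2 ...` line hides a failed signing step: the recipe's exit status is binctl's alone, so if combine_sign fails or prints nothing, binctl runs with a missing or partial signature argument, and whether the build stops depends on how binctl handles that. Running the signer as its own command surfaces the failure, e.g. `sig=$$(./tools/combine_sign vendorheader embed/firmware/vendorheader.bin <key1> <key2>) && ./tools/binctl embed/firmware/vendorheader.bin -s 1:2 "$$sig"`. The same pattern appears in the `program_bin` actions of SConscript.bootloader (@@ -170) and SConscript.firmware (@@ -428). The repeated-byte values are now passed as secret keys rather than placeholder signatures, so a comment such as `# development-only signing keys, never valid for release images` above the target would help. The vendorheader_sl target also loses its binctl step, which presumably means that header is signed elsewhere and is worth stating in its help text.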
@@ -170,5 +172,5 @@ program_bin = env.Command( source=program_elf, action=[ '$OBJCOPY -O binary -j .header -j .flash -j .data $SOURCE $TARGET', - '$BINCTL $TARGET -s 1:2 4141414141414141414141414141414141414141414141414141414141414141:4242424242424242424242424242424242424242424242424242424242424242', + '$BINCTL $TARGET -s 1:2 `$COMBINE_SIGN bootloader $TARGET 4141414141414141414141414141414141414141414141414141414141414141 4242424242424242424242424242424242424242424242424242424242424242`', ], ) diff --git a/SConscript.firmware b/SConscript.firmware index ed222081..9b112c56 100644 --- a/SConscript.firmware +++ b/SConscript.firmware @@ -353,7 +353,9 @@ env.Replace( MAKEVERSIONHDR='$PYTHON vendor/micropython/py/makeversionhdr.py', MPY_TOOL='$PYTHON vendor/micropython/tools/mpy-tool.py', MPY_CROSS='vendor/micropython/mpy-cross/mpy-cross', - BINCTL='tools/binctl', ) + BINCTL='tools/binctl', + COMBINE_SIGN='tools/combine_sign', +) # # Micropython version @@ -428,5 +430,5 @@ program_bin = env.Command( source=program_elf, action=[ '$OBJCOPY -O binary -j .header -j .flash -j .data $SOURCE $TARGET', - '$BINCTL $TARGET -s 1:2 4747474747474747474747474747474747474747474747474747474747474747:4848484848484848484848484848484848484848484848484848484848484848', + '$BINCTL $TARGET -s 1:2 `$COMBINE_SIGN firmware $TARGET 4747474747474747474747474747474747474747474747474747474747474747 4848484848484848484848484848484848484848484848484848484848484848`', ], ) diff --git a/tools/combine_sign b/tools/combine_sign new file mode 100755 index 00000000..f2fa12dd --- /dev/null +++ b/tools/combine_sign 
@@ -0,0 +1,27 @@
+#!/bin/bash
+
+TOOLDIR=$(dirname $0)
+
+TYPE=$1
+FILE=$2
+shift
+shift
+SECKEYS=$*
+
+COMMITS=""
+
+for seckey in $SECKEYS; do
+ commit=$( $TOOLDIR/keyctl commit $TYPE $FILE $seckey )
+ COMMITS="$COMMITS $commit"
+done
+
+global_commit=$( $TOOLDIR/keyctl global_commit $COMMITS )
+
+SIGS=""
+
+for seckey in $SECKEYS; do
+ sig=$( $TOOLDIR/keyctl sign $TYPE $FILE $global_commit $seckey )
+ SIGS="$SIGS $sig"
+done
+
+$TOOLDIR/keyctl global_sign $FILE $global_commit $SIGS
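Review bot: The script has no error handling, so a failing `keyctl commit` or `keyctl sign` leaves an empty entry and the later steps still run on partial input; because the callers invoke it inside backticks, that failure never reaches the build. Adding `set -euo pipefail`, an argument-count check and quoting fixes this (`$0`, `$FILE` and the key list are all expanded unquoted), as sketched below on the assumption that each keyctl call prints a single token. Secret keys are handed to keyctl on the command line, where other local users can read them from the process list. That is acceptable for the fixed development keys the callers use, but it deserves a header comment such as `# development keys only: secret keys are passed via argv`.

```shell
#!/bin/bash
set -euo pipefail

if (( $# < 3 )); then
    printf 'usage: %s TYPE FILE SECKEY...\n' "${0##*/}" >&2
    exit 2
fi

tooldir=$(dirname -- "$0")
type=$1
file=$2
shift 2
seckeys=("$@")

commits=()
for seckey in "${seckeys[@]}"; do
    # plain assignment first so a keyctl failure trips set -e
    commit=$("$tooldir/keyctl" commit "$type" "$file" "$seckey")
    commits+=("$commit")
done

global_commit=$("$tooldir/keyctl" global_commit "${commits[@]}")

sigs=()
for seckey in "${seckeys[@]}"; do
    sig=$("$tooldir/keyctl" sign "$type" "$file" "$global_commit" "$seckey")
    sigs+=("$sig")
done

"$tooldir/keyctl" global_sign "$file" "$global_commit" "${sigs[@]}"
```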