From 706ddda1a7039853c4e163dd4bf3d5b74d3427f1 Mon Sep 17 00:00:00 2001
From: Pavol Rusnak
Date: Sun, 28 Jan 2018 17:30:46 +0100
Subject: [PATCH] tools: update keyctl to work with already signed binaries

---
SConscript.bootloader | 3 +--
SConscript.firmware | 3 +--
SConscript.prodtest | 3 +--
SConscript.reflash | 3 +--
tools/combine_sign | 2 +-
tools/keyctl | 19 ++++++++++++++++++-
6 files changed, 23 insertions(+), 10 deletions(-)
diff --git a/SConscript.bootloader b/SConscript.bootloader
index e74b715e..a84f9dee 100644
--- a/SConscript.bootloader
+++ b/SConscript.bootloader
@@ -182,6 +182,5 @@ program_bin = env.Command(
 action=[
 '$OBJCOPY -O binary -j .header -j .flash -j .data $SOURCE $TARGET',
 '$BINCTL $TARGET -h',
- 'dd if=$TARGET of=build/bootloader/header.tosign bs=1 count=1024',
- '$BINCTL $TARGET -s 1:2 `$COMBINE_SIGN bootloader build/bootloader/header.tosign 4141414141414141414141414141414141414141414141414141414141414141 4242424242424242424242424242424242424242424242424242424242424242`',
+ '$BINCTL $TARGET -s 1:2 `$COMBINE_SIGN bootloader $TARGET 4141414141414141414141414141414141414141414141414141414141414141 4242424242424242424242424242424242424242424242424242424242424242`',
 ],
 )
diff --git a/SConscript.firmware b/SConscript.firmware
index f993db5a..039bf986 100644
--- a/SConscript.firmware
+++ b/SConscript.firmware
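Review bot: Which bytes of `$TARGET` actually get signed is no longer visible in this action list: the removed `dd … count=1024` step made the 1024-byte header explicit, whereas the new line hands the whole binary to `$COMBINE_SIGN` and leaves the carving to keyctl's new `header_to_sign`, so the action list should carry a comment such as `# combine_sign/keyctl extract the header from $TARGET and zero its signature slot before signing, so an already signed image can be re-signed`. For the bootloader the keyctl slice (`data[:0x03BF]` plus 65 zero bytes) adds up to the same 1024 bytes, so that case looks consistent; the firmware case depends on a vendorheader length that keyctl reads with struct.unpack, which is cut off in this patch and is worth checking against the skip expression of the removed dd step. The same applies to the SConscript.firmware, SConscript.prodtest and SConscript.reflash hunks, and with the dd step gone nothing here writes build/*/header.tosign any more, so any clean rule or ignore entry for that file is presumably stale. The enclosing `program_bin = env.Command(` call starts before the hunk.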
@@ -418,6 +418,5 @@ program_bin = env.Command(
 action=[
 '$OBJCOPY -O binary -j .vendorheader -j .header -j .flash -j .data $SOURCE $TARGET',
 '$BINCTL $TARGET -h',
- 'dd if=$TARGET of=build/firmware/header.tosign bs=1 count=1024 skip=`wc -c < embed/firmware/vendorheader.bin | tr -d " "`',
- '$BINCTL $TARGET -s 1:2 `$COMBINE_SIGN firmware build/firmware/header.tosign 4747474747474747474747474747474747474747474747474747474747474747 4848484848484848484848484848484848484848484848484848484848484848`',
+ '$BINCTL $TARGET -s 1:2 `$COMBINE_SIGN firmware $TARGET 4747474747474747474747474747474747474747474747474747474747474747 4848484848484848484848484848484848484848484848484848484848484848`',
 ],
 )
diff --git a/SConscript.prodtest b/SConscript.prodtest
index d04e6c31..eea4b4e9 100644
--- a/SConscript.prodtest
+++ b/SConscript.prodtest
@@ -154,6 +154,5 @@ program_bin = env.Command(
 action=[
 '$OBJCOPY -O binary -j .vendorheader -j .header -j .flash -j .data $SOURCE $TARGET',
 '$BINCTL $TARGET -h',
- 'dd if=$TARGET of=build/prodtest/header.tosign bs=1 count=1024 skip=`wc -c < embed/firmware/vendorheader.bin | tr -d " "`',
- '$BINCTL $TARGET -s 1:2 `$COMBINE_SIGN firmware build/prodtest/header.tosign 4747474747474747474747474747474747474747474747474747474747474747 4848484848484848484848484848484848484848484848484848484848484848`',
+ '$BINCTL $TARGET -s 1:2 `$COMBINE_SIGN firmware $TARGET 4747474747474747474747474747474747474747474747474747474747474747 4848484848484848484848484848484848484848484848484848484848484848`',
 ],
 )
diff --git a/SConscript.reflash b/SConscript.reflash
index b4b0c301..baa81d2a 100644
--- a/SConscript.reflash
+++ b/SConscript.reflash
@@ -154,6 +154,5 @@ program_bin = env.Command(
 action=[
 '$OBJCOPY -O binary -j .vendorheader -j .header -j .flash -j .data $SOURCE $TARGET',
 '$BINCTL $TARGET -h',
- 'dd if=$TARGET of=build/reflash/header.tosign bs=1 count=1024 skip=`wc -c < embed/firmware/vendorheader.bin | tr -d " "`',
- '$BINCTL $TARGET -s 1:2 `$COMBINE_SIGN firmware build/reflash/header.tosign 4747474747474747474747474747474747474747474747474747474747474747 4848484848484848484848484848484848484848484848484848484848484848`',
+ '$BINCTL $TARGET -s 1:2 `$COMBINE_SIGN firmware $TARGET 4747474747474747474747474747474747474747474747474747474747474747 4848484848484848484848484848484848484848484848484848484848484848`',
 ],
 )
diff --git a/tools/combine_sign b/tools/combine_sign
index f2fa12dd..e71fc717 100755
--- a/tools/combine_sign
+++ b/tools/combine_sign
@@ -24,4 +24,4 @@ for seckey in $SECKEYS; do
 SIGS="$SIGS $sig"
 done
-$TOOLDIR/keyctl global_sign $FILE $global_commit $SIGS
+$TOOLDIR/keyctl global_sign $TYPE $FILE $global_commit $SIGS
diff --git a/tools/keyctl b/tools/keyctl
index d7ec4449..cbcaf674 100755
--- a/tools/keyctl
+++ b/tools/keyctl
@@ -3,6 +3,7 @@
 import binascii
 import click
 import pyblake2
+import struct
 from trezorlib import ed25519raw, ed25519cosi
@@ -24,6 +25,18 @@ def get_trezor():
 raise Exception('No TREZOR found')
+def header_to_sign(index, data):
+ z = bytes(65 * [0x00])
+ if index == 0: # bootloader
+ return data[:0x03BF] + z
+ elif index == 1: # vendorheader
+ return data[:-65] + z
+ elif index == 2: # firmware
+ vlen = struct.unpack('