Merge pull request #477 from Foundation-Devices/dev-v2.3.0

v2.3.0
Foundation-Devices · Feb 21, 2024 · 4595409 · 4595409
2 parents d0a317f + 6f4c199
commit 4595409
Show file tree

Hide file tree

Showing 123 changed files with 2,695 additions and 3,232 deletions.
diff --git a/.github/workflows/dependabot.yaml b/.github/workflows/dependabot.yaml
@@ -0,0 +1,13 @@
+# SPDX-FileCopyrightText:  © 2021 Foundation Devices, Inc. <hello@foundationdevices.com>
+# SPDX-License-Identifier: GPL-3.0-or-later
+#
+# dependabot.yaml - Set update schedule for GitHub Actions
+
+version: 2
+updates:
+
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      # Check for updates to GitHub Actions every week
+      interval: "weekly"
diff --git a/.github/workflows/validate_and_build.yaml b/.github/workflows/validate_and_build.yaml
@@ -17,20 +17,20 @@ jobs:
           - 5000:5000
 
     steps:
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@v4
       with:
         fetch-depth: 0
-    - uses: docker/setup-buildx-action@v1
+    - uses: docker/setup-buildx-action@v3
       with:
         driver-opts: network=host
-    - uses: docker/build-push-action@v2
+    - uses: docker/build-push-action@v5
       with:
         push: true
         context: .
         cache-from: type=gha
         cache-to: type=gha
         tags: localhost:5000/foundation-devices/passport2:latest
-    - uses: extractions/setup-just@aa5d15c144db4585980a44ebfdd2cf337c4f14cb
+    - uses: extractions/setup-just@69d82fb0233557aec017ef13706851d0694e0f1d
     - run: echo "DOCKER_IMAGE=localhost:5000/foundation-devices/passport2:latest" >> $GITHUB_ENV
 
     - name: Lint the codebase
@@ -43,7 +43,11 @@ jobs:
 
     strategy:
       matrix:
-        build: [{screen: "mono", suffix: "-founders-passport"}, {screen: "color", suffix: "-passport"}]
+        build:
+          [
+            { screen: 'mono', suffix: '-founders-passport', hash_suffix: '-founders'},
+            { screen: 'color', suffix: '-passport', hash_suffix: ''},
+          ]
 
     services:
       registry:
@@ -52,20 +56,20 @@ jobs:
           - 5000:5000
 
     steps:
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@v4
       with:
         fetch-depth: 0
-    - uses: docker/setup-buildx-action@v1
+    - uses: docker/setup-buildx-action@v3
       with:
         driver-opts: network=host
-    - uses: docker/build-push-action@v2
+    - uses: docker/build-push-action@v5
       with:
         push: true
         context: .
         cache-from: type=gha
         cache-to: type=gha
         tags: localhost:5000/foundation-devices/passport2:latest
-    - uses: extractions/setup-just@aa5d15c144db4585980a44ebfdd2cf337c4f14cb
+    - uses: extractions/setup-just@69d82fb0233557aec017ef13706851d0694e0f1d
     - run: |
         echo "DOCKER_IMAGE=localhost:5000/foundation-devices/passport2:latest" >> $GITHUB_ENV
         echo "SCREEN_MODE=$(echo "${{ matrix.build.screen }}" | tr a-z A-Z)" >> $GITHUB_ENV
@@ -76,22 +80,46 @@ jobs:
         version=$(cat version.txt)
         echo "version=$(cat version.txt)" >> $GITHUB_ENV
 
-        just sign signing_key.pem "${version}" ${{ matrix.build.screen }}
+        just hash signing_key.pem "${version}" build-Passport/v${version}-beta${{ matrix.build.suffix }}.bin ${{ matrix.build.screen}}
       env:
         SIGNING_KEY: ${{ secrets.UserSigningKey }}
 
     - name: Upload firmware (unsigned)
-      uses: actions/upload-artifact@v2
+      uses: actions/upload-artifact@v4
       with:
         name: v${{env.version}}-unsigned${{ matrix.build.suffix }}.bin
         path: ports/stm32/build-Passport/firmware-${{ env.SCREEN_MODE }}.bin
 
     - name: Upload firmware (signed)
-      uses: actions/upload-artifact@v2
+      uses: actions/upload-artifact@v4
       with:
         name: v${{env.version}}-beta${{ matrix.build.suffix }}.bin
         path: ports/stm32/build-Passport/v${{env.version}}-beta${{ matrix.build.suffix }}.bin
 
+    - name: Upload MD5 Hash
+      uses: actions/upload-artifact@v4
+      with:
+        name: v${{env.version}}${{ matrix.build.hash_suffix }}-md5
+        path: ports/stm32/build-Passport/v${{env.version}}-beta${{ matrix.build.hash_suffix }}-md5
+
+    - name: Upload Build Hash
+      uses: actions/upload-artifact@v4
+      with:
+        name: v${{env.version}}${{ matrix.build.hash_suffix }}-build-hash
+        path: ports/stm32/build-Passport/v${{env.version}}-beta${{ matrix.build.hash_suffix }}-build-hash
+
+    - name: Upload SHA256 Hash
+      uses: actions/upload-artifact@v4
+      with:
+        name: v${{env.version}}${{ matrix.build.hash_suffix }}-sha256
+        path: ports/stm32/build-Passport/v${{env.version}}-beta${{ matrix.build.hash_suffix }}-sha256
+
+    - name: Upload Hashes Markdown
+      uses: actions/upload-artifact@v4
+      with:
+        name: v${{env.version}}${{ matrix.build.hash_suffix }}-hashes.md
+        path: ports/stm32/build-Passport/v${{env.version}}-beta${{ matrix.build.hash_suffix }}-hashes.md
+
   build-bootloader:
     name: Build Bootloader
     runs-on: ubuntu-20.04
@@ -100,7 +128,7 @@ jobs:
     # TODO: PASS1-665.
     strategy:
       matrix:
-        screen: ["color"]
+        screen: ['color']
 
     services:
       registry:
@@ -109,20 +137,20 @@ jobs:
           - 5000:5000
 
     steps:
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@v4
       with:
         fetch-depth: 0
-    - uses: docker/setup-buildx-action@v1
+    - uses: docker/setup-buildx-action@v3
       with:
         driver-opts: network=host
-    - uses: docker/build-push-action@v2
+    - uses: docker/build-push-action@v5
       with:
         push: true
         context: .
         cache-from: type=gha
         cache-to: type=gha
         tags: localhost:5000/foundation-devices/passport2:latest
-    - uses: extractions/setup-just@aa5d15c144db4585980a44ebfdd2cf337c4f14cb
+    - uses: extractions/setup-just@69d82fb0233557aec017ef13706851d0694e0f1d
     - run: |
         echo "DOCKER_IMAGE=localhost:5000/foundation-devices/passport2:latest" >> $GITHUB_ENV
         echo "SCREEN_MODE=$(echo ${{ matrix.screen }} | tr a-z A-Z)" >> $GITHUB_ENV
@@ -131,7 +159,7 @@ jobs:
       run: just build-bootloader ${{ matrix.screen }}
 
     - name: Upload bootloader
-      uses: actions/upload-artifact@v2
+      uses: actions/upload-artifact@v4
       with:
         name: bootloader-${{ env.SCREEN_MODE }}.bin
         path: ports/stm32/boards/Passport/bootloader/arm/release/bootloader-${{ env.SCREEN_MODE }}.bin
@@ -143,7 +171,7 @@ jobs:
 
     strategy:
       matrix:
-        screen: ["mono", "color"]
+        screen: ['mono', 'color']
 
     services:
       registry:
@@ -152,20 +180,20 @@ jobs:
           - 5000:5000
 
     steps:
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@v4
       with:
         fetch-depth: 0
-    - uses: docker/setup-buildx-action@v1
+    - uses: docker/setup-buildx-action@v3
       with:
         driver-opts: network=host
-    - uses: docker/build-push-action@v2
+    - uses: docker/build-push-action@v5
       with:
         push: true
         context: .
         cache-from: type=gha
         cache-to: type=gha
         tags: localhost:5000/foundation-devices/passport2:latest
-    - uses: extractions/setup-just@aa5d15c144db4585980a44ebfdd2cf337c4f14cb
+    - uses: extractions/setup-just@69d82fb0233557aec017ef13706851d0694e0f1d
     - run: echo "DOCKER_IMAGE=localhost:5000/foundation-devices/passport2:latest" >> $GITHUB_ENV
 
     - name: Build
@@ -183,20 +211,20 @@ jobs:
           - 5000:5000
 
     steps:
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@v4
       with:
         fetch-depth: 0
-    - uses: docker/setup-buildx-action@v1
+    - uses: docker/setup-buildx-action@v3
       with:
         driver-opts: network=host
-    - uses: docker/build-push-action@v2
+    - uses: docker/build-push-action@v5
       with:
         push: true
         context: .
         cache-from: type=gha
         cache-to: type=gha
         tags: localhost:5000/foundation-devices/passport2:latest
-    - uses: extractions/setup-just@aa5d15c144db4585980a44ebfdd2cf337c4f14cb
+    - uses: extractions/setup-just@69d82fb0233557aec017ef13706851d0694e0f1d
     - run: echo "DOCKER_IMAGE=localhost:5000/foundation-devices/passport2:latest" >> $GITHUB_ENV
 
     - name: Build

diff --git a/DEVELOPMENT.md b/DEVELOPMENT.md
@@ -88,6 +88,9 @@ To build and sign the firmware with a Developer Pubkey, use one of the following
 
     just sign 2.0.4 color
     just sign 2.0.4 mono
+    just sign 2.0.4bB color
+
+Note that beta numbers can be added, delimited by a lowercase 'b', followed by the beta number as an uppercase hexidecimal character.
 
 If you just want to build without signing, use one of the following commands:
 

diff --git a/Dockerfile b/Dockerfile
@@ -44,7 +44,7 @@ RUN rustup component add clippy && \
 
 # Install binaries using cargo.
 RUN cargo install cbindgen@^0.24 && \
-    cargo install just@^1.13 && \
+    cargo install just@1.23.0 && \
     mv /cargo/bin/cbindgen /usr/local/bin/cbindgen && \
     mv /cargo/bin/just /usr/local/bin/just && \
     chmod 755 /usr/local/bin/cbindgen && \

diff --git a/Justfile b/Justfile
@@ -4,10 +4,13 @@
 # Justfile - Root-level Justfile for Passport
 
 export DOCKER_IMAGE := env_var_or_default('DOCKER_IMAGE', 'foundation-devices/passport2:latest')
+export DOCKER_CMD := env_var_or_default('DOCKER_CMD', 'docker')
+
+DOCKER_RUN := if DOCKER_CMD == 'docker' { 'docker run -u $(id -u):$(id -g)' } else { 'podman run' }
 
 # Build the docker image
 build-docker:
-    docker build -t ${DOCKER_IMAGE} .
+    $DOCKER_CMD build -t ${DOCKER_IMAGE} .
 
 # Build the firmware inside docker.
 build-firmware screen="mono": mpy-cross (run-in-docker ("just ports/stm32/build " + screen))
@@ -44,6 +47,9 @@ build-cosign: (run-in-docker "make -C ports/stm32/boards/Passport/tools/cosign")
 # Sign the built firmware using a private key and the cosign tool
 sign keypath version screen="mono": (build-firmware screen) (build-cosign) (run-in-docker ("just cosign_filepath=build-Passport/firmware-" + uppercase(screen) + ".bin cosign_keypath=" + keypath + " ports/stm32/sign " + version + " " + screen))
 
+# Produce hashes of the firmware
+hash keypath version file screen="mono": (sign keypath version screen) (run-in-docker ("just cosign_filepath=build-Passport/firmware-" + uppercase(screen) + ".bin cosign_keypath=" + keypath + " ports/stm32/hash " + file + " " + screen))
+
 # Clean firmware build
 clean: (run-in-docker "just ports/stm32/clean")
 
@@ -76,8 +82,7 @@ mpy-cross: (run-in-docker "make -C mpy-cross PROG=mpy-cross-docker BUILD=build-d
 
 [private]
 run-in-docker command:
-    docker run --rm -v "$PWD":/workspace \
-        -u $(id -u):$(id -g) \
+    {{DOCKER_RUN}} --rm \
         -v $(pwd):/workspace \
         -w /workspace \
         -e MPY_CROSS="/workspace/mpy-cross/mpy-cross-docker" \

diff --git a/REPRODUCIBILITY.md b/REPRODUCIBILITY.md
@@ -26,7 +26,7 @@ In order to build and verify the reproducibility of Passport firmware, you will
 
 - Get the source code
 - Install the dependencies
-    - [Docker](https://docs.docker.com/desktop/)
+    - [Docker](https://docs.docker.com/desktop/) or [Podman](https://podman.io/).
     - [Just](https://github.com/casey/just#installation)
 - Build the reproducible binaries
 - Verify the binaries match the:
@@ -54,13 +54,29 @@ Several tools are required for building and verifying Passport’s firmware.
 
 ### Install Docker
 
+:warning: Docker requires to add your user to the `docker` group which is root-equivalent and may pose a security risk for you. Consider using Podman if you don't want to add your user to the `docker` group. Building with `sudo` and Docker is not supported.
+
 The installation of Docker is most easily achieved by installing Docker Desktop on your given platform using the official docs linked below. Follow those directions, launch Docker Desktop, and accept the terms before proceeding:
 
 - [Windows](https://docs.docker.com/desktop/install/windows-install/)
 - [MacOS](https://docs.docker.com/desktop/install/mac-install/)
 - [Linux](https://docs.docker.com/desktop/install/linux-install/)
     - If you don’t want to require using `sudo` when running the `just` commands below, follow the [post-installation steps](https://docs.docker.com/engine/install/linux-postinstall/#manage-docker-as-a-non-root-user) to grant your user Docker permissions on Linux
 
+### Install Podman (optional)
+
+This step is optional if you already have Docker installed and your user is on the `docker` group.
+
+Podman does not require root or adding your user to another group, so this option is recommended for non-developer users that want to verify the reproducibility of the firmware only.
+
+- [Windows](https://podman.io/docs/installation#windows)
+- [MacOS](https://podman.io/docs/installation#macos)
+- [Linux](https://podman.io/docs/installation#installing-on-linux)
+
+Also, the following configuration files might need to be created after installation:
+
+- [Configuration files](https://podman.io/docs/installation#policyjson)
+
 ### Install Just
 
 Just is a powerful tool that allows us to provide scripts to perform all the necessary steps of building and verification. In order to use Just, you will need to install it using the following instructions for your given operating system:
@@ -105,6 +121,14 @@ just build-docker
 
 This command will take some time to run as it creates the image, including downloading and installing every tool necessary for the build process. As we use a Docker image here, not only will this ensure the binaries are always the same for a given version, but it also allows you to easily clean up after verifying the firmware and leave your system uncluttered.
 
+If you want to opt to use Docker instead of Podman, then you can prepend set the `DOCKER_CMD` environment variable to `podman`, for example:
+
+```bash
+DOCKER_CMD=podman just build-docker
+```
+
+This applies to other commands shown here as well that would normally require Docker in order to run.
+
 If you’d like to validate exactly how the `build-docker` Justfile command functions, you can find the relevant source code here:
 
 - [passport2/Justfile#L8-L10](https://github.com/Foundation-Devices/passport2/blob/6c6249e2c15f52c59db56b12b5f84213806a6533/Justfile#L8-L10)

diff --git a/extmod/foundation-rust/Cargo.lock b/extmod/foundation-rust/Cargo.lock
diff --git a/extmod/foundation/modtcc-codecs.c b/extmod/foundation/modtcc-codecs.c
@@ -113,6 +113,10 @@ STATIC mp_obj_t modtcc_bech32_encode(size_t n_args, const mp_obj_t *args) {
     const uint32_t segwit_version = mp_obj_int_get_checked(args[1]);
     uint32_t       bech32_version = BECH32_ENCODING_BECH32;
 
+    if (segwit_version > 0) {
+        bech32_version = BECH32_ENCODING_BECH32M;
+    }
+
     if (n_args == 4) {
         bech32_version = mp_obj_int_get_checked(args[3]);
     }