introduce new memory layout

firmware header is now stored with code, not within the storage sectors

Author: prusnak

Makefile.include

@@ -134,8 +134,10 @@ endif
 
 ifeq ($(MEMORY_PROTECT), 0)
 CFLAGS += -DMEMORY_PROTECT=0
+$(info MEMORY_PROTECT=0)
 else
 CFLAGS += -DMEMORY_PROTECT=1
+$(info MEMORY_PROTECT=1)
 endif
 
 ifeq ($(DEBUG_RNG), 1)
@@ -159,7 +161,7 @@ flash: $(NAME).bin
 	$(OPENOCD) -c "init; reset halt; flash write_image erase $(NAME).bin 0x8000000; exit"
 
 upload: sign
-	trezorctl firmware_update -f $(NAME).bin
+	trezorctl firmware_update -f $(NAME).bin -s
 
 sign: $(NAME).bin
 	$(PYTHON) ../bootloader/firmware_sign.py -f $(NAME).bin

bootloader/bootloader.c

@@ -24,6 +24,7 @@
 #include <libopencm3/cm3/scb.h>
 
 #include "bootloader.h"
+#include "signatures.h"
 #include "buttons.h"
 #include "setup.h"
 #include "usb.h"
@@ -33,8 +34,9 @@
 #include "layout.h"
 #include "rng.h"
 #include "timer.h"
+#include "memory.h"
 
-void layoutFirmwareHash(const uint8_t *hash)
+void layoutFirmwareFingerprint(const uint8_t *hash)
 {
 	char str[4][17];
 	for (int i = 0; i < 4; i++) {
@@ -43,68 +45,53 @@ void layoutFirmwareHash(const uint8_t *hash)
 	layoutDialog(&bmp_icon_question, "Abort", "Continue", "Compare fingerprints", str[0], str[1], str[2], str[3], NULL, NULL);
 }
 
-void show_halt(void)
+bool get_button_response(void)
+{
+	do {
+		delay(100000);
+		buttonUpdate();
+	} while (!button.YesUp && !button.NoUp);
+	return button.YesUp;
+}
+
+static void show_halt(void)
 {
-	layoutDialog(&bmp_icon_error, NULL, NULL, NULL, "Unofficial firmware", "aborted.", NULL, "Unplug your TREZOR", "contact our support.", NULL);
+	layoutDialog(&bmp_icon_error, NULL, NULL, NULL, "Unofficial firmware", "aborted.", NULL, "Unplug your TREZOR,", "reinstall firmware.", NULL);
 	shutdown();
 }
 
-void show_unofficial_warning(const uint8_t *hash)
+static void show_unofficial_warning(const uint8_t *hash)
 {
 	layoutDialog(&bmp_icon_warning, "Abort", "I'll take the risk", NULL, "WARNING!", NULL, "Unofficial firmware", "detected.", NULL, NULL);
 
-	do {
-		delay(100000);
-		buttonUpdate();
-	} while (!button.YesUp && !button.NoUp);
-
-	if (button.NoUp) {
-		show_halt(); // no button was pressed -> halt
+	bool but = get_button_response();
+	if (!but) {  // no button was pressed -> halt
+		show_halt();
 	}
 
-	layoutFirmwareHash(hash);
+	layoutFirmwareFingerprint(hash);
 
-	do {
-		delay(100000);
-		buttonUpdate();
-	} while (!button.YesUp && !button.NoUp);
-
-	if (button.NoUp) {
-		show_halt(); // no button was pressed -> halt
+	but = get_button_response();
+	if (!but) {  // no button was pressed -> halt
+		show_halt();
 	}
 
 	// everything is OK, user pressed 2x Continue -> continue program
 }
 
-void __attribute__((noreturn)) load_app(int signed_firmware)
+static void __attribute__((noreturn)) load_app(int signed_firmware)
 {
 	// zero out SRAM
 	memset_reg(_ram_start, _ram_end, 0);
 
 	jump_to_firmware((const vector_table_t *) FLASH_PTR(FLASH_APP_START), signed_firmware);
 }
 
-bool firmware_present(void)
-{
-#ifndef APPVER
-	if (memcmp(FLASH_PTR(FLASH_META_MAGIC), "TRZR", 4)) { // magic does not match
-		return false;
-	}
-	if (*((const uint32_t *)FLASH_PTR(FLASH_META_CODELEN)) < 4096) { // firmware reports smaller size than 4kB
-		return false;
-	}
-	if (*((const uint32_t *)FLASH_PTR(FLASH_META_CODELEN)) > FLASH_TOTAL_SIZE - (FLASH_APP_START - FLASH_ORIGIN)) { // firmware reports bigger size than flash size
-		return false;
-	}
-#endif
-	return true;
-}
-
-void bootloader_loop(void)
+static void bootloader_loop(void)
 {
 	oledClear();
 	oledDrawBitmap(0, 0, &bmp_logo64);
-	if (firmware_present()) {
+	if (firmware_present_new()) {
 		oledDrawStringCenter(90, 10, "TREZOR", FONT_STANDARD);
 		oledDrawStringCenter(90, 30, "Bootloader", FONT_STANDARD);
 		oledDrawStringCenter(90, 50, VERSTR(VERSION_MAJOR) "." VERSTR(VERSION_MINOR) "." VERSTR(VERSION_PATCH), FONT_STANDARD);
@@ -115,7 +102,7 @@ void bootloader_loop(void)
 	}
 	oledRefresh();
 
-	usbLoop(firmware_present());
+	usbLoop();
 }
 
 int main(void)
@@ -136,19 +123,26 @@ int main(void)
 	uint16_t state = gpio_port_read(BTN_PORT);
 	int unpressed = ((state & BTN_PIN_YES) == BTN_PIN_YES || (state & BTN_PIN_NO) == BTN_PIN_NO);
 
-	if (firmware_present() && unpressed) {
+	if (firmware_present_new() && unpressed) {
 
 		oledClear();
 		oledDrawBitmap(40, 0, &bmp_logo64_empty);
 		oledRefresh();
 
-		uint8_t hash[32];
-		int signed_firmware = signatures_ok(hash);
+		const image_header *hdr = (const image_header *)FLASH_PTR(FLASH_FWHEADER_START);
+
+		uint8_t fingerprint[32];
+		int signed_firmware = signatures_new_ok(hdr, fingerprint);
 		if (SIG_OK != signed_firmware) {
-			show_unofficial_warning(hash);
+			show_unofficial_warning(fingerprint);
 			timer_init();
 		}
 
+		if (SIG_OK != check_firmware_hashes(hdr)) {
+			layoutDialog(&bmp_icon_error, NULL, NULL, NULL, "Broken firmware", "detected.", NULL, "Unplug your TREZOR,", "reinstall firmware.", NULL);
+			shutdown();
+		}
+
 		mpu_config_off();
 		load_app(signed_firmware);
 	}

bootloader/bootloader.h

@@ -21,20 +21,20 @@
 #define __BOOTLOADER_H__
 
 #define VERSION_MAJOR 1
-#define VERSION_MINOR 6
-#define VERSION_PATCH 1
+#define VERSION_MINOR 8
+#define VERSION_PATCH 0
 
 #define STR(X) #X
 #define VERSTR(X) STR(X)
 
 #define VERSION_MAJOR_CHAR "\x01"
-#define VERSION_MINOR_CHAR "\x06"
-#define VERSION_PATCH_CHAR "\x01"
+#define VERSION_MINOR_CHAR "\x08"
+#define VERSION_PATCH_CHAR "\x00"
 
+#include <stdint.h>
 #include <stdbool.h>
-#include "memory.h"
 
-void layoutFirmwareHash(const uint8_t *hash);
-bool firmware_present(void);
+void layoutFirmwareFingerprint(const uint8_t *hash);
+bool get_button_response(void);
 
 #endif

bootloader/firmware_align.py

@@ -1,4 +1,4 @@
-#!/usr/bin/env python
+#!/usr/bin/env python3
 import sys
 import os