move attestion key to not be part of firmware

This commit is contained in:
Conor Patrick 2018-12-10 20:37:12 -05:00
parent 94140a0aa9
commit a96ff8eb63
3 changed files with 38 additions and 7 deletions


@ -4,21 +4,38 @@
from intelhex import IntelHex from intelhex import IntelHex
import sys import sys
from binascii import unhexlify
if len(sys.argv) < 3: if len(sys.argv) < 3:
print('usage: %s <file1.hex> <file2.hex> [...] <output.hex>') print('usage: %s <file1.hex> <file2.hex> [...] [-s <secret_attestation_key>] <output.hex>')
sys.exit(1) sys.exit(1)
def flash_addr(num): def flash_addr(num):
return 0x08000000 + num * 2048 return 0x08000000 + num * 2048
args = sys.argv[:]
# generic / hacker attestation key
secret_attestation_key = "cd67aa310d091ed16e7e9892aa070e1994fcd714ae7c408fb946b72e5fe75d30"
# user supplied, optional
for i,x in enumerate(args):
if x == '-s':
secret_attestation_key = args[i+1]
break
if secret_attestation_key is not None:
args = args[:i] + args[i+2:]
# TODO put definitions somewhere else
PAGES = 128 PAGES = 128
APPLICATION_END_PAGE = PAGES - 19 APPLICATION_END_PAGE = PAGES - 19
AUTH_WORD_ADDR = (flash_addr(APPLICATION_END_PAGE)-8) AUTH_WORD_ADDR = (flash_addr(APPLICATION_END_PAGE)-8)
ATTEST_ADDR = (flash_addr(PAGES - 15))
first = IntelHex(sys.argv[1]) first = IntelHex(args[1])
for i in range(2, len(sys.argv)-1): for i in range(2, len(args)-1):
first.merge(IntelHex( sys.argv[i] ), overlap = 'replace') first.merge(IntelHex( args[i] ), overlap = 'replace')
first[AUTH_WORD_ADDR] = 0 first[AUTH_WORD_ADDR] = 0
first[AUTH_WORD_ADDR+1] = 0 first[AUTH_WORD_ADDR+1] = 0
@ -30,4 +47,11 @@ first[AUTH_WORD_ADDR+5] = 0xff
first[AUTH_WORD_ADDR+6] = 0xff first[AUTH_WORD_ADDR+6] = 0xff
first[AUTH_WORD_ADDR+7] = 0xff first[AUTH_WORD_ADDR+7] = 0xff
first.tofile(sys.argv[len(sys.argv)-1], format='hex') if secret_attestation_key is not None:
key = unhexlify(secret_attestation_key)
print('using key ',key)
for i,x in enumerate(key):
print(hex(ATTEST_ADDR + i))
first[ATTEST_ADDR + i] = x
first.tofile(args[len(args)-1], format='hex')
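Review bot: Without `-s` the argument trimming under `if secret_attestation_key is not None:` still runs, because the default key is a string rather than None and `i` is left at the last index by the exhausted `enumerate` loop, so `args[:i] + args[i+2:]` drops the final argument — the output path — and `first.tofile(args[len(args)-1], ...)` then overwrites the last input hex with the merged image. The trimming should be tied to actually finding the flag (fence below). The key written at `ATTEST_ADDR` is also never length-checked: `unhexlify` of a short or long string silently programs the wrong number of bytes, so a guard such as `if len(key) != 32: sys.exit('attestation key must be 64 hex digits')` belongs before the write loop. `print('using key ', key)` echoes the private key into build logs; printing only its length or a digest would be safer. The hard-coded default means any image built without `-s` attests with a publicly known key, which looks intended for the open "hacker" build but deserves a comment at the usage line.
```python
# user supplied, optional; only strip the flag when it is actually present
if '-s' in args:
    i = args.index('-s')
    secret_attestation_key = args[i + 1]
    args = args[:i] + args[i + 2:]
# … unchanged: PAGES / address definitions, hex merge, AUTH word writes …
key = unhexlify(secret_attestation_key)
if len(key) != 32:
    sys.exit('attestation key must be 32 bytes (64 hex digits)')
```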


@ -20,6 +20,7 @@
#include "device.h" #include "device.h"
#include APP_CONFIG #include APP_CONFIG
#include "log.h" #include "log.h"
#include "memory_layout.h"
typedef enum typedef enum
@ -164,7 +165,9 @@ void crypto_ecc256_init()
void crypto_ecc256_load_attestation_key() void crypto_ecc256_load_attestation_key()
{ {
_signing_key = attestation_key; static uint8_t _key [32];
memmove(_key, (uint8_t*)ATTESTATION_KEY_ADDR, 32);
_signing_key = _key;
_key_len = 32; _key_len = 32;
} }
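Review bot: The new `memmove` into `static uint8_t _key [32]` keeps a copy of the attestation private key resident in SRAM for the lifetime of the firmware, whereas the replaced `_signing_key = attestation_key;` pointed at an existing object; since `ATTESTATION_KEY_ADDR` is memory-mapped flash, `_signing_key = (uint8_t*)ATTESTATION_KEY_ADDR;` would avoid the RAM copy entirely, unless the signing routine needs the key in writable memory (not visible here). Nothing checks that the key page has been programmed: an erased flash page on this part typically reads back as all 0xFF, and the function would hand that to the signer as a 32-byte scalar without complaint, so a guard that rejects an all-0xFF (or all-0x00) key and logs an error would catch an image flashed without the `-s` step of the merge script. If the RAM copy is kept, `memcpy` is the clearer call since the buffers cannot overlap.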


@ -17,7 +17,7 @@
// Storage of FIDO2 resident keys // Storage of FIDO2 resident keys
#define RK_NUM_PAGES 10 #define RK_NUM_PAGES 10
#define RK_START_PAGE (PAGES - 14) #define RK_START_PAGE (PAGES - 14)
#define RK_END_PAGE (PAGES - 14 + RK_NUM_PAGES) #define RK_END_PAGE (PAGES - 14 + RK_NUM_PAGES) // not included
// Start of application code // Start of application code
#ifndef APPLICATION_START_PAGE #ifndef APPLICATION_START_PAGE
@ -25,6 +25,10 @@
#endif #endif
#define APPLICATION_START_ADDR (0x08000000 + ((APPLICATION_START_PAGE)*PAGE_SIZE)) #define APPLICATION_START_ADDR (0x08000000 + ((APPLICATION_START_PAGE)*PAGE_SIZE))
// where attestation key is located
#define ATTESTATION_KEY_PAGE (PAGES - 15)
#define ATTESTATION_KEY_ADDR (0x08000000 + ATTESTATION_KEY_PAGE*PAGE_SIZE)
// End of application code. Leave some extra room for future data storage. // End of application code. Leave some extra room for future data storage.
// NOT included in application // NOT included in application
#define APPLICATION_END_PAGE ((PAGES - 19)) #define APPLICATION_END_PAGE ((PAGES - 19))
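Review bot: `ATTESTATION_KEY_PAGE (PAGES - 15)` sits in the gap between `APPLICATION_END_PAGE` (PAGES - 19) and `RK_START_PAGE` (PAGES - 14), but nothing enforces that, and the hex merge script repeats the same `PAGES - 15` literal independently, so a future layout change can silently desynchronise the two or overlap resident-key storage. A compile-time check placed after the `APPLICATION_END_PAGE` definition would catch an overlap: `#if ATTESTATION_KEY_PAGE < APPLICATION_END_PAGE || ATTESTATION_KEY_PAGE >= RK_START_PAGE` / `#error "attestation key page overlaps application or resident-key storage"` / `#endif`. Because the page is deliberately outside the application region, whether the bootloader's firmware authentication covers it is not visible here; if it does not, an unauthenticated flash write could replace the attestation key, which is worth stating in the comment above the define.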