fixup! refactor(core): update bootloader from coreapp, using syscalls (and smcalls)

Author: TychoVrahe

core/embed/projects/firmware/main.c

@@ -41,10 +41,25 @@
 #include <util/rsod.h>
 #include "rust_ui_common.h"
 
+#include <blake2s.h>
+
 #ifdef USE_SECP256K1_ZKP
 #include "zkp_context.h"
 #endif
 
+#define CONCAT_NAME_HELPER(prefix, name, suffix) prefix##name##suffix
+#define CONCAT_NAME(name, var) CONCAT_NAME_HELPER(BOOTLOADER_, name, var)
+
+#if BOOTLOADER_QA
+// QA bootloaders
+#define BOOTLOADER_00 CONCAT_NAME(MODEL_INTERNAL_NAME_TOKEN, _QA_00)
+#define BOOTLOADER_FF CONCAT_NAME(MODEL_INTERNAL_NAME_TOKEN, _QA_FF)
+#else
+// normal bootloaders
+#define BOOTLOADER_00 CONCAT_NAME(MODEL_INTERNAL_NAME_TOKEN, _00)
+#define BOOTLOADER_FF CONCAT_NAME(MODEL_INTERNAL_NAME_TOKEN, _FF)
+#endif
+
 // symbols from bootloader.bin => bootloader.o
 extern const void _deflated_bootloader_start;
 extern const void _deflated_bootloader_size;
@@ -75,8 +90,12 @@ int main_func(uint32_t cmd, void *arg) {
   const uint8_t *data = (const uint8_t *)&_deflated_bootloader_start;
   const size_t len = (size_t)&_deflated_bootloader_size;
 
+  uint8_t hash_00[] = BOOTLOADER_00;
+  uint8_t hash_FF[] = BOOTLOADER_FF;
+
   // Check if the boardloader is valid and replace it if not
-  bool bl_update_required = bl_check_check();
+  bool bl_update_required =
+      bl_check_check(hash_00, hash_FF, BLAKE2S_DIGEST_LENGTH);
   update_required |= bl_update_required;
 
 #endif

core/embed/sys/smcall/stm32/smcall_dispatch.c

@@ -71,7 +71,10 @@ __attribute((no_stack_protector)) void smcall_handler(uint32_t *args,
     } break;
 
     case SMCALL_BL_CHECK_CHECK: {
-      args[0] = bl_check_check();
+      const uint8_t *hash_00 = (const uint8_t *)args[0];
+      const uint8_t *hash_FF = (const uint8_t *)args[1];
+      size_t hash_len = args[2];
+      args[0] = bl_check_check__verified(hash_00, hash_FF, hash_len);
     } break;
 
     case SMCALL_BL_CHECK_REPLACE: {

core/embed/sys/smcall/stm32/smcall_stubs.c

@@ -39,8 +39,10 @@ void bootargs_get_args(boot_args_t *args) {
 // bl_check.h
 // =============================================================================
 
-bool bl_check_check(void) {
-  return (bool)smcall_invoke0(SMCALL_BL_CHECK_CHECK);
+bool bl_check_check(const uint8_t *hash_00, const uint8_t *hash_FF,
+                    size_t hash_len) {
+  return (bool)smcall_invoke3((uint32_t)hash_00, (uint32_t)hash_FF,
+                              (uint32_t)hash_len, SMCALL_BL_CHECK_CHECK);
 }
 
 void bl_check_replace(const uint8_t *data, size_t len) {

core/embed/sys/smcall/stm32/smcall_verifiers.c

@@ -60,6 +60,23 @@ void bootargs_get_args__verified(boot_args_t *args) {
 
 // ---------------------------------------------------------------------
 
+bool bl_check_check__verified(const uint8_t *hash_00, const uint8_t *hash_FF,
+                              size_t hash_len) {
+  if (!probe_read_access(hash_00, hash_len)) {
+    goto access_violation;
+  }
+
+  if (!probe_read_access(hash_FF, hash_len)) {
+    goto access_violation;
+  }
+
+  return bl_check_check(hash_00, hash_FF, hash_len);
+
+access_violation:
+  apptask_access_violation();
+  return false;
+}
+
 void bl_check_replace__verified(const uint8_t *data, size_t len) {
   if (!probe_read_access(data, len)) {
     goto access_violation;

core/embed/sys/smcall/stm32/smcall_verifiers.h

@@ -33,6 +33,9 @@ void bootargs_get_args__verified(boot_args_t *args);
 
 #include <util/bl_check.h>
 
+bool bl_check_check__verified(const uint8_t *hash_00, const uint8_t *hash_FF,
+                              size_t hash_len);
+
 void bl_check_replace__verified(const uint8_t *data, size_t len);
 
 // ---------------------------------------------------------------------

core/embed/sys/syscall/stm32/syscall_dispatch.c

@@ -171,7 +171,10 @@ __attribute((no_stack_protector)) void syscall_handler(uint32_t *args,
     } break;
 
     case SYSCALL_BL_CHECK_CHECK: {
-      args[0] = bl_check_check();
+      const uint8_t *hash_00 = (const uint8_t *)args[0];
+      const uint8_t *hash_FF = (const uint8_t *)args[1];
+      size_t hash_len = args[2];
+      args[0] = bl_check_check__verified(hash_00, hash_FF, hash_len);
     } break;
 
     case SYSCALL_BL_CHECK_REPLACE: {

core/embed/sys/syscall/stm32/syscall_stubs.c

@@ -88,8 +88,10 @@ void sysevents_poll(const sysevents_t *awaited, sysevents_t *signalled,
 // bl_check.h
 // =============================================================================
 
-bool bl_check_check(void) {
-  return (bool)syscall_invoke0(SYSCALL_BL_CHECK_CHECK);
+bool bl_check_check(const uint8_t *hash_00, const uint8_t *hash_FF,
+                    size_t hash_len) {
+  return (bool)syscall_invoke3((uint32_t)hash_00, (uint32_t)hash_FF,
+                               (uint32_t)hash_len, SYSCALL_BL_CHECK_CHECK);
 }
 
 void bl_check_replace(const uint8_t *data, size_t len) {

core/embed/sys/syscall/stm32/syscall_verifiers.c

@@ -64,6 +64,23 @@ void sysevents_poll__verified(const sysevents_t *awaited,
 
 // ---------------------------------------------------------------------
 
+bool bl_check_check__verified(const uint8_t *hash_00, const uint8_t *hash_FF,
+                              size_t hash_len) {
+  if (!probe_read_access(hash_00, hash_len)) {
+    goto access_violation;
+  }
+
+  if (!probe_read_access(hash_FF, hash_len)) {
+    goto access_violation;
+  }
+
+  return bl_check_check(hash_00, hash_FF, hash_len);
+
+access_violation:
+  apptask_access_violation();
+  return false;
+};
+
 void bl_check_replace__verified(const uint8_t *data, size_t len) {
   if (!probe_read_access(data, len)) {
     goto access_violation;

core/embed/sys/syscall/stm32/syscall_verifiers.h

@@ -46,6 +46,9 @@ void reboot_and_upgrade__verified(const uint8_t hash[32]);
 
 // ---------------------------------------------------------------------
 
+bool bl_check_check__verified(const uint8_t *hash_00, const uint8_t *hash_FF,
+                              size_t hash_len);
+
 #include <util/bl_check.h>
 void bl_check_replace__verified(const uint8_t *data, size_t len);
 

core/embed/util/bl_check/bl_check.c

@@ -30,28 +30,10 @@
 #include "memzero.h"
 #include "uzlib.h"
 
-#define CONCAT_NAME_HELPER(prefix, name, suffix) prefix##name##suffix
-#define CONCAT_NAME(name, var) CONCAT_NAME_HELPER(BOOTLOADER_, name, var)
-
-#if BOOTLOADER_QA
-// QA bootloaders
-#define BOOTLOADER_00 CONCAT_NAME(MODEL_INTERNAL_NAME_TOKEN, _QA_00)
-#define BOOTLOADER_FF CONCAT_NAME(MODEL_INTERNAL_NAME_TOKEN, _QA_FF)
-#else
-// normal bootloaders
-#define BOOTLOADER_00 CONCAT_NAME(MODEL_INTERNAL_NAME_TOKEN, _00)
-#define BOOTLOADER_FF CONCAT_NAME(MODEL_INTERNAL_NAME_TOKEN, _FF)
-#endif
-// clang-format on
-
-static secbool latest_bootloader(const uint8_t *hash, int len) {
-  if (len != 32) return secfalse;
-
-  uint8_t hash_00[] = BOOTLOADER_00;
-  uint8_t hash_FF[] = BOOTLOADER_FF;
-
-  if (0 == memcmp(hash, hash_00, 32)) return sectrue;
-  if (0 == memcmp(hash, hash_FF, 32)) return sectrue;
+static secbool hash_match(const uint8_t *hash, const uint8_t *hash_00,
+                          const uint8_t *hash_FF) {
+  if (0 == memcmp(hash, hash_00, BLAKE2S_DIGEST_LENGTH)) return sectrue;
+  if (0 == memcmp(hash, hash_FF, BLAKE2S_DIGEST_LENGTH)) return sectrue;
   return secfalse;
 }
 
@@ -78,9 +60,14 @@ static void uzlib_prepare(struct uzlib_uncomp *decomp, uint8_t *window,
   uzlib_uncompress_init(decomp, window, window ? UZLIB_WINDOW_SIZE : 0);
 }
 
-bool bl_check_check(void) {
+bool bl_check_check(const uint8_t *hash_00, const uint8_t *hash_FF,
+                    size_t hash_len) {
   mpu_mode_t mode = mpu_reconfig(MPU_MODE_BOOTUPDATE);
 
+  if (hash_len != BLAKE2S_DIGEST_LENGTH) {
+    error_shutdown("Invalid bootloader hash length");
+  }
+
   // compute current bootloader hash
   uint8_t hash[BLAKE2S_DIGEST_LENGTH];
   const uint32_t bl_len = flash_area_get_size(&BOOTLOADER_AREA);
@@ -91,8 +78,8 @@ bool bl_check_check(void) {
   // ensure(known_bootloader(hash, BLAKE2S_DIGEST_LENGTH), "Unknown bootloader
   // detected");
 
-  // do we have the latest bootloader?
-  if (sectrue == latest_bootloader(hash, BLAKE2S_DIGEST_LENGTH)) {
+  // does the bootloader match?
+  if (sectrue == hash_match(hash, hash_00, hash_FF)) {
     mpu_reconfig(mode);
     return false;
   }

core/embed/util/bl_check/inc/util/bl_check.h

@@ -22,15 +22,21 @@
 #include <trezor_types.h>
 
 /**
- * @brief Check bootloader hash against the installed bootloader.
+ * @brief Verify the installed bootloader against expected hashes.
  *
- * Computes the hash of the provided bootloader image and compares it
- * with the hash of the currently installed bootloader.
+ * Calculates the hash of the currently installed bootloader and compares
+ * it against two known-good expected hashes.
  *
- * @return `true` if the hashes do not match (bootloader needs replacement),
- *         `false` otherwise.
+ * @param hash_00 Pointer to the expected hash for 0x00 padded image.
+ * @param hash_FF Pointer to the expected hash for 0xFF padded image.
+ * @param hash_len         Length of each hash, in bytes.
+ *
+ * @return `true` if the installed bootloader's hash does not match either
+ *         of the expected hashes (indicating it should be replaced),
+ *         `false` if it matches one of them.
  */
-bool bl_check_check(void);
+bool bl_check_check(const uint8_t *hash_00, const uint8_t *hash_FF,
+                    size_t hash_len);
 
 /**
  * @brief Replace the currently installed bootloader.
@@ -40,4 +46,4 @@ bool bl_check_check(void);
  * @param data Pointer to the bootloader image data.
  * @param len  Size of the bootloader data in bytes.
  */
-void bl_check_replace(const uint8_t* data, size_t len);
+void bl_check_replace(const uint8_t *data, size_t len);