PASS1-94: Prevent installing user-signed firmware if no user-key installed (#38)

* PASS1-94: Prevent installing user-signed firmware if no user signing key installed * Fixed case where user pubkey was removed manually * Fixed text to match other areas where text is used * Update text message for developer pubkey * Hard coded user signed field to false Co-authored-by: Ken Carpenter <62639971+FoundationKen@users.noreply.github.com>
3 years ago · 01c0250df9
2 changed files with 22 additions and 6 deletions
--- a/ports/stm32/boards/Passport/modfoundation.c
+++ b/ports/stm32/boards/Passport/modfoundation.c
@ -1276,7 +1276,7 @@ System_validate_firmware_header(mp_obj_t self, mp_obj_t header)
    // New header
    passport_firmware_header_t* new_fwhdr = (passport_firmware_header_t*)header_info.buf;

-    mp_obj_t tuple[3];
+    mp_obj_t tuple[4];

    bool is_valid = verify_header(header_info.buf);

@ -1303,7 +1303,10 @@ System_validate_firmware_header(mp_obj_t self, mp_obj_t header)
            vstr_add_strn(&vstr, (const char*)new_fwhdr->info.fwdate, strlen((const char*)new_fwhdr->info.fwdate));
            tuple[2] = mp_obj_new_str_from_vstr(&mp_type_str, &vstr);

-            return mp_obj_new_tuple(3, tuple);
+            // Is this user-signed firmware?
+            tuple[3] = mp_const_false;
+
+            return mp_obj_new_tuple(4, tuple);
        }
    } else {
        // Invalid header
@ -1317,7 +1320,10 @@ System_validate_firmware_header(mp_obj_t self, mp_obj_t header)
        vstr_add_strn(&vstr, (const char*)msg, strlen(msg));
        tuple[2] = mp_obj_new_str_from_vstr(&mp_type_str, &vstr);

-        return mp_obj_new_tuple(3, tuple);
+        // No header = no user signed firmware
+        tuple[3] = mp_const_false;
+
+        return mp_obj_new_tuple(4, tuple);
    }

    // is_valid
@ -1329,7 +1335,10 @@ System_validate_firmware_header(mp_obj_t self, mp_obj_t header)
    // No error message
    tuple[2] = mp_const_none;

-    return mp_obj_new_tuple(3, tuple);
+    // Is this user-signed firmware?
+    tuple[3] = (new_fwhdr->signature.pubkey1 == FW_USER_KEY) ? mp_const_true : mp_const_false;
+
+    return mp_obj_new_tuple(4, tuple);
 }

 /// def System_set_user_firmware_pubkey(self, pubkey) -> None
--- a/ports/stm32/boards/Passport/modules/actions.py
+++ b/ports/stm32/boards/Passport/modules/actions.py
@ -346,12 +346,19 @@ async def update_firmware(*a):
                return

            # Validate the header
-            is_valid, version, error_msg = system.validate_firmware_header(header)
+            is_valid, version, error_msg, is_user_signed = system.validate_firmware_header(header)
            if not is_valid:
                system.turbo(False)
                await ux_show_story('Firmware header is invalid.\n\n{}'.format(error_msg), title='Error', left_btn='BACK', right_btn='OK', center=True, center_vertically=True)
                return

+            if is_user_signed:
+                pubkey_result, pubkey = read_user_firmware_pubkey()
+                if not pubkey_result or is_all_zero(pubkey):
+                    system.turbo(False)
+                    await ux_show_story('Install a Developer PubKey before loading non-Foundation firmware.\n\n', title='Error', left_btn='BACK', right_btn='OK', center=True, center_vertically=True)
+                    return
+
            system.turbo(False)

            # Give the user a chance to confirm/back out
@ -2057,4 +2064,4 @@ async def remove_user_firmware_pubkey(*a):
                            title='Remove',
                            center=True,
                            center_vertically=True)
-        clear_cached_pubkey()
+        clear_cached_pubkey()