feat(core): Randomize SCM_REVISION address in firmware

[no changelog]
trezor · Jan 3, 2025 · ef6ccf5 · ef6ccf5
1 parent 1a62cc8
commit ef6ccf5
Show file tree

Hide file tree

Showing 14 changed files with 81 additions and 5 deletions.
diff --git a/core/Makefile b/core/Makefile
@@ -116,7 +116,8 @@ STORAGE_2_OFFSET := $(shell expr $(STORAGE_2_START) - $(FLASH_START))
 
 OPENOCD = openocd -f interface/$(OPENOCD_INTERFACE).cfg -c "transport select $(OPENOCD_TRANSPORT)" -f $(OPENOCD_TARGET)
 
-CFLAGS += -DSCM_REVISION='\"$(shell git rev-parse HEAD | sed 's:\(..\):\\x\1:g')\"'
+SCM_REVISION = '$(shell git rev-parse HEAD)'
+CFLAGS += -DSCM_REVISION_INIT='{$(shell echo ${SCM_REVISION} | sed 's:\(..\):0x\1,:g')}'
 
 TESTPATH = $(CURDIR)/../tests
 
@@ -145,6 +146,7 @@ SCONS_VARS = \
 	PRODUCTION="$(PRODUCTION)" \
 	PYOPT="$(PYOPT)" \
 	QUIET_MODE="$(QUIET_MODE)" \
+	SCM_REVISION="$(SCM_REVISION)" \
 	STORAGE_INSECURE_TESTING_MODE="$(STORAGE_INSECURE_TESTING_MODE)" \
 	THP="$(THP)" \
 	TREZOR_DISABLE_ANIMATION="$(TREZOR_DISABLE_ANIMATION)" \

diff --git a/core/SConscript.boardloader b/core/SConscript.boardloader
@@ -65,6 +65,7 @@ SOURCE_MOD += [
     'embed/util/flash/flash_utils.c',
     'embed/util/image/image.c',
     'embed/util/rsod/rsod.c',
+    'embed/util/scm_revision/scm_revision.c',
     'embed/rtl/error_handling.c',
     'embed/rtl/mini_printf.c',
 ]
@@ -128,6 +129,7 @@ env.Replace(
         'embed/sys/bsp/inc',
         'embed/util/image/inc',
         'embed/util/rsod/inc',
+        'embed/util/scm_revision/inc',
         'vendor/micropython/lib/cmsis/inc',
     ] + CPPPATH_MOD + PATH_HAL,
     CPPDEFINES=[

diff --git a/core/SConscript.bootloader b/core/SConscript.bootloader
@@ -76,6 +76,7 @@ SOURCE_MOD += [
     'embed/util/flash/flash_utils.c',
     'embed/util/image/image.c',
     'embed/util/rsod/rsod.c',
+    'embed/util/scm_revision/scm_revision.c',
     'embed/rtl/error_handling.c',
     'embed/rtl/mini_printf.c',
     'vendor/micropython/lib/uzlib/adler32.c',
@@ -142,6 +143,7 @@ ALLPATHS = [
         'embed/util/translations/inc',
         'embed/util/image/inc',
         'embed/util/rsod/inc',
+        'embed/util/scm_revision/inc',
         'embed/upymod/modtrezorui',
         'vendor/nanopb',
     ] + CPPPATH_MOD + PATH_HAL

diff --git a/core/SConscript.bootloader_ci b/core/SConscript.bootloader_ci
@@ -70,6 +70,7 @@ SOURCE_MOD += [
     'embed/util/flash/flash_utils.c',
     'embed/util/image/image.c',
     'embed/util/rsod/rsod.c',
+    'embed/util/scm_revision/scm_revision.c',
     'embed/rtl/error_handling.c',
     'embed/rtl/mini_printf.c',
     'vendor/micropython/lib/uzlib/adler32.c',
@@ -145,6 +146,7 @@ env.Replace(
         'embed/sys/bsp/inc',
         'embed/util/image/inc',
         'embed/util/rsod/inc',
+        'embed/util/scm_revision/inc',
         'embed/upymod/modtrezorui',
         'vendor/nanopb',
     ] + CPPPATH_MOD + PATH_HAL,

diff --git a/core/SConscript.bootloader_emu b/core/SConscript.bootloader_emu
@@ -82,6 +82,7 @@ SOURCE_MOD += [
     'embed/util/flash/flash_utils.c',
     'embed/util/image/image.c',
     'embed/util/rsod/rsod.c',
+    'embed/util/scm_revision/scm_revision.c',
     'embed/rtl/error_handling.c',
     'embed/rtl/mini_printf.c',
     'vendor/micropython/lib/uzlib/adler32.c',
@@ -178,6 +179,7 @@ ALLPATHS = ['embed/rust',
            'embed/util/flash/inc',
            'embed/util/image/inc',
            'embed/util/rsod/inc',
+           'embed/util/scm_revision/inc',
            'embed/util/translations/inc',
            'embed/util/unit_properties/inc',
            'vendor/nanopb',

diff --git a/core/SConscript.firmware b/core/SConscript.firmware
@@ -4,6 +4,7 @@
 import os
 import shlex
 import tools, models, ui
+import random
 
 BITCOIN_ONLY = ARGUMENTS.get('BITCOIN_ONLY', '0')
 PRODUCTION = ARGUMENTS.get('PRODUCTION', '0') == '1'
@@ -15,6 +16,7 @@ CMAKELISTS = int(ARGUMENTS.get('CMAKELISTS', 0))
 PYOPT = ARGUMENTS.get('PYOPT', '1')
 DISABLE_OPTIGA = ARGUMENTS.get('DISABLE_OPTIGA', '0') == '1'
 HW_REVISION = ARGUMENTS.get('HW_REVISION', None)
+SCM_REVISION = ARGUMENTS.get('SCM_REVISION', None)
 THP = ARGUMENTS.get('THP', '0') == '1' # Trezor-Host Protocol
 MODEL_IDENTIFIER = models.get_model_identifier(TREZOR_MODEL)
 BENCHMARK = ARGUMENTS.get('BENCHMARK', '0') == '1'
@@ -219,6 +221,7 @@ SOURCE_MOD += [
     'embed/util/image/image.c',
     'embed/util/translations/translations.c',
     'embed/util/rsod/rsod.c',
+    'embed/util/scm_revision/scm_revision.c',
     'embed/rtl/error_handling.c',
     'embed/rtl/mini_printf.c',
     'vendor/micropython/lib/uzlib/adler32.c',
@@ -438,6 +441,7 @@ ALLPATHS = [
         'embed/sys/bsp/inc',
         'embed/util/image/inc',
         'embed/util/rsod/inc',
+        'embed/util/scm_revision/inc',
         'embed/util/translations/inc',
         'embed/upymod/modtrezorui',
         'vendor/micropython',
@@ -722,6 +726,8 @@ obj_program.extend(env.Object(source=SOURCE_HAL))
 if FROZEN:
     obj_program.extend(env.Object(source=source_mpyc))
 
+random.Random(SCM_REVISION).shuffle(obj_program)
+
 env.Replace(
     ALLSOURCES=source_files,
     ALLDEFS=tools.get_defs_for_cmake(env['CPPDEFINES'] + env['CPPDEFINES_IMPLICIT'] + [f"PRODUCTION={int(PRODUCTION)}", f"BOOTLOADER_QA={int(BOOTLOADER_QA)}", f"PYOPT={PYOPT}", f"BITCOIN_ONLY={BITCOIN_ONLY}"]))

diff --git a/core/SConscript.kernel b/core/SConscript.kernel
@@ -250,7 +250,7 @@ if STORAGE_INSECURE_TESTING_MODE:
 
 env = Environment(
     ENV=os.environ,
-    CFLAGS=f"{ARGUMENTS.get('CFLAGS', '')} -DPRODUCTION={int(PRODUCTION)} -DPYOPT={PYOPT} -DBOOTLOADER_QA={int(BOOTLOADER_QA)} -DBITCOIN_ONLY={BITCOIN_ONLY}",
+    CFLAGS=f"{ARGUMENTS.get('CFLAGS', '')} -DPRODUCTION={int(PRODUCTION)} -DPYOPT={PYOPT} -DBOOTLOADER_QA={int(BOOTLOADER_QA)} -DBITCOIN_ONLY={BITCOIN_ONLY} -USCM_REVISION_INIT",
     CPPDEFINES_IMPLICIT=[],
     CPPDEFPREFIX="-D'",
     CPPDEFSUFFIX="'",

diff --git a/core/SConscript.prodtest b/core/SConscript.prodtest
@@ -75,6 +75,7 @@ SOURCE_MOD += [
     'embed/io/display/display_utils.c',
     'embed/util/image/image.c',
     'embed/util/rsod/rsod.c',
+    'embed/util/scm_revision/scm_revision.c',
     'embed/rtl/error_handling.c',
     'embed/rtl/mini_printf.c',
     'vendor/micropython/lib/uzlib/adler32.c',
@@ -145,6 +146,7 @@ env.Replace(
         'embed/sys/bsp/inc',
         'embed/util/image/inc',
         'embed/util/rsod/inc',
+        'embed/util/scm_revision/inc',
         'embed/upymod/modtrezorui',
     ] + CPPPATH_MOD + PATH_HAL,
     CPPDEFINES=[

diff --git a/core/SConscript.reflash b/core/SConscript.reflash
@@ -60,6 +60,7 @@ SOURCE_MOD += [
     'embed/io/display/display_utils.c',
     'embed/util/image/image.c',
     'embed/util/rsod/rsod.c',
+    'embed/util/scm_revision/scm_revision.c',
     'embed/rtl/error_handling.c',
     'embed/rtl/mini_printf.c',
     'vendor/micropython/lib/uzlib/adler32.c',
@@ -124,6 +125,7 @@ env.Replace(
         'embed/sys/bsp/inc',
         'embed/util/image/inc',
         'embed/util/rsod/inc',
+        'embed/util/scm_revision/inc',
         'embed/upymod/modtrezorui',
     ] + CPPPATH_MOD + PATH_HAL,
     CPPDEFINES=[

diff --git a/core/SConscript.unix b/core/SConscript.unix
@@ -219,6 +219,7 @@ SOURCE_MOD += [
     'embed/util/image/image.c',
     'embed/util/translations/translations.c',
     'embed/util/rsod/rsod.c',
+    'embed/util/scm_revision/scm_revision.c',
     'embed/rtl/error_handling.c',
     'embed/rtl/mini_printf.c',
     'vendor/micropython/lib/uzlib/adler32.c',
@@ -496,6 +497,7 @@ ALLPATHS=['.',
          'embed/util/fwutils/inc',
          'embed/util/image/inc',
          'embed/util/rsod/inc',
+         'embed/util/scm_revision/inc',
          'embed/util/translations/inc',
          'embed/util/unit_properties/inc',
          'vendor/micropython',

diff --git a/core/embed/upymod/modtrezorutils/modtrezorutils.c b/core/embed/upymod/modtrezorutils/modtrezorutils.c
@@ -34,6 +34,7 @@
 #include <io/usb.h>
 #include <sys/bootutils.h>
 #include <util/fwutils.h>
+#include <util/scm_revision.h>
 #include <util/unit_properties.h>
 #include "blake2s.h"
 
@@ -347,7 +348,7 @@ STATIC MP_DEFINE_CONST_FUN_OBJ_0(mod_trezorutils_bootloader_locked_obj,
                                  mod_trezorutils_bootloader_locked);
 
 STATIC mp_obj_str_t mod_trezorutils_revision_obj = {
-    {&mp_type_bytes}, 0, sizeof(SCM_REVISION) - 1, (const byte *)SCM_REVISION};
+    {&mp_type_bytes}, 0, sizeof(SCM_REVISION), (const byte *)SCM_REVISION};
 
 STATIC mp_obj_str_t mod_trezorutils_model_name_obj = {
     {&mp_type_str}, 0, sizeof(MODEL_NAME) - 1, (const byte *)MODEL_NAME};

diff --git a/core/embed/util/rsod/rsod.c b/core/embed/util/rsod/rsod.c
@@ -24,6 +24,10 @@
 #include <sys/system.h>
 #include <util/rsod.h>
 
+#ifdef SCM_REVISION_INIT
+#include <util/scm_revision.h>
+#endif
+
 #define RSOD_DEFAULT_TITLE "INTERNAL ERROR";
 #define RSOD_DEFAULT_MESSAGE "UNSPECIFIED";
 #define RSOD_DEFAULT_FOOTER "PLEASE VISIT TREZOR.IO/RSOD";
@@ -89,8 +93,8 @@ void rsod_terminal(const systask_postmortem_t* pminfo) {
     term_printf("file: %s:%d\n", file, line);
   }
 
-#ifdef SCM_REVISION
-  const uint8_t* rev = (const uint8_t*)SCM_REVISION;
+#ifdef SCM_REVISION_INIT
+  const uint8_t* rev = SCM_REVISION;
   term_printf("rev : %02x%02x%02x%02x%02x\n", rev[0], rev[1], rev[2], rev[3],
               rev[4]);
 #endif

diff --git a/core/embed/util/scm_revision/inc/util/scm_revision.h b/core/embed/util/scm_revision/inc/util/scm_revision.h
@@ -0,0 +1,27 @@
+/*
+ * This file is part of the Trezor project, https://trezor.io/
+ *
+ * Copyright (c) SatoshiLabs
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#ifndef SCM_REVISION_H
+#define SCM_REVISION_H
+
+#include <trezor_types.h>
+
+extern const uint8_t SCM_REVISION[sizeof((const uint8_t[])SCM_REVISION_INIT)];
+
+#endif
diff --git a/core/embed/util/scm_revision/scm_revision.c b/core/embed/util/scm_revision/scm_revision.c
@@ -0,0 +1,22 @@
+/*
+ * This file is part of the Trezor project, https://trezor.io/
+ *
+ * Copyright (c) SatoshiLabs
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include <util/scm_revision.h>
+
+const uint8_t SCM_REVISION[] = SCM_REVISION_INIT;