Updates are now signed

2023-09-08 17:48:02 +02:00 · 2023-09-08 17:48:02 +02:00 · 8ac6bbc7d8
commit 8ac6bbc7d8
parent df191603dd
5 changed files with 51 additions and 87 deletions
--- a/Cargo.lock
+++ b/Cargo.lock
@ -563,6 +563,15 @@ dependencies = [
 "serde",
 ]

+[[package]]
+name = "ed25519"
+version = "1.5.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "91cff35c70bba8a626e3185d8cd48cc11b5437e1a5bcd15b9b5fa3c64b6dfee7"
+dependencies = [
+ "signature",
+]
+
 [[package]]
 name = "either"
 version = "1.9.0"
@ -599,6 +608,7 @@ dependencies = [
 "embassy-sync",
 "embedded-storage",
 "embedded-storage-async",
+ "salty",
 "signature",
 ]

@ -784,21 +794,6 @@ dependencies = [
 "heapless 0.7.16",
 ]

-[[package]]
-name = "embassy-usb"
-version = "0.1.0"
-source = "git+https://github.com/embassy-rs/embassy#af7c93abba768057f1d3299c7b4f4aa4501b3e56"
-dependencies = [
- "defmt",
- "embassy-futures",
- "embassy-net-driver-channel",
- "embassy-sync",
- "embassy-usb-driver",
- "heapless 0.7.16",
- "ssmarshal",
- "usbd-hid",
-]
-
 [[package]]
 name = "embassy-usb-driver"
 version = "0.1.0"
@ -931,12 +926,6 @@ dependencies = [
 "log",
 ]

-[[package]]
-name = "encode_unicode"
-version = "0.3.6"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a357d28ed41a50f9c765dbfe56cbc04a64e53e5fc58ba79fbc34c10ef3df831f"
-
 [[package]]
 name = "equivalent"
 version = "1.0.1"
@ -1761,7 +1750,6 @@ dependencies = [
 "const_format",
 "cortex-m",
 "cortex-m-rt",
- "crc16",
 "cyw43",
 "cyw43-pio",
 "defmt",
@ -1776,12 +1764,10 @@ dependencies = [
 "embassy-rp",
 "embassy-sync",
 "embassy-time",
- "embassy-usb",
 "embedded-io-async",
 "embedded-storage",
 "git-version",
 "heapless 0.7.16",
- "log",
 "nourl",
 "panic-probe",
 "rand",
@ -1866,6 +1852,16 @@ version = "1.0.15"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "1ad4cc8da4ef723ed60bced201181d83791ad433213d8c24efffda1eec85d741"

+[[package]]
+name = "salty"
+version = "0.2.0"
+source = "git+https://github.com/ycrypto/salty.git?rev=a9f17911a5024698406b75c0fac56ab5ccf6a8c7#a9f17911a5024698406b75c0fac56ab5ccf6a8c7"
+dependencies = [
+ "ed25519",
+ "subtle",
+ "zeroize",
+]
+
 [[package]]
 name = "scopeguard"
 version = "1.2.0"
@ -1989,16 +1985,6 @@ dependencies = [
 "lock_api",
 ]

-[[package]]
-name = "ssmarshal"
-version = "1.0.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f3e6ad23b128192ed337dfa4f1b8099ced0c2bf30d61e551b65fda5916dbb850"
-dependencies = [
- "encode_unicode",
- "serde",
-]
-
 [[package]]
 name = "stable_deref_trait"
 version = "1.2.0"
@ -2144,47 +2130,6 @@ dependencies = [
 "subtle",
 ]

-[[package]]
-name = "usb-device"
-version = "0.2.9"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "1f6cc3adc849b5292b4075fc0d5fdcf2f24866e88e336dd27a8943090a520508"
-
-[[package]]
-name = "usbd-hid"
-version = "0.6.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "975bd411f4a939986751ea09992a24fa47c4d25c6ed108d04b4c2999a4fd0132"
-dependencies = [
- "serde",
- "ssmarshal",
- "usb-device",
- "usbd-hid-macros",
-]
-
-[[package]]
-name = "usbd-hid-descriptors"
-version = "0.1.2"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "dcbee8c6735e90894fba04770bc41e11fd3c5256018856e15dc4dd1e6c8a3dd1"
-dependencies = [
- "bitfield",
-]
-
-[[package]]
-name = "usbd-hid-macros"
-version = "0.6.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "261079a9ada015fa1acac7cc73c98559f3a92585e15f508034beccf6a2ab75a2"
-dependencies = [
- "byteorder",
- "proc-macro2",
- "quote",
- "serde",
- "syn 1.0.109",
- "usbd-hid-descriptors",
-]
-
 [[package]]
 name = "vcell"
 version = "0.1.3"
--- a/Cargo.toml
+++ b/Cargo.toml
@ -28,14 +28,17 @@ embassy-rp = { version = "0.1", features = [
 	"critical-section-impl",
 ] }
 embassy-boot-rp = { version = "0.1", features = ["nightly", "defmt"] }
-embassy-boot = { version = "0.1", features = ["nightly", "defmt"] }
+embassy-boot = { version = "0.1", features = [
+	"nightly",
+	"defmt",
+	"ed25519-salty",
+] }
 embassy-time = { version = "0.1", features = [
 	"defmt",
 	"unstable-traits",
 	"defmt-timestamp-uptime",
 	"nightly",
 ] }
-embassy-usb = { version = "0.1", features = ["defmt"] }
 embassy-net = { version = "0.1", features = [
 	"tcp",
 	"dhcpv4",
@ -54,11 +57,9 @@ cyw43-pio = { git = "https://github.com/embassy-rs/embassy", features = [
 	"defmt",
 ] }
 panic-probe = { version = "0.3", features = ["print-defmt"] }
-log = "0.4"
 static_cell = { version = "1.1", features = ["nightly"] }
 heapless = { version = "0.7.16", features = ["defmt", "serde"] }
 embedded-io-async = { version = "0.5", features = ["defmt-03"] }
-crc16 = "0.4"
 dsmr5 = "0.3"
 rust-mqtt = { version = "0.1.5", features = [
 	"defmt",
@ -89,7 +90,6 @@ git-version = "0.3.5"
 embassy-executor = { git = "https://github.com/embassy-rs/embassy" }
 embassy-rp = { git = "https://github.com/embassy-rs/embassy" }
 embassy-time = { git = "https://github.com/embassy-rs/embassy" }
-embassy-usb = { git = "https://github.com/embassy-rs/embassy" }
 embassy-net = { git = "https://github.com/embassy-rs/embassy" }
 embassy-sync = { git = "https://github.com/embassy-rs/embassy" }
 embassy-futures = { git = "https://github.com/embassy-rs/embassy" }
--- a/key.pub
+++ b/key.pub
--- a/release.sh
+++ b/release.sh
@ -0,0 +1,9 @@
+#!/bin/bash
+
+mkdir -p target/firmware
+cargo objcopy --release --features=exclude_firmwares -- -O binary target/firmware/firmware
+shasum -a 512 -b target/firmware/firmware | dd ibs=128 count=1 | xxd -p -r > target/firmware/checksum
+signify -S -m target/firmware/checksum -s ~/Projects/crypt/R0/private/keys/firmware/pico_p1.sec -x target/firmware/checksum.sig
+tail -n1 target/firmware/checksum.sig | base64 -d -i | dd ibs=10 skip=1 > target/firmware/signed
+cat target/firmware/signed > target/firmware/firmware+signed
+cat target/firmware/firmware >> target/firmware/firmware+signed
--- a/src/main.rs
+++ b/src/main.rs
@ -53,7 +53,7 @@ use serde::{Deserialize, Serialize};
 use static_cell::make_static;

 use const_format::formatcp;
-use defmt::{debug, error, info, warn, Debug2Format};
+use defmt::{debug, error, info, trace, warn, Debug2Format};

 use {defmt_rtt as _, panic_probe as _};

@ -67,6 +67,7 @@ const TOPIC_BASE: &str = formatcp!("pico/{}", ID);
 const TOPIC_STATUS: &str = formatcp!("{}/status", TOPIC_BASE);
 const TOPIC_UPDATE: &str = formatcp!("{}/update", TOPIC_BASE);
 const VERSION: &str = git_version::git_version!();
+const PUBLIC_SIGNING_KEY: &[u8] = include_bytes!("../key.pub");

 #[derive(Deserialize)]
 struct UpdateMessage<'a> {
@ -467,25 +468,34 @@ async fn attempt_update<T, const MAX_PROPERTIES: usize, R, F>(
        .await
        .unwrap();

+    // The first 64 bytes of the file contain the signature
+    let mut signature = [0; 64];
+    body.read_exact(&mut signature).await.unwrap();
+
+    trace!("Signature: {:?}", signature);
+
    let mut buffer = AlignedBuffer([0; 4096]);
-    let mut offset = 0;
+    let mut size = 0;
    while let Ok(read) = body.read(&mut buffer.0).await {
        if read == 0 {
            break;
        }
        debug!("Writing chunk: {}", read);
-        writer.write(offset, &buffer.0[..read]).unwrap();
-        offset += read as u32;
+        writer.write(size, &buffer.0[..read]).unwrap();
+        size += read as u32;

-        let status = Status::Writing { progress: offset }.vec();
+        let status = Status::Writing { progress: size }.vec();
        client
            .send_message(TOPIC_STATUS, &status, QualityOfService::QoS1, false)
            .await
            .unwrap();
    }
-    debug!("Total size: {}", offset);
+    debug!("Total size: {}", size);

-    updater.mark_updated().unwrap();
+    updater.verify_and_mark_updated(PUBLIC_SIGNING_KEY, &signature, size).unwrap();
+
+    // Update mqtt message should be send using retain
+    // TODO: Clear the message

    let status = Status::UpdateComplete.vec();
    client