firmware icon indicating copy to clipboard operation
firmware copied to clipboard
verified publisher icon Coldcard

Manual steps to verify reproducible builds

Open i5hi opened this issue 3 years ago • 3 comments

We have been attempting to manually verify reproducibility of Coldcard firmware builds and lay out a process by which anyone can get an exact match on the shasum without any diff in the builds resulting from make repro in comparison to the release candidates found at https://coldcard.com/downloads/.

Following up on the discussions from twitter, as I understand, the diffs exist because of the signatures in the binary and (I think) some bootloader stuff.

stm32/shared.mk contains code under check_repro which seems to do this.

Opening this PR so we can understand what is happening better here than twitter.

i5hi avatar Oct 13 '22 12:10 i5hi

Unable to tag @moonsettler who has been also been attempting this.

Edit: nvm, worked!

i5hi avatar Oct 13 '22 12:10 i5hi

This is the section from stm32/shared.mk that we need to use to get the correct set of manual commands to correctly strip the build artefacts of the signature and some bootrom stuff:

# final step in repro-building: check you got the right bytes
# - but you don't have the production signing key, so that section is removed
check-repro: TRIM_SIG = sed -e 's/^00003f[89abcdef]0 .*/(firmware signature here)/'
check-repro: firmware-signed.bin
ifeq ($(PUBLISHED_BIN),)
	@echo ""
	@echo "Need published binary for: $(VERSION_STRING)"
	@echo ""
	@echo "Copy it into ../releases"
	@echo ""
else
	@echo Comparing against: $(PUBLISHED_BIN)
	test -n "$(PUBLISHED_BIN)" -a -f $(PUBLISHED_BIN)
	$(RM) -f check-fw.bin check-bootrom.bin
	$(SIGNIT) split $(PUBLISHED_BIN) check-fw.bin check-bootrom.bin
	$(SIGNIT) check check-fw.bin
	$(SIGNIT) check firmware-signed.bin
	hexdump -C firmware-signed.bin | $(TRIM_SIG) > repro-got.txt
	hexdump -C check-fw.bin | $(TRIM_SIG) > repro-want.txt
	diff repro-got.txt repro-want.txt
	@echo ""
	@echo "SUCCESS. "
	@echo ""
	@echo "You have built a bit-for-bit identical copy of Coldcard firmware for v$(VERSION_STRING)"
endif

i5hi avatar Oct 13 '22 13:10 i5hi

  • please make a whole new file in ./docs/ since the README is getting too big (then link to it)
  • I suggest working from the above makefile snippet, and just explaining what each line does in detail

doc-hex avatar Oct 13 '22 13:10 doc-hex

@doc-hex can you give me a few notes on the bootrom stuff.

I don't fully understand why its being removed, and how to verify it.

i5hi avatar Nov 09 '22 04:11 i5hi

  • bootrom area on Coldcard is not field-upgradable. Set in factory, unchangable.
  • the signature on our "firmware" covers the part of flash that can be upgraded
  • we store both binaries in the DFU file as a time-saver in the factory where they get both loaded the first time (bootloader and main code)
  • there are other ways to verify what bootrom that you have on your Coldcard (but that has nothing to do with build reproducibility)
  • the red/green light (checksum check handled by secure element) covers both the bootrom and main firmware (but that doesn't have anything to do wth repro build)

doc-hex avatar Nov 09 '22 19:11 doc-hex