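#!/usr/bin/env bash
# build_firmware.sh — build, assemble, sign and hash the Specter-DIY firmware.
#
# Usage: ./build_firmware.sh [all|release|main|bootloader|assemble|nobootloader|sign|hash|ownership] ...
# Actions run in the order given; with no arguments "all" is run.
#
# Environment: HOST_UID / HOST_GID — when both are set, the "ownership" step
# chowns the build outputs to that user/group (for container builds that run
# as root; see fix_ownership).
#
# -e aborts on the first failing command. -o pipefail makes a pipeline fail
# when any stage fails; there are no pipelines today, but it keeps a future
# `make | tee build.log` from hiding a broken build behind tee's exit status.
# -u is deliberately not set: fix_ownership probes HOST_UID/HOST_GID with
# [ -n ] and would trip on them being unset.
set -e -o pipefail

# ANSI colour escapes, stored as literal backslash sequences and interpreted
# by `echo -e` / `printf %b` at the point of use.
readonly INFO="\e[1;36m"
readonly ENDCOLOR="\e[0m"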
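# Print the accepted action names and exit 1. Called for an unknown action.
# The text goes to stderr so it never mixes with the build output on stdout
# (the hash-to-sign box, sha256 listing) that a caller may be capturing.
# Globals: $0 (script name)
usage() {
  printf 'Usage: %s [all|release|main|bootloader|assemble|nobootloader|sign|hash|ownership] ...\n' "$0" >&2
  exit 1
}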
# Actions to run, in command-line order; an empty command line means "all".
if (( $# )); then
  ACTIONS=("$@")
else
  ACTIONS=("all")
fi
# Build the main firmware for the disco board with bootloader support
# (USE_DBOOT=1) from a clean tree. run_assemble expects the result at
# ./bin/specter-diy.hex.
run_main() {
  local banner='══════════════════════ Building main firmware ═════════════════════════════'
  printf '%b\n%s\n%b\n' "${INFO}" "${banner}" "${ENDCOLOR}"
  make clean
  make disco USE_DBOOT=1
}
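# Build the secure bootloader and its startup image from a clean tree.
# READ_PROTECTION=1 / WRITE_PROTECTION=1 are make variables handed to
# bootloader/Makefile; their exact effect (presumably flash RDP/WRP option
# bytes) is defined there — confirm before flashing, since some STM32
# read-protection levels cannot be reverted on the device.
# run_assemble expects the outputs at
#   bootloader/build/stm32f469disco/startup/release/startup.hex
#   bootloader/build/stm32f469disco/bootloader/release/bootloader.hex
# The build runs in a subshell so the caller's working directory is restored
# on every path and nothing (the old `cd -` printed the directory) leaks to
# stdout; a missing bootloader/ directory fails the step instead of running
# `make clean` in the repository root.
run_bootloader() {
  local banner='═════════════════════ Building secure bootloader ══════════════════════════'
  printf '%b\n%s\n%b\n' "${INFO}" "${banner}" "${ENDCOLOR}"
  (
    cd bootloader \
      && make clean \
      && make stm32f469disco READ_PROTECTION=1 WRITE_PROTECTION=1
  ) || return 1
}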
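# Combine the main firmware with the bootloader images into the release artifacts:
#   release/initial_firmware.bin         — startup + bootloader + firmware, for the first flash
#   release/specter_upgrade.bin          — upgrade file that run_sign adds signatures to
#   release/specter_upgrade_unsigned.bin — copy taken before any signature is added
# Finally prints the message (digest) that has to be signed with the vendor keys.
# Requires the outputs of run_main (bin/specter-diy.hex) and run_bootloader.
# NOTE(review): only the *presence* of bin/specter-diy.hex is checked. A hex
# left behind by run_nobootloader (built without USE_DBOOT=1) would be
# assembled without complaint — run `main` (or `all`/`release`) before
# `assemble` rather than relying on whatever is in bin/.
# Exits 1 (with the missing paths on stderr) when a required input is absent.
run_assemble() {
  local banner='══════════════════════ Assembling final binaries ══════════════════════════'
  printf '%b\n%s\n%b\n' "${INFO}" "${banner}" "${ENDCOLOR}"

  # --- Dependency checks ---
  local required_files=(
    "./bin/specter-diy.hex"
    "./bootloader/build/stm32f469disco/startup/release/startup.hex"
    "./bootloader/build/stm32f469disco/bootloader/release/bootloader.hex"
  )
  local f missing=0
  for f in "${required_files[@]}"; do
    if [ ! -f "$f" ]; then
      echo -e "\e[1;31mERROR:\e[0m Required file missing: $f" >&2
      missing=1
    fi
  done
  if (( missing )); then
    echo -e "\nOne or more required components were not built." >&2
    echo -e "Please run: \e[1m./build_firmware.sh main bootloader\e[0m\n" >&2
    exit 1
  fi
  # ---------------------------

  mkdir -p release
  python3 ./bootloader/tools/make-initial-firmware.py \
    -s ./bootloader/build/stm32f469disco/startup/release/startup.hex \
    -b ./bootloader/build/stm32f469disco/bootloader/release/bootloader.hex \
    -f ./bin/specter-diy.hex \
    -bin ./release/initial_firmware.bin
  echo "Initial firmware saved to release/initial_firmware.bin"

  python3 ./bootloader/tools/upgrade-generator.py gen \
    -f ./bin/specter-diy.hex \
    -b ./bootloader/build/stm32f469disco/bootloader/release/bootloader.hex \
    -p stm32f469disco \
    ./release/specter_upgrade.bin
  # Keep a pristine copy: run_sign's import-sig presumably rewrites
  # specter_upgrade.bin in place, so this is the only unsigned reference.
  cp ./release/specter_upgrade.bin ./release/specter_upgrade_unsigned.bin
  echo "Unsigned upgrade file saved to release/specter_upgrade_unsigned.bin"

  # Declaration and assignment are split so a failing tool call is not masked
  # by `local`'s own (always zero) exit status.
  local message
  message=$(python3 ./bootloader/tools/upgrade-generator.py message ./release/specter_upgrade.bin) || return 1
  cat <<EOF

╔════════════════════════════════════════════════════════════════════════════════╗
║ Message to sign with vendor keys: ║
║ ║
║ ${message} ║
║ ║
╚════════════════════════════════════════════════════════════════════════════════╝

EOF
}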
# Build the plain firmware (no USE_DBOOT) from a clean tree and copy it to
# release/disco-nobootloader.{bin,hex}. The secure bootloader — and whatever
# upgrade verification it provides — is not part of this image; it is meant
# to be flashed directly to a development board.
run_nobootloader() {
  local banner='═════════════════════ Building firmware without bootloader ════════════════'
  printf '%b\n%s\n%b\n' "${INFO}" "${banner}" "${ENDCOLOR}"
  mkdir -p release
  make clean
  make disco
  local ext
  for ext in bin hex; do
    cp "./bin/specter-diy.${ext}" "./release/disco-nobootloader.${ext}"
  done
  printf '%s\n' \
    "Standard firmware without bootloader saved to release/disco-nobootloader.{bin,hex}" \
    "The BIN image can be flashed directly to a development board without the secure bootloader."
}
run_sign() {
echo -e "${INFO}
═════════════════════ Adding signature to the binary ══════════════════════
${ENDCOLOR}"
# --- Dependency checks ---
REQUIRED_FILES=(
"./release/specter_upgrade.bin"
)
MISSING=0
for f in "${REQUIRED_FILES[@]}"; do
if [ ! -f "$f" ]; then
echo -e "\e[1;31mERROR:\e[0m Required file missing: $f"
MISSING=1
fi
done
if [ "$MISSING" -eq 1 ]; then
echo -e "\nOne or more required components were not built."
echo -e "Please run: \e[1m./build_firmware.sh assemble\e[0m\n"
exit 1
fi
# ---------------------------
while true; do
echo "Provide a signature to add to the upgrade file, or just hit enter to stop."
read -r SIGNATURE
if [ -z "$SIGNATURE" ]; then
break
fi
python3 ./bootloader/tools/upgrade-generator.py import-sig -s "$SIGNATURE" ./release/specter_upgrade.bin
echo "Signature added: ${SIGNATURE}"
done
}
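# Write SHA-256 digests of every release/*.bin to release/sha256.txt and echo them.
# The listing is produced with LC_ALL=C so the glob sorts in byte order and
# the file is identical across machines/locales; an empty release/ is an error
# instead of a literal "*.bin: No such file" line.
# NOTE(review): sha256.txt sits next to the binaries and is not itself signed,
# so it only lets a downloader detect corruption or a swapped file — not
# tampering. Authenticity of the upgrade rests on the signatures run_sign
# embeds in specter_upgrade.bin, which this script does not verify.
# The work runs in a subshell so the caller's cwd is untouched on every path.
# Returns 1 if release/ cannot be entered or holds no .bin files.
run_hash() {
  local banner='═════════════════════════ Hashes of the binaries: ═════════════════════════'
  printf '%b\n%s\n%b\n' "${INFO}" "${banner}" "${ENDCOLOR}"
  mkdir -p release
  (
    cd release || exit 1
    export LC_ALL=C   # must be exported before the glob expands to affect its sort order
    shopt -s nullglob
    bins=(*.bin)
    if (( ${#bins[@]} == 0 )); then
      echo "ERROR: no .bin files in release/ to hash." >&2
      exit 1
    fi
    sha256sum -- "${bins[@]}" > sha256.txt || exit 1
    cat sha256.txt
  ) || return 1
  printf '\nHashes saved to release/sha256.txt file.\n\n'
}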
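# Hand the build outputs back to the invoking user. When the build runs as
# root inside a container, everything it writes to the bind mount is
# root-owned; callers pass HOST_UID/HOST_GID so the tree is usable afterwards.
# Both variables must be set and numeric: they are spliced into chown's owner
# spec, so anything else (an option-looking string, a name with a colon) is
# rejected here rather than handed to chown. `--` keeps chown from parsing the
# spec as an option regardless.
# Directories that do not exist are skipped, and chown failures (e.g. not
# running as root) are deliberately swallowed — this is best-effort cleanup
# and must not fail a build that has already succeeded. Always returns 0.
fix_ownership() {
  local banner='═════════════════════════ Fixing file ownership ═══════════════════════════'
  printf '%b\n%s\n%b\n' "${INFO}" "${banner}" "${ENDCOLOR}"
  if [ -z "${HOST_UID:-}" ] || [ -z "${HOST_GID:-}" ]; then
    echo "Skipping fix_ownership: HOST_UID and HOST_GID not set."
    return 0
  fi
  if ! [[ "$HOST_UID" =~ ^[0-9]+$ && "$HOST_GID" =~ ^[0-9]+$ ]]; then
    echo "Skipping fix_ownership: HOST_UID/HOST_GID not numeric (got '${HOST_UID}:${HOST_GID}')." >&2
    return 0
  fi
  local dir
  for dir in bin release f469-disco/micropython/mpy-cross bootloader; do
    [ -e "$dir" ] || continue
    # best-effort on purpose: a non-root build cannot chown and that is fine
    chown -R -- "${HOST_UID}:${HOST_GID}" "$dir" 2>/dev/null || true
  done
  echo "File ownership changed to local user/group"
}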
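# Run the function(s) behind one action name.
#   all     — full build plus the image without bootloader (run_nobootloader)
#   release — same as all, minus run_nobootloader
# Single-step names map 1:1 to their function. An unknown name prints a
# diagnostic on stderr (stdout is reserved for build output such as the
# hash-to-sign box) and leaves through usage(), which exits 1.
# Arguments: $1 - action name
dispatch() {
  case "$1" in
    all)
      run_main
      run_bootloader
      run_assemble
      run_sign
      run_nobootloader
      run_hash
      fix_ownership
      ;;
    release)
      run_main
      run_bootloader
      run_assemble
      run_sign
      run_hash
      fix_ownership
      ;;
    main)         run_main ;;
    bootloader)   run_bootloader ;;
    assemble)     run_assemble ;;
    nobootloader) run_nobootloader ;;
    sign)         run_sign ;;
    hash)         run_hash ;;
    ownership)    fix_ownership ;;
    *)
      printf 'Unknown action: %s\n' "$1" >&2
      usage
      ;;
  esac
}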
# Run every requested action in command-line order; dispatch leaves through
# usage() (exit 1) on the first unknown name.
for (( i = 0; i < ${#ACTIONS[@]}; i++ )); do
  dispatch "${ACTIONS[i]}"
done