Skip to content

feat: replace cosi with regular multisig #4

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Jul 21, 2025
Merged

feat: replace cosi with regular multisig #4

merged 1 commit into from
Jul 21, 2025

Conversation

TychoVrahe
Copy link

CoSi is removed, replaced by regular multisig.

Sigmask is moved to protected area, means it is signed, this signers commit to who the other signer is.

imgtool is modified to support sigmask TLV. Otherwise it crashes when imgtool dumpinfo is ran on the binary.

@TychoVrahe TychoVrahe self-assigned this Jul 16, 2025
@github-project-automation github-project-automation bot moved this to 🔎 Needs review in Firmware Jul 16, 2025
@TychoVrahe TychoVrahe requested review from cepetr and matejcik July 16, 2025 11:25
cepetr
cepetr approved these changes Jul 18, 2025
View reviewed changes
Copy link

@cepetr cepetr left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good to me. I built it, but not tested it.

@TychoVrahe TychoVrahe merged commit 7d53d4f into trezor-v2.1.0-ncs3 Jul 21, 2025
1 of 61 checks passed
@github-project-automation github-project-automation bot moved this from 🔎 Needs review to 🤝 Needs QA in Firmware Jul 21, 2025
matejcik
matejcik reviewed Jul 21, 2025
View reviewed changes
boot/bootutil/src/image_validate.c
ed25519_public_key pub;
if (true != compute_pubkey(BOOTLOADER_KEY_M, BOOTLOADER_KEY_N, BOOTLOADER_KEYS, sigmask, pub))
{
int sig0_idx = sigmask & (1 << 0) ? 0 : 1;
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This sigmask handling is wrong: it assumes that there are exactly two out of the first three bits signed and nothing else.
sigmask is part of the signed data so we really have to honor what the signers are commiting to.

the code as written still works if we verify the assumptions, that is:

  • __builtin_popcount(sigmask) == BOOTLOADER_KEY_M
  • bits above BOOTLOADER_KEY_N are zero, so ... sigmask & ~((1 << BOOTLOADER_KEY_N) - 1) == 0 ? i think

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

(of course we shouldn't use BOOTLOADER_KEY_M because we're hardcoding the data structures for exactly two signatures; we should still use BOOTLOADER_KEY_N and _Static_assert(BOOTLOADER_KEY_N >= 2))

@TychoVrahe TychoVrahe mentioned this pull request Jul 21, 2025
Merged
@STew790 STew790 moved this from 🤝 Needs QA to ✅ Approved in Firmware Sep 1, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@matejcik matejcik matejcik left review comments

@cepetr cepetr cepetr approved these changes

Assignees

@TychoVrahe TychoVrahe

Labels
None yet
Projects
Firmware
Status: Approved
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@TychoVrahe @matejcik @cepetr