python/debuglink: prevent race with recovery homescreen eating debuglink decisions

python/src/trezorlib/debuglink.py

@@ -181,6 +181,27 @@ class DebugUI:
 
     def button_request(self, code):
         if self.input_flow is None:
+            # XXX
+            # On Trezor T, in some rare cases, two layouts may be queuing for events at
+            # the same time.  A new workflow will first send out a ButtonRequest, wait
+            # for a ButtonAck, and only then display a layout (closing the old one).
+            # That means that if a layout that accepts debuglink decisions is currently
+            # on screen, it has a good chance of accepting the following `press_yes`
+            # before it can be closed by the newly open layout from the new workflow.
+            #
+            # This happens in particular when the recovery homescreen is on, because
+            # it is a homescreen that accepts debuglink decisions.
+            #
+            # To prevent the issue, we insert a `wait_layout`, which on TT will only
+            # return after the screen is refreshed, so we are certain that the new
+            # layout is on. On T1 it is a no-op.
+            #
+            # This could run into trouble if some workflow asks for a ButtonRequest
+            # without refreshing the screen.
+            # This will also freeze on old bridges, where Read and Write are not
+            # separate operations, because it relies on ButtonAck being sent without
+            # waiting for a response.
+            self.debuglink.wait_layout()
             self.debuglink.press_yes()
         elif self.input_flow is self.INPUT_FLOW_DONE:
             raise AssertionError("input flow ended prematurely")