diff --git a/build-docker.sh b/build-docker.sh index 06a3bcb61..3d51a1d5e 100755 --- a/build-docker.sh +++ b/build-docker.sh @@ -7,7 +7,7 @@ CONTAINER_NAME=${CONTAINER_NAME:-trezor-firmware-env.nix} ALPINE_CDN=${ALPINE_CDN:-http://dl-cdn.alpinelinux.org/alpine} ALPINE_RELEASE=${ALPINE_RELEASE:-3.12} ALPINE_ARCH=${ALPINE_ARCH:-x86_64} -ALPINE_VERSION=${ALPINE_VERSION:-3.12.0} +ALPINE_VERSION=${ALPINE_VERSION:-3.12.3} CONTAINER_FS_URL=${CONTAINER_FS_URL:-"$ALPINE_CDN/v$ALPINE_RELEASE/releases/$ALPINE_ARCH/alpine-minirootfs-$ALPINE_VERSION-$ALPINE_ARCH.tar.gz"} TAG=${1:-master} @@ -16,7 +16,7 @@ PRODUCTION=${PRODUCTION:-1} MEMORY_PROTECT=${MEMORY_PROTECT:-1} wget --no-config -nc -P ci/ "$CONTAINER_FS_URL" -docker build -t "$CONTAINER_NAME" ci/ +docker build --platform "linux/$ALPINE_ARCH" --build-arg ALPINE_VERSION="$ALPINE_VERSION" --build-arg ALPINE_ARCH="$ALPINE_ARCH" -t "$CONTAINER_NAME" ci/ # stat under macOS has slightly different cli interface USER=$(stat -c "%u" . 2>/dev/null || stat -f "%u" .) @@ -54,7 +54,7 @@ for BITCOIN_ONLY in 0 1; do chown -R $USER:$GROUP /build EOF - docker run -it --rm \ + docker run --platform "linux/$ALPINE_ARCH" -it --rm \ -v "$DIR:/local" \ -v "$DIR/build/core$DIRSUFFIX":/build:z \ --env BITCOIN_ONLY="$BITCOIN_ONLY" \ @@ -94,7 +94,7 @@ for BITCOIN_ONLY in 0 1; do chown -R $USER:$GROUP /build EOF - docker run -it --rm \ + docker run --platform "linux/$ALPINE_ARCH" -it --rm \ -v "$DIR:/local" \ -v "$DIR/build/legacy$DIRSUFFIX":/build:z \ --env BITCOIN_ONLY="$BITCOIN_ONLY" \ diff --git a/ci/Dockerfile b/ci/Dockerfile index c2eba49e6..471935dfa 100644 --- a/ci/Dockerfile +++ b/ci/Dockerfile 
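Review bot: The rootfs tarball fetched by `wget --no-config -nc -P ci/ "$CONTAINER_FS_URL"`, just above the changed `docker build` line in build-docker.sh, is never verified. The default `ALPINE_CDN` is plain `http://`, and no digest is checked before ci/Dockerfile `ADD`s the archive as the root filesystem of the firmware build image. `-nc` also means a file already present in `ci/` under that name is reused as-is. Pin the expected digest per version and architecture and verify it before building, e.g. `echo "$ALPINE_SHA256  ci/alpine-minirootfs-$ALPINE_VERSION-$ALPINE_ARCH.tar.gz" | sha256sum -c -` (`ALPINE_SHA256` is a name made up for this note; macOS would need `shasum -a 256 -c -`), and default the CDN to `https://`. The same unverified download is in the `script:` section of ci/environment.yml, where the resulting image is pushed as `:latest`.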
@@ -1,8 +1,9 @@ # install the latest Alpine linux from scratch FROM scratch -ARG ALPINE_VERSION=3.12.0 -ADD alpine-minirootfs-${ALPINE_VERSION}-x86_64.tar.gz / +ARG ALPINE_VERSION=3.12.3 +ARG ALPINE_ARCH=x86_64 +ADD alpine-minirootfs-${ALPINE_VERSION}-${ALPINE_ARCH}.tar.gz / # the following is adapted from https://github.com/NixOS/docker/blob/master/Dockerfile @@ -11,16 +12,16 @@ RUN apk add --no-cache --update openssl \ && echo hosts: dns files > /etc/nsswitch.conf # Download Nix and install it into the system. -ARG NIX_VERSION=2.3.6 -RUN wget https://nixos.org/releases/nix/nix-${NIX_VERSION}/nix-${NIX_VERSION}-x86_64-linux.tar.xz \ - && tar xf nix-${NIX_VERSION}-x86_64-linux.tar.xz \ +ARG NIX_VERSION=2.3.10 +RUN wget https://nixos.org/releases/nix/nix-${NIX_VERSION}/nix-${NIX_VERSION}-${ALPINE_ARCH}-linux.tar.xz \ + && tar xf nix-${NIX_VERSION}-${ALPINE_ARCH}-linux.tar.xz \ && addgroup -g 30000 -S nixbld \ && for i in $(seq 1 30); do adduser -S -D -h /var/empty -g "Nix build user $i" -u $((30000 + i)) -G nixbld nixbld$i ; done \ && mkdir -m 0755 /etc/nix \ && echo 'sandbox = false' > /etc/nix/nix.conf \ - && mkdir -m 0755 /nix && USER=root sh nix-${NIX_VERSION}-x86_64-linux/install \ + && mkdir -m 0755 /nix && USER=root sh nix-${NIX_VERSION}-${ALPINE_ARCH}-linux/install \ && ln -s /nix/var/nix/profiles/default/etc/profile.d/nix.sh /etc/profile.d/ \ - && rm -r /nix-${NIX_VERSION}-x86_64-linux* \ + && rm -r /nix-${NIX_VERSION}-${ALPINE_ARCH}-linux* \ && rm -rf /var/cache/apk/* \ && /nix/var/nix/profiles/default/bin/nix-collect-garbage --delete-old \ && /nix/var/nix/profiles/default/bin/nix-store --optimise \ diff --git a/ci/environment.yml b/ci/environment.yml index 621f81020..78a19a6a5 100644 --- a/ci/environment.yml +++ b/ci/environment.yml 
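Review bot: In the `RUN wget https://nixos.org/releases/nix/...` step of ci/Dockerfile, the Nix tarball is unpacked and its `install` script is run as root without any digest check, and turning the architecture into a build arg widens the set of artifacts this applies to. TLS only protects the transfer, whereas a pinned hash ties the image to the exact tarball a maintainer reviewed. Add an `ARG NIX_SHA256` (a name made up for this note, one value per `NIX_VERSION`/`ALPINE_ARCH` pair) and insert `&& echo "${NIX_SHA256}  nix-${NIX_VERSION}-${ALPINE_ARCH}-linux.tar.xz" | sha256sum -c - \` between the `wget` and `tar xf` lines. `ALPINE_ARCH` is also reused as the Nix system prefix, which presumably only holds for names both projects share, such as `x86_64`, so a comment next to the ARG saying so would help. The RUN instruction continues past the end of the hunk.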
@@ -5,12 +5,15 @@ environment: variables: GIT_SUBMODULE_STRATEGY: none # no need to fetch submodules CONTAINER_NAME: "$CI_REGISTRY/satoshilabs/trezor/trezor-firmware/trezor-firmware-env.nix" + ALPINE_RELEASE: "3.12" + ALPINE_ARCH: "x86_64" + ALPINE_VERSION: "3.12.3" services: - docker:dind before_script: - docker login $CI_REGISTRY -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD script: - - wget -nc -P ci/ http://dl-cdn.alpinelinux.org/alpine/v3.12/releases/x86_64/alpine-minirootfs-3.12.0-x86_64.tar.gz - - docker build --tag $CONTAINER_NAME:$CI_COMMIT_SHA --tag $CONTAINER_NAME:latest --build-arg FULLDEPS_TESTING=1 ci/ + - wget -nc -P ci/ http://dl-cdn.alpinelinux.org/alpine/v$ALPINE_RELEASE/releases/$ALPINE_ARCH/alpine-minirootfs-$ALPINE_VERSION-$ALPINE_ARCH.tar.gz + - docker build --tag $CONTAINER_NAME:$CI_COMMIT_SHA --tag $CONTAINER_NAME:latest --platform "linux/$ALPINE_ARCH" --build-arg ALPINE_VERSION="$ALPINE_VERSION" --build-arg ALPINE_ARCH="$ALPINE_ARCH" --build-arg FULLDEPS_TESTING=1 ci/ - docker push $CONTAINER_NAME:$CI_COMMIT_SHA - docker push $CONTAINER_NAME:latest diff --git a/ci/shell.nix b/ci/shell.nix index b0c3059de..8454a10f2 100644 --- a/ci/shell.nix +++ b/ci/shell.nix @@ -1,10 +1,10 @@ { fullDeps ? false }: -# the last successful build of nixos-20.09 (stable) as of 2020-12-15 +# the last successful build of nixpkgs-unstable as of 2020-12-30 with import (builtins.fetchTarball { - url = "https://github.com/NixOS/nixpkgs/archive/647cc06986c1ae4a2bb05298e0cf598723e42970.tar.gz"; - sha256 = "1n1sd5lbds08vxy8x9l94w0z8bbq39fh2rrr6mnq0rmhf4xb2mj1"; + url = "https://github.com/NixOS/nixpkgs/archive/bea44d5ebe332260aa34a1bd48250b6364527356.tar.gz"; + sha256 = "14sfk04iyvyh3jl1s2wayw1y077dwpk2d712nhjk1wwfjkdq03r3"; }) { }; 
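Review bot: In `before_script` of ci/environment.yml, `docker login $CI_REGISTRY -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD` passes the registry password as a command-line argument, where it can show up in the runner's process list, and Docker itself warns against `-p`. This job pushes the image under `:latest`, so the credential is worth protecting: `echo "$CI_REGISTRY_PASSWORD" | docker login "$CI_REGISTRY" -u "$CI_REGISTRY_USER" --password-stdin`. The line is unchanged context in this hunk, so the fix can be a follow-up.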
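Review bot: The updated comment in ci/shell.nix says the pin now comes from nixpkgs-unstable but not why the environment leaves the nixos-20.09 stable channel. The commit hash and `sha256` keep the fetch itself verifiable, so this is about reviewability: every tool version in the firmware build environment changes with this one line. Record the reason next to the pin, for example `# nixpkgs-unstable needed for <package/version>; return to a stable channel once available`.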
@@ -51,11 +51,11 @@ stdenv.mkDerivation ({ pkgconfig poetry protobuf3_6 - valgrind wget zlib ] ++ stdenv.lib.optionals (!stdenv.isDarwin) [ procps + valgrind ] ++ stdenv.lib.optionals (stdenv.isDarwin) [ darwin.apple_sdk.frameworks.CoreAudio darwin.apple_sdk.frameworks.AudioToolbox diff --git a/vendor/nanopb b/vendor/nanopb index 1466e6f95..2b48a3617 160000 --- a/vendor/nanopb +++ b/vendor/nanopb @@ -1 +1 @@ -Subproject commit 1466e6f953835b191a7f5acf0c06c941d4cd33d9 +Subproject commit 2b48a361786dfb1f63d229840217a93aae064667