feat(core): add vendor headers for devices with dev bootloader

[no changelog]

core/SConscript.firmware

@@ -744,12 +744,12 @@ cmake_gen = env.Command(
 MODEL_IDENTIFIER = tools.get_model_identifier(TREZOR_MODEL)
 BOOTLOADER_SUFFIX = MODEL_IDENTIFIER
 if BOOTLOADER_QA:
-    VENDORHEADER = f'embed/vendorheader/{MODEL_IDENTIFIER}/vendorheader_qa_DO_NOT_SIGN_signed_dev.bin'
+    VENDORHEADER = f'embed/vendorheader/{MODEL_IDENTIFIER}/vendorheader_dev_DO_NOT_SIGN_signed_dev.bin'
     BOOTLOADER_SUFFIX = MODEL_IDENTIFIER + '_qa'
 elif PRODUCTION:
     VENDORHEADER = f'embed/vendorheader/{MODEL_IDENTIFIER}/vendorheader_satoshilabs_signed_prod.bin'
 elif BOOTLOADER_DEVEL:
-    VENDORHEADER = f'embed/vendorheader/{MODEL_IDENTIFIER}/vendorheader_unsafe_signed_dev.bin'
+    VENDORHEADER = f'embed/vendorheader/{MODEL_IDENTIFIER}/vendorheader_dev_DO_NOT_SIGN_signed_dev.bin'
 else:
     VENDORHEADER = f'embed/vendorheader/{MODEL_IDENTIFIER}/vendorheader_unsafe_signed_prod.bin'
 

core/SConscript.prodtest

@@ -167,7 +167,7 @@ MODEL_IDENTIFIER = tools.get_model_identifier(TREZOR_MODEL)
 if PRODUCTION:
     VENDORHEADER = f'embed/vendorheader/{MODEL_IDENTIFIER}/vendorheader_prodtest_signed_prod.bin'
 elif BOOTLOADER_DEVEL:
-    VENDORHEADER = f'embed/vendorheader/{MODEL_IDENTIFIER}/vendorheader_unsafe_signed_dev.bin'
+    VENDORHEADER = f'embed/vendorheader/{MODEL_IDENTIFIER}/vendorheader_dev_DO_NOT_SIGN_signed_dev.bin'
 else:
     VENDORHEADER = f'embed/vendorheader/{MODEL_IDENTIFIER}/vendorheader_unsafe_signed_prod.bin'
 

core/embed/vendorheader/D001/vendor_dev_DO_NOT_SIGN.json

@@ -0,0 +1,20 @@
+{
+    "header_len": 4608,
+    "text": "DEV ONLY, DO NOT USE!",
+    "hw_model": "D001",
+    "expiry": 0,
+    "version": [0, 0],
+    "sig_m": 2,
+    "trust": {
+        "allow_run_with_secret": false,
+        "show_vendor_string": false,
+        "require_user_click": false,
+        "red_background": false,
+        "delay": 0
+    },
+    "pubkeys": [
+        "e28a8970753332bd72fef413e6b0b2ef1b4aadda7aa2c141f233712a6876b351",
+        "d4eec1869fb1b8a4e817516ad5a931557cb56805c3eb16e8f3a803d647df7869",
+        "772c8a442b7db06e166cfbc1ccbcbcde6f3eba76a4e98ef3ffc519502237d6ef"
+    ]
+}

core/embed/vendorheader/D001/vendor_dev_DO_NOT_SIGN.toif

@@ -0,0 +1 @@
+./vendor_unsafe.toif

core/embed/vendorheader/T2B1/vendor_dev_DO_NOT_SIGN.json

@@ -1,6 +1,6 @@
 {
     "header_len": 4608,
-    "text": "QA ONLY, DO NOT USE!",
+    "text": "DEV ONLY, DO NOT USE!",
     "hw_model": "T2B1",
     "expiry": 0,
     "version": [0, 0],

core/embed/vendorheader/T2B1/vendor_dev_DO_NOT_SIGN.toif

@@ -0,0 +1 @@
+./vendor_satoshilabs.toif

core/embed/vendorheader/T2B1/vendor_qa_DO_NOT_SIGN.toif

@@ -1 +0,0 @@
-vendor_satoshilabs.toif

core/embed/vendorheader/T2T1/vendor_dev_DO_NOT_SIGN.json

@@ -1,6 +1,6 @@
 {
     "header_len": 4608,
-    "text": "QA ONLY, DO NOT USE!",
+    "text": "DEV ONLY, DO NOT USE!",
     "hw_model": null,
     "expiry": 0,
     "version": [0, 0],

core/embed/vendorheader/T2T1/vendor_dev_DO_NOT_SIGN.toif

@@ -0,0 +1 @@
+./vendor_satoshilabs.toif

core/embed/vendorheader/T2T1/vendor_qa_DO_NOT_SIGN.toif

@@ -1 +0,0 @@
-vendor_satoshilabs.toif

core/embed/vendorheader/generate.sh

@@ -20,6 +20,7 @@ MODELS=(T2T1 T2B1 D001)
 
 for MODEL in ${MODELS[@]}; do
     cd $MODEL
+    echo "Generating vendor headers for $MODEL"
     # construct all vendor headers
     for fn in *.json; do
         name=$(echo $fn | sed 's/vendor_\(.*\)\.json/\1/')
@@ -29,7 +30,7 @@ for MODEL in ${MODELS[@]}; do
     TMPDIR=$(mktemp -d)
     trap "rm -rf $TMPDIR" EXIT
     # sign dev and QA vendor header
-    for name in unsafe qa_DO_NOT_SIGN; do
+    for name in unsafe dev_DO_NOT_SIGN; do
         SRC_NAME="vendorheader_${name}_unsigned.bin"
         DEST_NAME="vendorheader_${name}_signed_dev.bin"
         if [ ! -f "$SRC_NAME" ]; then