feat(core/bootloader): only allow confirm-less firmware installation for full-trust images

3 weeks ago · 996aeca2c0
parent 89fdaed31e
commit 996aeca2c0
10 changed files with 35 additions and 11 deletions
--- a/core/embed/bootloader/.changelog.d/3709.changed
+++ b/core/embed/bootloader/.changelog.d/3709.changed
@ -0,0 +1 @@
+Require confirmation when installing non-full trust firmware image on empty device
--- a/core/embed/bootloader/bootui.c
+++ b/core/embed/bootloader/bootui.c
@ -211,14 +211,17 @@ uint32_t ui_screen_menu(secbool firmware_present) {
 uint32_t ui_screen_install_confirm(const vendor_header *const vhdr,
                                   const image_header *const hdr,
                                   secbool should_keep_seed,
-                                   secbool is_newvendor, int version_cmp) {
+                                   secbool is_newvendor, secbool is_newinstall,
+                                   int version_cmp) {
  uint8_t fingerprint[32];
  char ver_str[64];
  get_image_fingerprint(hdr, fingerprint);
  format_ver("%d.%d.%d", hdr->version, ver_str, sizeof(ver_str));
  return screen_install_confirm(vhdr->vstr, vhdr->vstr_len, ver_str,
                                fingerprint, should_keep_seed == sectrue,
-                                is_newvendor == sectrue, version_cmp);
+
+                                is_newvendor == sectrue,
+                                is_newinstall == sectrue, version_cmp);
 }

 void ui_screen_install_start() {
--- a/core/embed/bootloader/bootui.h
+++ b/core/embed/bootloader/bootui.h
@ -50,7 +50,8 @@ uint32_t ui_screen_menu(secbool firmware_present);
 uint32_t ui_screen_install_confirm(const vendor_header* const vhdr,
                                   const image_header* const hdr,
                                   secbool shold_keep_seed,
-                                   secbool is_newvendor, int version_cmp);
+                                   secbool is_newvendor, secbool is_newinstall,
+                                   int version_cmp);
 void ui_screen_install_start();
 void ui_screen_install_progress_erase(int pos, int len);
 void ui_screen_install_progress_upload(int pos);
--- a/core/embed/bootloader/messages.c
+++ b/core/embed/bootloader/messages.c
@ -649,13 +649,20 @@ int process_msg_FirmwareUpload(uint8_t iface_num, uint32_t msg_size,
 #endif

      uint32_t response = INPUT_CANCEL;
-      if (sectrue == is_new || sectrue == is_ilu) {
+      if (((vhdr.vtrust & VTRUST_ALL) == VTRUST_ALL) &&
+          (sectrue == is_new || sectrue == is_ilu)) {
        // new installation or interaction less updated - auto confirm
+        // only allowed for full-trust images
        response = INPUT_CONFIRM;
      } else {
-        int version_cmp = version_compare(hdr.version, current_hdr->version);
-        response = ui_screen_install_confirm(&vhdr, &hdr, should_keep_seed,
-                                             is_newvendor, version_cmp);
+        if (!is_new) {
+          int version_cmp = version_compare(hdr.version, current_hdr->version);
+          response = ui_screen_install_confirm(
+              &vhdr, &hdr, should_keep_seed, is_newvendor, is_new, version_cmp);
+        } else {
+          response = ui_screen_install_confirm(&vhdr, &hdr, true, is_newvendor,
+                                               is_new, 0);
+        }
      }

      if (INPUT_CANCEL == response) {
--- a/core/embed/rust/rust_ui_bootloader.h
+++ b/core/embed/rust/rust_ui_bootloader.h
@ -4,7 +4,7 @@ uint32_t screen_install_confirm(const char* vendor_str, uint8_t vendor_str_len,
                                const char* version_str,
                                const uint8_t* fingerprint,
                                bool should_keep_seed, bool is_newvendor,
-                                int version_cmp);
+                                bool is_newinstall, int version_cmp);
 uint32_t screen_wipe_confirm(void);
 void screen_install_progress(int16_t progress, bool initialize,
                             bool initial_setup);
--- a/core/embed/rust/src/ui/api/bootloader_c.rs
+++ b/core/embed/rust/src/ui/api/bootloader_c.rs
@ -39,6 +39,7 @@ extern "C" fn screen_install_confirm(
    fingerprint: *const cty::uint8_t,
    should_keep_seed: bool,
    is_newvendor: bool,
+    is_newinstall: bool,
    version_cmp: cty::c_int,
 ) -> u32 {
    let text = unwrap!(unsafe { from_c_array(vendor_str, vendor_str_len as usize) });
@ -57,6 +58,7 @@ extern "C" fn screen_install_confirm(
        fingerprint_str,
        should_keep_seed,
        is_newvendor,
+        is_newinstall,
        version_cmp,
    )
 }
--- a/core/embed/rust/src/ui/model_mercury/bootloader/mod.rs
+++ b/core/embed/rust/src/ui/model_mercury/bootloader/mod.rs
@ -149,6 +149,7 @@ impl UIFeaturesBootloader for ModelMercuryFeatures {
        fingerprint: &str,
        should_keep_seed: bool,
        is_newvendor: bool,
+        is_newinstall: bool,
        version_cmp: i32,
    ) -> u32 {
        let mut version_str: BootloaderString = String::new();
@ -157,7 +158,9 @@ impl UIFeaturesBootloader for ModelMercuryFeatures {
        unwrap!(version_str.push_str("\nby "));
        unwrap!(version_str.push_str(vendor));

-        let title_str = if is_newvendor {
+        let title_str = if is_newinstall {
+            "INSTALL FIRMWARE"
+        } else if is_newvendor {
            "CHANGE FW\nVENDOR"
        } else if version_cmp > 0 {
            "UPDATE FIRMWARE"
--- a/core/embed/rust/src/ui/model_tr/bootloader/mod.rs
+++ b/core/embed/rust/src/ui/model_tr/bootloader/mod.rs
@ -152,6 +152,7 @@ impl UIFeaturesBootloader for ModelTRFeatures {
        fingerprint: &str,
        should_keep_seed: bool,
        is_newvendor: bool,
+        is_newinstall: bool,
        version_cmp: i32,
    ) -> u32 {
        let mut version_str: BootloaderString = String::new();
@ -160,7 +161,9 @@ impl UIFeaturesBootloader for ModelTRFeatures {
        unwrap!(version_str.push_str("\nby "));
        unwrap!(version_str.push_str(vendor));

-        let title_str = if is_newvendor {
+        let title_str = if is_newinstall {
+            "INSTALL FIRMWARE"
+        } else if is_newvendor {
            "CHANGE FW VENDOR"
        } else if version_cmp > 0 {
            "UPDATE FIRMWARE"
--- a/core/embed/rust/src/ui/model_tt/bootloader/mod.rs
+++ b/core/embed/rust/src/ui/model_tt/bootloader/mod.rs
@ -147,6 +147,7 @@ impl UIFeaturesBootloader for ModelTTFeatures {
        fingerprint: &str,
        should_keep_seed: bool,
        is_newvendor: bool,
+        is_newinstall: bool,
        version_cmp: i32,
    ) -> u32 {
        let mut version_str: BootloaderString = String::new();
@ -155,7 +156,9 @@ impl UIFeaturesBootloader for ModelTTFeatures {
        unwrap!(version_str.push_str("\nby "));
        unwrap!(version_str.push_str(vendor));

-        let title_str = if is_newvendor {
+        let title_str = if is_newinstall {
+            "INSTALL FIRMWARE"
+        } else if is_newvendor {
            "CHANGE FW\nVENDOR"
        } else if version_cmp > 0 {
            "UPDATE FIRMWARE"
--- a/core/embed/rust/src/ui/ui_features.rs
+++ b/core/embed/rust/src/ui/ui_features.rs
@ -30,6 +30,7 @@ pub trait UIFeaturesBootloader {
        fingerprint: &str,
        should_keep_seed: bool,
        is_newvendor: bool,
+        is_newinstall: bool,
        version_cmp: i32,
    ) -> u32;
				`@ -0,0 +1 @@`
				`Require confirmation when installing non-full trust firmware image on empty device`