diff --git a/core/embed/bootloader/.changelog.d/3709.changed b/core/embed/bootloader/.changelog.d/3709.changed new file mode 100644 index 000000000..1fdc1564d --- /dev/null +++ b/core/embed/bootloader/.changelog.d/3709.changed @@ -0,0 +1 @@ +Require confirmation when installing non-full trust firmware image on empty device diff --git a/core/embed/bootloader/bootui.c b/core/embed/bootloader/bootui.c index ae5937073..3555189b9 100644 --- a/core/embed/bootloader/bootui.c +++ b/core/embed/bootloader/bootui.c @@ -211,14 +211,17 @@ uint32_t ui_screen_menu(secbool firmware_present) { uint32_t ui_screen_install_confirm(const vendor_header *const vhdr, const image_header *const hdr, secbool should_keep_seed, - secbool is_newvendor, int version_cmp) { + secbool is_newvendor, secbool is_newinstall, + int version_cmp) { uint8_t fingerprint[32]; char ver_str[64]; get_image_fingerprint(hdr, fingerprint); format_ver("%d.%d.%d", hdr->version, ver_str, sizeof(ver_str)); return screen_install_confirm(vhdr->vstr, vhdr->vstr_len, ver_str, fingerprint, should_keep_seed == sectrue, - is_newvendor == sectrue, version_cmp); + + is_newvendor == sectrue, + is_newinstall == sectrue, version_cmp); } void ui_screen_install_start() { diff --git a/core/embed/bootloader/bootui.h b/core/embed/bootloader/bootui.h index c63a6ffa3..dad75d0e5 100644 --- a/core/embed/bootloader/bootui.h +++ b/core/embed/bootloader/bootui.h @@ -50,7 +50,8 @@ uint32_t ui_screen_menu(secbool firmware_present); uint32_t ui_screen_install_confirm(const vendor_header* const vhdr, const image_header* const hdr, secbool shold_keep_seed, - secbool is_newvendor, int version_cmp); + secbool is_newvendor, secbool is_newinstall, + int version_cmp); void ui_screen_install_start(); void ui_screen_install_progress_erase(int pos, int len); void ui_screen_install_progress_upload(int pos); diff --git a/core/embed/bootloader/messages.c b/core/embed/bootloader/messages.c index 084884d8b..0b152549f 100644 
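Review bot: The rewritten call to `screen_install_confirm` inside `ui_screen_install_confirm` (bootui.c) gains an empty added line between `fingerprint, should_keep_seed == sectrue,` and `is_newvendor == sectrue,`, which splits the argument list for no reason; drop it so the arguments stay contiguous. Every `secbool` flag is narrowed to `bool` with `== sectrue` here, so any caller value other than `sectrue` reaches the UI as false. A one-line comment above the function would make that contract explicit for callers, for example `// flags are secbool: anything other than sectrue is shown as false`. The matching prototype in bootui.h still spells the third parameter `shold_keep_seed`, right next to the line this commit rewrites.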
--- a/core/embed/bootloader/messages.c +++ b/core/embed/bootloader/messages.c @@ -649,13 +649,20 @@ int process_msg_FirmwareUpload(uint8_t iface_num, uint32_t msg_size, #endif uint32_t response = INPUT_CANCEL; - if (sectrue == is_new || sectrue == is_ilu) { + if (((vhdr.vtrust & VTRUST_ALL) == VTRUST_ALL) && + (sectrue == is_new || sectrue == is_ilu)) { // new installation or interaction less updated - auto confirm + // only allowed for full-trust images response = INPUT_CONFIRM; } else { - int version_cmp = version_compare(hdr.version, current_hdr->version); - response = ui_screen_install_confirm(&vhdr, &hdr, should_keep_seed, - is_newvendor, version_cmp); + if (!is_new) { + int version_cmp = version_compare(hdr.version, current_hdr->version); + response = ui_screen_install_confirm( + &vhdr, &hdr, should_keep_seed, is_newvendor, is_new, version_cmp); + } else { + response = ui_screen_install_confirm(&vhdr, &hdr, true, is_newvendor, + is_new, 0); + } } if (INPUT_CANCEL == response) { diff --git a/core/embed/rust/rust_ui_bootloader.h b/core/embed/rust/rust_ui_bootloader.h index 09613cf03..7778e6c59 100644 --- a/core/embed/rust/rust_ui_bootloader.h +++ b/core/embed/rust/rust_ui_bootloader.h @@ -4,7 +4,7 @@ uint32_t screen_install_confirm(const char* vendor_str, uint8_t vendor_str_len, const char* version_str, const uint8_t* fingerprint, bool should_keep_seed, bool is_newvendor, - int version_cmp); + bool is_newinstall, int version_cmp); uint32_t screen_wipe_confirm(void); void screen_install_progress(int16_t progress, bool initialize, bool initial_setup); diff --git a/core/embed/rust/src/ui/api/bootloader_c.rs b/core/embed/rust/src/ui/api/bootloader_c.rs index 9eac86cd2..10f437c5e 100644 --- a/core/embed/rust/src/ui/api/bootloader_c.rs +++ b/core/embed/rust/src/ui/api/bootloader_c.rs 
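Review bot: The new-install branch in messages.c passes the C literal `true` for the `secbool should_keep_seed` parameter, and `ui_screen_install_confirm` forwards it as `should_keep_seed == sectrue` (bootui.c hunk), so unless `sectrue` happens to equal 1 the confirmation screen receives `false` and may describe the install as one that does not keep the seed. Pass an explicit secbool instead, `response = ui_screen_install_confirm(&vhdr, &hdr, sectrue, is_newvendor, is_new, 0);` (or `secfalse`, if that is the wording intended for an empty device). The same hunk tests `if (!is_new)` although the condition a few lines above compares `sectrue == is_new`; `if (sectrue != is_new)` keeps the explicit secbool comparison on the check that decides whether `version_compare` against `current_hdr` is skipped. The body of `process_msg_FirmwareUpload` starts and ends outside this hunk, so the declarations of `is_new` and `current_hdr` are not visible here.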
@@ -39,6 +39,7 @@ extern "C" fn screen_install_confirm( fingerprint: *const cty::uint8_t, should_keep_seed: bool, is_newvendor: bool, + is_newinstall: bool, version_cmp: cty::c_int, ) -> u32 { let text = unwrap!(unsafe { from_c_array(vendor_str, vendor_str_len as usize) }); @@ -57,6 +58,7 @@ extern "C" fn screen_install_confirm( fingerprint_str, should_keep_seed, is_newvendor, + is_newinstall, version_cmp, ) } diff --git a/core/embed/rust/src/ui/model_mercury/bootloader/mod.rs b/core/embed/rust/src/ui/model_mercury/bootloader/mod.rs index f65f726f5..1ddbe1b08 100644 --- a/core/embed/rust/src/ui/model_mercury/bootloader/mod.rs +++ b/core/embed/rust/src/ui/model_mercury/bootloader/mod.rs @@ -149,6 +149,7 @@ impl UIFeaturesBootloader for ModelMercuryFeatures { fingerprint: &str, should_keep_seed: bool, is_newvendor: bool, + is_newinstall: bool, version_cmp: i32, ) -> u32 { let mut version_str: BootloaderString = String::new(); @@ -157,7 +158,9 @@ impl UIFeaturesBootloader for ModelMercuryFeatures { unwrap!(version_str.push_str("\nby ")); unwrap!(version_str.push_str(vendor)); - let title_str = if is_newvendor { + let title_str = if is_newinstall { + "INSTALL FIRMWARE" + } else if is_newvendor { "CHANGE FW\nVENDOR" } else if version_cmp > 0 { "UPDATE FIRMWARE" diff --git a/core/embed/rust/src/ui/model_tr/bootloader/mod.rs b/core/embed/rust/src/ui/model_tr/bootloader/mod.rs index 93cb79e3c..64cf8e517 100644 --- a/core/embed/rust/src/ui/model_tr/bootloader/mod.rs +++ b/core/embed/rust/src/ui/model_tr/bootloader/mod.rs @@ -152,6 +152,7 @@ impl UIFeaturesBootloader for ModelTRFeatures { fingerprint: &str, should_keep_seed: bool, is_newvendor: bool, + is_newinstall: bool, version_cmp: i32, ) -> u32 { let mut version_str: BootloaderString = String::new(); 
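Review bot: The new `is_newinstall` arm comes first in the `title_str` chain of the model_mercury `bootloader/mod.rs` hunk, so on a fresh install `is_newvendor` and `version_cmp` no longer influence the title, while the rest of `screen_install_confirm` (outside the hunk) may still branch on `is_newvendor` and `should_keep_seed` for the body text. A comment stating that precedence would help, for example `// empty device: title ignores is_newvendor/version_cmp (caller passes version_cmp = 0)`. The identical three-line change is repeated in the model_tr and model_tt hunks, and only the vendor-change string differs between models, so the selection could live in one shared helper that takes the model's vendor-change title. That would keep the wording of this security prompt from drifting between models.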
@@ -160,7 +161,9 @@ impl UIFeaturesBootloader for ModelTRFeatures { unwrap!(version_str.push_str("\nby ")); unwrap!(version_str.push_str(vendor)); - let title_str = if is_newvendor { + let title_str = if is_newinstall { + "INSTALL FIRMWARE" + } else if is_newvendor { "CHANGE FW VENDOR" } else if version_cmp > 0 { "UPDATE FIRMWARE" diff --git a/core/embed/rust/src/ui/model_tt/bootloader/mod.rs b/core/embed/rust/src/ui/model_tt/bootloader/mod.rs index 57b88c8d4..3497acf37 100644 --- a/core/embed/rust/src/ui/model_tt/bootloader/mod.rs +++ b/core/embed/rust/src/ui/model_tt/bootloader/mod.rs @@ -147,6 +147,7 @@ impl UIFeaturesBootloader for ModelTTFeatures { fingerprint: &str, should_keep_seed: bool, is_newvendor: bool, + is_newinstall: bool, version_cmp: i32, ) -> u32 { let mut version_str: BootloaderString = String::new(); @@ -155,7 +156,9 @@ impl UIFeaturesBootloader for ModelTTFeatures { unwrap!(version_str.push_str("\nby ")); unwrap!(version_str.push_str(vendor)); - let title_str = if is_newvendor { + let title_str = if is_newinstall { + "INSTALL FIRMWARE" + } else if is_newvendor { "CHANGE FW\nVENDOR" } else if version_cmp > 0 { "UPDATE FIRMWARE" diff --git a/core/embed/rust/src/ui/ui_features.rs b/core/embed/rust/src/ui/ui_features.rs index 2089d05e6..a733313e4 100644 --- a/core/embed/rust/src/ui/ui_features.rs +++ b/core/embed/rust/src/ui/ui_features.rs @@ -30,6 +30,7 @@ pub trait UIFeaturesBootloader { fingerprint: &str, should_keep_seed: bool, is_newvendor: bool, + is_newinstall: bool, version_cmp: i32, ) -> u32;
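Review bot: `screen_install_confirm` on `UIFeaturesBootloader` (ui_features.rs hunk) now takes three consecutive `bool` parameters, `should_keep_seed`, `is_newvendor` and `is_newinstall`, with no doc comment visible in the hunk. The same positional order is matched by hand in the `extern "C"` wrapper in bootloader_c.rs and in the prototype in rust_ui_bootloader.h, so a transposed flag compiles cleanly and only shows up as a wrong confirmation screen. Add a doc comment on the trait method that names each flag and its precedence, e.g. `/// is_newinstall: no firmware currently installed (assumed from the caller); takes precedence over is_newvendor and version_cmp`. The trait definition starts and ends outside this hunk.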