From a3d2ff6f863fb627a43793d131d5f26703bcfe5e Mon Sep 17 00:00:00 2001
From: matejcik
Date: Mon, 18 Dec 2023 15:08:59 +0100
Subject: [PATCH 1/5] tmp: use unsigned prodtest header for reproducible build of the prodtest binary
---
 core/SConscript.prodtest | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/core/SConscript.prodtest b/core/SConscript.prodtest
index 7e66eb938d..33d4946f8d 100644
--- a/core/SConscript.prodtest
+++ b/core/SConscript.prodtest
@@ -188,7 +188,7 @@ obj_program.extend(env.Object(source=SOURCE_HAL))
 MODEL_IDENTIFIER = tools.get_model_identifier(TREZOR_MODEL)
 if PRODUCTION:
- VENDORHEADER = f'embed/vendorheader/{MODEL_IDENTIFIER}/vendorheader_prodtest_signed_prod.bin'
+ VENDORHEADER = f'embed/vendorheader/{MODEL_IDENTIFIER}/vendorheader_prodtest_unsigned.bin'
 elif BOOTLOADER_DEVEL:
 VENDORHEADER = f'embed/vendorheader/{MODEL_IDENTIFIER}/vendorheader_dev_DO_NOT_SIGN_signed_dev.bin'
 else:
From 8c7fc459915e1da7ce477cdc722bbe3ea9af84a8 Mon Sep 17 00:00:00 2001
From: matejcik
Date: Wed, 20 Dec 2023 09:46:35 +0100
Subject: [PATCH 2/5] Revert "tmp: use unsigned prodtest header for reproducible build of the prodtest binary"
This reverts commit a3d2ff6f863fb627a43793d131d5f26703bcfe5e.
---
 core/SConscript.prodtest | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/core/SConscript.prodtest b/core/SConscript.prodtest
index 33d4946f8d..7e66eb938d 100644
--- a/core/SConscript.prodtest
+++ b/core/SConscript.prodtest
@@ -188,7 +188,7 @@ obj_program.extend(env.Object(source=SOURCE_HAL))
 MODEL_IDENTIFIER = tools.get_model_identifier(TREZOR_MODEL)
 if PRODUCTION:
- VENDORHEADER = f'embed/vendorheader/{MODEL_IDENTIFIER}/vendorheader_prodtest_unsigned.bin'
+ VENDORHEADER = f'embed/vendorheader/{MODEL_IDENTIFIER}/vendorheader_prodtest_signed_prod.bin'
 elif BOOTLOADER_DEVEL:
 VENDORHEADER = f'embed/vendorheader/{MODEL_IDENTIFIER}/vendorheader_dev_DO_NOT_SIGN_signed_dev.bin'
 else:
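Review bot: In PATCH 1/5 the `if PRODUCTION:` branch of core/SConscript.prodtest points `VENDORHEADER` at `vendorheader_prodtest_unsigned.bin` with nothing on the line saying the change is temporary, so a build of that commit with PRODUCTION set would, judging by the file name, embed a vendor header that carries no production signatures. Only the "tmp:" subject and the revert in PATCH 2/5 record the intent, and neither is visible to someone reading the file or landing on that commit while bisecting. I would mark the line itself, e.g. `# TEMPORARY: unsigned header for reproducible-build comparison only; restore vendorheader_prodtest_signed_prod.bin before release`. The if/elif/else chain continues past the end of the hunk, so the `else:` branch is not visible here.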
From 8f197672858b14b1adc9163b680bdb76b4d323eb Mon Sep 17 00:00:00 2001 From: matejcik Date: Wed, 20 Dec 2023 09:46:52 +0100 Subject: [PATCH 3/5] chore(core): include production-signed prodtest vendor header --- .../T2B1/vendorheader_prodtest_signed_prod.bin | Bin 0 -> 512 bytes 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 core/embed/vendorheader/T2B1/vendorheader_prodtest_signed_prod.bin diff --git a/core/embed/vendorheader/T2B1/vendorheader_prodtest_signed_prod.bin b/core/embed/vendorheader/T2B1/vendorheader_prodtest_signed_prod.bin new file mode 100644 index 0000000000000000000000000000000000000000..028e040c3d6f70515caf66fefcf507ef0662412b GIT binary patch literal 512 zcmWFuiV9<3Vt@cfCZ_uTAx2JyP(G02;Wl(=5!)-*XxCUe^RN;3_tMvL63!-Gf*gO} zl*hl*d>gxZIoHgqC&ZrJ*mv;II_d5E8hqZ~-siNhTvhQ@n4pqms9&(7o2!n3o1=4x ze^8`Ch-+|&g1?_nBm+Z;zo)wdg9L*S(4OQ32WI&n8#md1P`2>M5nw*%n8d8f;gotf zWI^H%nKLO8jYm^bEO|Z`?qXm5yYQDd8^VbrnZ>Lcb#En$`s!#+rzuvOS4{o%L-$0+ zw^_ToPVCq;-=dE9%PUj%MXdj)AJUgybnUwJ0d>~ Date: Wed, 20 Dec 2023 10:21:22 +0100 Subject: [PATCH 4/5] chore(core/prodtest): bump version after release --- core/embed/prodtest/CHANGELOG.md | 12 ++++++++++++ core/embed/prodtest/version.h | 2 +- 2 files changed, 13 insertions(+), 1 deletion(-) diff --git a/core/embed/prodtest/CHANGELOG.md b/core/embed/prodtest/CHANGELOG.md index 4b3881b1df..0cb3e02723 100644 --- a/core/embed/prodtest/CHANGELOG.md +++ b/core/embed/prodtest/CHANGELOG.md @@ -1,4 +1,16 @@ +## 0.2.4 [20th December 2023] + +### Added + +- [T2B1] `SEC READ` to read out value of SEC counter. +- [T2B1] Check certificate chain upon `CERTDEV READ`, to block bad Optiga signatures + from being written to device. + +### Fixed + +- [T2B1] Improve Optiga metadata handling. + ## 0.2.3 [06th October 2023] ### Added diff --git a/core/embed/prodtest/version.h b/core/embed/prodtest/version.h index ab8bf250c2..904fdd76f3 100644 --- a/core/embed/prodtest/version.h +++ b/core/embed/prodtest/version.h 
@@ -1,6 +1,6 @@
 #define VERSION_MAJOR 0
 #define VERSION_MINOR 2
-#define VERSION_PATCH 4
+#define VERSION_PATCH 5
 #define VERSION_BUILD 0
 #define FIX_VERSION_MAJOR 0
From c018bc0e32ef53e9525b434e21bed837bc758983 Mon Sep 17 00:00:00 2001
From: matejcik
Date: Wed, 20 Dec 2023 10:25:38 +0100
Subject: [PATCH 5/5] ci: include prodtest in changelog checker
---
 ci/check_changelog.sh | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/ci/check_changelog.sh b/ci/check_changelog.sh
index 03618fb73a..b6662e8a23 100755
--- a/ci/check_changelog.sh
+++ b/ci/check_changelog.sh
@@ -4,7 +4,15 @@ set -u
 base_branch=main
 fail=0
-subdirs="core core/embed/boardloader core/embed/bootloader core/embed/bootloader_ci legacy/bootloader legacy/firmware legacy/intermediate_fw python"
+subdirs="core
+ core/embed/boardloader
+ core/embed/bootloader
+ core/embed/bootloader_ci
+ core/embed/prodtest
+ legacy/bootloader
+ legacy/firmware
+ legacy/intermediate_fw
+ python"
 # $ignored_files is a newline-separated list of patterns for grep
 # therefore there must not be empty lines at start or end
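Review bot: The multi-line `subdirs` value in ci/check_changelog.sh now contains newlines and leading indentation, so the check keeps working only if every use expands `$subdirs` unquoted and lets the shell split it on whitespace. The code that consumes it is outside this hunk, so that is worth confirming before relying on the new `core/embed/prodtest` entry being checked. The comment directly below describes `$ignored_files` as a newline-separated grep pattern list where empty lines matter, and a reader can easily assume the same rules apply to `subdirs`. A one-line comment above the assignment would separate the two, e.g. `# whitespace-separated list of directories, one per line for readable diffs`.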