diff --git a/core/embed/bootloader/.changelog.d/3709.changed b/core/embed/bootloader/.changelog.d/3709.changed new file mode 100644 index 0000000000..1fdc1564d5 --- /dev/null +++ b/core/embed/bootloader/.changelog.d/3709.changed @@ -0,0 +1 @@ +Require confirmation when installing non-full trust firmware image on empty device diff --git a/core/embed/bootloader/bootui.c b/core/embed/bootloader/bootui.c index b1d446aec4..4c9a32ebf5 100644 --- a/core/embed/bootloader/bootui.c +++ b/core/embed/bootloader/bootui.c @@ -249,14 +249,17 @@ uint32_t ui_screen_menu(secbool firmware_present) { uint32_t ui_screen_install_confirm(const vendor_header *const vhdr, const image_header *const hdr, secbool should_keep_seed, - secbool is_newvendor, int version_cmp) { + secbool is_newvendor, secbool is_newinstall, + int version_cmp) { uint8_t fingerprint[32]; char ver_str[64]; get_image_fingerprint(hdr, fingerprint); format_ver("%d.%d.%d", hdr->version, ver_str, sizeof(ver_str)); return screen_install_confirm(vhdr->vstr, vhdr->vstr_len, ver_str, fingerprint, should_keep_seed == sectrue, - is_newvendor == sectrue, version_cmp); + + is_newvendor == sectrue, + is_newinstall == sectrue, version_cmp); } void ui_screen_install_start() { diff --git a/core/embed/bootloader/bootui.h b/core/embed/bootloader/bootui.h index e7415b9504..4b29f01532 100644 --- a/core/embed/bootloader/bootui.h +++ b/core/embed/bootloader/bootui.h @@ -62,7 +62,8 @@ uint32_t ui_screen_menu(secbool firmware_present); uint32_t ui_screen_install_confirm(const vendor_header* const vhdr, const image_header* const hdr, secbool shold_keep_seed, - secbool is_newvendor, int version_cmp); + secbool is_newvendor, secbool is_newinstall, + int version_cmp); void ui_screen_install_start(); void ui_screen_install_progress_erase(int pos, int len); void ui_screen_install_progress_upload(int pos); diff --git a/core/embed/bootloader/messages.c b/core/embed/bootloader/messages.c index 9e9f92af23..58fdce13b5 100644 
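Review bot: `ui_screen_install_confirm` now takes three adjacent `secbool` flags (`should_keep_seed`, `is_newvendor`, `is_newinstall`), each narrowed to `bool` and passed positionally to `screen_install_confirm`, so a transposed argument would compile silently and change which confirmation title the user sees. A short comment above the function naming each flag would help, e.g. `// is_newinstall: sectrue when no firmware is installed yet (empty device)`. The added argument lines also seem to begin with an empty `+` line before `is_newvendor == sectrue,`; if that is not an artefact of this page's collapsed layout, it should be dropped.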
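Review bot: The prototype spells the third parameter `shold_keep_seed`, while the definition in bootui.c uses `should_keep_seed`. Since the commit already rewrites the next line of this declaration, correcting the name here keeps header and definition in agreement: `secbool should_keep_seed,`.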
--- a/core/embed/bootloader/messages.c +++ b/core/embed/bootloader/messages.c @@ -673,13 +673,20 @@ int process_msg_FirmwareUpload(uint8_t iface_num, uint32_t msg_size, #endif uint32_t response = INPUT_CANCEL; - if (sectrue == is_new || sectrue == is_ilu) { + if (((vhdr.vtrust & VTRUST_NO_WARNING) == VTRUST_NO_WARNING) && + (sectrue == is_new || sectrue == is_ilu)) { // new installation or interaction less updated - auto confirm + // only allowed for full-trust images response = INPUT_CONFIRM; } else { - int version_cmp = version_compare(hdr.version, current_hdr->version); - response = ui_screen_install_confirm(&vhdr, &hdr, should_keep_seed, - is_newvendor, version_cmp); + if (sectrue != is_new) { + int version_cmp = version_compare(hdr.version, current_hdr->version); + response = ui_screen_install_confirm( + &vhdr, &hdr, should_keep_seed, is_newvendor, is_new, version_cmp); + } else { + response = ui_screen_install_confirm(&vhdr, &hdr, sectrue, + is_newvendor, is_new, 0); + } } if (INPUT_CANCEL == response) { diff --git a/core/embed/rust/rust_ui_bootloader.h b/core/embed/rust/rust_ui_bootloader.h index 8f0149585c..cdddb96a51 100644 --- a/core/embed/rust/rust_ui_bootloader.h +++ b/core/embed/rust/rust_ui_bootloader.h @@ -4,7 +4,7 @@ uint32_t screen_install_confirm(const char* vendor_str, uint8_t vendor_str_len, const char* version_str, const uint8_t* fingerprint, bool should_keep_seed, bool is_newvendor, - int version_cmp); + bool is_newinstall, int version_cmp); uint32_t screen_wipe_confirm(void); void screen_install_progress(int16_t progress, bool initialize, bool initial_setup); diff --git a/core/embed/rust/src/ui/api/bootloader_c.rs b/core/embed/rust/src/ui/api/bootloader_c.rs index a6d6b44393..30bb2524b5 100644 --- a/core/embed/rust/src/ui/api/bootloader_c.rs +++ b/core/embed/rust/src/ui/api/bootloader_c.rs 
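Review bot: The new-install call `ui_screen_install_confirm(&vhdr, &hdr, sectrue, is_newvendor, is_new, 0)` hard-codes `sectrue` for `should_keep_seed` and `0` for `version_cmp` without saying why, and the only comment in the block still describes the auto-confirm branch. Someone auditing this trust gate needs to know that the `sectrue != is_new` split exists so that `current_hdr->version` is read only when firmware is already installed, and that the two literals are placeholders for an empty device (presumably because there is no seed to lose and no version to compare against). I would add above the inner `else`: `// empty device: no current_hdr to compare with, nothing to wipe; pass should_keep_seed=sectrue, version_cmp=0`. The inner `if`/`else` can also be flattened into `} else if (sectrue != is_new) {` followed by `} else {` to drop one nesting level. The body of `process_msg_FirmwareUpload` starts and ends outside the hunk.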
@@ -40,6 +40,7 @@ extern "C" fn screen_install_confirm( fingerprint: *const cty::uint8_t, should_keep_seed: bool, is_newvendor: bool, + is_newinstall: bool, version_cmp: cty::c_int, ) -> u32 { let text = unwrap!(unsafe { from_c_array(vendor_str, vendor_str_len as usize) }); @@ -58,6 +59,7 @@ extern "C" fn screen_install_confirm( fingerprint_str, should_keep_seed, is_newvendor, + is_newinstall, version_cmp, ) } diff --git a/core/embed/rust/src/ui/model_mercury/bootloader/mod.rs b/core/embed/rust/src/ui/model_mercury/bootloader/mod.rs index 14d0c897d3..5f849615a0 100644 --- a/core/embed/rust/src/ui/model_mercury/bootloader/mod.rs +++ b/core/embed/rust/src/ui/model_mercury/bootloader/mod.rs @@ -233,6 +233,7 @@ impl UIFeaturesBootloader for ModelMercuryFeatures { fingerprint: &str, should_keep_seed: bool, is_newvendor: bool, + is_newinstall: bool, version_cmp: i32, ) -> u32 { let mut version_str: BootloaderString = String::new(); @@ -241,7 +242,9 @@ impl UIFeaturesBootloader for ModelMercuryFeatures { unwrap!(version_str.push_str("\nby ")); unwrap!(version_str.push_str(vendor)); - let title_str = if is_newvendor { + let title_str = if is_newinstall { + "INSTALL FIRMWARE" + } else if is_newvendor { "CHANGE FW\nVENDOR" } else if version_cmp > 0 { "UPDATE FIRMWARE" diff --git a/core/embed/rust/src/ui/model_tr/bootloader/mod.rs b/core/embed/rust/src/ui/model_tr/bootloader/mod.rs index fc5fa225fa..57e6bb96f8 100644 --- a/core/embed/rust/src/ui/model_tr/bootloader/mod.rs +++ b/core/embed/rust/src/ui/model_tr/bootloader/mod.rs @@ -209,6 +209,7 @@ impl UIFeaturesBootloader for ModelTRFeatures { fingerprint: &str, should_keep_seed: bool, is_newvendor: bool, + is_newinstall: bool, version_cmp: i32, ) -> u32 { let mut version_str: BootloaderString = String::new(); 
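Review bot: The title selection in the model_mercury hunk now tests `is_newinstall` before `is_newvendor`, so a first install never shows `CHANGE FW\nVENDOR` even when the caller also sets `is_newvendor`; that precedence should be stated in a comment so it reads as deliberate, e.g. `// first install wins: there is no previous vendor or version to compare against`. From the messages.c caller shown in this commit, this branch is reached on an empty device only when the image is not full-trust, yet the `INSTALL FIRMWARE` title itself does not convey that. Whether the rest of the screen does cannot be checked here, because the function continues outside the hunk. The same ordering is added in the model_tr and model_tt hunks, and the comment applies there as well.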
@@ -217,7 +218,9 @@ impl UIFeaturesBootloader for ModelTRFeatures { unwrap!(version_str.push_str("\nby ")); unwrap!(version_str.push_str(vendor)); - let title_str = if is_newvendor { + let title_str = if is_newinstall { + "INSTALL FIRMWARE" + } else if is_newvendor { "CHANGE FW VENDOR" } else if version_cmp > 0 { "UPDATE FIRMWARE" diff --git a/core/embed/rust/src/ui/model_tt/bootloader/mod.rs b/core/embed/rust/src/ui/model_tt/bootloader/mod.rs index 35a7d499dc..484fd5a7c0 100644 --- a/core/embed/rust/src/ui/model_tt/bootloader/mod.rs +++ b/core/embed/rust/src/ui/model_tt/bootloader/mod.rs @@ -224,6 +224,7 @@ impl UIFeaturesBootloader for ModelTTFeatures { fingerprint: &str, should_keep_seed: bool, is_newvendor: bool, + is_newinstall: bool, version_cmp: i32, ) -> u32 { let mut version_str: BootloaderString = String::new(); @@ -232,7 +233,9 @@ impl UIFeaturesBootloader for ModelTTFeatures { unwrap!(version_str.push_str("\nby ")); unwrap!(version_str.push_str(vendor)); - let title_str = if is_newvendor { + let title_str = if is_newinstall { + "INSTALL FIRMWARE" + } else if is_newvendor { "CHANGE FW\nVENDOR" } else if version_cmp > 0 { "UPDATE FIRMWARE" diff --git a/core/embed/rust/src/ui/ui_features.rs b/core/embed/rust/src/ui/ui_features.rs index 41e507ff54..a7f6c68f1c 100644 --- a/core/embed/rust/src/ui/ui_features.rs +++ b/core/embed/rust/src/ui/ui_features.rs @@ -51,6 +51,7 @@ pub trait UIFeaturesBootloader { fingerprint: &str, should_keep_seed: bool, is_newvendor: bool, + is_newinstall: bool, version_cmp: i32, ) -> u32;
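Review bot: The trait method `screen_install_confirm` in ui_features.rs now takes three positional `bool`s followed by `version_cmp`, and the combinations are not independent: the C caller in this commit passes `version_cmp = 0` whenever `is_newinstall` is set, and each model tests the flags in a fixed order. A small enum for the install kind would make the invalid combinations unrepresentable and remove the risk of swapping `is_newvendor` and `is_newinstall` at a call site; the FFI shim in bootloader_c.rs could build it from the C flags. Short of that, a `///` doc comment on the trait method stating each flag's meaning would help. The method's declaration starts above the hunk, so any existing documentation is not visible here.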