introduce and use memzero instead of explicit_bzero

bootloader/Makefile

@@ -8,6 +8,7 @@ OBJS += ../vendor/trezor-crypto/bignum.small.o
 OBJS += ../vendor/trezor-crypto/ecdsa.small.o
 OBJS += ../vendor/trezor-crypto/secp256k1.small.o
 OBJS += ../vendor/trezor-crypto/sha2.small.o
+OBJS += ../vendor/trezor-crypto/memzero.small.o
 
 CFLAGS += -DUSE_PRECOMPUTED_IV=0
 CFLAGS += -DUSE_PRECOMPUTED_CP=0

bootloader/usb.c

@@ -35,6 +35,7 @@
 #include "sha2.h"
 #include "ecdsa.h"
 #include "secp256k1.h"
+#include "memzero.h"
 
 #define FIRMWARE_MAGIC "TRZR"
 
@@ -402,7 +403,7 @@ static void hid_rx_callback(usbd_device *dev, uint8_t ep)
 			// restore metadata from backup
 			erase_metadata_sectors();
 			restore_metadata(meta_backup);
-			explicit_bzero(meta_backup, sizeof(meta_backup));
+			memzero(meta_backup, sizeof(meta_backup));
 
 			// compare against known hash computed via the following Python3 script:
 			// hashlib.sha256(binascii.unhexlify('0F5A693C' * 8192)).hexdigest()
@@ -599,7 +600,7 @@ static void hid_rx_callback(usbd_device *dev, uint8_t ep)
 		// 2) firmware restore flag isn't set
 		// 3) signatures are not ok
 		if (old_was_unsigned || (flags & 0x01) == 0 || !signatures_ok(NULL)) {
-			explicit_bzero(meta_backup, sizeof(meta_backup));
+			memzero(meta_backup, sizeof(meta_backup));
 		}
 		// copy new firmware header
 		memcpy(meta_backup, (void *)FLASH_META_START, FLASH_META_DESC_LEN);
@@ -607,12 +608,12 @@ static void hid_rx_callback(usbd_device *dev, uint8_t ep)
 		if (hash_check_ok) {
 			memcpy(meta_backup, FIRMWARE_MAGIC, 4);
 		} else {
-			explicit_bzero(meta_backup, 4);
+			memzero(meta_backup, 4);
 		}
 
 		// no need to erase, because we are not changing any already flashed byte.
 		restore_metadata(meta_backup);
-		explicit_bzero(meta_backup, sizeof(meta_backup));
+		memzero(meta_backup, sizeof(meta_backup));
 
 		flash_state = STATE_END;
 		if (hash_check_ok) {

firmware/Makefile

@@ -41,6 +41,7 @@ OBJS += ../vendor/trezor-crypto/curves.o
 OBJS += ../vendor/trezor-crypto/secp256k1.o
 OBJS += ../vendor/trezor-crypto/nist256p1.o
 OBJS += ../vendor/trezor-crypto/rand.o
+OBJS += ../vendor/trezor-crypto/memzero.o
 
 OBJS += ../vendor/trezor-crypto/ed25519-donna/curve25519-donna-32bit.o
 OBJS += ../vendor/trezor-crypto/ed25519-donna/curve25519-donna-helpers.o

firmware/ethereum.c

@@ -33,6 +33,7 @@
 #include "util.h"
 #include "gettext.h"
 #include "ethereum_tokens.h"
+#include "memzero.h"
 
 /* maximum supported chain id.  v must fit in an uint32_t. */
 #define MAX_CHAIN_ID 2147483630
@@ -193,7 +194,7 @@ static void send_signature(void)
 		return;
 	}
 
-	explicit_bzero(privkey, sizeof(privkey));
+	memzero(privkey, sizeof(privkey));
 
 	/* Send back the result */
 	msg_tx_request.has_data_length = false;
@@ -592,7 +593,7 @@ void ethereum_signing_txack(EthereumTxAck *tx)
 void ethereum_signing_abort(void)
 {
 	if (ethereum_signing) {
-		explicit_bzero(privkey, sizeof(privkey));
+		memzero(privkey, sizeof(privkey));
 		layoutHome();
 		ethereum_signing = false;
 	}

firmware/protect.c

@@ -29,6 +29,7 @@
 #include "util.h"
 #include "debug.h"
 #include "gettext.h"
+#include "memzero.h"
 
 #define MAX_WRONG_PINS 15
 
@@ -231,7 +232,7 @@ bool protectChangePin(void)
 		storage_update();
 	}
 
-	explicit_bzero(pin_compare, sizeof(pin_compare));
+	memzero(pin_compare, sizeof(pin_compare));
 
 	return result;
 }

firmware/recovery.c

@@ -33,6 +33,7 @@
 #include "gettext.h"
 #include "types.pb.h"
 #include "recovery-table.h"
+#include "memzero.h"
 
 /* number of words expected in the new seed */
 static uint32_t word_count;
@@ -142,7 +143,7 @@ static void recovery_done(void) {
 		if (!dry_run) {
 			// Update mnemonic on storage.
 			storage_setMnemonic(new_mnemonic);
-			explicit_bzero(new_mnemonic, sizeof(new_mnemonic));
+			memzero(new_mnemonic, sizeof(new_mnemonic));
 			if (!enforce_wordlist) {
 				// not enforcing => mark storage as imported
 				storage_setImported(true);
@@ -152,7 +153,7 @@ static void recovery_done(void) {
 		} else {
 			// Inform the user about new mnemonic correctness (as well as whether it is the same as the current one).
 			bool match = (storage_isInitialized() && storage_containsMnemonic(new_mnemonic));
-			explicit_bzero(new_mnemonic, sizeof(new_mnemonic));
+			memzero(new_mnemonic, sizeof(new_mnemonic));
 			if (match) {
 				layoutDialog(&bmp_icon_ok, NULL, _("Confirm"), NULL,
 					_("The seed is valid"),
@@ -172,7 +173,7 @@ static void recovery_done(void) {
 		}
 	} else {
 		// New mnemonic is invalid.
-		explicit_bzero(new_mnemonic, sizeof(new_mnemonic));
+		memzero(new_mnemonic, sizeof(new_mnemonic));
 		if (!dry_run) {
 			session_clear(true);
 		} else {

firmware/storage.c

@@ -41,6 +41,7 @@
 #include "usb.h"
 #include "gettext.h"
 #include "u2f.h"
+#include "memzero.h"
 
 /* magic constant to check validity of storage block */
 static const uint32_t storage_magic = 0x726f7473;   // 'stor' as uint32_t
@@ -262,9 +263,9 @@ void storage_generate_uuid(void)
 void session_clear(bool clear_pin)
 {
 	sessionSeedCached = false;
-	explicit_bzero(&sessionSeed, sizeof(sessionSeed));
+	memzero(&sessionSeed, sizeof(sessionSeed));
 	sessionPassphraseCached = false;
-	explicit_bzero(&sessionPassphrase, sizeof(sessionPassphrase));
+	memzero(&sessionPassphrase, sizeof(sessionPassphrase));
 	if (clear_pin) {
 		sessionPinCached = false;
 	}
@@ -297,7 +298,7 @@ static void storage_compute_u2froot(const char* mnemonic, StorageHDNode *u2froot
 	u2froot->has_private_key = true;
 	u2froot->private_key.size = sizeof(node.private_key);
 	memcpy(u2froot->private_key.bytes, node.private_key, sizeof(node.private_key));
-	explicit_bzero(&node, sizeof(node));
+	memzero(&node, sizeof(node));
 	session_clear(false); // invalidate seed cache
 }
 
@@ -399,7 +400,7 @@ static void storage_commit_locked(bool update)
 
 void storage_clear_update(void)
 {
-	explicit_bzero(&storageUpdate, sizeof(storageUpdate));
+	memzero(&storageUpdate, sizeof(storageUpdate));
 }
 
 void storage_update(void)

vendor/trezor-crypto

@@ -1 +1 @@
-Subproject commit b7f73ee3ff78e09c266a30dbc31407558d471615
+Subproject commit bb4c3d052561bd31856a03d975ca226571f6a893