feat(core/bootloader): only allow confirm-less firmware installation …

…for full-trust images

core/embed/bootloader/bootui.c

@@ -211,14 +211,17 @@ uint32_t ui_screen_menu(secbool firmware_present) {
 uint32_t ui_screen_install_confirm(const vendor_header *const vhdr,
                                    const image_header *const hdr,
                                    secbool should_keep_seed,
-                                   secbool is_newvendor, int version_cmp) {
+                                   secbool is_newvendor, secbool is_newinstall,
+                                   int version_cmp) {
   uint8_t fingerprint[32];
   char ver_str[64];
   get_image_fingerprint(hdr, fingerprint);
   format_ver("%d.%d.%d", hdr->version, ver_str, sizeof(ver_str));
   return screen_install_confirm(vhdr->vstr, vhdr->vstr_len, ver_str,
                                 fingerprint, should_keep_seed == sectrue,
-                                is_newvendor == sectrue, version_cmp);
+
+                                is_newvendor == sectrue,
+                                is_newinstall == sectrue, version_cmp);
 }
 
 void ui_screen_install_start() {

core/embed/bootloader/bootui.h

@@ -50,7 +50,8 @@ uint32_t ui_screen_menu(secbool firmware_present);
 uint32_t ui_screen_install_confirm(const vendor_header* const vhdr,
                                    const image_header* const hdr,
                                    secbool shold_keep_seed,
-                                   secbool is_newvendor, int version_cmp);
+                                   secbool is_newvendor, secbool is_newinstall,
+                                   int version_cmp);
 void ui_screen_install_start();
 void ui_screen_install_progress_erase(int pos, int len);
 void ui_screen_install_progress_upload(int pos);

core/embed/bootloader/messages.c

@@ -648,13 +648,20 @@ int process_msg_FirmwareUpload(uint8_t iface_num, uint32_t msg_size,
 #endif
 
       uint32_t response = INPUT_CANCEL;
-      if (sectrue == is_new || sectrue == is_ilu) {
+      if (((vhdr.vtrust & VTRUST_ALL) == VTRUST_ALL) &&
+          (sectrue == is_new || sectrue == is_ilu)) {
         // new installation or interaction less updated - auto confirm
+        // only allowed for full-trust images
         response = INPUT_CONFIRM;
       } else {
-        int version_cmp = version_compare(hdr.version, current_hdr->version);
-        response = ui_screen_install_confirm(&vhdr, &hdr, should_keep_seed,
-                                             is_newvendor, version_cmp);
+        if (!is_new) {
+          int version_cmp = version_compare(hdr.version, current_hdr->version);
+          response = ui_screen_install_confirm(
+              &vhdr, &hdr, should_keep_seed, is_newvendor, is_new, version_cmp);
+        } else {
+          response = ui_screen_install_confirm(&vhdr, &hdr, true, is_newvendor,
+                                               is_new, 0);
+        }
       }
 
       if (INPUT_CANCEL == response) {

core/embed/rust/rust_ui_bootloader.h

@@ -4,7 +4,7 @@ uint32_t screen_install_confirm(const char* vendor_str, uint8_t vendor_str_len,
                                 const char* version_str,
                                 const uint8_t* fingerprint,
                                 bool should_keep_seed, bool is_newvendor,
-                                int version_cmp);
+                                bool is_newinstall, int version_cmp);
 uint32_t screen_wipe_confirm(void);
 void screen_install_progress(int16_t progress, bool initialize,
                              bool initial_setup);

core/embed/rust/src/ui/api/bootloader_c.rs

@@ -39,6 +39,7 @@ extern "C" fn screen_install_confirm(
     fingerprint: *const cty::uint8_t,
     should_keep_seed: bool,
     is_newvendor: bool,
+    is_newinstall: bool,
     version_cmp: cty::c_int,
 ) -> u32 {
     let text = unwrap!(unsafe { from_c_array(vendor_str, vendor_str_len as usize) });
@@ -57,6 +58,7 @@ extern "C" fn screen_install_confirm(
         fingerprint_str,
         should_keep_seed,
         is_newvendor,
+        is_newinstall,
         version_cmp,
     )
 }

core/embed/rust/src/ui/model_tr/bootloader/mod.rs

@@ -152,6 +152,7 @@ impl UIFeaturesBootloader for ModelTRFeatures {
         fingerprint: &str,
         should_keep_seed: bool,
         is_newvendor: bool,
+        is_newinstall: bool,
         version_cmp: i32,
     ) -> u32 {
         let mut version_str: BootloaderString = String::new();
@@ -160,7 +161,9 @@ impl UIFeaturesBootloader for ModelTRFeatures {
         unwrap!(version_str.push_str("\nby "));
         unwrap!(version_str.push_str(vendor));
 
-        let title_str = if is_newvendor {
+        let title_str = if is_newinstall {
+            "INSTALL FIRMWARE"
+        } else if is_newvendor {
             "CHANGE FW VENDOR"
         } else if version_cmp > 0 {
             "UPDATE FIRMWARE"

core/embed/rust/src/ui/model_tt/bootloader/mod.rs

@@ -147,6 +147,7 @@ impl UIFeaturesBootloader for ModelTTFeatures {
         fingerprint: &str,
         should_keep_seed: bool,
         is_newvendor: bool,
+        is_newinstall: bool,
         version_cmp: i32,
     ) -> u32 {
         let mut version_str: BootloaderString = String::new();
@@ -155,7 +156,9 @@ impl UIFeaturesBootloader for ModelTTFeatures {
         unwrap!(version_str.push_str("\nby "));
         unwrap!(version_str.push_str(vendor));
 
-        let title_str = if is_newvendor {
+        let title_str = if is_newinstall {
+            "INSTALL FIRMWARE"
+        } else if is_newvendor {
             "CHANGE FW\nVENDOR"
         } else if version_cmp > 0 {
             "UPDATE FIRMWARE"

core/embed/rust/src/ui/ui_features.rs

@@ -29,6 +29,7 @@ pub trait UIFeaturesBootloader {
         fingerprint: &str,
         should_keep_seed: bool,
         is_newvendor: bool,
+        is_newinstall: bool,
         version_cmp: i32,
     ) -> u32;