diff --git a/core/embed/projects/bootloader/.changelog.d/4649.fixed b/core/embed/projects/bootloader/.changelog.d/4649.fixed
new file mode 100644
index 00000000000..caf260af9bf
--- /dev/null
+++ b/core/embed/projects/bootloader/.changelog.d/4649.fixed
@@ -0,0 +1 @@
+Allow running firmware on locked bootloader device based on allow_run_with_secret flag
diff --git a/core/embed/sec/secret/inc/sec/secret.h b/core/embed/sec/secret/inc/sec/secret.h
index 3540ad1a74f..a4a7b0268fc 100644
--- a/core/embed/sec/secret/inc/sec/secret.h
+++ b/core/embed/sec/secret/inc/sec/secret.h
@@ -1,5 +1,23 @@
-#ifndef TREZORHAL_SECRET_H
-#define TREZORHAL_SECRET_H
+/*
+* This file is part of the Trezor project, https://trezor.io/
+ *
+ * Copyright (c) SatoshiLabs
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see .
+ */
+
+#pragma once
#include
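Review bot: The first line of the new license comment, `* This file is part of the Trezor project, https://trezor.io/`, is one column short of the ` *` lines beneath it, so the comment block does not line up; the same misalignment is in the headers added to stm32f4/secret.c, stm32u5/secret.c and unix/secret.c in this commit. Changing that line to ` * This file is part of the Trezor project, https://trezor.io/` fixes it in all four files. Replacing the include guard with `#pragma once` is fine on its own, though it is worth confirming the rest of the tree already uses it so header style stays consistent.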
@@ -26,7 +44,7 @@ secbool secret_read(uint8_t* data, uint32_t offset, uint32_t len);
// Checks if the secret storage has been wiped
secbool secret_wiped(void);
-// Verifies that the secret storage has correct header
+// Verifies that the secret storage has the correct header
secbool secret_verify_header(void);
// Erases the entire secret storage
@@ -64,7 +82,8 @@ void secret_bhk_regenerate(void);
// Provisions secrets/keys to the firmware, depending on the trust level
// Disables access to the secret storage until next reset, if possible
// This function is called by the bootloader before starting the firmware
-void secret_prepare_fw(secbool allow_run_with_secret, secbool trust_all);
+void secret_prepare_fw(secbool allow_run_with_secret,
+ secbool allow_provisioning_access);
// Prepares the secret storage for running the boardloader and next stages
// Ensures that secret storage access is enabled
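Review bot: The renamed parameter `allow_provisioning_access` is not described in the comment block above the prototype, and neither is `allow_run_with_secret`, so the header does not state the contract the bootloader must follow when it passes these flags. Judging from the stm32u5 implementation in this commit, `allow_provisioning_access` appears to be the sole gate for leaving secret-storage access open on an unprovisioned chip, while `allow_run_with_secret` only decides whether firmware may start when a secret is already present. I would add `// allow_run_with_secret: firmware may start even if a secret is present` and `// allow_provisioning_access: leave secret storage accessible for provisioning on an unprovisioned device (grant only to fully trusted firmware)` above the prototype, after confirming that reading against the callers.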
@@ -77,5 +96,3 @@ void secret_init(void);
// pairing secret on platforms where access to the secret storage cannot be
// restricted for unofficial firmware
secbool secret_bootloader_locked(void);
-
-#endif // TREZORHAL_SECRET_H
diff --git a/core/embed/sec/secret/stm32f4/secret.c b/core/embed/sec/secret/stm32f4/secret.c
index 970f951acc1..0cb556c979b 100644
--- a/core/embed/sec/secret/stm32f4/secret.c
+++ b/core/embed/sec/secret/stm32f4/secret.c
@@ -1,3 +1,22 @@
+/*
+* This file is part of the Trezor project, https://trezor.io/
+ *
+ * Copyright (c) SatoshiLabs
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see .
+ */
+
#include
#include
@@ -123,7 +142,9 @@ secbool secret_optiga_writable(void) { return secret_wiped(); }
void secret_optiga_erase(void) { secret_erase(); }
-void secret_prepare_fw(secbool allow_run_with_secret, secbool _trust_all) {
+void secret_prepare_fw(secbool allow_run_with_secret,
+ secbool allow_provisioning_access) {
+ (void)allow_provisioning_access;
#ifdef USE_OPTIGA
if (sectrue != allow_run_with_secret && sectrue != secret_wiped()) {
// This function does not return
diff --git a/core/embed/sec/secret/stm32u5/secret.c b/core/embed/sec/secret/stm32u5/secret.c
index 3392e915ead..5e26f0518f0 100644
--- a/core/embed/sec/secret/stm32u5/secret.c
+++ b/core/embed/sec/secret/stm32u5/secret.c
@@ -1,3 +1,22 @@
+/*
+* This file is part of the Trezor project, https://trezor.io/
+ *
+ * Copyright (c) SatoshiLabs
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see .
+ */
+
#include
#include
#include
@@ -306,7 +325,8 @@ void secret_erase(void) {
mpu_restore(mpu_mode);
}
-void secret_prepare_fw(secbool allow_run_with_secret, secbool trust_all) {
+void secret_prepare_fw(secbool allow_run_with_secret,
+ secbool allow_provisioning_access) {
/**
* The BHK is copied to the backup registers, which are accessible by the SAES
* peripheral. The BHK register is locked, so the BHK can't be accessed by the
@@ -326,7 +346,7 @@ void secret_prepare_fw(secbool allow_run_with_secret, secbool trust_all) {
secret_optiga_uncache();
secbool optiga_secret_present = secret_optiga_present();
secbool optiga_secret_writable = secret_optiga_writable();
- if (sectrue == trust_all && sectrue == allow_run_with_secret &&
+ if (sectrue == allow_provisioning_access &&
sectrue == optiga_secret_writable && secfalse == optiga_secret_present) {
// Secret is not present and the secret sector is writable.
// This means the U5 chip is unprovisioned.
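Review bot: The new condition at `if (sectrue == allow_provisioning_access &&` no longer requires `allow_run_with_secret`, so provisioning access on an unprovisioned U5 is now granted by a single flag where it previously needed both `trust_all` and `allow_run_with_secret`. That widens what a caller can enable by mistake, and nothing in the hunk records that this is intended; I would add `// Provisioning access is intentionally independent of allow_run_with_secret;` and `// the caller must pass allow_provisioning_access only for fully trusted firmware.` above the `if`. The body of the provisioning branch continues outside the hunk, so whether access stays enabled on that path is not visible here.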
@@ -340,17 +360,13 @@ void secret_prepare_fw(secbool allow_run_with_secret, secbool trust_all) {
}
// Disable access unconditionally.
secret_disable_access();
- if (sectrue != trust_all && sectrue == optiga_secret_present) {
+ if (sectrue != allow_run_with_secret && sectrue == optiga_secret_present) {
// Untrusted firmware, locked bootloader. Show the restricted screen.
show_install_restricted_screen();
}
#else
secret_disable_access();
#endif
-
- if (sectrue != trust_all) {
- secret_disable_access();
- }
}
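Review bot: The comment `// Untrusted firmware, locked bootloader. Show the restricted screen.` above `show_install_restricted_screen();` still describes the old `trust_all` test, but the condition now checks `allow_run_with_secret`, so the comment and the code disagree about what triggers the screen. I would reword it to `// Firmware not allowed to run with a provisioned secret on a locked bootloader; show the restricted screen.` Dropping the trailing `if (sectrue != trust_all) secret_disable_access();` looks safe because `secret_disable_access()` is now called unconditionally on both sides of the `#ifdef USE_OPTIGA`, although the provisioning branch earlier in the function is outside this hunk, so I did not verify its exit path.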
void secret_init(void) {
diff --git a/core/embed/sec/secret/unix/secret.c b/core/embed/sec/secret/unix/secret.c
index 970f951acc1..eb1fe3db18a 100644
--- a/core/embed/sec/secret/unix/secret.c
+++ b/core/embed/sec/secret/unix/secret.c
@@ -1,3 +1,22 @@
+/*
+* This file is part of the Trezor project, https://trezor.io/
+ *
+ * Copyright (c) SatoshiLabs
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see .
+ */
+
#include
#include
@@ -123,7 +142,8 @@ secbool secret_optiga_writable(void) { return secret_wiped(); }
void secret_optiga_erase(void) { secret_erase(); }
-void secret_prepare_fw(secbool allow_run_with_secret, secbool _trust_all) {
+void secret_prepare_fw(secbool allow_run_with_secret, secbool allow_provisioning_access) {
+ (void)allow_provisioning_access;
#ifdef USE_OPTIGA
if (sectrue != allow_run_with_secret && sectrue != secret_wiped()) {
// This function does not return
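Review bot: The prototype at `void secret_prepare_fw(secbool allow_run_with_secret, secbool allow_provisioning_access) {` is kept on one line here, while the stm32f4 and stm32u5 versions in this commit wrap the second parameter onto its own line; this line also runs to about 90 columns, which the other files appear to avoid. I would wrap it the same way: `void secret_prepare_fw(secbool allow_run_with_secret,` followed by `                       secbool allow_provisioning_access) {`. The function body continues outside the hunk.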