feat: enable secure-boot for ttgo tdisplay

[1-21gigasats]

Here is my draft based on the discussions in https://github.com/epiccurious/jade-diy/issues/76 for a ttgo to enable secure-boot via user menu including the mentioned python script to detect the device status.

• I moved the tty detection to the top (but skip it within ci runners) as the python script needs the device to be connected first
• The python script to detect device status is embedded and needs cbor2 to be installed (done via pip within the loaded python venv)
  • I had problems working with exit codes as an error within the python execution terminated the whole flash script (maybe you have some ideas to make it better)

The python script can detect the status:

• secure boot enabled
• secure boot disabled
• device found but no communication possible (firmware probably not installed)
• device not found (expected in ci runner)

I tested them all but did not test a full secure boot installation as this would waste another device reserved for the workshops. maybe you can test one full installation with enabling secure boot

[1-21gigasats]

Thanks for your review and for inviting me to this project. I will come back to this soon but our workshop session starts at the end of this week so i dont want to introduce new changes now. So my plan is to collect users feedback for both versions (with and without secure-boot) and improve the code based on the users feedback

[1-21gigasats]

Note: Some devices only support secure boot version 1. There should be a variable added to optionally set to sb version 1.

Additional infos for how to enable secure boot: https://hideyourkeys.io/cheap-hardware-wallet-below-diy-guide/

[bitcoin-tools]

@1-21gigasats thanks for proposing this change. Can you please rebase the PR for review and testing?

[1-21gigasats]

Note: Some devices only support secure boot version 1. There should be a variable added to optionally set to sb version 1.

I am currently refraining from adapting secure boot version 1, as the only hardware that is unable to do v2 is the M5Stack M5StickC PLUS according to https://github.com/Blockstream/Jade/tree/master/diy .

If there are specific versions per device in the future it is maybe the best to adapt v1 for this version only as it needs different build config and openssl key.

If you try to flash SB v2 on an v1 only device, boot loader flash should fail with an appropriate message.

[1-21gigasats]

@ Can you please rebase the PR for review and testing?

Yes sure but actually i am unfamiliar with the rebasing process. Could you explain me what to do or do it for me one time and show me the commands you used afterwards?

But if the only goal is to keep a clean commit history, is a squash and merge after review not more appropriate? In my understanding rebasing requires to force push which feels unsafe