trezor / trezor-firmware

:lock: Trezor Firmware Monorepo
https://trezor.io

Remove Connect to host dialog in bootloader #1039

Closed tsusanka closed 3 years ago

tsusanka commented 4 years ago

It seems redundant at the moment. If you wish not to communicate with the computer, why are you plugging the Trezor into the computer in the first place?

This implicitly means USB will be turned on automatically (without confirmation).

A counter-argument might be that in firmware I am protected using a PIN (only after that is the USB turned on) and this serves as a confirmation that I indeed want to enter the bootloader - I might have done it by accident.

tsusanka commented 4 years ago

> A counter-argument might be that in firmware I am protected using a PIN (only after that is the USB turned on) and this serves as a confirmation that I indeed want to enter the bootloader - I might have done it by accident.

We have decided this argument is not strong enough and we want to implement this.

tsusanka commented 4 years ago

Also note that while removing this dialog we will remove the option to display the firmware fingerprint:

[Screen recording: Peek 2020-06-05 15-30]

Let's move this feature (clicking on the (i) icon) into the second screen - the one that will be directly loaded without confirmation where it seems it is not clickable at the moment.

[Screenshot from 2020-06-05 15-34-08]

mcudev commented 3 years ago

This is a security feature. It's there as a conservative protection in case there is an exploitable bug in the USB stack. The USB stack is pretty complex. Maybe after a couple of years in production now there is more confidence in it, and this is less necessary. I think that the vision was to have more on-device management capabilities available in the bootloader. For example, not starting the USB stack is nice if you have a device that is set up and you want to wipe it with the on-device management capabilities. In that case, you don't need the extra risk that a USB bug could theoretically impose. Not starting up USB easily avoids a chunk of attack surface. I always thought this was a nice extra step of protection.

If this protection is disabled, I suppose a very diligent user could wipe their device in an offline fashion by putting a bootloader on a microSD and letting the boardloader erase the flash.
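The attack-surface argument in the comment above can be made concrete with a small model of the two bootloader policies. This is an added illustration written for this page, not Trezor's bootloader code: the policy and action enums, `bootloader_run`, `usb_exposed` and the flag-setting stand-ins for `usb_init` and `flash_erase_storage` are all hypothetical names chosen here. The point it shows is which user paths ever bring the USB stack up under each policy: with the confirmation dialog, an on-device wipe (or doing nothing) never initialises USB, while with automatic USB the stack is live before the user has decided anything.

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical model of a bootloader entry flow (not Trezor's code). */

typedef enum {
    POLICY_CONFIRM_BEFORE_USB, /* "Connect to host" dialog gates usb_init() */
    POLICY_USB_AUTOMATIC       /* proposed: usb_init() runs unconditionally */
} usb_policy_t;

typedef enum {
    ACTION_CONNECT_TO_HOST,    /* user confirms host communication */
    ACTION_WIPE_ON_DEVICE,     /* user uses on-device wipe, no host needed */
    ACTION_NONE                /* user does nothing / unplugs */
} user_action_t;

typedef struct {
    bool usb_started;          /* true once the USB stack has been initialised */
    bool flash_wiped;          /* true once storage has been erased */
} boot_result_t;

/* Stand-ins for hardware operations: they only record that they ran,
 * so the model can be executed on a host without any hardware. */
static void usb_init(boot_result_t *r) { r->usb_started = true; }
static void flash_erase_storage(boot_result_t *r) { r->flash_wiped = true; }

/* Run one bootloader session under the given policy and user action. */
boot_result_t bootloader_run(usb_policy_t policy, user_action_t action) {
    boot_result_t r = {0};

    /* Automatic policy: USB (and every bug in its parsers) is reachable
     * by the host before the user has chosen anything. */
    if (policy == POLICY_USB_AUTOMATIC) {
        usb_init(&r);
    }

    switch (action) {
    case ACTION_CONNECT_TO_HOST:
        /* Confirmation policy: USB only comes up after an explicit choice. */
        if (!r.usb_started) {
            usb_init(&r);
        }
        break;
    case ACTION_WIPE_ON_DEVICE:
        /* Local management path: never needs the USB stack. */
        flash_erase_storage(&r);
        break;
    case ACTION_NONE:
        break;
    }
    return r;
}

/* Does this (policy, action) pair ever expose the USB stack to a host? */
bool usb_exposed(usb_policy_t policy, user_action_t action) {
    return bootloader_run(policy, action).usb_started;
}

int main(void) {
    static const char *names[] = {"connect-to-host", "wipe-on-device", "none"};
    for (int a = ACTION_CONNECT_TO_HOST; a <= ACTION_NONE; a++) {
        printf("%-16s confirm-first: usb=%d  automatic: usb=%d\n", names[a],
               usb_exposed(POLICY_CONFIRM_BEFORE_USB, (user_action_t)a),
               usb_exposed(POLICY_USB_AUTOMATIC, (user_action_t)a));
    }
    return 0;
}
```

The table this prints is the whole argument: under the confirm-first policy only the connect-to-host row exposes USB, under the automatic policy every row does, including an offline wipe that has no reason to talk to a host.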

tsusanka commented 3 years ago

Will be done as part of https://github.com/trezor/trezor-firmware/issues/1049.