fix bootloader_ci

[TychoVrahe]

This PR fixes CI Bootloader, which was unable to function properly on U5 models:

• secmon verification and header handling was not present
• resetting BHK keys was after running the fw, which can be run only once. So in effect, only one out of two installations worked.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 8300533b-5bd4-40c9-92e6-40b3ff330024

📥 Commits

Reviewing files that changed from the base of the PR and between 38c50eb and 8e7e333.

📒 Files selected for processing (1)

• core/embed/projects/bootloader_ci/main.c

🚧 Files skipped from review as they are similar to previous changes (1)

• core/embed/projects/bootloader_ci/main.c

---

Walkthrough

Adds a public secret_reset() API and implements it for STM32F4, STM32U5, and Unix. The bootloader conditionally includes the secret header, calls secret_reset() after TrustZone init, optionally verifies a Secmon header to compute a code offset, calls secret_prepare_fw(...) when enabled, computes the vector-table address including the Secmon offset, and jumps to the next stage using startup_args_export() instead of NULL.

Sequence Diagram

sequenceDiagram
  participant Bootloader as Bootloader/main.c
  participant Secret as Secret/subsystem
  participant Secmon as Secmon/header
  participant NextStage as Next Stage
  Bootloader->>Secret: secret_reset() after TrustZone init
  activate Secret
  Secret-->>Bootloader: (reset complete)
  deactivate Secret
  Bootloader->>Secmon: Read and verify Secmon header
  activate Secmon
  Secmon->>Secmon: Validate model, signature, monotonic protection, contents
  Secmon-->>Bootloader: secmon_code_offset
  deactivate Secmon
  Bootloader->>Secret: secret_prepare_fw(startup_args_export())
  activate Secret
  Secret-->>Bootloader: (prepared)
  deactivate Secret
  Bootloader->>Bootloader: compute vectbl_addr (include secmon_code_offset)
  Bootloader->>NextStage: jump_to_next_stage(vectbl_addr, startup_args_export())

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (1 warning, 1 inconclusive)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.
Title check	❓ Inconclusive	The title 'fix bootloader_ci' is too vague and generic; it does not clearly convey what aspect of the bootloader was fixed or the main technical change.	Use a more descriptive title that highlights the key fix, such as 'Fix bootloader_ci U5 support and BHK reset timing' or 'Add secmon verification and fix BHK reset in bootloader_ci'.

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description check	✅ Passed	The PR description clearly explains the problem and solution, identifying two key issues on U5 models and explaining the timing fix for BHK key reset, which aligns with the detailed changes shown in the raw summary.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch tychovrahe/bootloader_ci/fix

Warning

Review ran into problems

🔥 Problems

Git: Failed to clone repository. Please run the @coderabbitai full review command to re-trigger a full review. If the issue persists, set path_filters to include or exclude specific files.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

en main(all)

model	device_test	click_test	persistence_test
T2T1	test(all) main(all)	test(all) main(all)	test(all) main(all)
T3B1	test(all) main(all)	test(all) main(all)	test(all) main(all)
T3T1	test(all) main(all)	test(all) main(all)	test(all) main(all)
T3W1	test(all) main(all)	test(all) main(all)	test(all) main(all)

Latest CI run: 26499961321

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

core/embed/sec/secret/inc/sec/secret.h (1)

85-90: ⚡ Quick win

Narrow the secret_reset() contract.

This comment currently promises that the API clears “all secrets and keys,” but none of the backends in this PR actually erase persistent secret storage; STM32U5 only drops cached state / reboots, and STM32F4/Unix are no-ops. Tighten the docstring to the real runtime-reset semantics so callers do not rely on guarantees this API does not provide.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@core/embed/sec/secret/inc/sec/secret.h` around lines 85 - 90, Update the
docstring for secret_reset() to narrow its contract to in-memory/runtime state
only: state that the function clears cached secrets and prepares the runtime for
a new firmware run but does not erase or zero persistent/flash-backed secret
storage; mention that current backends implement this as dropping cached
state/reboot on STM32U5 and as a no-op on STM32F4 and Unix so callers must not
rely on persistent erasure. Ensure the description replaces the existing “clears
all secrets and keys” language and refers to the secret_reset() API name so
reviewers can locate it.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@core/embed/projects/bootloader_ci/main.c`:
- Around line 283-285: The call to secret_prepare_fw(sectrue, sectrue) must be
moved so it runs after all Secmon validation checks (the check_secmon_* ensure()
calls) and immediately before jump_to_next_stage(), not before them; update
main.c by removing the current early invocation of secret_prepare_fw and
inserting it just before jump_to_next_stage() so that any failed ensure() paths
can call secret_reset() on the next boot without consuming the BHK, ensuring
secret_prepare_fw only locks secrets after image verification succeeds (also
adjust the nearby block covering the region corresponding to the original
289-312 area).

---

Nitpick comments:
In `@core/embed/sec/secret/inc/sec/secret.h`:
- Around line 85-90: Update the docstring for secret_reset() to narrow its
contract to in-memory/runtime state only: state that the function clears cached
secrets and prepares the runtime for a new firmware run but does not erase or
zero persistent/flash-backed secret storage; mention that current backends
implement this as dropping cached state/reboot on STM32U5 and as a no-op on
STM32F4 and Unix so callers must not rely on persistent erasure. Ensure the
description replaces the existing “clears all secrets and keys” language and
refers to the secret_reset() API name so reviewers can locate it.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: ca2ea943-dfb6-40d1-ad27-91a9e1abdad9

📥 Commits

Reviewing files that changed from the base of the PR and between 79cac31 and 38c50eb.

📒 Files selected for processing (5)

• core/embed/projects/bootloader_ci/main.c
• core/embed/sec/secret/inc/sec/secret.h
• core/embed/sec/secret/stm32f4/secret.c
• core/embed/sec/secret/stm32u5/secret.c
• core/embed/sec/secret/unix/secret.c