Add downgrade protection

[mrnerdhair]

This adds a form of downgrade protection which prevents as-yet-undiscovered vulnerabilities in older firmware versions from being used to compromise the keys of a user who has upgraded, but whose device is subsequently stolen by an attacker who downgrades it to a vulnerable version.

Storage format 17 is introduced, which is identical to format 16 except that the three bytes at offsets 1, 2, and 3 are used to store the major, minor, and patch version numbers of the firmware version which wrote the structure. Moving to a newer firmware version will cause these version numbers to be updated; moving to an older version will cause the storage to be reset and the user's private keys to be wiped -- the same thing that would happen if an unsigned firmware image were loaded.

A warning is displayed before resetting the storage, which provides a user the opportunity to unplug the device and update it to avoid the wipe. However, if the user chooses to downgrade to a version released before this warning message was added, their keys will be wiped without any warning beyond the bootloader's usual admonishment that your keys might be erased after an upgrade and that you should verify that your recovery sentence is available.

This approach increases security while maintaining a user's sovereignty over what firmware runs on their device.

[markrypto]

This is not the correct approach:

When adding params to the storage section, add them to the reserve and decrease the reserve accordingly. Use the storage_write/readv11 to read/write.

[mrnerdhair]

version

[mrnerdhair]

encrypted_secrets_version

[mrnerdhair]

(just for posterity, in case it's not clear from the history above, @markrypto's feedback about storage format has been addressed.)

Fixed!

[mrnerdhair]

Are we OK to move forward with this now that the language is approved?

[markrypt0]

Closed, not selected.