T1 bootloader: verify firmware signatures based on SignMessage

[matejcik]

The T1 bootloader verifies the firmware signature via a manual ECDSA 3-of-5 scheme:

1. let the message m be the firmware header with signature slots zeroed out.
   • (implementation-wise, take a SHA256 digest of the above data)
2. for each of the 3 signature slots:
   1. verify that the pubkey index points to one of the 5 baked in public keys
   2. verify that the pubkey index is different from the other two slots, i.e., all 3 slots are signed by different public keys
   3. verify that this is a valid signature of m for the selected pubkey
      • (implementation-wise, we call ecdsa_verify_digest instead of ecdsa_verify, because we already calculated the digest)

This entails signing arbitrary data with ECDSA, which cannot be done on Trezor directly.

We want to change the signing method so that it is possible to verify the digest being signed on Trezor screen. The signer will calculate SHA256 digest of m (fw header minus signature slots) on host and send it to Trezor as data for Bitcoin SignMessage. Trezor will display the digest on screen, and when confirmed, produce a signature of the following data: \x18Bitcoin Signed Message:\n\x20<32 bytes of digest>.

On the bootloader side, the following is the updated algorithm:

1. let m' be the firmware header with signature slots zeroed out
2. let m be "\x18Bitcoin Signed Message:\n\x20" + SHA256(m')
3. continue with (2) from the original algorithm, i.e., the signatures are now verifying the changed m