hww: add change password workflow

Currently, changing the device password requires a full device reset
and restoration from a backup. This process is cumbersome and increases
the risk of user error or seed exposure during the restoration process.

This patch introduces a native "Change Password" workflow that allows
the user to rotate their device password without resetting the device.

The workflow:
1. Forces the user to re-enter the current password for security, even
   if the device is already unlocked.
2. Prompts for the new password (entered twice).
3. Re-encrypts the stored seed and BIP39 entropy with the new password
   using the Secure Chip for key stretching.

The implementation ensures that the wallet identity (Root Fingerprint
and BIP39 seed) is preserved, so the device remains paired and
functional with the same accounts (including passphrase) after the 
password change.

Author: cedwies

CHANGELOG.md

@@ -9,6 +9,7 @@ customers cannot upgrade their bootloader, its changes are recorded separately.
 ### [Unreleased]
 - Fix bug that BLE was turned off when iOS device is unlocked
 - simulator-graphical: a new simulator with a graphical user interface
+- Add ability to change the device password after initial setup
 
 ### v9.24.0
 - Change title when entering recovery words to `1 of 24`, `2 of 24`, etc.

CMakeLists.txt

@@ -96,7 +96,7 @@ endif()
 #
 # Versions MUST contain three parts and start with lowercase 'v'.
 # Example 'v1.0.0'. They MUST not contain a pre-release label such as '-beta'.
-set(FIRMWARE_VERSION "v9.24.0")
+set(FIRMWARE_VERSION "v9.25.0")
 set(BOOTLOADER_VERSION "v1.1.2")
 
 find_package(PythonInterp 3.6 REQUIRED)

messages/bitbox02_system.proto

@@ -66,3 +66,6 @@ message SetDeviceNameRequest {
 message SetPasswordRequest {
     bytes entropy = 1;
 }
+
+message ChangePasswordRequest{
+}

messages/hww.proto

@@ -69,6 +69,7 @@ message Request {
         CardanoRequest cardano = 27;
         BIP85Request bip85 = 28;
         BluetoothRequest bluetooth = 29;
+        ChangePasswordRequest change_password = 30;
     }
 }
 

py/bitbox02/bitbox02/bitbox02/bitbox02.py

@@ -212,6 +212,17 @@ def set_password(self, entropy_size: int = 32) -> bool:
             raise
         return True
 
+    def change_password(self) -> None:
+        """
+        Changes the device password. The user must unlock with the old password
+        and enter and confirm the new password.
+        Raises a Bitbox02Exception on failure.
+        """
+        # pylint: disable=no-member
+        request = hww.Request()
+        request.change_password.CopyFrom(bitbox02_system.ChangePasswordRequest())
+        self._msg_query(request, expected_response="success")
+
     def create_backup(self) -> bool:
         """
         Returns True if the backup was created successfully.

py/bitbox02/bitbox02/communication/generated/bitbox02_system_pb2.py

@@ -208,3 +208,13 @@ class SetPasswordRequest(google.protobuf.message.Message):
     def ClearField(self, field_name: typing.Literal["entropy", b"entropy"]) -> None: ...
 
 global___SetPasswordRequest = SetPasswordRequest
+
+@typing.final
+class ChangePasswordRequest(google.protobuf.message.Message):
+    DESCRIPTOR: google.protobuf.descriptor.Descriptor
+
+    def __init__(
+        self,
+    ) -> None: ...
+
+global___ChangePasswordRequest = ChangePasswordRequest