Key derivation hardening

[iartemov-ledger]

Checklist

• Hardening:
  • HAVE_APPLICATION_FLAG_DERIVE_MASTER is kept only for "Bitcoin Legacy" (will be a recovery app) and "Bitcoin legacy test" (for test purposes)
  • BIP-0044 paths per coin
  • Bitcoin paths for forks
    => corresponds to the documentation from the product:
    • https://ledgerhq.atlassian.net/wiki/spaces/BI/pages/6578602006/Derivation+path+hardening+BTC
    • https://docs.google.com/spreadsheets/d/1ojxxWl2ZFnjLYXth4jacf6jSZToUg6NZ0mjQqAY4YWM/edit?gid=0#gid=0
• App update process has been followed
• Target branch is develop
• to add warning for Bitcoin app
• Application version has been bumped
• merge Key derivation hardening preparation lib-app-bitcoin#15 and to remove the temporary commit 50bfae1
• merge Removing HAVE_APPLICATION_FLAG_DERIVE_MASTER (0x10) and restricting derivation paths for coins in app-bitcoin (legacy) ledger-app-database#468 and to remove temporary commit 6d75d4a

[Copilot]

Pull request overview

This PR implements key derivation hardening by restricting BIP-32 derivation paths for cryptocurrency apps to prevent unauthorized key access across different coins.

Changes:

• Restricts HAVE_APPLICATION_FLAG_DERIVE_MASTER flag to only Bitcoin Legacy and Bitcoin Test Legacy apps
• Adds BIP-44 path restrictions (PATH_APP_LOAD_PARAMS) for each supported cryptocurrency
• Updates the lib-app-bitcoin submodule to support the hardening changes

Reviewed changes

Copilot reviewed 4 out of 71 changed files in this pull request and generated 1 comment.

File	Description
lib-app-bitcoin	Updates submodule commit to version supporting path hardening
Makefile	Adds path restrictions for all coins and limits master derivation flag to legacy Bitcoin apps
CHANGELOG.md	Documents the derivation path hardening changes
.github/workflows/guidelines_enforcer.yml	Updates workflow to use branch-specific guidelines enforcer

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.