@jonathon.hall commented on the issue on February 6th, 2024:
jonathon.hall:
Thanks @FranklyFlawless. We’re considering these updates but we want to thoroughly validate the changes before we roll anything out. In particular, updating the firmware from the host system is great, but we need to understand the impact to firmware security as offered by PureBoot with the Librem Key. I am confident that Nitrokey has thought it through, but we want to fully understand the impact for our customers.
Yes you can, but v0.10 and below can only be done with hardware reflashing:
opened 03:43PM - 13 Jun 22 UTC
Edit:
Conclusion: Nitrokey Pro v2 can be upgraded from nitropy (software-based firmware upgrades) if the dongle has at least firmware 0.11+
For <0.11: the user will need to follow the currently documented routes under the firmware upgrade guide with an external programmer.
SWD programmer can be a RPI :)
https://nosmd.com/raspberrypi-swdprogrammer/#rpiprogrammer-target
------
Hello there.
A user reported a Nitrokey Pro delivery delayed by 6 weeks. He decided not to trust the received dongle and to reflash it with newer firmware through a DFU external programmer, which at the time was 0.14 RC4, which had GPIO mapping inverted, which led to issue https://github.com/osresearch/heads/issues/1170 being opened. The user bought a programmer and went the manual way since it was unclear that a software method was available.
- I was not aware, either, of a software tool that permitted flashing without an external programmer, which is documented deep down under https://github.com/Nitrokey/nitrokey-pro-firmware/blob/master/DEVELOPMENT.md#firmware-update
I was able to upgrade with that tool from Nitrokey's firmware:
- 0.10
- 0.11
But for some reason, attempting to upgrade 0.9 was not possible.
I got the firmware version from heads through `hotp_verification info`
0.10 and 0.11 firmware versions behave the following way:
- `nitropy pro enable-update` triggers an internal reboot of the dongle, and the ID is different on next boot and rightfully in update mode.
- `nitropy pro update nitrokey-pro-firmware-v0.14-to_update.bin` is successful.
On a 0.9 connected dongle:
- Qubes dom0 blocks sys-usb to dom0 keyboard request (irrelevant) on usb dongle connection.
- `nitropy pro enable-update` reports success putting the dongle in update mode, but the dongle doesn't reboot in update mode. The dongle stays attached to the affected qubes where tools are installed.
- `nitropy pro update nitrokey-pro-firmware-v0.14-to_update.bin` cannot find the dongle in update mode and suggests running the preceding command, which has no effect.
- Manually triggering `sudo udevadm trigger` doesn't detect a change in the device, while running `nitropy pro enable-update` confirms the device was not in update mode, and reports success in putting it in update mode.
Questions needing answers:
- Are 0.9 firmware based dongles non-updateable with nitropy?
- Purism's Librem Keys do not have proper udev rules defined and are not upgradeable through nitropy. Is that expected? @kylerankin @jans23 @MrChromebox? Maybe I haven't dug down enough, but I haven't found a nitropy equivalent on Purism's side.
- Wouldn't we want users to be more aware of the possibility of upgrading their dongles since it is now possible with software, and document limitations?
- I understand branding/rebranding/commercial necessities of having different hardware IDs between Purism/Nitrokey, but maybe some collaboration should happen under nitropy software/documentation/udev rules to not have another fork and confuse users into upgrading their firmware? Maybe udev rules should include Purism's Librem Key IDs?
-------
Some unrelated issues here:
- Searching the Nitrokey website for Nitrokey Pro LED flashing patterns doesn't give info as before. Section removed from FAQ?
There are multiple issues involved:
- The Nitrokey Pro 2, which the Librem Key is based on, has discontinued development on v0.15.
- The Librem Key is behind several version releases from upstream, on v0.10.
- The Librem Key firmware repository is not updated to v0.15, as highlighted earlier.
- Documentation for hardware flashing the Librem Key firmware does not exist.

Even if the last three issues are resolved, it is clear that the Nitrokey Pro 2 is obsolete, so there are only two options for Purism at that point:
- Maintain and update the Librem Key firmware repository, which is unlikely given the current situation.
- Rebase on the Nitrokey Pro 3 (AKA Librem Key Mini), or another hardware design, which was claimed to not be in development when I asked about this years ago.
5 Likes
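
The 0.9 behaviour described in the quoted issue (`nitropy pro enable-update` reports success, but the dongle does not come back under a different ID) can be checked by comparing `lsusb` output taken before and after the command. This is an added example, not part of the thread or of nitropy; the function names are hypothetical and the sample dongle IDs (`aaaa:0001`, `aaaa:0002`) are constructed.

```shell
#!/bin/sh
# Added example: did a USB device re-enumerate under a new ID between two
# lsusb snapshots? Sample data below is constructed, not real device output.

# Print the sorted, unique vendor:product IDs found in lsusb-style text on stdin.
usb_ids() {
    sed -n 's/.* ID \([0-9a-fA-F]\{4\}:[0-9a-fA-F]\{4\}\).*/\1/p' | sort -u
}

# only_in A B: print every ID listed in A that is absent from B.
only_in() {
    for id in $1; do
        case " $(echo $2) " in
            *" $id "*) ;;
            *) echo "$id" ;;
        esac
    done
}

# check_update_mode BEFORE_TEXT AFTER_TEXT
# Prints "switched <old> -> <new>" and returns 0 when an ID vanished and a new
# one appeared; prints "unchanged" and returns 1 when the ID set is identical,
# which is what the issue reports for 0.9 firmware.
check_update_mode() {
    before=$(printf '%s\n' "$1" | usb_ids)
    after=$(printf '%s\n' "$2" | usb_ids)
    gone=$(only_in "$before" "$after")
    new=$(only_in "$after" "$before")
    if [ -n "$gone" ] && [ -n "$new" ]; then
        echo "switched $gone -> $new"
        return 0
    fi
    echo "unchanged"
    return 1
}

# Constructed snapshots: a root hub plus one dongle.
SAMPLE_BEFORE='Bus 001 Device 002: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 005: ID aaaa:0001 Constructed dongle (normal mode)'
SAMPLE_AFTER_OK='Bus 001 Device 002: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 006: ID aaaa:0002 Constructed dongle (update mode)'
SAMPLE_AFTER_STUCK=$SAMPLE_BEFORE

# On a real host (assumed usage):
#   before=$(lsusb); nitropy pro enable-update; sleep 3; after=$(lsusb)
#   check_update_mode "$before" "$after" || echo "dongle did not switch"
```

If the result is `unchanged`, `nitropy pro update` will not find a device in update mode, matching the 0.9 report above.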