Have I Been Pwned

TiX0 · August 4, 2024, 3:08am

Well, interesting to see that you had made an issue about this problem that we have long been stuck with: how to upgrade those early/older Librem Keys to more recent firmware updates that were for the Nitrokey Pro 2. I noticed this was 8 months ago…but there was no follow-up whatsoever.
I guess it’s a tricky problem: just flashing the Nitrokey firmware update will not make it a Librem Key, hence it will not be recognized as such by PureBoot. So it means Purism SPC has to make their own firmware update from the Nitrokey code, so that the LK still is an LK with the newer version.
Anyway, not much happening here. I don’t feel at ease with still using my older NKs, and the question is always the same: if there is a firmware update, it means a bug or a flaw was discovered (but thankfully, was kept secret!) Or is it the case? An update could also be only an improvement or new feature.
So: should we or should we not update? And should we be worried if this proves impossible? The situation is not clear and I feel Purism should clarify.
Is it even possible to flash a new firmware in those LK/Nitrokey Pro 2 - I’m not even sure about this? I know it is possible with their newer NK3 product line, but what about the former family line?

OpojOJirYAlG · August 4, 2024, 7:48am

No.

Storing a list of parts in a spreadsheet, regardless of format (xls, ods, hand written) of that spreadsheet, is not designing.

FranklyFlawless · August 5, 2024, 10:55am

@jonathon.hall has commented on the issue at February 6th, 2024:

Yes you can, but v0.10 and below can only be done with hardware reflashing:

github.com/Nitrokey/nitrokey-pro-firmware

Nitrokey Pro firmware upgrade from 0.9 -> 0.14 impossible from nitropy?

opened 03:43PM - 13 Jun 22 UTC

tlaurion

Edit: Conclusion: Nitrokey Pro v2 can be upgraded from nitropy (software bas…ed firmware upgrades) if dongle is at least having firmware 0.11+ For <0.11: user will need to go the currently documented routes under firmware upgrade guide with external programmer. SWD programmer can be a RPI :) https://nosmd.com/raspberrypi-swdprogrammer/#rpiprogrammer-target ------ Hello there. A user reported a Nitrokey Pro delivery delayed of 6 weeks. He decided to not trust received dongle and reflash it with newer firmware through dfu external programmer, which at the time was 0.14 RC4, which had GPIO mapping inversed, which led to issue https://github.com/osresearch/heads/issues/1170 being opened.The user bought programmer and went the manual way since it was unclear that a software method was available. - I was not aware, either, of a software tool that permitted to do the flashing without external programmer, which is documented deep down under https://github.com/Nitrokey/nitrokey-pro-firmware/blob/master/DEVELOPMENT.md#firmware-update I was able to upgrade with that tool from Nitrokey's firmware: - 0.10 - 0.11 But for some reason, attempting to upgrade 0.9 was not possible. I got firware version from heads through `hotp_verification info` 0.10 and 0.11 firmware version behaves the following way: - `nitropy pro enable-update` triggers an internal reboot of the dongle, and the ID is different on next boot and rightfully in update mode. - `nitropy pro update nitrokey-pro-firmware-v0.14-to_update.bin` is successful. 0n 0.9 connected dongle: - Qubes dom0 blocks sys-usb to dom0 keyboard request (irrelevant) on usb dongle connection. - `nitropy pro enable-update` reports success putting dongle in update mode, but the dongle doesn't reboot in update mode. The stays attached to affected qubes where tools are installed. - `nitropy pro update nitrokey-pro-firmware-v0.14-to_update.bin` cannot find dongle in update mode and suggests to run precedent command, which has no effect. - Manually triggering `sudo udevadm trigger` doesn't detect a change in device, while running `nitropy pro enable-update` confirms device was not in update mode, and reports success into putting it in update mode. Questions needing answers: - Are 0.9 firmware based dongle non-updateable with nitropy? - Purism's Librem Key are not having proper udev rules defined and are not upgradeable through nitropy. Is that expected? @kylerankin @jans23 @MrChromebox? Maybe I haven't digged down enough, but I haven't found a nitropy equivalent on Purism's side. - Wouldn't we want users to be more aware of the possibility of upgrading their dongles since it is now possible with software, and document limitations? - I understand branding/rebranding/commercial necessities of having different hardware IDs between Purism/Nitrokey, but maybe some collaboration should happen under nitropy software/documentation/udev rules to not have another fork and confuse users into upgrading their firmware? Maybe udev rules should include Purism's Librem Key IDs? ------- Some unrelated issues here: - Searching Nitrokey website for Nitrokey Pro led flashing patterns doesn't give info as before. Section removed from FAQ?

There are multiple issues involved:

The Nitrokey Pro 2, which the Librem Key is based on, has discontinued development on v0.15.
The Librem Key is behind several version releases from upstream, on v.0.10.
The Librem Key firmware repository is not updated to v0.15, as highlighted earlier.
Documentation for hardware flashing the Librem Key firmware does not exist.

Even if the last three issues are resolved, it is clear that the Nitrokey Pro 2 is obsolete, so there are only two options for Purism at that point:

Maintain and update the Librem Key firmware repository, which is unlikely given the current situation.
Rebase on the Nitrokey Pro 3 (AKA Librem Key Mini), or another hardware design, which was claimed to not be in development when I asked about this years ago.

TiX0 · August 11, 2024, 3:19am

Thank you for the detailed information.
Checking on my several LKs showed that all have firmware 0.10, as you rightly pointed out.
Checking on my two NitroKey Pro 2, both are 0.15 (they were purchased much later)
It appears to be the latest and final firmware release, since dev has stopped and the product is being discontinued anyway.
I wonder how many LKs Purism still have in stock - and should they all be considered obsolete?
Those LibremKeys will never be updated, even if Purism rebases on firmware 0.15 and comes up with a firmware update. The reason for this is that firmware 0.10 and below CANNOT be updated with nitropy cli: it lacks a bootloader needed for flashing the new firmware once the device gets enabled in firmware flashing mode. Unfortunately, this bootloader (and the possibility to update the firmware via cli) appeared as a new feature of version 0.11 - one version above LKs!
But is this really so bad? There has been a lot of talk and divergent opinions on the subject of there security dongles and firmware upgradability. For some threat model, this is viewed as an unacceptable liability and a considerable increase of the attack surface: there should be no way to tamper with the device by simply reflashing a forged or modified firmware.
On the contrary, some claim that firmware updates are necessary for correcting bugs or flaws; and also as a way to introduce new features on the same product (which is what Nitrokey has done from firmware versions 0.11 and above)
I don’t know…
Which is best? I guess it depends on the threat model, in the end.

JR-Fi · August 11, 2024, 8:41pm

It may interest you to know - regarding the future of these projects - that Nitrokeys (and I quess by extension, Librem Key) have been funded by EU. See Nitrokey | Next Generation Internet and Nitrokey 3 | Next Generation Internet

Unfortunately that funding for future improvements is now threatened, see thread: EU funding to open source projects in jeopardy - YOU can help

FranklyFlawless · August 12, 2024, 12:24am

Yes, at least I would given all of the citations I provided.

It is possible for Purism to offer hardware flashing services for the Librem Key, among other Librem products, via RMA, but that idea has not been raised yet.

Always update. In practice, adversarial threats refine their techniques and tools over time.