New Post: November Librem 5 update: Byzantium Released

15 Likes

@david.hamner: does the standard reflash procedure now also, out of the box, get you an encrypted filesystem?

1 Like

Great news, well done to all the devs, thank you.

Is there anything to beware of before going for the upgrade on a laptop. TIA

2 Likes

Maybe a stupid question, but the release post doesn’t mention anywhere how to update existing phones that are still running on Amber. Do we need to reflash? Will we get a pop-up requesting to update? Just running system updates with apt-get won’t work because the repositories are still using amber; can we just switch to byzantium (but byzantium-phone is not an existing repository)?

Also, if we want disk encryption after updating, do we need to reflash anyway to get the LUKS partitions first?

5 Likes

guess so.

It looks like you need to add an option when flashing.
librem5-flash-image --variant luks

3 Likes

Important question: what is that mouse at 29s? :star_struck:

Its a track ball.

Awesome, it’s amazing to see how mature this is all already looking

1 Like

Are new devices all flashed from the same image? Then as far as I understand all phones will use the same encryption keys, even if the passphrase is changed later on :crying_cat_face:

This has been discussed for example here but I did not find any note from Purism (employees) how this problem will be tackled. :thinking:

1 Like

The video shows in second ~20 a case which seems to fit for the L5, at least from the places where the wholes are. Where I could get such a case?

3 Likes

Could you point us to an explanation of how this works? Perhaps we need to research exactly what is happening a bit more in-depth.

EDIT: we even have an issue for that https://source.puri.sm/Librem5/librem5-flash-image/-/issues/2

I guess it is the same I wrote about here. The explanation I found is the one here

It’s good to see that issue addressed. I’d also like to see it addressed for the initial setup of a freshly delivered Librem notebook.

1 Like

I executed
gsettings set sm.puri.Chatty experimental-features true
as the new post on Byzantium released says but I do not see any difference in Calls.
Where is the matrix support? Rebooted too. apt-get update and upgraded too. No difference.

Under Chatty-Settings > “Add-account”.
Now you have two options “XMPP” and “Matrix”.

1 Like

Ah, OK thanks, I was looking in a different place. To be accurate it is

Chatty→Menu→Preferences and the Add New Account

1 Like

See what @ChriChri wrote. I am by far not an expert on LUKS.

Two more links might be interesting, though.

First, the cryptsetup wiki explicitly discourages writing containers/images:
From https://gitlab.com/cryptsetup/cryptsetup/-/wikis/FrequentlyAskedQuestions a paragraph in section 1.2:

CLONING/IMAGING: If you clone or image a LUKS container, you make a copy
of the LUKS header and the master key will stay the same! That means
that if you distribute an image to several machines, the same master key
will be used on all of them, regardless of whether you change the
passphrases. Do NOT do this! If you do, a root-user on any of the
machines with a mapped (decrypted) container or a passphrase on that
machine can decrypt all other copies, breaking security. See also Item
6.15.

And in 6.15 it says among other things:

6.15 Can I clone a LUKS container?
You can, but it breaks security, because the cloned container has the same header and hence the same master key. Even if you change the passphrase(s), the master key stays the same. That means whoever has access to one of the clones can decrypt them all, completely bypassing the passphrases.

To make it concrete: This means that if I would find a Librem 5 which is turned off and where the owner has changed their passphrase, then I can take any other Librem 5 that was flashed with the same image (or just download that image itself) to get the master key and will be able to decrypt the phone I found.

As for how to actually do this, see the answers here: https://unix.stackexchange.com/q/119803

So I guess a solution would be to make reencrypting and thus changing the master key part of the flashing process.

(Also, as I understood from other threads, this does not affect the laptops because they are installed “individually” and not flashed from an image - can someone confirm this?)

5 Likes

To emphasize that off-topic again: It would also help a lot to do this during initial setup of Librem notebooks to make sure that a masterkey that might have gotten ‘lost’ during transport is replaced by a new one.

4 Likes

That is a 3d printed TPU case: https://source.puri.sm/Librem5/3D_designs/-/tree/master/Librem5-Case

3 Likes

Thanks. If I pull the STL file from there, is there any more information about how to print this, with which material etc.?