New Post: November Librem 5 update: Byzantium Released

https://puri.sm/posts/november-librem-5-update-byzantium-released/

16 Likes

@david.hamner: does the standard reflash procedure now also, out of the box, get you an encrypted filesystem?

1 Like

Great news, well done to all the devs, thank you.

Is there anything to beware of before going for the upgrade on a laptop? TIA

2 Likes

Maybe a stupid question, but the release post doesn’t mention anywhere how to update existing phones that are still running on Amber. Do we need to reflash? Will we get a pop-up requesting to update? Just running system updates with apt-get won’t work because the repositories are still using amber; can we just switch to byzantium (but byzantium-phone is not an existing repository)?

Also, if we want disk encryption after updating, do we need to reflash anyway to get the LUKS partitions first?

5 Likes

guess so.

It looks like you need to add an option when flashing.
librem5-flash-image --variant luks

3 Likes

Important question: what is that mouse at 29s? :star_struck:

It's a trackball.

Awesome, it’s amazing to see how mature this is all already looking

1 Like

Are new devices all flashed from the same image? Then as far as I understand all phones will use the same encryption keys, even if the passphrase is changed later on :crying_cat_face:

This has been discussed for example here but I did not find any note from Purism (employees) how this problem will be tackled. :thinking:

2 Likes

The video shows in second ~20 a case which seems to fit the L5, at least from the places where the holes are. Where could I get such a case?

3 Likes

Could you point us to an explanation of how this works? Perhaps we need to research exactly what is happening a bit more in-depth.

EDIT: we even have an issue for that https://source.puri.sm/Librem5/librem5-flash-image/-/issues/2

1 Like

I guess it is the same I wrote about here. The explanation I found is the one here

It’s good to see that issue addressed. I’d also like to see it addressed for the initial setup of a freshly delivered Librem notebook.

1 Like

I executed
gsettings set sm.puri.Chatty experimental-features true
as the new post on Byzantium released says but I do not see any difference in Calls.
Where is the matrix support? Rebooted too. apt-get update and upgraded too. No difference.

Under Chatty-Settings > “Add-account”.
Now you have two options “XMPP” and “Matrix”.

1 Like

Ah, OK thanks, I was looking in a different place. To be accurate it is

Chatty→Menu→Preferences and the Add New Account

1 Like

See what @ChriChri wrote. I am by far not an expert on LUKS.

Two more links might be interesting, though.

First, the cryptsetup wiki explicitly discourages writing containers/images:
From https://gitlab.com/cryptsetup/cryptsetup/-/wikis/FrequentlyAskedQuestions a paragraph in section 1.2:

CLONING/IMAGING: If you clone or image a LUKS container, you make a copy
of the LUKS header and the master key will stay the same! That means
that if you distribute an image to several machines, the same master key
will be used on all of them, regardless of whether you change the
passphrases. Do NOT do this! If you do, a root-user on any of the
machines with a mapped (decrypted) container or a passphrase on that
machine can decrypt all other copies, breaking security. See also Item
6.15.

And in 6.15 it says among other things:

6.15 Can I clone a LUKS container?
You can, but it breaks security, because the cloned container has the same header and hence the same master key. Even if you change the passphrase(s), the master key stays the same. That means whoever has access to one of the clones can decrypt them all, completely bypassing the passphrases.

To make it concrete: This means that if I found a Librem 5 which is turned off and where the owner has changed their passphrase, then I could take any other Librem 5 that was flashed with the same image (or just download that image itself) to get the master key and would be able to decrypt the phone I found.

As for how to actually do this, see the answers here: https://unix.stackexchange.com/q/119803

So I guess a solution would be to make reencrypting and thus changing the master key part of the flashing process.

(Also, as I understood from other threads, this does not affect the laptops because they are installed “individually” and not flashed from an image - can someone confirm this?)

5 Likes
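The check implied by the post above, as an added example that is not part of the thread or Purism's code: it compares the salted volume-key digest stored in two LUKS2 headers (for instance files written by `cryptsetup luksHeaderBackup`) to tell whether a device still carries the master key of the image it was flashed from. It assumes LUKS2 and reads only the primary header without verifying its checksum; `build_sample_header` and all sample values are constructed for the demo.

```python
import base64, json, struct

LUKS_MAGIC = b"LUKS\xba\xbe"

def volume_key_digests(header: bytes):
    """Return (uuid, {(salt, digest), ...}) from a LUKS2 primary header."""
    if header[:6] != LUKS_MAGIC:
        raise ValueError("not a LUKS primary header")
    version, hdr_size = struct.unpack(">HQ", header[6:16])  # big-endian fields
    if version != 2:
        raise ValueError("only LUKS2 is handled in this sketch")
    uuid = header[168:208].split(b"\0", 1)[0].decode("ascii")
    # The JSON metadata follows the 4096-byte binary header and is NUL-padded.
    meta = json.loads(header[4096:hdr_size].split(b"\0", 1)[0])
    pairs = {(d["salt"], d["digest"]) for d in meta["digests"].values()}
    return uuid, pairs

def shares_volume_key(header_a: bytes, header_b: bytes) -> bool:
    """True if both headers hold an identical salted volume-key digest.

    The digest covers the master (volume) key, not a passphrase, so it survives
    passphrase changes and only changes when the key itself is replaced.
    False does not prove the keys differ; True means they are the same.
    """
    return bool(volume_key_digests(header_a)[1] & volume_key_digests(header_b)[1])

def build_sample_header(uuid, vk_salt, vk_digest, keyslot_salt) -> bytes:
    """Constructed LUKS2-shaped header for the demo; not a usable container."""
    b64 = lambda raw: base64.b64encode(raw).decode()
    meta = {
        "keyslots": {"0": {"type": "luks2", "kdf": {"salt": b64(keyslot_salt)}}},
        "digests": {"0": {"type": "pbkdf2", "hash": "sha256", "keyslots": ["0"],
                          "salt": b64(vk_salt), "digest": b64(vk_digest)}},
    }
    fixed = LUKS_MAGIC + struct.pack(">HQQ", 2, 16384, 1)  # version, hdr_size, seqid
    fixed += b"\0" * (48 + 32 + 64)                        # label, checksum alg, salt
    fixed += uuid.encode().ljust(40, b"\0")
    return fixed.ljust(4096, b"\0") + json.dumps(meta).encode().ljust(12288, b"\0")

if __name__ == "__main__":
    uuid = "00000000-0000-4000-8000-000000000001"          # constructed value
    image = build_sample_header(uuid, b"\x01" * 32, b"\x02" * 32, b"\x0a" * 32)
    # Same image after a passphrase change: the keyslot differs, the digest does not.
    rekeyed_passphrase = build_sample_header(uuid, b"\x01" * 32, b"\x02" * 32, b"\x0b" * 32)
    # After re-encryption with a new volume key: new digest salt and digest.
    reencrypted = build_sample_header(uuid, b"\x03" * 32, b"\x04" * 32, b"\x0c" * 32)
    print("passphrase changed only:", shares_volume_key(image, rekeyed_passphrase))
    print("re-encrypted:           ", shares_volume_key(image, reencrypted))
```

Comparing the UUID alone is not enough for this check, which is why the decision rests on the digest entries.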

To emphasize that off-topic again: It would also help a lot to do this during initial setup of Librem notebooks to make sure that a master key that might have gotten ‘lost’ during transport is replaced by a new one.

4 Likes

That is a 3D-printed TPU case: https://source.puri.sm/Librem5/3D_designs/-/tree/master/Librem5-Case

3 Likes

Thanks. If I pull the STL file from there, is there any more information about how to print this, with which material etc.?