
[Bug]: publish firmware hashes of the unsecured chip on Ledger Nano X / clarify JTAG / outdated FAQ #3541

Closed
adrelanos opened this issue May 30, 2023 · 3 comments
Labels
bug Something isn't working libraries Impacts the Libraries triage In need of triage

Comments

@adrelanos

Impacted Library name

FAQ

Impacted Library version

2023

Describe the bug

Quote https://support.ledger.com/hc/en-us/articles/360015216913-Frequently-asked-questions

Advanced users

You can access the JTAG of the unsecured chip on Ledger Nano X, this allows you to verify the loaded firmware.

This seems outdated. Ledger says in another place, which I quote below, that the JTAG interface has been disabled. I reported this already in 2021 (LedgerHQ/ledger-live-desktop#3672), which led to the following criticism:

Quote https://blog.kraken.com/post/5590/kraken-security-labs-supply-chain-attacks-against-ledger-nano-x/

This is misleading, because Ledger currently does not actually publish any hashes that would make it possible to check the memory contents against a known firmware image.

Quote https://www.ledger.com/enhancing-the-ledger-nano-xs-security

The new Ledger Nano X firmware update includes an MCU update where the JTAG/SWD debug protocol will be disabled by default instead.

Please update FAQ regarding:

  • JTAG
  • verification of firmware

Expected behavior

Up-to-date FAQ.

Additional context

No response

@adrelanos adrelanos added bug Something isn't working libraries Impacts the Libraries triage In need of triage labels May 30, 2023
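As an added illustration of what the quoted Kraken criticism is about (example code written for this page, not Ledger's, Kraken's or the reporter's): the check below takes a flash dump read over a debug port and compares it against a hypothetical published manifest of firmware image sizes and SHA-256 digests. The manifest, the flash region size and the two sample images are all constructed here; as the issue notes, Ledger publishes no such manifest, which is exactly what makes this verification impossible today.

```python
import hashlib
import hmac

FLASH_SIZE = 256  # constructed: size of the MCU flash region being dumped

# Constructed sample images standing in for two MCU firmware releases.
IMAGES = {
    "1.1": b"MCU-FW-1.1" + bytes(range(0, 200)),
    "1.2": b"MCU-FW-1.2" + bytes(range(50, 250)),
}


def build_manifest(images):
    """Hypothetical published manifest: version -> image size and SHA-256 hex digest.
    A vendor would publish this alongside each release; here it is derived from
    the constructed images above."""
    return {
        version: {"size": len(blob), "sha256": hashlib.sha256(blob).hexdigest()}
        for version, blob in images.items()
    }


MANIFEST = build_manifest(IMAGES)


def make_dump(image, flash_size=FLASH_SIZE):
    """Simulate a debug-port read of the whole flash region: the image followed
    by erased flash, which reads back as 0xFF on typical MCUs (assumption)."""
    if len(image) > flash_size:
        raise ValueError("image larger than flash region")
    return image + b"\xff" * (flash_size - len(image))


def identify_firmware(dump, manifest):
    """Return the manifest version whose digest matches the dump, or None.

    The digest is computed over exactly the published image size, so an image
    that legitimately ends in 0xFF bytes is still handled. Everything after the
    image must be erased flash; any other byte means the chip holds data that
    no published release accounts for, so the dump is rejected."""
    for version, entry in manifest.items():
        size = entry["size"]
        if size > len(dump):
            continue
        digest = hashlib.sha256(dump[:size]).hexdigest()
        if not hmac.compare_digest(digest, entry["sha256"]):
            continue
        if any(b != 0xFF for b in dump[size:]):
            return None
        return version
    return None


if __name__ == "__main__":
    good = make_dump(IMAGES["1.2"])
    print("clean dump ->", identify_firmware(good, MANIFEST))
    tampered = bytearray(good)
    tampered[20] ^= 0x01  # flip one bit inside the image
    print("tampered dump ->", identify_firmware(bytes(tampered), MANIFEST))
```

Without a vendor-published manifest the `MANIFEST` dictionary has nothing trustworthy to hold, so the check can only say "matches something I hashed myself", which is no assurance at all; that is why the FAQ's claim about verifying the loaded firmware over JTAG is misleading on its own.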
@gre
Contributor

gre commented Jun 19, 2023

Hi, thanks a lot for raising this issue.

I'm sorry, but this still has nothing to do with the Ledger Live frontend software (as far as I understand 🤔).

Could you please contact our support team and mention this github issue? https://support.ledger.com/ 🙏

@gre gre closed this as not planned Won't fix, can't repro, duplicate, stale Jun 19, 2023
@adrelanos
Author

Could you please contact our support team and mention this github issue? https://support.ledger.com/

Not a good practice to redirect public security / documentation related issues to private.

Contacting https://support.ledger.com/ is a dead-end. In my experience, no useful answers ever or any meaningful follow-up. It doesn't result in anyone with permission and knowledge to make any changes having a ticket created and ever taking action. Hence, a waste of time.

If you're interested in actually ever fixing this, please provide a public issue tracker. Otherwise and most likely, I consider this a wontfix.

@gre
Contributor

gre commented Jun 20, 2023

I understand your point, I will definitely forward the feedback about having an official public discussion central point 👍

You can use https://github.com/LedgerHQ/ledger-secure-sdk as a public issue tracker for issues related to the BOLOS features or the MCU/SE firmware.

On the other hand, this repository is only about the frontend parts of our stack and is only watched by Ledger Live developers (which we tried to make clearer on the template https://github.com/LedgerHQ/ledger-live/issues/new/choose ).
