add nitrokey3 update in qubes

[nestire]

No description provided.

[daringer]

lgtm, merge?

[jans23]

Don't copy text from other files but include it instead or refer to it.

[jans23]

Images don't belong to the "fido2" folder so move it to "nitrokey3" folder.

[tlaurion]

@daringer please update so the documentation can be tested in goal of closing Nitrokey/nitrokey-app2#249, Nitrokey/pynitrokey#542 and then merging linuxboot/heads#1684 to close their associated issues as well.

[tlaurion]

Dodging sys-usb requirement and redoing under debian-12 test qube, where sys-usb should never have network access and where passing device through device widget once mode is switched to flashing should mitigate the problem altogether.

Using debian-12 as template base in my use case so:

sudo apt install python3-pip wget
python3 -m pipx ensurepath
wget https://raw.githubusercontent.com/Nitrokey/libnitrokey/master/data/41-nitrokey.rules
sudo mv 41-nitrokey.rules /etc/udev/rules.d/
sudo udevadm control --reload-rules && sudo udevadm trigger

Then the instructions are misleading and don't include the important bits from linuxboot/heads#1684 (comment)

user@heads-tests-deb12-nix-nk3:~$ nitropy nk3 update --version v1.7.1
Command line tool to interact with Nitrokey devices 0.4.47
Do you want to download the firmware version v1.7.1? [Y/n]: y
Download v1.7.1: 100%|████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████| 1.03M/1.03M [00:00<00:00, 3.28MB/s]
Current firmware version:  v1.5.0
Updated firmware version:  v1.7.1

Please do not remove the Nitrokey 3 or insert any other Nitrokey 3 devices during the update. Doing so may damage the Nitrokey 3.
Do you want to perform the firmware update now? [y/N]: y

Please press the touch button to reboot the device into bootloader mode ...

Critical error:
No Nitrokey 3 bootloader device found

--------------------------------------------------------------------------------
Critical error occurred, exiting now
Unexpected? Is this a bug? Would you like to get support/help?
- You can report issues at: https://support.nitrokey.com/
- Writing an e-mail to support@nitrokey.com is also possible
- Please attach the log: '/tmp/nitropy.log.svejmix8' with any support/help request!
- Please check if you have udev rules installed: https://docs.nitrokey.com/nitrokey3/linux/firmware-update.html#troubleshooting

(changed mode of usb devices, needs repassing usb security dongle from qubes device widget which is not connected anymore)

user@heads-tests-deb12-nix-nk3:~$ nitropy nk3 update --version v1.7.1
Command line tool to interact with Nitrokey devices 0.4.47
Do you want to download the firmware version v1.7.1? [Y/n]: y
Download v1.7.1: 100%|████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████| 1.03M/1.03M [00:00<00:00, 2.86MB/s]
Current firmware version:  [unknown]
Updated firmware version:  v1.7.1

Please do not remove the Nitrokey 3 or insert any other Nitrokey 3 devices during the update. Doing so may damage the Nitrokey 3.
Do you want to perform the firmware update now? [y/N]: y
Critical error:
Failed to perform firmware update
	Exception encountered: SPSDKConnectionError()

--------------------------------------------------------------------------------
Critical error occurred, exiting now
Unexpected? Is this a bug? Would you like to get support/help?
- You can report issues at: https://support.nitrokey.com/
- Writing an e-mail to support@nitrokey.com is also possible
- Please attach the log: '/tmp/nitropy.log.qwhw4rm1' with any support/help request!
- Please check if you have udev rules installed: https://docs.nitrokey.com/nitrokey3/linux/firmware-update.html#troubleshooting

That's where QubesOS/qubes-issues#8953 (comment) comes into play

nitropy nk3 reboot --bootloader
(touch device)
(reassign nk3 to testing qube)

user@heads-tests-deb12-nix-nk3:~$ nitropy nk3 list
Command line tool to interact with Nitrokey devices 0.4.47
:: 'Nitrokey 3' keys
Critical error:
An unhandled exception occurred
	Exception encountered: SPSDKConnectionError()

--------------------------------------------------------------------------------
Critical error occurred, exiting now
Unexpected? Is this a bug? Would you like to get support/help?
- You can report issues at: https://support.nitrokey.com/
- Writing an e-mail to support@nitrokey.com is also possible
- Please attach the log: '/tmp/nitropy.log.72xhne1h' with any support/help request!
- Please check if you have udev rules installed: https://docs.nitrokey.com/nitrokey3/linux/firmware-update.html#troubleshooting

[tlaurion]

@daringer @jans23 provided proper feedback at QubesOS/qubes-issues#8953 (comment) and pinged @DemiMarie and @marmarek there and here to hopefully fix this upstream once and for all, this impacts not only nk3 but android debugging, android tethering and basically all usb passthrough outside of using everything in sys-usb which should not happen.

[tlaurion]

@marmarek @daringer @DemiMarie @fepitre the root of the underlying issue here is that even if qvm-usb "thinks" that the device is passed to the destination qube (by usb port of sys-usb), the destination qube itself doesn't see it anymore (pid:vid changed, in case of usb composite devices), with standard tools not seeing the composite usb device having change pid:vid, nor being able to reset the device nor the hub to force a redetection since usb proxy only passes the usb port.

Replication notes after #248 (comment) 's commands from testing qube:

nitropy nk3 reboot --bootloader
(touch device)
(reassign nk3 to testing qube)

[user@dom0 ~]
$ qube=heads-tests-deb12-nix-nk3; device=$(qvm-usb | grep -e Nitrokey_Nitrokey_3 -e NXP_SEMICONDUCTOR_INC._USB_COMPOSITE_DEVICE | cut -d ' ' -f1); qvm-usb attach --persistent "$qube" "$device"
'device sys-usb:4-3 of class usb already attached to heads-tests-deb12-nix-nk3'
[user@dom0 ~]
(1)$ qvm-usb
BACKEND:DEVID  DESCRIPTION                                  USED BY
sys-usb:4-10   8087_0026                                    
sys-usb:4-3    NXP_SEMICONDUCTOR_INC._USB_COMPOSITE_DEVICE  heads-tests-deb12-nix-nk3
sys-usb:4-7    Sonix_Technology_Co.__Ltd._BisonCam_NB_Pro   

The problem here is that qubesos assigns sys-usb:4-3, not associated pid:vid, and that the device (usb port) not having been disconnected shows as if it was already passed to the qube, where

user@heads-tests-deb12-nix-nk3:~$ lsusb
Bus 002 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub

Shows that the device is still under sys-usb control here, the control haven't been relinquished to the destination qube for change pid:vid.

This is common issue for all usb devices passed by usb port instead of pid:vid, basically affecting all composite usb devices including android and muli-purpose usb devices that don't play nice with QubesOS today.

Fix would be to offer pid:vid qvm-usb assignation, permitting temporary/permanent assignation through qvm-usb and even the widget resolving whole class of issues QubesOS have had from that design decision.

---

TLDR: qvm-usb should pass pid:vid, not a usb usb port.
Otherwise:

[user@dom0 ~] $
qube=heads-tests-deb12-nix-nk3; device=$(qvm-usb | grep -e Nitrokey_Nitrokey_3 -e NXP_SEMICONDUCTOR_INC._USB_COMPOSITE_DEVICE | cut -d ' ' -f1); qvm-usb attach --persistent "$qube" "$device"
'device sys-usb:4-3 of class usb already attached to heads-tests-deb12-nix-nk3'

The stack is confused with reason.

[tlaurion]

Having users activate network under sys-usb and do this stuff under sys-usb instead of dedicated qube should not be recommended for QubesOS users.

Ideally:

• QubesOS fixes qvm-usb+usb proxy with experimental packages so that sys-usb does the right thing

And the issue would be non-issue as well as all other usb composite devices having issues under QubesOS today.

@marmarek @DemiMarie @fepitre: Can this be prioritized?

Alternative/workaround if root issue cannot be fixed promptly:

• package nitrokeyapp2 for fedora-39
• package nitrokeyapp2 for debian-12
• have QubesOS distribute those packages so that instructions can be followed to install packages under sys-usb and qube underlying template
• update current documentation accordingly

[tlaurion]

@nestire please add small description in this PR reflecting goal of this PR

[tlaurion]

Cross reference for tracking QubesOS/qubes-issues#8953 (comment)

[tlaurion]

Instructions to unset sys-usb networking are missing which would currently add network persistently to sys-usb.

[tlaurion]

@marmarek reproduced issue in nk3a nfc
QubesOS/qubes-issues#8953 (comment)

[tlaurion]

@nestire please add PR small description