Fix branding issue with HOTP USB Security Dongles #761
reason: it is not a config option anymore
Ready and tested. Reviews are welcome :) I am sorry that it took so long and I hope you like this solution.
Testing reproducibility from local build and https://app.circleci.com/pipelines/github/tlaurion/heads/255/workflows/8d927eec-1090-4e19-98c2-d2d20682fa4a/jobs/277
NitroKey CircleCI:
@szszszsz we still have reproducibility issues?
Randomly chosen binary: Nitrokey CI: Local:
Building and functionally working, though. :)
Note that testing with a Librem Key still asks for user to insert his Nitrokey. Not sure Purism will be happy with that merge. How is that going to be dealt with finally? Are we expected to duplicate all boards config to have their _Nitrokey _LibremKey derivatives so that it is specified specifically in board configs?
@alex-nitrokey : I'm comfortable with
Erm... yes, I guess it is the version with the older firmware where there was a vid:pid error, right? As this PR is checking the vid to decide which device is used, it is difficult to do anything about this issue with the older firmware without breaking the idea of an automatic discovery :(
Will have a look at it with @szszszsz
besides
Calculate the uncompressed used cache space
Decrease retry count
@tlaurion @alex-nitrokey
I tested the new circleci hashes with a local build (debian) and they match for all hotp stuff (though not for the above mentioned). quite strange...
Removed
@tlaurion @alex-nitrokey Regarding #761 (comment) nothing comes to my mind.
Hi @alex-nitrokey @tlaurion !
I considered it done, yes.
Exactly, it consists independently. Probably after updating gpg2, but I am just guessing here.
# Set HOTP USB Security Dongle branding based on VID | ||
if [ ! $(lsusb | grep -q "20a0:") ]; then | ||
HOTPKEY_BRANDING="Nitrokey" | ||
elif [ ! $(lsusb | grep -q "316d:") ]; then |
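Review bot: The conditions on the `if` and `elif` lines test the output of the command substitution, not grep's exit status. With `-q` grep prints nothing, so `$(...)` expands to nothing, the test collapses to `[ ! ]`, and a one-argument test on the non-empty string `!` is always true; the first branch therefore sets HOTPKEY_BRANDING="Nitrokey" whatever is plugged in and the `elif` is never reached. Branch on the pipeline itself instead: `if lsusb | grep -q "20a0:"; then` and `elif lsusb | grep -q "316d:"; then`. The match is on the VID prefix only, which is worth stating in the comment above the `if`.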
not sure why, but this ends up showing my Librem Key as a Nitrokey.
using:
elif lsusb | grep -q "316d:" ; then
works correctly however
The negation is used because grep returns 0 if it found something.
Older Librem Keys had the same VID as the Nitrokeys because of a mistake done when building the firmware for it, see #761 (comment)
I could not think of a way to prevent that :(
So I am wondering, what is the return value of lsusb | grep -q "316d:" for you? If it is 0 the patch should work as intended. Does it?
In other words first batches of the Librem Key had incorrectly set VID:PID to the same as Nitrokey Pro has, hence the confusion.
Perhaps they have changed the USB names only back then (might not show up in the lsusb, but maybe dmesg) - that would already help to differentiate between models, otherwise I do not see how to make it possible.
So I am wondering, what is the return value of lsusb | grep -q "316d:" for you? If it is 0 the patch should work as intended. Does it?
0, and no the patch does not work correctly with my LK. It identifies as a NK without the change I mentioned above
edit: this LK is one of our new US-built ones with VID/DID 316d:4c4b. Another older one is 20a0:4108 and so identifies as a Nitrokey
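The VID-based detection discussed in this review thread, as an added example that is not code from this PR or from #781: it branches on grep's exit status and, next to it, shows why the bracketed form reports every device as a Nitrokey. The function names, the fallback string and the sample lsusb lines are assumptions constructed for illustration; only the VID:PID values 316d:4c4b and 20a0:4108 come from the thread.

```shell
#!/bin/sh
# Added example, not code from the PR. Reads lsusb-style text on stdin.

# Constructed sample lines; only the two dongle VID:PID values are from the thread.
NEW_LK='Bus 001 Device 004: ID 316d:4c4b constructed descriptor'
OLD_ID='Bus 001 Device 005: ID 20a0:4108 constructed descriptor'
NO_KEY='Bus 001 Device 001: ID 1d6b:0002 constructed descriptor'

# Branch on grep's exit status (0 = match), anchored to the "ID vid:" field
# so the pattern cannot match elsewhere in the line.
hotp_branding() {
    usb_list=$(cat)
    if printf '%s\n' "$usb_list" | grep -q ' ID 20a0:'; then
        # Also taken for older Librem Keys that report 20a0:4108.
        echo "Nitrokey"
    elif printf '%s\n' "$usb_list" | grep -q ' ID 316d:'; then
        echo "Librem Key"
    else
        echo "HOTP USB Security Dongle"   # assumed generic fallback
    fi
}

# The bracketed form: grep -q prints nothing, so $(...) expands to nothing
# and the test becomes [ ! ], which is true for any input.
broken_test_is_true() {
    if [ ! $(printf '%s\n' "$1" | grep -q "20a0:") ]; then
        echo yes
    else
        echo no
    fi
}

printf '%s\n' "$NEW_LK" | hotp_branding
printf '%s\n' "$OLD_ID" | hotp_branding
broken_test_is_true "$NEW_LK"
```

A device reporting 20a0:4108 is labelled Nitrokey by any VID-only check, which matches what the thread reports for older Librem Keys.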
pushed #781 to fix
This PR fixes the issue of having the terminology Librem Key everywhere in the code while there are more possible keys. At the same time we want to make it easy for users to know which key to insert. Thus, it is ensured that heads asks for the correct branding after initialization by storing the info in /boot/kexec_hotp_key.
This PR already includes #748 and thus #756 because otherwise it would not function correctly.
Things still needed:
librem_hotp_verification
PATH accordingly
In best case I can add these tomorrow already.
Please note that I intentionally used other terminology for the variables than discussed in #746 as they felt more suitable for me. Please consider my suggestion and let me know if I shall change CONFIG_HOTPKEY to CONFIG_HOTP_USB_SECURITY_DONGLE instead.