Tomu: difference between revisions
Kusanaginoturugi (talk | contribs) (copied from the English version)
(replaced with the English version)
||
6行目: | 6行目: | ||
{{Related articles end}} |
{{Related articles end}} |
||
− | The [https://tomu.im/ Tomu] is a family of open-source FIDO2 security keys. This article describes how to set up and use it. So far this page is limited to |
+ | The [https://tomu.im/ Tomu] is a family of open-source FIDO2 security keys. This article describes how to set up and use it. So far this page is limited to [https://tomu.im/tomu.html The original Tomu] – help to expand it. |
== The original Tomu == |
== The original Tomu == |
||
− | === |
+ | === Dependencies === |
− | To build |
+ | To build Tomu images, you will need to [[install]] {{Pkg|arm-none-eabi-gcc}} and {{Pkg|arm-none-eabi-newlib}}. To flash software on the Tomu, use {{Pkg|dfu-util}}. |
− | === |
+ | === Verifying === |
− | Your |
+ | Your Tomu should arrive with ''dfu-util'' installed. If you insert Tomu into the USB port and ''toboot'' starts, the green and red led should flash alternately. To check if your Tomu is running the boot loader ''toboot'', and which version, run: |
+ | |||
− | {{hc|1=# dfu-util --list|2=[...] |
||
+ | {{hc|# dfu-util --list|2= |
||
+ | ... |
||
Found DFU: [1209:70b1] ver=0101, devnum=19, cfg=1, intf=0, path="1-1.2", alt=0, name="Tomu Bootloader (5) v2.0-rc7", serial="UNKNOWN" |
Found DFU: [1209:70b1] ver=0101, devnum=19, cfg=1, intf=0, path="1-1.2", alt=0, name="Tomu Bootloader (5) v2.0-rc7", serial="UNKNOWN" |
||
}} |
}} |
||
− | {{Note|Some |
+ | {{Note|Some Tomu programs – including the U2F code – set the {{ic|TOBOOT_CONFIG_FLAG_AUTORUN}} flag, and start running immediately. They will then not (necessary) blink in this way and they will not be found by ''dfu-util''! To enter Toboot on these devices, short out the two outer pins with tweezers while inserting Tomu into the USB port [https://github.com/im-tomu/toboot/blob/master/media/toboot-force.jpg].}} |
− | === Update the |
+ | === Update the boot loader (toboot) === |
+ | |||
+ | If the boot loader of your Tomu is not the [https://github.com/im-tomu/toboot/tags newest version], you should update it. You can compile it yourself, or download a [https://github.com/im-tomu/toboot/blob/master/prebuilt/toboot-boosted.dfu prebuilt version]. Install the update like this: |
||
− | If the bootloader of your tomu is not the newest version (currently v2.0-rc7, june 2020), you should update it. You can compile it yourself, or download a prebuilt version from [https://github.com/im-tomu/toboot GitHub] ([https://github.com/im-tomu/toboot/blob/master/prebuilt/toboot-boosted.dfu direct link]). Install the update like this: |
||
# dfu-util -d 1209:70b1 -D toboot-booster.dfu |
# dfu-util -d 1209:70b1 -D toboot-booster.dfu |
||
=== Installing other software === |
=== Installing other software === |
||
− | If you do '''not''' want to use |
+ | If you do '''not''' want to use Tomu as U2F token but use it for different purposes, you can find example applications [https://tomu.im/samples on GitHub]. They can be installed with ''df-util'': |
+ | |||
# dfu-util -d 1209:70b1 -D application.dfu |
# dfu-util -d 1209:70b1 -D application.dfu |
||
=== Installing U2F firmware (chopstx port) === |
=== Installing U2F firmware (chopstx port) === |
||
− | The code for the U2F firmware for |
+ | The code for the U2F firmware for Tomu can be found [https://github.com/im-tomu/chopstx on GitHub]. Clone it with git and compile it: |
+ | |||
{{bc| |
{{bc| |
||
$ git clone https://github.com/im-tomu/chopstx.git |
$ git clone https://github.com/im-tomu/chopstx.git |
||
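Review bot: in the Verifying paragraph, "Your Tomu should arrive with ''dfu-util'' installed" contradicts the Dependencies section, where dfu-util is the host tool used to flash; the next sentence talks about ''toboot'' starting, so this should probably read "with ''toboot'' installed". In "Update the boot loader", the prebuilt link points at prebuilt/toboot-boosted.dfu while the command flashes toboot-booster.dfu; the two names should agree. Under "Installing other software", "''df-util''" is a typo for ''dfu-util''. In the Note, "not (necessary) blink" should be "not (necessarily) blink".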
43行目: | 48行目: | ||
You have two options: |
You have two options: |
||
− | * '''Flash it without a key.''' If flashed without a key, the firmware generates EC private key on its first boot and erases it when it enters the bootloader! You cannot create a backup. But this has the advantage that the key will never exist outside tomu. Make sure to have an alternative second factor or recovery possibility. You cannot update the software without losing the private key. |
||
− | * '''Inject a private key.''' Generate a key on your computer, inject it into the firmware and flash them together to the tomu. |
||
+ | * '''Flash it without a key:''' If flashed without a key, the firmware generates EC private key on its first boot and erases it when it enters the boot loader! You cannot create a backup. But this has the advantage that the key will never exist outside Tomu. Make sure to have an alternative second factor or recovery possibility. You cannot update the software without losing the private key. |
||
− | ==== Injecting a private key (optional, see above!) ==== |
||
+ | * '''Inject a private key:''' Generate a key on your computer, inject it into the firmware and flash them together to the Tomu. |
||
+ | |||
+ | ==== Injecting a private key (optional) ==== |
||
Generate your private key: |
Generate your private key: |
||
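Review bot: "the firmware generates EC private key" is missing an article ("an EC private key"). The first bullet says the key is erased when the device enters the boot loader; it would help to spell out that this includes forcing toboot with the pin short described in the Note above, since a reader who does that to re-flash will lose the key. Dropping "see above!" from the new heading loses the pointer back to this warning; consider keeping a short cross-reference.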
52行目: | 58行目: | ||
$ openssl ecparam -name prime256v1 -genkey -noout -outform der -out key.der |
$ openssl ecparam -name prime256v1 -genkey -noout -outform der -out key.der |
||
− | You may want to back it up encrypted and/or offline. Inject it to the build |
+ | You may want to back it up encrypted and/or offline. Inject it to the build: |
$ ./inject_key.py --key key.der |
$ ./inject_key.py --key key.der |
||
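Review bot: the command `$ ./inject_key.py --key key.der` follows the sentence with no blank line, unlike every other command in this revision; add one so it renders as its own block. The backup advice could say what "encrypted" means in practice, for example a passphrase-protected PKCS#8 copy, since key.der itself is written to disk unencrypted.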
59行目: | 65行目: | ||
You can flash the software to the device: |
You can flash the software to the device: |
||
+ | |||
# dfu-util -v -d 1209:70b1 -D build/u2f.bin |
# dfu-util -v -d 1209:70b1 -D build/u2f.bin |
||
− | When the flashing |
+ | When the flashing is successful, the LEDs should have stopped flashing. Remove it and plug it in again – with the U2F software the red LED should flash only very shortly and quickly. |
− | ==== Updating |
+ | ==== Updating or restoring ==== |
+ | |||
+ | If you have injected a private key, you can build the software again and inject the key. You must however set the counter to a value at least 1 higher than it was on the Tomu: |
||
− | If you have the injected a private key you can again build the software and inject the key. You must however set the counter to a value at least 1 higher than it was on the tomu: |
||
$ ./inject_key.py --key key.der --ctr 1001 |
$ ./inject_key.py --key key.der --ctr 1001 |
||
− | If you still have the original tomu (i.e. you want to update) you can find out the counter in the Yubikey demo site. Otherwise, set it to a value "big enough". |
||
+ | If you still have the original Tomu (i.e. you want to update) you can find out the counter in the Yubikey demo site. Otherwise, set it to a value "big enough". |
||
− | == Testing, Using == |
||
+ | |||
+ | == Usage == |
||
− | You can use |
+ | You can use https://webauthn.io/ or the Yubikey demo site to test your U2F key or with ''pamu2fcfg'' on terminal: |
+ | Plug the Tomu in. When the application (for example your browser) asks you to press the button, the red LED on the Tomu starts to blink. You have now to press the "lower button". The capacitive buttons are the four contact areas on the end of the Tomu. The "lower" one is from watching at it from the side with the chip on it. Press it with your finger – it can be tricky to reach – in worst case use a metal screwdriver or similar. When you pressed it, the red LED stays on for a few seconds then the application receives the answer. |
||
− | '''To use the key''':<br> |
||
− | Plug it in. When the application (for example your browser) asks you to press the button, the red LED on the tomu starts to blink. You have now to press the "lower button". The capacitive buttons are the four contact areas on the end of the tomu. The "lower" one is from watching at it from the side with the chip on it. Press it with your finger – it can be tricky to reach – in worst case use a metal screwdriver or similar. When you pressed it, the red LED stays on for a few seconds then the application receives the answer. |
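Review bot: "or with ''pamu2fcfg'' on terminal:" ends with a colon but no command follows; either show the pamu2fcfg invocation or end the sentence with a full stop. "The "lower" one is from watching at it from the side with the chip on it" is hard to parse; say that "lower" is as seen with the chip side facing you. The "Yubikey demo site" is named twice in this revision without a link. "in worst case" should be "in the worst case".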
Revision as of 18:24, 1 November 2023 (Wed)
The Tomu is a family of open-source FIDO2 security keys. This article describes how to set up and use it. So far this page is limited to The original Tomu – help to expand it.
The original Tomu
Dependencies
To build Tomu images, you will need to install arm-none-eabi-gcc and arm-none-eabi-newlib. To flash software on the Tomu, use dfu-util.
Verifying
Your Tomu should arrive with dfu-util installed. If you insert the Tomu into the USB port and toboot starts, the green and red LEDs should flash alternately. To check whether your Tomu is running the boot loader toboot, and which version, run:
# dfu-util --list
...
Found DFU: [1209:70b1] ver=0101, devnum=19, cfg=1, intf=0, path="1-1.2", alt=0, name="Tomu Bootloader (5) v2.0-rc7", serial="UNKNOWN"
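The check above can be scripted. As an added example, not from the wiki page, the functions below read dfu-util --list output, look for the Tomu's USB id 1209:70b1 and report the toboot version from the device name, so you can tell at a glance whether the device is in the boot loader and whether it is on the version you expect. The sample output embedded in the block is constructed to match the line shown above; the function names and the expected-version argument are this example's own.

```sh
#!/bin/sh
# Added example (not from the wiki page): check whether dfu-util sees a Tomu
# running the toboot boot loader and report the version from the device name.
# Constructed sample output, shaped like the "Found DFU:" line on the page:
SAMPLE_DFU_LIST='...
Found DFU: [1209:70b1] ver=0101, devnum=19, cfg=1, intf=0, path="1-1.2", alt=0, name="Tomu Bootloader (5) v2.0-rc7", serial="UNKNOWN"'

# Read dfu-util --list output on stdin. Print the toboot version (e.g. v2.0-rc7)
# and return 0 if a Tomu (USB id 1209:70b1) in the boot loader is listed;
# return 1 otherwise (nothing plugged in, or a firmware that autoruns and
# therefore never shows up in dfu-util, as the page's Note explains).
tomu_toboot_version() {
    version=$(sed -n 's/.*\[1209:70b1\].*name="Tomu Bootloader ([0-9]*) \(v[^"]*\)".*/\1/p' | head -n 1)
    [ -n "$version" ] || return 1
    printf '%s\n' "$version"
}

# Compare the detected version with the one you expect (the newest tag in the
# toboot repository). Returns 0 when they match, 1 when they differ and the
# boot loader should be updated, 2 when no Tomu in toboot was found at all.
tomu_check_toboot() {
    expected=$1
    found=$(tomu_toboot_version) || return 2
    [ "$found" = "$expected" ] || return 1
}

# Against a real device (dfu-util needs root, as on the page):
#   dfu-util --list 2>/dev/null | tomu_check_toboot v2.0-rc7
# Demonstration on the constructed sample, written so it is safe under set -e:
rc=0
printf '%s\n' "$SAMPLE_DFU_LIST" | tomu_check_toboot v2.0-rc7 || rc=$?
case $rc in
    0) echo "Tomu in toboot, version matches" ;;
    1) echo "Tomu in toboot, but a different version: update the boot loader" ;;
    2) echo "no Tomu in toboot found: not plugged in, or the firmware autoruns" ;;
esac
```

The sed expression only accepts a device whose USB id is 1209:70b1 and whose name starts with "Tomu Bootloader", so a different DFU device on the same machine is not mistaken for the key.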
Update the boot loader (toboot)
If the boot loader of your Tomu is not the newest version, you should update it. You can compile it yourself, or download a prebuilt version. Install the update like this:
# dfu-util -d 1209:70b1 -D toboot-boosted.dfu
Installing other software
If you do not want to use the Tomu as a U2F token but for other purposes, you can find example applications on GitHub. They can be installed with dfu-util:
# dfu-util -d 1209:70b1 -D application.dfu
Installing U2F firmware (chopstx port)
The code for the U2F firmware for Tomu can be found on GitHub. Clone it with git and compile it:
$ git clone https://github.com/im-tomu/chopstx.git
$ cd chopstx/u2f
$ make
You have two options:
- Flash it without a key: If flashed without a key, the firmware generates an EC private key on its first boot and erases it when it enters the boot loader! You cannot create a backup. This has the advantage that the key never exists outside the Tomu. Make sure to have an alternative second factor or recovery possibility. You cannot update the software without losing the private key.
- Inject a private key: Generate a key on your computer, inject it into the firmware and flash them together to the Tomu.
Injecting a private key (optional)
Generate your private key:
$ openssl ecparam -name prime256v1 -genkey -noout -outform der -out key.der
You may want to back it up encrypted and/or offline. Inject it to the build:
$ ./inject_key.py --key key.der
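As an added example, not from the wiki page or the chopstx project, the block below carries the two steps above through: it generates the P-256 key with the same openssl command, writes the encrypted backup the page recommends as a passphrase-protected PKCS#8 file, and verifies that the backup restores to a key with the same public half before the plaintext key.der is handed to inject_key.py. It assumes openssl is installed; the working directory, the file names and the passphrase are constructed placeholders, and the function names are this example's own.

```sh
#!/bin/sh
# Added example (not from the wiki page or the chopstx project): generate the
# P-256 key as the page does, keep an encrypted backup of it, and check that
# the backup restores correctly before the key is injected into the firmware.
# Assumes openssl is installed; WORKDIR is a constructed placeholder.

WORKDIR=${WORKDIR:-$(mktemp -d)}

# Step 1 (the page's command): unencrypted SEC1 DER key, the format inject_key.py takes.
generate_tomu_key() {
    openssl ecparam -name prime256v1 -genkey -noout -outform der -out "$1"
}

# Step 2: encrypted backup as PKCS#8 with PBKDF2 and AES-256, rather than the
# legacy "openssl ec -aes256" PEM encryption whose key derivation is weak.
backup_key_encrypted() {
    # $1 plaintext DER key, $2 backup file, $3 passphrase
    openssl pkcs8 -topk8 -inform der -in "$1" -v2 aes-256-cbc -iter 600000 \
        -passout "pass:$3" -out "$2"
}

# Step 3: restore the backup to SEC1 DER (-traditional), what inject_key.py --key expects.
restore_key() {
    # $1 backup file, $2 output DER key, $3 passphrase
    openssl pkcs8 -in "$1" -passin "pass:$3" -traditional -outform der -out "$2"
}

# Public key of a SEC1 DER key as PEM, used to compare original and restored key.
pubkey_of() {
    openssl ec -inform der -in "$1" -pubout 2>/dev/null
}

# Returns 0 only if the restored key has the same public key as the original,
# i.e. the backup is usable for a later "Updating or restoring" build.
verify_backup_roundtrip() {
    # $1 plaintext DER key, $2 backup file, $3 passphrase
    restored="$WORKDIR/restored.der"
    restore_key "$2" "$restored" "$3" || return 1
    [ "$(pubkey_of "$1")" = "$(pubkey_of "$restored")" ] || return 1
    rm -f "$restored"
}

# Whole flow on a fresh key. The pass: source is only so the block runs
# unattended; interactively, omit -passout/-passin and let openssl prompt.
demo_backup() {
    pw=${1:-constructed-demo-passphrase}
    generate_tomu_key "$WORKDIR/key.der" || return 1
    backup_key_encrypted "$WORKDIR/key.der" "$WORKDIR/key.enc.pem" "$pw" || return 1
    verify_backup_roundtrip "$WORKDIR/key.der" "$WORKDIR/key.enc.pem" "$pw" || return 1
    # The backup must not be readable as a key without the passphrase.
    if openssl pkcs8 -in "$WORKDIR/key.enc.pem" -passin pass:wrong -out /dev/null 2>/dev/null; then
        return 1
    fi
    # Next, as on the page: ./inject_key.py --key "$WORKDIR/key.der"
}

demo_backup && echo "backup verified: $WORKDIR/key.enc.pem"
```

Only key.enc.pem should leave the build machine (to offline media, for instance); key.der is the plaintext the page warns about and can be deleted once the firmware is flashed, since restore_key recreates it from the backup when you later rebuild with --ctr as described under "Updating or restoring".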
Flashing
You can flash the software to the device:
# dfu-util -v -d 1209:70b1 -D build/u2f.bin
When the flashing is successful, the LEDs should have stopped flashing. Remove it and plug it in again – with the U2F software the red LED should flash only very briefly.
Updating or restoring
If you have injected a private key, you can build the software again and inject the key. You must however set the counter to a value at least 1 higher than it was on the Tomu:
$ ./inject_key.py --key key.der --ctr 1001
If you still have the original Tomu (i.e. you want to update), you can find out the counter on the Yubikey demo site. Otherwise, set it to a value "big enough".
Usage
You can test your U2F key with https://webauthn.io/, with the Yubikey demo site, or with pamu2fcfg in a terminal.
Plug the Tomu in. When the application (for example your browser) asks you to press the button, the red LED on the Tomu starts to blink. You now have to press the "lower button". The capacitive buttons are the four contact areas on the end of the Tomu; the "lower" one is the lower one when you look at the Tomu from the side with the chip on it. Press it with your finger – it can be tricky to reach – or, in the worst case, use a metal screwdriver or similar. Once you have pressed it, the red LED stays on for a few seconds and then the application receives the answer.